The PCI 3DS Core Security Standard and PCI 3DS SDK Security Standard are independent standards that define security controls covering different areas of the 3DS ecosystem.
-
The PCI 3DS Core Security Standard supports the EMVCo 3DS Core Specification, and applies to entities that perform or provide specific 3DS functions:
The Merchant/Acquirer Domain (3DS Server). This domain includes banks/merchant entities that handle payment request environments.
The Issuer Domain (3DS Access Control Server). This domain ensures the applicability of authentication for a particular card and is managed by the issuer bank. Whether it comes under 3DS environment or not is validated under this domain.
The Interoperability Domain (3DS Directory Server). This domain is responsible for authentication, validation and maintenance of data flow among server entities.
The PCI 3DS SDK. Security Standard applies to entities that develop 3DS Software Development Kits (SDK), as defined in the EMV ® 3-D Secure SDK Specification.
SC2labs provides PCI 3DS assessments service, as a qualified PCI 3DS Assessor
certified by the PCI Security Standards Council.
Who needs to be validated?
3DS Server (3DSS) providers
Access Control Server (ACS) providers
Directory Server (DS) providers
PCI 3DS is one – year program, so assessment should be performed on an annualy basis.
The requirements in the standard are organized into two sections:
Part 1: Baseline Security Requirements, which provide technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect general information security principles and practices common to many industry standards, and should be considered for any type of environment.
1. Maintain security policies for all personnel
2. Secure network connectivity
3. Develop and maintain secure systems
4. Vulnerability management
5. Manage access
6. Physical security
7. Incident response preparedness
Part 2: 3DS Security Requirements, which provide security controls specifically intended to protect 3DS data, technologies, and processes.
There are seven 3DS Part 2 requirements:
1. Validate scope
2. Secure governance
3. Protect 3DS systems and applications
4. Secure logical access to 3DS systems
5. Protect 3DS data
6. Cryptography and key management
7. Physically secure 3DS system
The PCI 3DS Data Matrix is a separate document that supports the PCI 3DS Core Security Standard. The PCI 3DS Data Matrix identifies a number of data elements common to 3DS transactions, as defined by EMVCo, that are also subject to requirements in the PCI 3DS Core Security Standard. The data elements identified in the PCI 3DS Data Matrix include those considered to be 3DS sensitive data, which are subject to specific data protection requirements, and certain cryptographic key types that are subject to HSM requirements.
Link :
https://www.pcisecuritystandards.org/document_library
SC2labs provides PCI 3DS assessments service, as a qualified PCI 3DS Assessor certified by the PCI Security Standards Council.
Kickoff and Planning
The kickoff is considered the start of the engagement after the agreement is executed. We will discuss certification proces, identify the point of contact from both organizations, timelines for assessment, define a project roadmap and plan next steps.
One of the most important step is “3DS scoping” to identify the systems that, at a minimum, need to be included in the scope of PCI 3DS.
Formal validation
The PCI 3DS Assessment of Compliance, is the formal process where 3DS Qualified Security Assessor will conduct on-site interviews, system configuration sampling, and document reviews. Testing and gathering is the core of the compliance engagement. The results of the on-site assessment are documented.
Reporting
The report will be provided within 3 weeks of the last day of successful completion (all required documents are delivered and collected by the 3DS QSA auditor.
Deliverables
The deliverables include:
RoC – Report on Compliance
AoC – Attestation of Compliance
Completed 3DS documentation is submitted to Customer’s Participating Payment Brands.
Continual Support
After your successful certification, we provide continual support in the ongoing maintenance of organization’s compliance - we will provide and discuss changes the security standard itself, as well as explain and support with emerge issues and questions.