The PCI 3DS Core Security Standard and PCI 3DS SDK Security Standard are independent standards that define security controls covering different areas of the 3DS ecosystem.
• The PCI 3DS Core Security Standard supports the EMVCo 3DS Core Specification and applies to entities that perform or provide specific 3DS functions, namely 3DS Server (3DSS), 3DS Directory Server (DS), or 3DS Access Control Server (ACS) functions.
• The PCI 3DS SDK Security Standard applies to entities that develop 3DS Software Development Kits (SDKs), as defined in the EMV® 3-D Secure SDK Specification.
While these two PCI standards define consistent levels of security for their respective 3DS components, they are distinct standards with separate requirements and programs, and validation against one standard does not imply or result in validation against the other.
The PCI 3DS Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server (hereafter referred to as the ‘PCI 3DS Core Security Standard’) defines physical and logical security requirements and assessment procedures for entities that perform or provide the following functions, as defined in the EMV 3-D Secure Protocol and Core Functions specification:
– 3DS Server (3DSS)
– 3DS Directory Server (DS)
– 3DS Access Control Server (ACS)
SC2labs provides PCI 3DS assessment services as a PCI 3DS Assessor qualified by the PCI Security Standards Council.
PCI 3DS Reporting Requirements:
– RoC (Report on Compliance)
– AoC (Attestation of Compliance)
The completed 3DS documentation is submitted to the customer’s participating payment brands.
The requirements in the standard are organized into two parts:
Part 1: Baseline Security Requirements, which provide technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect general information security principles and practices common to many industry standards, and should be considered for any type of environment.
1. Maintain security policies for all personnel
2. Secure network connectivity
3. Develop and maintain secure systems
4. Vulnerability management
5. Manage access
6. Physical security
7. Incident response preparedness
Part 2: 3DS Security Requirements, which provide security controls specifically intended to protect 3DS data, technologies, and processes. Part 2 contains seven requirements:
1. Validate scope
2. Secure governance
3. Protect 3DS systems and applications
4. Secure logical access to 3DS systems
5. Protect 3DS data
6. Cryptography and key management
7. Physically secure 3DS systems
The PCI 3DS Data Matrix is a separate document that supports the PCI 3DS Core Security Standard. It identifies a number of data elements common to 3DS transactions, as defined by EMVCo, that are also subject to requirements in the PCI 3DS Core Security Standard. The data elements identified in the PCI 3DS Data Matrix include those considered to be 3DS sensitive data, which are subject to specific data protection requirements, and certain cryptographic key types that are subject to HSM requirements.