The PCI 3DS Core Security Standard and PCI 3DS SDK Security Standard are independent standards that define security controls covering different areas of the 3DS ecosystem.
Who needs to be validated?
3DS Server (3DSS) providers
Access Control Server (ACS) providers
Directory Server (DS) providers
SC2labs provides PCI 3DS assessment services as a qualified PCI 3DS Assessor certified by the PCI Security Standards Council.
PCI 3DS is a one-year program, so the assessment should be performed annually by a PCI 3DS assessor.
Kickoff and Planning
The kickoff is considered the start of the engagement after the agreement is executed. We will discuss the certification process, identify the points of contact from both organizations and the timelines for the assessment, define a project roadmap and plan the next steps. One of the most important steps is “3DS scoping”, which identifies the systems that, at a minimum, need to be included in the scope of PCI 3DS.
Formal validation
The PCI 3DS Assessment of Compliance is the formal process in which a 3DS Qualified Security Assessor conducts on-site interviews, system configuration sampling, and document reviews. Testing and evidence gathering are the core of the compliance engagement. The results of the on-site assessment are documented.
Reporting
The report will be provided within 3 weeks of the last day of successful completion (i.e., once all required documents have been delivered to and collected by the 3DS QSA auditor).
Deliverables
The deliverables may include:
- 3DS Core Report on Compliance (RoC)
- 3DS Core Attestation of Compliance (AoC)
- 3DS SDK Report on Validation (RoV)
- 3DS SDK Attestation of Validation (AoV)
Completed 3DS documentation is submitted to the Customer’s Participating Payment Brands.
Continual Support
After your successful certification, we provide continual support for the ongoing maintenance of the organization’s compliance: we will provide and discuss changes to the security standard itself, as well as explain and help with emerging issues and questions.