PCI 3DS Certification
Secure your card-not-present transactions with the PCI 3DS Core Security Standard, which strengthens cardholder authentication and adds an extra layer of security to e-commerce and m-commerce purchases.
What is PCI 3DS?
The PCI 3DS Core Security Standard is a set of security requirements and assessment procedures used to assess EMV's 3-D Secure core security protocol and core functions. Three-Domain Secure (3DS) is an EMVCo messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present e-commerce and m-commerce purchases.
There are three domains in the 3DS specification:
- Acquirer Domain - Merchant and acquirer environment
- Issuer Domain - Card issuer environment
- Interoperability Domain - Card scheme network infrastructure
The standard requirements are organized in two parts:
- Baseline Security Requirements - A baseline of technical and operational security requirements designed to protect the 3DS data environment (3DE)
- 3DS Security Requirements - Security requirements to protect 3DS data, processes and technologies
PCI 3DS strengthens user authentication by adding an extra layer of security to card-not-present (CNP) transactions.
The EMV® 3-D Secure entities in scope for PCI 3DS are:
- 3DS Directory Server (DS) - Routes authentication messages between merchants and issuers
- 3DS Access Control Server (ACS) - Authenticates cardholders during transactions
- 3DS Server (3DSS) - Initiates authentication and interfaces with merchant systems
All the necessary physical and logical security requirements and assessments are defined under the EMV 3-D Secure Protocol and Core Functions Specification. The controls defined in the standard protect the confidentiality and integrity of 3DS transactions.
What We Offer
The key to implementing robust security controls lies in identifying the right scope, recognizing the difference between compliance and security, and sustaining compliance after successful control implementation.
Business Understanding
Evaluate your business processes and environment to identify the in-scope elements.
Scope Finalization
Finalize the scope elements and prepare the requirement documentation.
Readiness Assessment
Identify the potential challenges that may arise during requirement implementation.
Risk Assessment
Identify and analyze the risks in your information security posture.
Data Flow Assessment
Conduct a thorough systems analysis to evaluate data flows and possible leakage points.
Documentation Support
Assist you with the list of policies and procedures needed for validation and evidence collection.
Remediation Support
Recommend solutions to the compliance challenges identified.
Awareness Training
Conduct awareness sessions for your team and the personnel involved in the scope.
Scans And Testing
Identify critical vulnerabilities in your systems with a robust testing approach.
Evidence Review
Review the evidence collected to assess its maturity against the compliance requirements.
Final Assessment and Attestation
After a successful assessment, our audit team attests your compliance.
Continuous Compliance Support
Support you in maintaining compliance by providing ongoing guidance.
Frequently Asked Questions
How Are The PCI 3DS Requirements Structured?
The PCI 3DS Core Security Standard requirements are organized into the following sections:
- Baseline Security Requirements: This set of technical and operational security requirements is designed to protect environments where 3DS functions are performed. The requirements reflect general information security principles and practices common to many industry standards and should be considered for any type of environment.
- 3DS Security Requirements: This set of requirements provides security controls specifically intended to protect 3DS data, technologies, and processes.
To Whom Does The PCI 3DS Core Security Standard Apply?
The PCI 3DS Core Security Standard applies to entities that perform or provide the following functions, as defined in the EMVCo 3DS Core Specification:
- 3DS Server (3DSS)
- 3DS Directory Server (DS)
- 3DS Access Control Server (ACS)
Some third-party service providers that can impact these 3DS functions, or the security of the environments where these functions are performed, may also be required to meet PCI 3DS requirements as applicable to the provided service.
What Is The PCI 3DS Data Matrix And How Does It Fit In With The PCI 3DS Core Security Standard?
The PCI 3DS Data Matrix is a separate document that supports the PCI 3DS Core Security Standard and identifies a number of data elements common to 3DS transactions. The data elements identified in the PCI 3DS Data Matrix include those considered to be 3DS sensitive data, which are subject to specific data protection requirements, and certain cryptographic key types that are subject to HSM requirements.
What Is The Relationship Between The PCI 3DS Core Security Standard And The PCI DSS?
The PCI 3DS Core Security Standard and PCI DSS are separate, independent standards, each intended for specific types of entities. The PCI 3DS Core Security Standard applies to 3DS environments where 3DSS, ACS, and/or DS functions are performed, while PCI DSS applies wherever payment card account data is stored, processed, or transmitted.
What Are The Deliverables Of The PCI 3DS Certification?
The deliverables of PCI 3DS certification are:
- Attestation of Compliance (AOC)
- Report of Compliance (ROC)
- Certificate of Compliance (COC)