What is 3-D Secure?
EMV® Three-Domain Secure (3-D Secure, or 3DS) is a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (for example, Payment Systems). For details about EMV® 3-D Secure, refer to https://www.emvco.com/emv-technologies/3d-secure/
To whom does the PCI 3DS Core Security Standard apply?
The PCI 3DS Core Security Standard applies to entities that perform or provide the following functions, as defined in the EMVCo 3DS Core Specification:
- 3DS Server (3DSS)
- 3DS Directory Server (DS)
- 3DS Access Control Server (ACS)
Third-party service providers that can impact these 3DS functions, or the security of the environments where these functions are performed, may also be required to meet PCI 3DS requirements as applicable to the provided service.
Whether an entity is required to validate compliance with the PCI 3DS Core Security Standard is defined by the individual payment brand compliance programs.
How are the PCI 3DS requirements structured?
The requirements in the PCI 3DS Core Security Standard are organized into the following sections:
- Part 1: Baseline Security Requirements, which provide technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect general information security principles and practices common to many industry standards, and should be considered for any type of environment.
- Part 2: 3DS Security Requirements, which provide security controls specifically intended to protect 3DS data, technologies, and processes.
What is the relationship between the PCI 3DS Core Security Standard and the PCI 3DS SDK Security Standard?
The PCI 3DS Core Security Standard and PCI 3DS SDK Security Standard are independent standards that define security controls covering different areas of the 3DS ecosystem.
- The PCI 3DS Core Security Standard supports the EMVCo 3DS Core Specification, and applies to entities that perform or provide specific 3DS functions; namely 3DS Server (3DSS), 3DS Directory Server (DS), or 3DS Access Control Server (ACS) functions.
- The PCI 3DS SDK Security Standard applies to entities that develop 3DS Software Development Kits (SDK), as defined in the EMV® 3-D Secure SDK Specification.
While these two PCI standards define consistent levels of security for respective 3DS components, they are distinct standards with separate requirements and programs, and validation against one standard does not imply or result in validation against the other.
What is the relationship between the PCI 3DS Core Security Standard and the PCI DSS?
The PCI 3DS Core Security Standard and PCI DSS are separate, independent standards each intended for specific types of entities. The PCI 3DS Core Security Standard applies to 3DS environments where 3DSS, ACS, and/or DS functions are performed, while PCI DSS applies wherever payment card account data is stored, processed or transmitted. Details of each standard’s applicability are provided within the introductory sections of that standard.
Where an entity meets the applicability for both standards, the entity should consult with their acquirer and/or payment brand, as applicable, to determine whether they are required to validate to either or both standards.
While many 3DS entities may have both PCI 3DS and PCI DSS responsibilities, there may be cases where a 3DS entity does not store, process, or transmit any payment card account data, for example, where the 3DS entity is involved only in 3DS transactions for EMVCo payment tokens. In this scenario, the 3DS entity may not be subject to PCI DSS. In all cases, entities should refer to their acquirer and/or the payment brand(s) to determine their compliance obligations to a PCI standard.
How should a 3DS entity manage an environment covered by both PCI 3DS and PCI DSS?
3DS entities that store, process, or transmit payment card account data will have a defined 3DS environment (3DE) and a defined cardholder data environment (CDE). If account data is present in the environment where 3DS functions are performed, that environment would be considered both a 3DE and a CDE.
Where the 3DE and CDE are combined in the same environment, the 3DS entity may be able to implement security controls that meet requirements in both standards. As the PCI 3DS Part 1: Baseline Security Requirements cover many of the security objectives required by PCI DSS, additional controls may not be needed to meet the PCI 3DS Part 1 Requirements if PCI DSS is fully implemented.
Where a requirement in one standard requires more stringent security controls than what is implemented or required by the other standard, the entity may need to implement the more stringent controls throughout the environment to ensure the applicable requirements from both standards are met.
An alternative scenario is where the 3DS entity has a CDE that is separate and segmented from the 3DE. In this scenario, the 3DS entity may choose to apply different controls to each environment as appropriate for the applicable standard.
Whether a 3DS entity is required to validate compliance with the PCI 3DS Core Security Standard and/or PCI DSS is defined by the individual payment brand compliance programs.
Can an entity use their PCI DSS assessment results for their 3DS assessment?
Additional controls may not be needed to meet the PCI 3DS Part 1: Baseline Security Requirements if PCI DSS is fully implemented to protect the 3DE and all 3DS system components. In circumstances where the 3DE and CDE are combined in the same environment, and PCI DSS controls have been applied and validated for all 3DE system components, the 3DS entity may be able to leverage the results of their PCI DSS assessment to validate the PCI 3DS Part 1 Requirements. 3DS entities wishing to use the results of a PCI DSS assessment for this purpose should confirm this approach with their acquirer and/or the payment brand(s). PCI DSS assessment results cannot be leveraged to validate 3DS Part 2 Requirements.
Refer to Appendix B: Alignment between PCI 3DS and PCI DSS Requirements, in the PCI 3DS Core Security Standard, for details on requirements for leveraging PCI DSS for PCI 3DS Part 1. The 3DS assessor will need to document PCI DSS coverage of the 3DE in the 3DS Report on Compliance and Attestation documents.
There is currently no option for entities to leverage results of a PCI 3DS assessment for their PCI DSS validation. Validation to PCI 3DS Part 1 does not impact or replace PCI DSS compliance obligations.
For further information, please visit www.pcisecuritystandards.org