What is PCI 3DS?
PCI 3D Secure (PCI 3DS) Core Security Standard is a framework from the Payment Card Industry Security Standards Council that provides security protections for online card transactions. The goal of PCI 3DS is to prevent unauthorized transactions and reduce fraud in online payments by enabling consumers to authenticate their identity when making card-not-present (CNP) purchases.
PCI 3DS was developed to support the secure implementation of EMVCo’s EMV 3DS protocol.
The standard applies to entities that perform or provide the following functions:
3DS Access Control Server (ACS)
The ACS contains the authentication rules and is controlled by the Issuer. It verifies whether authentication is available for a card number and device type and authenticates specific transactions. Specific ACS functions include:
- Verifying whether a card number is eligible for 3DS authentication
- Verifying whether a Consumer Device type is eligible for 3DS authentication
- Authenticating the Cardholder for a specific transaction
3DS Directory Server (DS)
The DS maintains lists of card ranges for which authentication may be available and coordinates communication between the 3DSS and ACS to determine whether authentication is available for a particular card number and device type. DS functions include:
- Authenticating the 3DS Server and the ACS
- Routing messages between the 3DS Server and the ACS
- Validating the 3DS Server, the 3DS SDK, and the 3DS Requestor
- Defining specific program rules (for example, logos, time-out values, etc.)
- Onboarding 3DS Servers and ACSs
- Maintaining ACS versions and 3DS Method URLs
3DS Server (3DSS)
The 3DSS provides the functional interface between the 3DS Requestor Environment flows and the Directory Server (DS). Functions performed by the 3DS Server include:
- Collecting necessary data elements for 3DS messages
- Authenticating the DS
- Validating the DS, the 3DS SDK, and the 3DS Requestor
- Ensuring that message contents are protected
The 3DS Server may also link to the Acquirer and initiate authorization requests.
Getting Certified
The PCI 3DS requirements are organized in two parts:
Part 1: Baseline Security Requirements – A baseline of technical and operational security requirements designed to protect the 3DS data environment (3DE). Part 1 contains the following control domains:
- Maintain security policies for all personnel
- Secure network connectivity
- Develop and maintain secure systems
- Vulnerability management
- Manage access
- Physical security
- Incident response preparedness
Part 2: 3DS Security Requirements – Security requirements to protect 3DS data and processes. Part 2 contains the following control domains:
- Validate scope
- Security Governance
- Protect 3DS systems and applications
- Secure logical access to 3DS systems
- Protect 3DS data
- Cryptography and key management
- Physically secure 3DS systems
When validating if your organization has met the PCI 3DS requirements, a certified 3DS assessor is expected to follow this validation method:
- Examine: The assessor critically evaluates data evidence. Common examples include documents, screenshots, configuration files, audit logs, and data files.
- Observe: The QSA watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, system configurations/settings, environmental conditions, and physical controls.
- Interview: The assessor interviews individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
Assessment Process
To begin their PCI 3DS compliance journey, organizations will typically begin by completing the EMVCo functional testing for ACS, DS, and/or 3DSS and receive a Letter of Approval from EMVCo. At that point, organizations can proceed to:
- Confirm the scope of the PCI 3DS assessment
- Perform the PCI 3DS assessment
- Complete the 3DS assessment report and attestation
- Submit the assessment report and attestation, along with any other requested documentation, to the applicable payment brands
- If required, perform remediation to address requirement gaps, and provide an updated report
Comparing PCI 3DS and PCI DSS
PCI 3DS and PCI DSS are separate standards. The 3DS standard applies to 3DS environments (3DE) where 3DSS, ACS, and/or DS functions are performed. The DSS standard applies to the cardholder data environment (CDE), where payment card data is stored, processed, or transmitted.
PCI DSS-certified organizations that include 3DE in their CDE may be able to use the results of their DSS assessment to meet the 3DS Baseline Security Requirements.
The Benefits of PCI 3DS Certification
For organizations that operate in the eCommerce space, there are several benefits to being PCI 3DS certified. Implementing the 3DS security controls will result in more effective data protection data and fraud prevention, reducing the risk of financial and reputational damage caused by a data breach or fraudulent transactions.
PCI 3DS is accepted globally, your certification will ensure compliance with payment card industry standards, gain consumer trust, and enable transactions with customers worldwide.
To learn more about PCI 3DS, listen to this episode of the Compliance Pointers podcast.
How We Can Help
PCI 3DS is a daunting task for any business to tackle alone. CompliancePoint is an authorized 3DS Qualified Security Assessor (QSA). When you partner with us, you get an experienced partner that will guide you through every step of the certification process. We help organizations proactively identify their security gaps, build out frameworks to meet compliance requirements, and can manage their security program on an ongoing basis to maintain certification.
Credit card fraud in the US is at an all-time high. CompliancePoint experts are here to help your organization comply with PCI requirements, reduce the risk of a breach, gain competitive advantage, and increase credibility.
Frequently Asked Questions
Payment Card Industry Three Domain Secure (PCI 3DS) is a security protocol developed to enhance the security of online transactions made with a credit or debit card. It is designed to reduce fraud by providing an additional layer of authentication for card-not-present transactions.
When a cardholder makes a transaction, the 3DS protocol prompts them to provide additional information to verify their identity. This might include a password, a one-time code sent via SMS, or biometric authentication, depending on the implementation.
PCI DSS and PCI 3DS are separate standards.
PCI DSS was designed to protect payment card data in the cardholder data environment (CDE), which is where the data is stored, processed, or transmitted.
PCI 3DS is a security protocol developed specifically to enhance the security of online credit and debit card transactions to prevent fraud.
A 3DS entity that has applied PCI DSS to protect its 3DS environment (3DE) as described above may be able to leverage the results of its PCI DSS assessment to meet the PCI 3DS Part 1: Baseline Security Requirements.
A PCI 3DS Qualified Security Assessor (QSA) is an individual or a company certified by the PCI Security Standards Council (PCI SSC) to assess compliance with the PCI 3DS security standards. To secure PCI 3DS certification, an organization must have an audit of its security controls performed by a certified QSA.