The 3DS 2.0 New Era
3D Secure (3DS) is a solution designed to enhance the security of online payment-by-card transactions by authenticating the payer is the rightful owner of the card. All major global card schemes have adopted the common 3DS standards and specification that are managed by the EMVCo. Global card schemes have set liability shift timelines for migration to 3DS transactions while the revised European Payment Services Directive (PSD2) requires Strong Customer Authentication (SCA) for online payments. The newest EMV® 3-D Secure Protocol and Core Functions Specification for the certification of ACS, DS, and 3DSS products is version 2.2.0, while the Payment Card Industry Security Standards Council (PCI SSC) released the PCI 3DS Core Security Standard v1.0 in December 2017. The global payment cards industry has entered into a new 3DS 2.0 era.
3DS Product Certification
3DS product providers and software vendors will need certification of compliance to EMVCo’s 3DS specification as well as card schemes’ secure programs in order to integrate with the card schemes’ Directory Server. You can visit EMVCo’s website for more information on EMVCo’s 3DS product specifications, and Visa Technology Partner website for more information on Visa Secure program and Visa’s EMV 3DS Product Testing.
PCI 3DS Assessment and Certification
Banks and/or payment service providers should adopt the new 3DS 2.0 system to further reduce fraud and improve customer experience for card-not-present online payment transactions. But, who exactly will need to be validated for compliance to the PCI 3DS standard?
Below is a summary of relevant certification requirements based on Visa’s Certification Guide and Checklist for the ACS and 3DSS (Visa’s EMV 3DS Product Certification Guide and Checklist – Access Control Server, and Visa’s EMV 3DS Product Certification Guide and Checklist-3DS Server), as well as our suggestions.
(1) 3DSS Services
If you are a 3DS Server(3DSS) Hosting Services provider or an Acquirer Processor, you need to pass the validation of PCI DSS for 3DE (3DS Data Environment). If you are a Merchant and run your own 3DSS for your operations, you have to pass PCI DSS assessment too. In other words, no businesses should pass the PCI 3DS Standard validation according to Visa’s certification requirement.
(Source: Visa’s EMV 3DS Product Certification Guide and Checklist – 3DS Server Prerequisites)
(2) ACS Services
For ACS services, if you are an ACS Hosting Services Provider or Issuer Processor, you are required to pass both PCI DSS and PCI 3DS assessments for your 3DE (or to pass both Part 1 and Part 2 of PCI 3DS).
But if you are an Issuer, whether you buy an ACS solution or build your own ACS system, you can choose whether to get these assessments. Both standards are not mandated for an Issuer using ACS.
(Source: Visa’s EMV 3DS Product Certification Guide and Checklist – Access Control Server)
(3) Cloud Service and Cloud Service Vendor
For those companies who would like to utilize cloud technologies for their 3DS operations or ACS services, it is very important to verify if the cloud service vendor has been validated by PCI 3DS Standard; both PCI 3DS AOC and ROC should be submitted to the card scheme before it can register as a 3DS services vendor.
(4) HSM (Hardware Security Module)
PCI 3DS Standard requires a high level HSM for the cryptographic management.
Part II 6.1.2 For ACS and DS only: All key management activity for specified cryptographic keys (as defined in the PCI 3DS Data Matrix) is performed using an HSM that is either:
– FIPS 140-2 Level 3 (overall) or higher certified, or
– PCI PTS HSM approved.
If you are planning your ACS services, you should bear in mind to get the right model and level of your HSM. For some Key Management Services (KMS) of Cloud, their security level is only FIPS 140-2 Level 2 (overall), and it will not meet the requirements of PCI 3DS.
How to get PCI 3DS Certification
For those who need to pass the PCI 3DS validation, here are some basic steps for the certification:
(1) Check your PCI DSS compliance
There are two parts to the requirements in PCI 3DS Core Security Standard,
Part 1: Baseline Security Requirements
Part 2: 3DS Security Requirements
The first part is the Baseline Security Requirements which is the equivalent part to PCI DSS. So if you have passed the validation of PCI DSS to the PCI 3DS environment, you don’t need to be validated for Part 1 again. If you have not been validated for PCI DSS, then you can choose to pass PCI 3DS Part I validation or use PCI DSS to validate the PCI 3DS environment. However, since VISA requires ACS Hosting and Issuing Processor to have PCI DSS validation, PCI DSS should be seen as a must.
(2) Confirmed products (ACS, DS, 3DSS) have been approved by EMVCo
Please check whether the software systems you use have been certified by EMVco and card scheme. If you do it by yourself, you have to get the LOA by yourself, and if you get it from your software/solution vendors, let them confirm they have gotten the LOA.
(3) Establish a PCI 3DS environment based on PCI 3DS Secure Standard
Set up your systems, applications, databases and the networks and security components. You can either base them on PCI DSS requirements or PCI 3DS standard Part 1.
If you are going to use a cloud service to build up your PCI 3DS environment, check with your cloud service vendor if they have been validated by PCI 3DS before you use it.
(4) Ensure the security of your 3DS data
Based on the PCI 3DS Data Matrix, all sensitive data should be encrypted when you keep the data in your 3DS environment.
Most 3DS transaction data transferred by API interface between DS, 3DSS, and ACS, the security of data transfer protected by TLS and the relevant certificates issued by card schemes should be in place.
(5) Prepare and implement related procedures and management assignments
PCI 3DS standard requires many accompanying management policies, procedures and risk management strategies. And you will also need to keep the execution records to prove your compliance to the management procedures and PCI 3DS standard.
(6) Technical testing of compliance requirements
Most technical tests are required by PCI DSS or the PCI 3DS Part 1, but you still need to take care the application/development security, code review and testing of the API interfaces should be done before you can get your systems validated.
(7) PCI 3DS Assessment
Engage a PCI 3DS QSA company to do the assessment, based on card scheme requirement, you have to inform your card schemes before you conduct the PCI 3DS Assessment
Assessment takes 3-5 days onsite checking and evidence review, follow the guidance of the QSA company to get the environment ready and keep enough compliance evidence can help you pass the validation more smoothly and quickly.
Secure Vectors Information Technologies Inc.
Secure Vectors Information Technologies, Inc. (SVITI) is a leading professional consulting and certification firm specializing in providing payment card related security consulting and certification services, including PCI DSS, PCI 3DS, and PCI PIN Security Standards. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore, Secure Vectors is a leading company in this space and is recognized for our best-in-class service quality.
Written by Vincent Huang
* QSA and Consultant at Secure Vectors Information Technologies Inc. 20-year experience in IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security.
* Professional certifications include:
– PCI DSS QSA, PCI 3DS Assessor, PIN Security QPA,
– CISSP, CEH, NSPA,
– ISMS LA, ITSM LA, Certified CSA STAR Auditor,
– Europrise Technical Expert
- For more information and inquiries please kindly email us at service@securevectors.com and our expert support team will answer all your questions.