Understanding PCI 3DS Core Security Standard & Compliance

The PCI 3DS Core Security Standard is a security benchmark that supports EMVCo’s EMV® 3-D Secure Protocol and Core Functions Specification. The PCI 3DS Requirements and Assessment Procedures address the physical and logical security of EMV® 3-D Secure Core Components.

This blog unpacks the core security standard: what it addresses, why it matters, the validation scope, the challenges, and the certification approach.

What is PCI 3D-Secure?

PCI 3D-Secure, or PCI 3DS, is a messaging protocol that allows customers to authenticate themselves with their card issuer in Card Not Present (CNP) transactions. These CNP transactions could be e-commerce or m-commerce purchases. The security standard provides an additional security layer that protects merchants from CNP fraud.

How does the standard enhance payment security?

This question goes to the core purpose of the PCI 3DS Security Standard. Primarily, it facilitates the exchange of information between the merchant, cardholder, and card issuer. The standard benefits these parties by adding a layer of security that authenticates cardholders during CNP transactions, which helps reduce fraudulent use of payment cards.

The PCI 3DS Standard provides a framework for three crucial EMV® 3DS components: the Access Control Server (ACS), the Directory Server (DS), and the 3DS Server (3DSS). The framework also provides physical and logical protection for every 3DS transaction process.

What does the standard particularly address?

As pointed out above, the PCI 3DS Requirements focus on implementing physical and logical security controls to protect ACS, DS, and 3DSS environments. The requirements in the security standard are split into two parts:

  • First, the baseline security requirements: technical and operational requisites that help secure the environments where 3DS functions are performed. These are general security requirements, practices, and policies common to many industry standards.
  • Second, the 3DS security requirements, which provide security controls designed specifically to protect 3DS data, processes, and technologies.

Yet another element to consider is the PCI 3DS Data Matrix. The data matrix identifies a number of data elements common to 3DS transactions and subject to PCI 3DS requirements. These include 3DS-sensitive data and the cryptographic key types subject to HSM requirements.

Why is the PCI SSC addressing 3DS?

In the digital era, where mobile payments are rising rapidly, it is vital to address security in the design of authentication systems. The PCI core security standard protects the complete 3DS environment, helping improve online payment security. The 3DS protocol, combined with the core security standard, strengthens 3DS transactions and infrastructure with dynamic authentication in both e-commerce and m-commerce environments.

Who requires PCI 3DS validation?

The PCI 3DS Standard covers entities that manage or provide EMV® 3DS components. The critical entities that require PCI 3DS validation are:

1. Access Control Server (ACS) providers
2. Directory Server (DS) providers
3. 3DS Server (3DSS) providers

Most entities in scope of the standard will already have some form of validation in place. However, there are differences among 3DS protocol versions and their validation requirements, and the compliance requirements for in-scope entities are defined by their applicable payment brands.

Challenges on the way to PCI 3DS Compliance

  • For an existing compliant organization still on the previous 3DS version, the initial hurdle will be choosing a Qualified Security Assessor (QSA) to test its payment handling systems. It is important to note that QSAs are not permitted to validate the same entity for more than two consecutive years, to ensure higher verification standards. In some cases they will have explicit permission from Visa to bypass this condition, but as an entity you should always assume that such explicit permissions have not been granted.
  • Some of your existing systems might also retain sensitive 3DS data in places where it is not required. This can cause an immediate compliance failure, so entities need to update their payment systems promptly to avoid such situations. Another common challenge on the way to compliance is the way in which legitimate data is stored. It is common to find that data defined in the data matrix is not appropriately encrypted at rest and is not securely deleted when no longer needed.
  • The new requirements for PCI 3DS compliance require additional monitoring and oversight of transactions to reduce payment fraud. This proactive analysis can be time-consuming but is unavoidable. The compliance status of the cloud platform an entity relies on is yet another concern: platforms lacking the required compliance would not fit 3DS 2.x payment systems either.
  • There are some physical challenges on your way to compliance as well. It is vital to note that PCI DSS requirements do not include provisions for physical security in the data centre, but PCI 3DS requisites demand the use of certain mechanisms to control access to the server rooms. Here, entities will require upgrades to their infrastructure for compliance. Similarly, the way in which encryption keys are used in hardware security modules has also changed: HSMs need dual control, ensuring that no single party has access to all relevant encryption keys.

PCI 3DS Certification Approach of ValueMentor

The ValueMentor PCI 3DS engagement follows a three-phase approach: Assessment, Remediation, and Audit. Below we detail the subtasks under each of these phases in the PCI 3DS Certification project.

1. Assessment Phase

The initial phase involves defining the accurate scope of the project and performing a PCI 3DS gap analysis.

  • PCI 3DS Services Discovery
    – Project initiation
    – Knowing the client
    – Discovery of offered PCI 3DS services
    – Identification of infrastructure elements
  • PCI 3DS Gap Analysis
    – Identification of 3DS data environment & infrastructure
    – Gap identification against PCI 3DS requirements

2. Remediation Phase

Next is the remediation phase, where the PCI 3DS gaps identified in the assessment phase are mitigated.

  • Remediation Advisory
    – PCI 3DS security testing & documentation
    – Remediation progress tracking
  • Control Reviews
    – Periodic control implementation review
    – Periodic review of network segmentation
    – Consultancy on new controls

3. Audit and Attestation Phase

In the final phase, the PCI 3DS Auditor performs a 3DS Audit towards a successful PCI 3DS Certification for the client.

  • PCI Scope Validation
    – Revalidation of the final scope
    – Identification of changes from the original scope
  • PCI Onsite Audit
    – Perform testing as defined in the PCI 3DS ROC template
  • PCI Report on Compliance
    – Evidence collection for the 3DS Audit
    – Documentation of 3DS Audit findings
    – ROC validation by the QSA
    – ROC release for customer review
  • PCI 3DS Certification/Attestation
    – Preparation of the Attestation of Compliance (AOC)
    – Issuing the Attestation of Compliance (AOC)
    – Successful completion of the PCI 3DS Certification project

Summing Up

To avoid data security challenges in the PCI environment, organizations need to ensure PCI 3DS compliance sooner rather than later. For this, you need to partner with a qualified PCI 3DS auditing firm like ValueMentor, which has in-depth experience in making you compliant and secure against all kinds of CNP fraud. ValueMentor is the leading PCI 3DS Security Attestation and Services company, with a global presence and a 100 % success rate. Appropriate implementation of the PCI DSS security standard secures payment transactions by reducing the number of disputed transactions and ultimately improving the organization’s sales results.