In response to stakeholder feedback, the PCI Security Standards Council (PCI SSC) has issued an important revision to the PCI 3DS Core Security Standard v1.0 through an update to the standard’s Technical Frequently Asked Questions (Technical FAQs).
Effective immediately, Technical FAQ Q3 has been revised to no longer exclusively require the evaluation of non-console HSM access solutions by an independent laboratory to verify compliance with ISO 13491, provided an alternative set of criteria is met. The update includes a set of alternative requirements that, if met in their entirety, can be used to satisfy the currently published requirements P2-6.2.1 through P2-6.2.5.
The Council regularly issues Technical FAQs as a mechanism to provide additional clarification regarding the interpretation and application of security and program requirements between revisions of a given PCI security standard. It is important to recognize that this Technical FAQ update is an integral part of the PCI 3DS Core Security Standard and must be considered during a PCI 3DS Core Security assessment.
This update was made through the Technical FAQ process to expeditiously address feedback from the PCI 3DS community. PCI SSC highly values feedback from the global payment card industry, which plays a critical role in the ongoing maintenance and development of these resources for the industry. Later this year, the Council will hold a Request for Comment (RFC) period to further revise the PCI 3DS Core and SDK Security Standards. The RFC period is currently anticipated for December 2023 – January 2024. Eligible stakeholders are encouraged to provide their feedback on the draft revisions through the upcoming RFC process.