Today, the PCI SSC published documentation for vendors and labs to use in developing and evaluating 3-D Secure Software Development Kit products in accordance with the PCI 3-D Secure Software Development Kit (3DS SDK) Security Standard. The PCI 3DS SDK Security Standard supports the EMV® 3-D Secure—SDK Specification, which defines the EMV 3DS requirements for entities developing 3DS Software Development Kits (SDKs) for use in mobile-based 3DS transactions. The standard is for developers and vendors of 3DS SDK products, and it is focused on ensuring that the SDK has been designed and developed with security in mind. Together with the PCI 3DS Core Security Standard, the PCI 3DS SDK Security Standard focuses on securing the EMV 3DS infrastructure that supports 3DS transactions.
What is covered in the 3DS SDK Program Guide?
Gill Woodcock: The 3DS SDK Program Guide outlines the roles and responsibilities for the various parties involved in the development and validation of a 3DS SDK product, the evaluation and reporting process, and how to maintain a PCI-validated 3DS SDK product listing on the PCI SSC website.
What is a 3DS SDK?
Gill Woodcock: A 3DS SDK is software for facilitating cardholder authentication that is embedded in a merchant mobile app. When a cardholder initiates an in-app (mobile) transaction, the 3DS SDK communicates with 3DS Core Components to authenticate the cardholder. The PCI 3DS SDK Security Standard supports the mobile device-side component of the EMV® 3-D Secure Protocol and Core Functions Specification v2.1.0 and promotes good security practices for the SDKs.
Who is the 3DS SDK Program Guide intended for?
Gill Woodcock: The 3DS SDK Program Guide applies to vendors developing and seeking validation of their 3DS SDK product, and labs performing the testing and validation of these products.
What should vendors interested in submitting products for 3DS SDK evaluation be aware of?
Gill Woodcock: Developers and vendors of 3DS SDK products need to be aware that the PCI SSC testing process is separate from the EMVCo functional evaluation, and that to be eligible for a PCI SSC SDK security evaluation, their products first must successfully undergo EMVCo functional evaluation. We encourage them to review the 3DS SDK Program Guide to understand what’s required for submitting products.
Can all PCI-recognized labs perform evaluations of 3DS SDK products?
Gill Woodcock: Only labs that are both PCI-recognized and EMVCo Security Labs are eligible to perform these evaluations. These labs will be identified on the PCI SSC and EMVCo websites.
Can you explain how the evaluation process works for 3DS SDK products?
Gill Woodcock: As mentioned earlier, 3DS SDK products must first successfully undergo functional testing as defined in the EMV® 3-D Secure—SDK Specification prior to security testing as defined in the PCI 3DS SDK Security Standard.
Once a vendor completes the EMVCo process for 3DS SDK functional testing for its product, the vendor will work with a PCI 3DS SDK Lab, which will perform the 3DS SDK evaluation following the “Evaluation Procedures” for each security objective and associated requirements specified within the PCI 3DS SDK Security Standard. When the lab determines that all objectives and requirements are met, the lab completes the 3DS SDK Report on Validation (ROV) and 3DS SDK Attestation of Validation (AOV) in accordance with the applicable PCI SSC templates, guidance, and instructions, and submits them to PCI SSC for validation. PCI SSC will list “Approved 3DS SDKs” on the PCI SSC website.
This process is described in section 3 of the 3DS SDK Program Guide, along with the processes for reassessing updated versions of Approved 3DS SDK products. The 3DS SDK reporting documents for labs will be published next month.
Do Qualified Security Assessors (QSA) have any role in 3DS SDK evaluations?
Gill Woodcock: No, QSAs are not involved in 3DS SDK evaluations. PCI 3DS assessors are those QSAs qualified by PCI SSC to perform assessments using the PCI 3DS Core Security Standard, but they do not have a role in 3DS SDK evaluations.
What do merchants and acquirers need to know about the 3DS SDK Program Guide and product evaluation process?
Gill Woodcock: The 3DS SDK Program Guide and product evaluation process are aimed at vendors and the labs that will perform evaluations. Merchants and acquirers will benefit from a PCI SSC listing of PCI 3DS SDK products that have been validated as meeting the PCI 3DS SDK Security Standard, providing security throughout the 3DS transaction.
*EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.