Following publication of the PCI 3DS Core Security Standard in October, the PCI SSC has published a second PCI 3DS Security Standard, this one for software development kits. The PCI 3DS SDK Security Standard supports the EMV® 3-D Secure SDK Specification, which defines EMV® 3DS requirements for entities developing 3DS Software Development Kits (SDKs) for use in mobile-based 3DS transactions. The standard is for developers and vendors of 3DS SDK products, and it is focused on ensuring the SDK has been designed and developed with security in mind. Together with the PCI 3DS Core Security Standard, the PCI 3DS SDK Security Standard focuses on securing the EMV® 3DS infrastructure that supports 3DS transactions. The PCI SSC is also developing an SDK validation program for 2018, which it plans to first test as a pilot program in 2017. The final program will include a PCI SSC listing of SDK solutions that meet the PCI 3DS SDK Security Standard. Here we talk with Chief Technology Officer Troy Leach about this second PCI 3DS Security Standard, who it applies to, and how it will ultimately help merchants enhance m-commerce security.
What is a 3DS Software Development Kit (SDK)?
Troy Leach: A 3DS SDK is software for facilitating cardholder authentication that is embedded in a merchant mobile app. When a cardholder initiates an in-app (mobile) transaction, the 3DS SDK communicates with 3DS Core Components to authenticate the cardholder. The PCI 3DS SDK Standard supports the mobile device-side component of the EMV® 3-D Secure protocol and promotes good security practices for the SDKs.
What is the goal of the PCI 3DS SDK Security Standard?
Troy Leach: The goal of our standard is to promote good software security to enable secure mobile authentication as designed by the EMVCo specification. The supporting validation program for 3DS SDK will verify that a 3DS SDK has been developed and designed to meet specific security objectives, including:
- Reduce the risk of breach or compromise of the merchant app(s) that embed the 3DS SDK
- Properly safeguard data captured by the 3DS SDK
- Ensure the security mechanisms specified in the EMVCo 3DS specifications are properly utilized
- Protect the integrity of the SDK from manipulation by other apps or processes on the consumer device
Who is the PCI 3DS SDK Standard for?
Troy Leach: The standard is intended for software developers to use in designing secure 3DS SDK products. Assessors will test and evaluate the security of 3DS SDK products using the requirements and validation procedures in the standard.
What are the key areas that the PCI 3DS SDK Standard covers to ensure that 3DS SDK products have been designed and developed with security in mind?
Troy Leach: The requirements cover security objectives such as integrity protection, data protection, proper use of cryptography, vulnerability management and implementation guidance, as they pertain specifically to 3DS SDK products.
How will the PCI 3DS SDK Standard benefit merchants?
Troy Leach: SDK software products that are independently tested and validated against the standard will be listed on the PCI SSC website for merchants to use when selecting a software vendor. Merchants and their customers using SDK products from the PCI SSC listing have assurance that the software was developed with security as a priority, and can minimize the additional due diligence cost of evaluating the software.
How will 3DS SDK products be validated against this standard?
Troy Leach: PCI SSC is currently developing a 3DS SDK validation program for 2018, which we plan to test first as a pilot program in 2017.
Once the program is available in 2018, vendors of 3DS SDK products will be able to submit their products for assessment against the PCI 3DS SDK Standard and, after validation, the products will be included in a new listing on the PCI SSC website. Details of the program, including identifying requirements for assessors, are currently being developed. PCI SSC will keep stakeholders updated on its availability.
How will this process align with testing against the EMVCo 3DS SDK specification?
Troy Leach: The PCI SSC security assessment process is separate from the EMVCo functional evaluation. In order to complete a PCI SSC SDK security assessment, a product will first have to undergo EMVCo functional evaluation. PCI and EMVCo are working together to streamline this process.
Any thoughts for developers of 3DS SDK products to keep in mind when reviewing the standard?
Troy Leach: 3DS SDK developers should keep in mind that the PCI 3DS SDK standard provides a minimum baseline of security features and functionality that 3DS SDK products should implement to help facilitate secure 3DS transactions.
In addition to the PCI 3DS SDK requirements, 3DS SDK developers should follow industry best practices for secure software development when developing 3DS SDK products, including frequent testing for vulnerabilities.
Many of the objectives outlined in the PCI 3DS SDK Standard for securely developing an application are similar to those in other PCI software standards that provide criteria for building and maintaining secure applications, such as the requirements in DSS, PA-DSS, and the PCI Software Security Framework currently in development. Where they differ is that the PCI 3DS SDK Standard addresses protecting the specific data elements collected by the SDK in association with a 3D-Secure transaction.