The recent publication by EMVCo of updated versions of their 3-D Secure (3DS) specifications, as well as industry changes and stakeholder feedback, is providing input into current PCI SSC revision efforts of the two PCI 3DS standards, namely the Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server (PCI 3DS Core) and Security Requirements and Assessment Procedures for EMV® 3-D Secure SDK (PCI 3DS SDK).
Stakeholders may be asking if the currently published versions can still be used to help secure 3DS environments.
In this post, we talk with Joel Weisz, Standards Manager, and the Chair of the PCI 3DS working group, about the current revision efforts for the PCI 3DS Core and PCI 3DS SDK standards.
What are the most recently published versions of the EMVCo 3-D Secure Specifications?
Joel Weisz: The current versions of the EMVCo 3DS specifications are EMV® 3-D Secure Protocol and Core Functions Specification v18.104.22.168, and EMV® 3-D Secure SDK Specification v22.214.171.124, both published on May 30, 2023. Additionally, since the last release of the PCI 3DS standards, EMVCo published the Split-SDK specification, the latest version of which is EMV® 3-D Secure Split-SDK Specification v126.96.36.199, published August 31, 2022. We encourage checking EMVCo’s website for the latest versions of these specifications and for more information about 3-D Secure.
Can the currently published PCI 3DS Standards still be used considering the recently updated EMVCo 3-D Secure Specifications?
Joel Weisz: Yes, the current PCI 3DS Standards can continue to be used to provide entities with baseline security requirements for securing their 3DS environments and systems. That said, the PCI SSC is revising both 3DS Standards to address the updated EMVCo 3DS specifications, along with additional stakeholder feedback. The current revision effort is intended to explicitly address the new ‘Split-SDK’ implementations.
How can stakeholders provide feedback on updates to the PCI 3DS Core and SDK Standards?
Joel Weisz: A Request for Comment (RFC) period on the draft PCI 3DS Core Security Standard v2.0, the draft PCI 3DS Data Matrix v2.0, and the draft PCI 3DS SDK Security Standard v2.0 is anticipated in December 2023 – January 2024. Eligible stakeholders are encouraged to provide their feedback on the draft standards through the upcoming PCI SSC RFC process. Learn more about how to participate in the RFC Process.
Where can additional information and guidance on PCI 3DS Core and SDK Standards and Programs be found?
Joel Weisz: Additional information and guidance on matters related to PCI 3DS Core and SDK Standards and Programs can be found in the Document Library of the PCI SSC website or on the PCI Perspectives Blog. Don’t forget that the Council also offers Knowledge Training on the 3DS Assessor Program. Knowledge Training is open to anyone, including non-assessors, who wish to obtain additional knowledge of our standards and programs. Knowledge Training fills the knowledge gap by providing learning opportunities for individuals to take the same training and exam as Assessors.