At this week’s PCI Europe Community Meeting in Barcelona, the PCI Security Standards Council (PCI SSC) released a new security standard to support EMVCo’s EMV® 3-D Secure Protocol and Core Functions Specification. The PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server (referred to as the PCI 3DS Core Security Standard) addresses physical and logical security for the Access Control Server (ACS), Directory Server (DS), and 3DS Server (3DSS), which are critical components in the 3DS ecosystem as defined by EMVCo’s specification. The work of both EMVCo and PCI SSC ensures that an agile and workable structure is established for both functional testing and security evaluation of 3DS solutions.
Here we talk with PCI SSC Senior Director of Data Security Standards Emma Sutcliffe about the new standard, who it applies to, and the role it will play in enhancing e-commerce security.
What is 3-D Secure (3DS)?
Emma Sutcliffe: EMV® Three-Domain Secure (3DS) is an EMVCo messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce and m-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from CNP exposure to fraud. The three domains in the EMVCo specification consist of the acquirer domain, issuer domain, and the interoperability domain (e.g. payment systems).
How does the PCI 3DS Core Security Standard work with the EMV® 3DS protocol to improve security of payments?
Emma Sutcliffe: The purpose of the EMV® 3DS protocol is to facilitate the exchange of data between stakeholders – the merchant, cardholder and card issuer. The objective is to benefit each of these parties by providing the ability to authenticate cardholders during a CNP e-commerce purchase, reducing the likelihood of fraudulent usage of payment cards. Developers create 3DS products and services based on the EMVCo specification so that they are interoperable globally.
The PCI 3DS Core Security Standard provides a framework for three critical EMV® 3DS components—ACS, DS, and 3DS Server—to implement physical and logical security controls to support the integrity and confidentiality of the 3DS transaction process.
What does the PCI 3DS Core Security Standard address specifically?
Emma Sutcliffe: The PCI 3DS Core Security Standard defines physical and logical security requirements for protecting environments where ACS, DS, and/or 3DSS functions are performed. The requirements in the standard are organized into two sections:
- Part 1: Baseline Security Requirements, which provide technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect general information security principles and practices common to many industry standards, and should be considered for any type of environment.
- Part 2: 3DS Security Requirements, which provide security controls specifically intended to protect 3DS data, technologies, and processes.
Accompanying the standard is the PCI 3DS Data Matrix, which identifies a number of data elements common to 3DS transactions, as defined by EMVCo, that are also subject to requirements in the PCI 3DS Core Security Standard. The data elements identified in the PCI 3DS Data Matrix include those considered to be 3DS sensitive data, which are subject to specific data protection requirements, and certain cryptographic key types that are subject to HSM requirements.
Why is the PCI SSC addressing 3DS?
Emma Sutcliffe: The marketplace is changing every day, and with mobile payments projected to continue to rise, it is vitally important that security be addressed in the design of the authentication system to keep up with the evolving threats.
The PCI 3DS Core Security Standard will help secure the 3DS components that are critical to the overall EMV® 3DS transaction process, supporting the integrity and confidentiality of 3DS authentication data and improving the overall security of online payments.
Additionally, very soon we will publish a supporting PCI Security Standard for the EMV® 3-D Secure SDK Specification, which defines EMV® 3DS requirements for entities developing a 3DS Software Development Kit (SDK) for use in mobile-based 3DS transactions. The PCI 3DS SDK Security Standard will be for developers and vendors of 3DS SDK products and is focused on ensuring the SDK has been designed and developed with security in mind.
A new and improved EMV® 3DS protocol together with these PCI Security Standards will enhance the security of 3DS infrastructures and transactions and improve dynamic authentication for e-commerce and m-commerce environments.
Who has to comply with the PCI 3DS Core Security Standard?
Emma Sutcliffe: The standard is intended for those companies that manage or provide EMV® 3DS components, specifically: ACS, DS, and 3DSS. It provides guidelines for identifying and implementing appropriate security controls to protect the 3DS transaction process.
Compliance requirements for these entities will be defined by the applicable payment brands.
How will assessments be performed for PCI 3DS environments?
Emma Sutcliffe: Assessors of 3DS components will use the standard as a framework for assessing and reporting on the implemented security controls.
Training and Qualification Requirements for QSAs to become qualified to perform 3DS Assessments will be available by early 2018. In the interim, PCI P2PE Assessors and existing 3-D Secure v1 Visa assessors that are also QSAs will be able to perform PCI 3DS Assessments after completing a streamlined qualification process.
What resources are available to help stakeholders in understanding and implementing the PCI 3DS Core Security Standard?
Emma Sutcliffe: As well as general guidance contained within the standard and Data Matrix, specific Implementation Guidance is provided for each requirement in the standard to help entities and assessors understand how a requirement could be met. A separate FAQ document will be available in the next few weeks, which covers some of the key questions stakeholders may have as they review the standard and begin to implement it.