Today, the PCI SSC published a minor revision to the PCI 3-D Secure Software Development Kit (3DS SDK) Security Standard, which supports the mobile device-side component of the EMV® 3-D Secure Protocol and Core Functions Specification and promotes good security practices for the development and maintenance of SDKs.
A 3DS SDK is software for facilitating cardholder authentication that is embedded in a merchant mobile app. When a cardholder initiates an in-app (mobile) transaction, the 3DS SDK communicates with 3DS Core Components to authenticate the cardholder.
In this post we talk with PCI SSC Standards Manager Jake Marcinko about the revised standard and what payment card industry stakeholders need to know.
Why is PCI SSC revising the PCI 3DS SDK Security Standard now?
Jake Marcinko: Earlier this year PCI SSC introduced the PCI 3DS SDK Program for testing and validation of 3DS SDK products that meet the requirements in the PCI 3DS SDK Security Standard for providing security throughout the 3DS transaction. To support implementation of this program, we’ve updated the PCI 3DS SDK Security Standard with more detailed procedures for PCI 3DS SDK Labs to assess these products. The updates include feedback received during a request for comments (RFC) period with PCI SSC Participating Organizations and PCI Recognized Labs.
Are any new requirements being introduced in version 1.1?
Jake Marcinko: No, there are no new requirements in v1.1 of the PCI 3DS SDK Security Standard. Titles have been added to each requirement for ease of navigation, and the assessment procedures have been updated to provide more details and guidance for the PCI 3DS SDK Labs performing 3DS SDK security evaluations.
What do PCI 3DS SDK Labs need to know about the updated standard?
Jake Marcinko: The addition of more detailed assessment procedures provides the labs evaluating 3DS SDK products with greater direction for performing PCI 3DS SDK security evaluations. This allows the labs to ensure they have the necessary tools and processes needed to properly evaluate 3DS SDK products. The detailed assessment procedures also provide a consistent baseline of security testing that will be applied to all 3DS SDK products being evaluated against the PCI 3DS SDK Security Standard.
The updated standard will be followed by reporting templates, to be available in early 2019.
Only labs that are both PCI-recognized and EMVCo Security Labs are eligible to become a PCI 3DS SDK lab. Interested labs should contact the PCI 3DS Program Manager via 3DS@pcisecuritystandards.org.
What do 3DS SDK product developers and vendors need to know about the updated standard?
Jake Marcinko: The addition of more detailed assessment procedures provides 3DS SDK product developers and vendors with greater understanding about how their 3DS SDK products will be evaluated, which in turn helps them design their products in accordance with the requirements.
3DS SDK developers and vendors are encouraged to review the updated assessment procedures to ensure they understand what will be required for the PCI security evaluation of their 3DS SDK products.
As a reminder, developers and vendors of 3DS SDK products need to be aware that the PCI SSC testing process is separate from the EMVCo functional evaluation, and that to be eligible for a PCI SSC SDK security evaluation, their products first must successfully undergo EMVCo functional evaluation. We encourage 3DS developers and vendors to review the PCI 3DS SDK Program Guide to understand what’s required for submitting products.
What do merchants and acquirers need to know about the updated standard?
Jake Marcinko: The PCI 3DS SDK Security Standard and program are aimed at vendors and the labs that will perform evaluations. 3DS SDK products that are independently tested and validated against the standard through the PCI 3DS SDK Program will be listed on the PCI SSC website for merchants and acquirers to use when selecting a software vendor.
*EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.