PCI 3D Secure
The Payment Card Industry 3DS Core Security Standard, commonly known as PCI 3DS, is a security standard published by the PCI Security Standards Council (PCI SSC) that applies to specific entities in the 3-D Secure ecosystem.
- Assessor Type: 3DS QSA
- Applicability: 3DS Provider
- Validity: 3 Years
- Governing Body: PCI SSC
- Data Type: PIN, CVV
- Regions: Global
The PCI 3DS standard applies to all entities that perform or provide 3DS Server (3DSS), 3DS Directory Server (DS) or 3DS Access Control Server (ACS) functions.
All these entities must renew their PCI 3DS validation every year.
The standard sets out the technical and operational requirements needed to protect 3DS data and the systems and processes that handle it.
The requirements in the PCI 3DS Core Security Standard are organized in two parts:
Part 1: Baseline Security Requirements – A baseline of technical and operational security requirements designed to protect the 3DS environment (3DE)
Part 2: 3DS Security Requirements – Security requirements to protect 3DS data and processes
Applicability: Organizations which provide 3-D Secure validation while processing payment card data for e-commerce transactions
- Risk Assessment: Required
- Region: Global
- Protagonist: 3DS Service Provider processes
- Type of compliance: Validation
- Validity: 3 Years
- Assessor Qualification: 3DS-QSA
- Scope: Specific Business Services
- SOC Operations: NA
Why certify?
If you host a 3DS Server (3DSS), 3DS Directory Server (DS) or 3DS Access Control Server (ACS), or provide these services, annual PCI 3DS validation is mandated by the payment brands and is a prerequisite for any 3DS-related licence or approval from them.
Our PCI 3DS services
PCI 3DS Gap assessment and consulting
We identify all gaps against the PCI 3DS requirements and advise on how to remediate them.
PCI 3DS Support services
The PCI 3DS requirements call for certain scans and tests to be performed; we provide these security testing services.
PCI 3DS Final assessment
After the gaps have been reported, we perform a final assessment to confirm they have been remediated, after which we issue the final reports: the Report on Compliance (ROC), the Attestation of Compliance (AOC) and the PCI 3DS certificate.
Bespoke advisory Solutions
We understand that a one-size-fits-all approach does not work, so we provide customized solutions to make sure you implement the PCI 3DS controls effectively in your environment.
Industry experience
Our decades of experience across industries has enabled us to address industry pain points, including in:
- Automobile & Manufacturing
- Banks/BFSI
- BPOs
- Data Center / Cloud Provider
- E-Commerce Merchant
- Government / PSU
- Health Care & Hospitality
- IT&ITES
Compliance Management tool
Our automated approach to reporting, document exchange and workflow management saves significant effort and avoids audit fatigue.
Comprehensive Services
As a full-service PCI vendor, we provide all the auxiliary services needed to comply with PCI standards, and our consulting support continues after PCI 3DS compliance is achieved.
Our Approach
Our team of Qualified Security Assessors (QSAs) brings vast experience in the payment card domain across industry verticals to make compliance easy for you. At Crossbow Labs, our methodology is our biggest asset when providing PCI 3DS consulting and implementation support.
1. Pre-approval from EMVCo
The 3DS entity completes EMVCo functional testing for ACS, DS and/or 3DSS and receives a letter of approval from EMVCo.
2. Scope Formulation
Involves identifying all system components that store, process or transmit 3DS data, or that could affect the security of the 3DE. Network segmentation is the main lever for reducing scope: it isolates the 3DE from the rest of the network so that out-of-scope systems cannot reach it.
3. Gap Analysis
Involves comparing the status of information security controls present in the organisation against the requirements outlined in the PCI 3DS standard. We provide recommendation/advisory wherever there is a challenge to meet the requirements outlined in the PCI 3DS standard.
4. Implementation Assistance
This is the decisive stage in achieving PCI 3DS compliance: the implementation or correction of security controls is what makes the difference. For technical support we also bring in our engineering team, which contributes expertise in threat modelling, vulnerability identification and vulnerability management.
5. Final Audit
This is a due-diligence exercise performed right before the PCI 3DS compliance assessment. It ensures that all policy documents are up to date, that all gaps and recommendations have been effectively addressed, and that the teams are fully prepared for certification.
6. Certification
PCI 3DS certification requires the 3DS Assessor to collect all evidence, prepare a report explaining adherence to every requirement of the PCI 3DS standard, and validate it through observation of processes and configurations and through interviews. This certification must be renewed every year.
Why CBL?
- Our automated approach to reporting, document exchange and workflow management saves significant effort and avoids audit fatigue.
- Our decades of experience across industries has enabled us to address industry pain points.
- We provide customized solutions to make sure you implement cyber security controls effectively in your environment.
- We have a client footprint in more than 25 countries.
PCI 3D SECURE FAQs
The PCI DSS and the PCI 3DS Core Security Standard are independent standards and are therefore assessed separately. A 3DE can be part of the PCI cardholder data environment (CDE) or completely separate from it. The payment brand determines whether an entity is required to comply with the 3DS Core Security Standard, PCI DSS, or both. Crossbow Labs, being both a PCI QSA and a PCI 3DS Assessor, can perform assessments and audits for standalone as well as combined environments.
The PCI 3DS Core Security Standard applies to entities that perform the following functions, as defined in the EMVCo 3DS Core Specification:
- 3DS Server (3DSS)
- 3DS Directory Server (DS)
- 3DS Access Control Server (ACS)
When a third-party service provider can impact 3DS functionality or the security of the 3DS Environment (3DE), certain requirements of the PCI 3DS Core Security Standard will be applicable to the third-party service provider too.
While the responsibility for the security of the 3DE and 3DS Data lies with the 3DS entity, service providers are required to demonstrate compliance with the applicable PCI 3DS requirements based on the services provided.
Whether an entity is required to validate compliance with the PCI 3DS Core Security Standard is defined by the individual payment brand compliance programs.
The PCI 3DS Core Security Standard and PCI DSS are two separate and independent standards with different applicabilities.
The PCI 3DS Core Security Standard applies specifically to 3DS environments where 3DSS, ACS and/or DS functions are performed, whereas PCI DSS applies wherever payment card account data is stored, processed or transmitted.
When both standards apply to an entity, the entity should consult its acquirer or the payment brand to determine whether it needs to validate against either or both standards.
In cases where the 3DE and CDE are combined in the same environment, and PCI DSS controls have been applied and validated for all 3DE system components, the 3DS entity may be able to leverage the results of their PCI DSS assessment to validate the PCI 3DS Part 1 Requirements.
PCI DSS assessment results cannot be leveraged to validate 3DS Part 2 Requirements.
The 3DS assessor will document PCI DSS coverage of the 3DE in the 3DS Report on Compliance and Attestation documents. There is currently no option for entities to leverage results of a PCI 3DS assessment for their PCI DSS validation. Validation to PCI 3DS Part 1 does not impact or replace PCI DSS compliance obligations.