Crossbow Labs

PCI 3D Secure

Payment Card Industry 3DS Core Security Standard popularly known as PCI -3DS is the security standard laid out by the PCI Security Standards Council applicable to specific entities.

  • Assessor Type
  • Applicability
  • Validity
  • Governing Body
  • Data Type
  • Regions
  • 3DS QSA
  • 3DS Provider
  • 3 Years
  • PCI SSC
  • PIN, CVV
  • Global
Network Security

Required

App Security

REQUIRED

PERIODIC VA & PT

Required

SOC or NOC

NA

RISK MANAGEMENT

Required

The PCI 3DS standards applies to all the entities who perform or provide 3DS Server (33DS), 3DS Directory Server (DS), 3DS Access Control Server (ACS) services.

All these entities must renew their PCI 3DS Certification every year.

The standard outlines the technical and operational requirements required to protect cardholder data.

The requirements in this PCI 3DS Core Security Standard are organized in two parts:

Part 1: Baseline Security Requirements – A baseline of technical and operational security requirements designed to protect the 3DS data environment (3DE)

Part 2: 3DS Security Requirements – Security requirements to protect 3DS data and processes

The PCI 3DS standards applies to all the entities who perform or provide 3DS Server (33DS), 3DS Directory Server (DS), 3DS Access Control Server (ACS) services.

All these entities must renew their PCI 3DS Certification every year.

The standard outlines the technical and operational requirements required to protect cardholder data.

The requirements in this PCI 3DS Core Security Standard are organized in two parts:

Part 1: Baseline Security Requirements – A baseline of technical and operational security requirements designed to protect the 3DS data environment (3DE)

Part 2: 3DS Security Requirements – Security requirements to protect 3DS data and processes

Applicability

Organizations - which provide the 3d secure validation while processing payment card data for e-commerce transactions

Required

Risk Assessment

Global

Region

3DS Service Provider processes

Protagonist

Validation

Type of compliance

3 Year

Validity

3DS-QSA

Assesor Qualification

Specific Business Services

Scope

NA

SOC Operations

Why certify?

If you are hosting 3DS Server (33DS), 3DS Directory Server (DS), 3DS Access Control Server (ACS) or providing these services, PCI 3DS annual validation is mandatory by payment brands and pre-requisites for any kind of licenses with respect to 3DS service with payment brands.

Our PCI 3DS services

PCI 3DS Gap assessment and consulting

Here we will find out all the gaps and consult on how to mitigate those

 

PCI 3DS Support services

As per PCI 3DS requirements, there are certain scans and tests need to be done, We will provide these security tests services here.

PCI 3DS Final assessment

After reporting gaps, we will do a final assessment to make sure these gaps are mitigated, after which we will be able to provide final reports, ROC, AOC and PCI 3DS certificate.

Our PCI 3DS services

PCI 3DS Gap assessment and consulting

Here we will find out all the gaps and consult on how to mitigate those

PCI 3DS Support services

As per PCI 3DS requirements, there are certain scans and tests need to be done, We will provide these security tests services here.

PCI 3DS Final assessment

After reporting gaps, we will do a final assessment to make sure these gaps are mitigated, after which we will be able to provide final reports, ROC, AOC and PCI 3DS certificate.

 

Bespoke advisory Solutions

We understand silver bullet approach wont help at all, we provide customized solutions to make sure that you implement PCI 3DS Controls effectively in your environment.

industry experience

Our decades of experience in various industries has enabled us to address industry pain points be it

Compliance Management tool

Our Automated approach in providing report, exchanging documents and workflow management saves lot efforts and keeps us away from audit fatigue

Comprehensive Services

Being a full service vendor of PCI , we provide all the auxiliary services needed to be PCI standards Compliant, Our consulting support will be there even after PCI 3DS Compliance.

Our Approach

Our Approach to PCI – 3DS Certification

Our team of Qualified Security Assessors (QSAs) bring to the table their vast experience on payment card domain across industry verticals to make compliance easy for you. At Crossbow Labs, our methodology is our biggest asset when providing PCI 3DS consulting and implementation support.

1. Pre-approval from EMVCo

The 3DS entity completes EMVCo functional testing for ACS, DS and/or 3DSS and receives a letter of approval from EMVCo.

2. Scope Formulation

Involves identification of all the system components which store, process and/or transmit cardholder data. Network segmentation is used as a trump card to reduce the scope. It is done by isolating the cardholder data environment from the rest.

3. Gap Analysis

Involves comparing the status of information security controls present in the organisation against the requirements outlined in the PCI 3DS standard. We provide recommendation/advisory wherever there is a challenge to meet the requirements outlined in the PCI 3DS standard.

4. Implementation Assistance

There comes an all-or-nothing stage in the effort of achieving PCI 3DS compliance certification. And, this is when the implementation or correction of security controls make all the difference. For technical support, we also bring in our engineering team to play. Our engineering team brings in the technical expertise for threat modelling, vulnerability identification and management.

5. Final Audit

This is a due diligence exercise to be performed right before the PCI 3DS compliance certification. This involves ensuring all the policy documents are up to date, all the gaps and recommendations have been effectively addressed and the teams are fully prepared for certification.

6. Certification

PCI 3DS certification requires collection of all the evidences by the 3DS Assessor, preparing a report to explain the adherence to all the requirements in the PCI 3DS standard and validating them with observations of processes, configurations and discussions. And yes this is a yearly certification.

Why CBL?

PCI 3D SECURE FAQs

The PCI DSS and PCI 3DS Core Security Standard are independent standards and are therefore assessed separately. A 3DE can be a part of the PCI cardholder data environment (CDE) or can be completely separate. The payment brand identifies if an entity is required to comply with 3DS Core Security Standard requirements, PCI DSS, or both.  Crossbow Labs being a PCI QSA and PCI 3DS Assessor can perform assessment and audit for both standalone environments and combined environment.

The PCI 3DS Core Security Standard applies to entities that perform the following functions, as defined in the EMVCo 3DS Core Specification:

  • 3DS Server (3DSS)
  • 3DS Directory Server (DS)
  • 3DS Access Control Server (ACS)

When a third-party service provider can impact 3DS functionality or the security of the 3DS Environment (3DE), certain requirements of the PCI 3DS Core Security Standard will be applicable to the third-party service provider too.

While the responsibility for the security of the 3DE and 3DS Data lies with the 3DS entity, service providers are required to demonstrate compliance with the applicable PCI 3DS requirements based on the services provided.

Whether an entity is required to validate compliance with the PCI 3DS Core Security Standard is defined by the individual payment brand compliance programs

The PCI 3DS Core Security Standard and PCI DSS are two separate and independent standards with different applicabilities.

The PCI 3DS Core Security Standard applies to specifically to 3DS environments where 3DSS, ACS, and/or DS functions are performed whereas PCI DSS standard applies wherever payment card account data is stored, processed or transmitted.

When both standards are applicable to an entity, the entity should talk to Acquirer or Payment brand to decide if the entity needs to validate to either or both standards.

In cases where the 3DE and CDE are combined in the same environment, and PCI DSS controls have been applied and validated for all 3DE system components, the 3DS entity may be able to leverage the results of their PCI DSS assessment to validate the PCI 3DS Part 1 Requirements.

PCI DSS assessment results cannot be leveraged to validate 3DS Part 2 Requirements.

The 3DS assessor will document PCI DSS coverage of the 3DE in the 3DS Report on Compliance and Attestation documents. There is currently no option for entities to leverage results of a PCI 3DS assessment for their PCI DSS validation. Validation to PCI 3DS Part 1 does not impact or replace PCI DSS compliance obligations.

Talk With an Expert

Learn more about how crossbow labs can help protect your business. Contact us today.