Jeremy King: CNP fraud [online card fraud] continues to be a challenge here in Europe and globally.
Jeremy King: CNP fraud [online card fraud] continues to be a challenge here in Europe and globally.

Consumers are now able to authenticate themselves with their credit and debit card issuers when buying online by using web browsers or via mobile applications using the new EMV® 3DS standard, designed to cut online card fraud.

With the move from signature to chip and pin credit card use, card fraud largely went online, but yesterday at the PCI Europe Community Meeting the PCI Security Standards Council (PCI SSC) announced two new security standards to support secure implementation of EMVCo's EMV® 3-D Secure (3DS) protocol.

“EMV® 3DS solutions will make it increasingly difficult for criminals to obtain cardholder data (CHD) in online payment channels,” said PCI SSC iInternational director Jeremy King in an email to SC Media UK. “As CNP fraud continues to be a challenge here in Europe and globally, PCI SSC is pleased to be able to provide support for the secure implementation of these solutions.”


“Dynamic authentication is becoming increasingly important to securing payments in an omni-channel world,” added PCI SSC chief technology officer Troy Leach. “A new and improved EMV® 3DS protocol supported by PCI Security Standards will enhance the security of 3DS infrastructures and transactions and improve dynamic authentication for e-commerce and m-commerce environments.”


In a press statement the PCI SSC Senior Director of Data Security Standards Emma Sutcliffe explained the new standard, who it applies to, and the role it will play in enhancing e-commerce security.

What is 3-D Secure (3DS)?    

Emma Sutcliffe: “EMV® Three-Domain Secure (3DS) is an EMVCo messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce and m-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protects the merchant from CNP exposure to fraud. The three domains in the EMVCo specification consist of the acquirer domain, issuer domain, and the interoperability domain (eg payment systems).”

How does the PCI 3DS Core Security Standard work with the EMV® 3DS protocol to improve security of payments?

Emma Sutcliffe: “The purpose of the EMV® 3DS protocol is to facilitate the exchange of data between stakeholders – the merchant, cardholder and card issuer. The objective is to benefit each of these parties by providing the ability to authenticate cardholders during a CNP e-commerce purchase, reducing the likelihood of fraudulent usage of payment cards. Developers create 3DS products and services based on the EMVCo specification so that they are interoperable globally. 

“The PCI 3DS Core Security Standard provides a framework for three critical EMV® 3DS components—ACS, DS, and 3DS Server—to implement physical and logical security controls to support the integrity and confidentiality of the 3DS transaction process.”

What does the PCI 3DS Core Security Standard address specifically?

Emma Sutcliffe: “The PCI 3DS Core Security Standard defines physical and logical security requirements for protecting environments where ACS, DS, and/or 3DSS functions are performed.  The requirements in the standard are organised into two sections:

        Part 1: Baseline Security Requirements, which provide technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect general information security principles and practices common to many industry standards, and should be considered for any type of environment.

        Part 2: 3DS Security Requirements, which provide security controls specifically intended to protect 3DS data, technologies, and processes.

“Accompanying the standard is the PCI 3DS Data Matrix, which identifies a number of data elements common to 3DS transactions, as defined by EMVCo, that are also subject to requirements in the PCI 3DS Core Security Standard. The data elements identified in the PCI 3DS Data Matrix include those considered to be 3DS sensitive data, which are subject to specific data protection requirements, and certain cryptographic key types that are subject to HSM requirements.”

Why is the PCI SSC addressing 3DS?

Emma Sutcliffe: “The marketplace is changing every day, and with mobile payments projected to continue to rise, it is vitally important that security be addressed in the design of the authentication system to keep up with the evolving threats.

“The PCI 3DS Core Security Standard will help secure the 3DS components that are critical to the overall EMV® 3DS transaction process, supporting the integrity and confidentiality of 3DS authentication data and improving the overall security of online payments.

“Additionally, very soon we will publish a supporting PCI Security Standard for the EMV® 3-D Secure SDK Specification, which defines EMV® 3DS requirements for entities developing a 3DS Software Development Kit (SDK) for use in mobile-based 3DS transactions. The PCI 3DS SDK Security Standard will be for developers and vendors of 3DS SDK products and is focused on ensuring the SDK has been designed and developed with security in mind.

“A new and improved EMV® 3DS protocol together with these PCI Security Standards will enhance the security of 3DS infrastructures and transactions and improve dynamic authentication for e-commerce and m-commerce environments.”

Who has to comply with the PCI 3DS Core Security Standard?

Emma Sutcliffe: “The standard is intended for those companies that manage or provide EMV® 3DS components, specifically: ACS, DS, and 3DSS. It provides guidelines for identifying and implementing appropriate security controls to protect the 3DS transaction process.

“Compliance requirements for these entities will be defined by the applicable payment brands.”

How will assessments be performed for PCI 3DS environments?

Emma Sutcliffe: “Assessors of 3DS components will use the standard as a framework for assessing and reporting on the implemented security controls. 

“Training and Qualification Requirements for QSAs to become qualified to perform 3DS Assessments will be available by early 2018. In the interim, PCI P2PE Assessors and existing 3-D Secure v1 Visa assessors that are also QSAs will be able to perform PCI 3DS Assessments after completing a streamlined qualification process.”

What resources are available to help stakeholders in understanding and implementing the PCI 3DS Core Security Standard?

Emma Sutcliffe: “As well as general guidance contained within the standard and Data Matrix, specific Implementation Guidance is provided for each requirement in the standard to help entities and assessors understand how a requirement could be met.  A separate FAQ document will be available in the next few weeks, which covers some of the key questions stakeholders may have as they review the standard and begin to implement it.”


The PCI 3DS Core Security Standard is available now on the PCI SSC website and the PCI 3DS SDK Security Standard will be available on the PCI SSC The PCI Security Standards Council  website next month.