
EMV® 3-D Secure – Securing E-Commerce

If you're coming to this post wondering what exactly 3DS is, it may be worth starting with one of our previous posts on the subject here, or here.

From these you'll learn that there are four major components to a 3DS solution:

  • A 3DS client, which may be a web browser, a mobile app, or another interface used by the customer
  • A 3DS Server, on the merchant (3DS Requestor) side, which handles the merchant's end of the protocol
  • The Directory Server (DS), which routes authentication messages to the correct Issuer
  • The Access Control Server (ACS), on the Issuer side, which authenticates the customer during the transaction

Each of these components is covered by specific testing requirements and regimens, as illustrated below.

PCI 3DS Secure

The illustration above shows that every component must go through functional testing. In addition, the SDK component is in scope for the PCI 3DS SDK evaluation, while the server-side components are in scope for the PCI 3DS Core requirements, which are in fact split into two parts: the Baseline Security Requirements and the 3DS Security Requirements. Below, we go through aspects of each of these standards and how they may apply to your environment or solution.

The 3DS SDK standard applies to the software components used to secure data at the customer end. Usually this is a 'Software Development Kit' (SDK) that is integrated into another software component (such as a phone app) and allows in-app purchases to use the 3DS protocol and its security. The 3DS SDK standard can be assessed only by PCI-recognised laboratories approved for 3DS, which you can identify by the '3D' padlock icon next to their name here.

Currently (at the time of writing, Feb 2019), evaluation of SDKs is considered best practice only, but is strongly recommended to ensure that your solution is sufficiently protecting your customer data and providing you with the security you require for your transactions. This is especially important in the face of legislation around strong authentication and customer data protection that is now common around the world.

The 3DS Core - Baseline Security Requirements provide, as the name implies, the baseline technical and operational security requirements needed to secure the 3DS operational environment. These requirements align with the control objectives of PCI DSS and can broadly be seen as a translation of PCI DSS into the 3DS realm, where the customer PAN may not be present and would not otherwise create a need for a PCI DSS assessment.

The 3DS Core - Security Requirements then cover the actual 3DS data that may be processed within the 3DS infrastructure during a transaction. PCI additionally provides a 'data matrix' that details each data element and the level of protection it requires, including whether that element is permitted to be stored, whether (for some elements) storage is permitted only temporarily, and whether it must be managed within an HSM.

One way to look at the 3DS Core standards is that the Baseline Security Requirements exist to cover the infrastructure on which the 3DS application is executed - the servers, networks, etc. - and the Security Requirements themselves are really designed to be applied to the actual application and processing performed as part of the 3DS transaction.

Evaluation of DS and ACS systems against the 3DS Core requirements is considered mandatory by many of the payment brands, and should be part of your deployment roadmap if you are involved in this aspect.

How many of these systems exist? What has the take-up of 3DS been like? At UL we manage the infrastructure that performs the functional testing for all 3DS solutions, and with this information we can start to paint a picture of the success of EMV® 3-D Secure. Below, we provide a snapshot of the current functional testing landscape, which shows that things are progressing well in many areas of the world, with EMEA leading the way (presumably because of the mandates around PSD2). These numbers may seem on the low side, but they have to be viewed with the understanding that testing has only been available for a few months. The pipeline of incoming solutions is growing as vendors ramp up their solutions and get them ready for compliance assessment, so this shows a positive trend for the overall adoption of EMV® 3-D Secure.

PCI 3DS

For details on which specific products are approved, you can visit the EMVCo 3DS approval web page here. It allows you to filter results by company name and product type; choose the 3DS options towards the bottom of the radio button list to see the approvals for this technology type.

However, when the security requirements are considered alongside the mandated requirements for functional testing (which I have not covered in this post), it can be seen that developing and deploying a 3DS solution can be quite complex. As the only company able to offer all services for 3DS testing, UL is an undisputed expert in this area and is happy to help you with your 3DS needs.