Launching a 3DS Component at the Market – The Complete Guide from UL
What you need to know
To reflect the current and future market requirements on protecting e-Commerce domain against hacking, fraud, and identity theft, EMVCo released the latest industry standard – the EMV® 3-D Secure. The EMV® 3-D Secure technology and its advantages are discussed in detail in UL blog posts and webinars.
Considerations before going live
Before going live, an EMV® 3DS component shall be approved by a payment scheme you are collaborating with.
Many payment schemes mandate product providers to obtain a EMV 3DS Letter Of Approval (LOA) from EMVCo, that ensures that the 3DS Component (i.e. Access Control Server, Directory Server, 3DS Server and 3DS SDK) is compliant with the EMV® 3-D Secure Protocol and Core Functions Specification. The process of obtaining such LOA is called EMV® 3DS approval process and is described in detail on EMVCo website. For your convenience, summary of this process is given below.
In addition to LOA from EMVCo, payment schemes might require additional certification to ensure compliance with the payment schemes specifications. For more details, please contact your payment scheme representative or reach out to UL for advice.
EMV® 3DS approval process with UL
To complete the EMV® 3DS approval process, a product provider shall select an EMVCo-qualified test tool and EMVCo-accredited 3DS testing laboratory. UL offers to Product Providers the EMV 3DS solution that consists of the UL 3DS Self Test Platform (Platform) and the services of UL 3DS Testing Laboratory (Test Lab), which, at the moment, is the only EMVCo accredited laboratory to deliver EMV 3DS approval services.
The EMV 3DS approval process for Product Providers consist of 4 phases: Registration, Pre-Compliance, Compliance and Approval. The Platform provides guidance through the approval process on the project level.
During the Registration phase, the product provider shall register their company with EMVCo and the Platform. Upon successful registration, the product provider will receive their registration number from EMVCo and login details to the Platform. Once the Registration step is completed, the Product Provider can proceed to the next step of the approval process, Pre-Compliance.
The Pre-Compliance phase starts with the product provider creating a project and executing test case on the Platform. The Platform provides the ability to debug, test and ensure compliance before submitting a component for approval. Once the Pre-Compliance testing has been completed, the product provider shall engage with the Test Lab to verify and accept the Pre-Compliance test results. Once the Test Lab approves the results, Compliance step can start.
The Compliance phase consists of 2 main steps: Implementation Conformance Statement (ICS) approval and Compliance testing. The product provider shall complete the ICS and submit it to the Test Lab via the Platform. The Test Lab will check data on the ICS and will pass it to EMVCo for signature. Once EMVCo signs the ICS, the product provider can start Compliance testing. The Test Lab will verify the Compliance test results and, if test results are successful, submit a corresponding test report to EMVCo (upon the product provider approval).
At the Approval phase the product providers shall submit a Request for Approval form to EMVCo. EMVCo will determine if approval should be granted and will notify the Product Provider on the decision. In case of a positive outcome of the review, EMVCo will issue the Letter of Approval to the Product Provider.
A detailed explanation of the process is given in Figure 1.
Figure 1 EMV® 3-D Secure Approval Process with the ULPPP
PCI 3DS Security Standard Core Assessment
In addition to EMVCo and brand testing, payment schemes will require the parties who will host an EMV® 3-D Secure Component to go through a PCI 3DS Security Standard Core assessment, to ensure physical and logical security of EMV 3DS transactions.
The 3DS SDK components providers willing to ensure good software security of their product, can go through PCI 3DS SDK security assessment services.
UL can provide PCI 3DS security assessment services. PCI have accredited UL for both PCI 3DS core and PCI 3DS SDK evaluations. In addition to these accredited services, UL offers PCI 3DS training, workshops, gap analysis and consulting services against the PCI 3DS requirements and program.
Are you ready?
EMV® 3-D Secure has arrived to revolutionize the authentication in eCommerce domain. To facilitate market adoption of 3-D Secure UL offers fully integrated solution for Acquirers, Issuers, Brand Schemes, Product Providers or Payment Service Providers while they are building and enhancing their 3-D Secure components.