

PCI 3DS Services

What atsec offers
atsec (Beijing) Information Technology Co., Ltd (“atsec China” for short) is accredited as a 3DS Assessor by the Payment Card Industry (PCI) Security Standards Council (SSC). Currently atsec China provides the PCI 3DS service in the Canada, Europe, USA, and Asia Pacific markets.

As a qualified 3DS Assessment company, atsec China performs on-site security assessments of the 3DS data environment (3DE) in accordance with the PCI 3DS Core Security Standard. The standard provides a set of logical and physical security requirements as well as assessment procedures for performing PCI 3DS Assessments.

atsec China’s 3DS assessors can work with you to confirm the scope of the 3DE, assess PCI 3DS requirements, complete the PCI 3DS ROC (Report on Compliance) and AOC (Attestation of Compliance), and submit them to applicable payment brands or cooperative entities. Re-validation can be further performed where applicable.

In addition to the assessment service, atsec offers a full range of consulting services to support your organization in achieving compliance with the PCI 3DS standard. Our consultants have detailed and expert experience in each of the 14 requirement areas (in both parts) and can help you develop policies and procedures, and also assess your compliance with the standard.

The PCI 3DS Core Security Standard is organized into two parts. Part 1 is a baseline of technical and operational security controls that are designed to protect the 3DE. An entity that has already fully validated its 3DS environment to PCI DSS may be able to leverage the results of its PCI DSS assessment to validate the following PCI 3DS Part 1 requirements:

  • Maintain security policies for all personnel
  • Secure network connectivity
  • Develop and maintain secure systems
  • Vulnerability management
  • Manage access
  • Physical security
  • Incident response preparedness

Part 2 consists of the 3DS Security Requirements, which are designed to protect 3DS data and processes. Regardless of an entity's PCI DSS compliance, if the entity is performing 3DS functions then the following Part 2 requirements must be evaluated as part of the assessment:

  • Validate scope
  • Security governance
  • Protect 3DS systems and applications
  • Secure logical access to 3DS systems
  • Protect 3DS data
  • Cryptography and key management
  • Physically secure 3DS systems

Why our services are important to you
The PCI 3DS Core security requirements are designed to protect the 3DS environments where specific 3DS functions are performed or 3DS data is stored. The specific functions to be protected include the 3DS Server, the 3DS Directory Server, and the 3DS Access Control Server.

The EMV (which stands for “Europay, MasterCard, and Visa”) 3-D Secure Protocol and Core Functions Specification, which defines how to implement the 3-D Secure Protocol, is managed and maintained by EMVCo. The PCI 3DS Core Security Standard that supports 3DS implementations is managed and maintained by the PCI Security Standards Council.

3DS (EMV Three Domain Secure, EMV 3-D Secure or EMV 3DS) is a protocol designed to enable secure authentication for card-not-present (CNP) e-commerce purchases. The three domains consist of the following: Issuer Domain, Merchant/Acquirer Domain, Interoperability Domain (e.g. payment system).

Compared to version 1 of the 3DS protocol, new features in 3DS (version 2.0) include added support for application-based authentication as well as integration with digital or mobile wallets. There is also support for more authentication channels to help merchants further validate transactions within these complex card-not-present environments. The supported Cardholder Verification Methods (CVM) include Online PIN, Offline PIN, Challenge-response, Shared Secret, Static Password, Biometric, and One-time Passcode. The supported Consumer Device Information (CDI) could be Smartphone, Laptop or Tablet.

PCI 3DS standard compliance can be a mandatory requirement defined by the card brands or your cooperative entities when the functions related to the new version of 3DS are implemented. atsec has plenty of experience and knowledge in different security areas related to the PCI 3DS standard and can help you to improve the overall security level of the 3DS environment.

For more information
More information about atsec PCI services and our public resources can be found at http://www.atsec.com and at the PCI SSC website at https://www.pcisecuritystandards.org.

For more information about this service, please contact us at info_cn@atsec.com.