PCI 3DS Core Security Standard v1
PCI 3DS Core Security Standard v1
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 2
Table of Contents
Document Changes ..................................................................................................................................................................................................... 2
Introduction .................................................................................................................................................................................................................. 5
Terminology ................................................................................................................................................................................................................ 7
Roles and Responsibilities ......................................................................................................................................................................................... 8
Scope of PCI 3DS Core Security Standard .............................................................................................................................................................. 10
3DS Data .................................................................................................................................................................................................................. 10
Relationship between PCI 3DS Core Security Standard and PCI DSS ................................................................................................................... 10
Use of Third-Party Service Providers / Outsourcing .............................................................................................................................................. 11
3DS Security Requirements and Assessment Procedures ................................................................................................................................... 12
Risk-Management Approach to Requirements ........................................................................................................................................................ 12
Validating Requirements .......................................................................................................................................................................................... 12
Compensating Controls ............................................................................................................................................................................................ 13
3DS Assessment Process ........................................................................................................................................................................................ 13
Part 1: 3DS Baseline Security Requirements .......................................................................................................................................................... 14
Requirement P1-1. Maintain security policies for all personnel ............................................................................................................................... 14
Requirement P1-2. Secure network connectivity ..................................................................................................................................................... 17
Requirement P1-3. Develop and maintain secure systems ..................................................................................................................................... 19
Requirement P1-4. Vulnerability management......................................................................................................................................................... 23
Requirement P1-5. Manage access ......................................................................................................................................................................... 26
Requirement P1-6. Physical Security ....................................................................................................................................................................... 28
Requirement P1-7. Incident response preparedness ............................................................................................................................................... 30
Part 2: 3DS Security Requirements .......................................................................................................................................................................... 33
Requirement P2-1. Validate scope ........................................................................................................................................................................... 33
Requirement P2-2. Security governance ................................................................................................................................................................. 34
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 3
Requirement P2-3 Protect 3DS systems and applications ...................................................................................................................................... 37
Requirement P2-4. Secure logical access to 3DS systems ..................................................................................................................................... 41
Requirement P2-5. Protect 3DS data ....................................................................................................................................................................... 45
Requirement P2-6 Cryptography and Key Management ......................................................................................................................................... 49
Requirement P2-7 Physically secure 3DS systems ................................................................................................................................................. 57
Appendix A-1: Compensating Controls ................................................................................................................................................................... 59
Appendix A-2: Compensating Controls Worksheet ............................................................................................................................................... 60
Appendix B: Alignment between PCI 3DS and PCI DSS Requirements ............................................................................................................... 61
Leveraging PCI DSS for PCI 3DS Part 1: Baseline Security Requirements ............................................................................................................ 64
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 4
Introduction
This document, the PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS
Server (hereafter referred to as the “PCI 3DS Core Security Standard”), defines physical and logical security requirements and assessment
procedures for entities that perform or provide the following functions, as defined in the EMV® 3-D Secure Protocol and Core Functions
Specification:
3DS Server (3DSS)
The requirements in this PCI 3DS Core Security Standard are organized in two parts:
Part 1: Baseline Security Requirements – A baseline of technical and operational security requirements designed to protect the 3DS
data environment (3DE)
Part 2: 3DS Security Requirements – Security requirements to protect 3DS data and processes
This standard does not address how an entity would meet the requirements in the EMV® 3-D Secure Note: Whether an entity is
Protocol and Core Functions Specification. Rather, this document defines the security controls needed to required to validate to the PCI
protect environments where specific 3DS functions occur. Entities performing these functions may be 3DS Core Security Standard is
subject to the requirements in this document. To determine whether an entity is required to meet these determined by payment brand
requirements, confirm with the payment brand for which the functions are performed. compliance programs.
The requirements in this standard cover EMV® 3-D Secure implementations. Table 1 provides a high-level overview of the PCI 3DS Core Security
Standard requirements.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 5
Table 1: Overview of PCI 3DS Core Security Standard Requirements
PCI 3DS Part 1: Baseline Security Requirements PCI 3DS Part 2: 3DS Security Requirements
1. Maintain security 1.1 Maintain security policies 1. Validate scope 1.1 Scoping
policies for all 1.2 Evaluate risk
personnel 1.3 Educate personnel
1.4 Screen personnel
2. Secure network 2.1 Protect 3DS systems from 2. Security governance 2.1 Security governance
connectivity untrusted systems and networks 2.2 Manage risk
2.2 Protect 3DS systems from network 2.3 Business as usual (BAU)
threats 2.4 Manage third-party relationships
3. Develop and 3.1 Secure application development 3. Protect 3DS systems 3.1 Protect boundaries
maintain secure 3.2 Configuration standards and applications 3.2 Protect baseline configurations
systems 3.3 Change management 3.3 Protect applications and application
interfaces
3.4 Secure web configurations
3.5 Maintain availability of 3DS operations
4. Vulnerability 4.1 Protect against malicious software 4. Secure logical access 4.1 Secure connections for issuer and
management 4.2 Address vulnerabilities and security to 3DS systems merchant customers
weaknesses 4.2 Secure internal network connections
4.3 Secure remote access
4.4 Restrict wireless exposure
4.5 Secure VPNs
5. Manage access 5.1 Access management 5. Protect 3DS data 5.1 Data lifecycle
5.2 Account management 5.2 Data transmission
5.3 Authentication 5.3 TLS configuration
5.4 Data storage
5.5 Monitoring 3DS transactions
6. Physical security 6.1 Restrict physical access 6. Cryptography and key 6.1 Key management
6.2 Secure media management 6.2 Secure logical access to HSMs
6.3 Secure physical access to HSMs
7. Incident response 7.1 Incident response plan 7. Physically secure 3DS 7.1 Data center security
preparedness 7.2 Audit logs systems 7.2 CCTV
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 6
Terminology
Definitions for PCI terminology used throughout this document are provided in the general PCI Glossary on the PCI SSC website:
https://www.pcisecuritystandards.org/pci_security/glossary.
Additionally, the following terms are used in this PCI 3DS Core Security Standard:
Authentication Value (AV) – As defined in the EMV® 3-D Secure Protocol and Core Functions Specification: A cryptographic value
generated by the ACS to provide a way, during authorization processing, for the authorization system to validate the integrity of the
authentication result. The AV algorithm is defined by each Payment System.
3-D Secure (3DS) – As defined in the EMV® 3-D Secure Protocol and Core Functions Specification: An authentication protocol that
enables the secure processing of payment and non-payment card transactions.
3DE – Acronym for 3DS data environment. The 3DE is a secure area within which ACS, DS, and/or 3DSS functions are performed, as
described in the EMV® 3-D Secure Protocol and Core Functions Specification.
3DS data – Covers a number of discrete data elements as defined in the EMV® 3-D Secure Protocol and Core Functions Specification,
and generally includes any data transmitted within 3DS messages.
3DS entity – Term used to describe entities that perform 3DSS, ACS, and/or DS functions as defined in the EMV® 3-D Secure Protocol
and Core Functions Specification.
3DS messages – A set of messages—for example, PReq, PRes, CReq, CRes, etc.—that are used to convey information between 3DS
components, as described in the EMV® 3-D Secure Protocol and Core Functions Specification.
3DS sensitive data – Specific data elements requiring additional protection as defined in the PCI 3DS Data Matrix. Data in this category
includes 3DS authentication data, public-key data, authentication challenge data (CReq/CRes), and cardholder challenge data.
3DS system – General description for any system component—for example, network device, server, computing device, or application—
that performs or supports a 3DS function or comprises the 3DE infrastructure.
Consumer Device Information (CDI) – Data provided by the Consumer Device that is used in the authentication process. The Consumer
Device—for example, a smartphone, laptop, or tablet—is used by a cardholder to conduct payment activities, including authentication and
purchase.
Cardholder Verification Method (CVM) – A process used to confirm that the person presenting a payment card (or payment token) is the
legitimate cardholder. Examples of static CVM data include online PIN, offline PIN, challenge-response, shared secret/static password,
and biometric. Examples of dynamic CVM data include a one-time passcode (OTP).
Definitions and terminology related to the 3-D Secure Protocol can be found in the EMV® 3-D Secure Protocol and Core Functions Specification
(www.emvco.com).
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 7
Roles and Responsibilities
There are several stakeholders involved in maintaining and managing PCI standards. The following describes the high-level roles and
responsibilities as they relate to the PCI 3DS Core Security Standard.
PCI SSC
PCI SSC maintains various PCI standards, supporting programs, and related documentation. In relation to the PCI 3DS Core Security
Standard, PCI SSC:
Maintains the PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and
3DS Server (this document, hereafter referred to as the PCI 3DS Core Security Standard).
Maintains supporting documentation including reporting templates, attestation forms, frequently asked questions (FAQs), and guidance
to assist entities implementing and assessing to the PCI 3DS Core Security Standard.
Provides training for assessors evaluating 3DS entities in accordance with the requirements and assessment procedures in the PCI 3DS
Core Security Standard.
Maintains the list of qualified assessors on the PCI SSC Website.
Maintains a quality assurance program for qualified assessors.
EMVCo
EMVCo is the global technical body owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa that facilitates the
worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related
testing processes. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international
payments framework, which supports an advancing range of payment methods, technologies, and acceptance environments.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 8
Additionally, the following EMV® 3-D Secure entities are identified for the purpose of this standard:1
1 For further information about 3DS roles and functions, refer to the EMV® 3-D Secure Protocol and Core Functions Specification.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 9
Scope of PCI 3DS Core Security Standard
The PCI 3DS Core Security Standard applies to environments where ACS, DS, and/or 3DSS functions are performed. Typically, this will consist of
the 3DS Environment (3DE), which contains system components involved in performing or facilitating 3DS transactions, as well as system
components supporting the 3DE. The term “system components” includes network devices, servers, computing devices, and applications.
Examples of system components include but are not limited to:
Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or
may impact the security of (for example, name resolution or web redirection servers) the 3DE.
Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and
hypervisors.
Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other
security appliances.
Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and
Domain Name System (DNS).
Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
Any other component or device located within or connected to the 3DE.
3DS Data
3DS transaction processes involve a number of discrete data elements that may be also used for purposes other than performing 3DS
transactions. Requirements in this standard that address “3DS data” apply where such data is part of a 3DS transaction process or is otherwise
present where ACS, DS, and/or 3DSS functions occur—that is, within a 3DE. Data that exist outside of a 3DE and used only for purposes
unrelated to 3DS transactions are not in scope for this standard.
Relationship between PCI 3DS Core Security Standard and PCI DSS
There is an independent relationship between the PCI 3DS Core Security Standard and PCI DSS. A 3DE could be part of a cardholder data
environment (CDE) or be completely separate from any CDE. If a 3DE contains account data, it may be subject to PCI DSS and/or the PCI 3DS
Core Security Standard in accordance with payment brand compliance programs.
Where a 3DS entity has already applied PCI DSS to protect its 3DE as part of its CDE, the 3DS entity may be able to leverage the results of its
PCI DSS assessment to meet the PCI 3DS Part 1: Baseline Security Requirements. Refer to Appendix B, “Alignment between PCI 3DS and PCI
DSS Requirements,” for details.
Whether a 3DS entity is required to validate to PCI DSS, to the PCI 3DS Core Security Standard, or to both is defined by individual payment brand
compliance programs.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 10
Use of Third-Party Service Providers / Outsourcing
3DS entities will often outsource or rely on a third-party service provider for certain functionality of the 3DE. Common examples include hosting of
applications, management of network devices or databases, and maintenance of physical security. Additionally, a 3DS entity may outsource
aspects of the 3DS transaction process—for example, performing risk-based analysis of 3DS transactions—to an external third party. Where a
third-party service can impact 3DS functionality or the security of the 3DE, the applicable PCI 3DS requirements will need to be identified and
implemented for that service.
Critical steps in the process include understanding which 3DS functions and system components can be impacted by the service provider and
identifying which PCI 3DS requirements are the responsibility of the service provider(s) and which are the responsibility of the 3DS entity.
It is expected that a 3DS entity will have processes in place to manage risks associated with third-party providers, including:
Performing due diligence prior to engagement.
Clear definition of security responsibilities.
Periodic verification that agreed-upon responsibilities are being met.
A written agreement to ensure both parties understand and acknowledge their security responsibilities.
While the ultimate responsibility for the security of the 3DE and 3DS Data lies with the 3DS entity, service providers may be required to
demonstrate compliance with the applicable PCI 3DS requirements based on the provided service. The service provider may do so by either:
(a) Undergoing a PCI 3DS assessment and providing evidence to its 3DS entity customers to demonstrate its compliance to applicable PCI
3DS requirements; or
(b) For each of its 3DS entity clients’ assessments, providing the required evidence to demonstrate compliance with the applicable PCI 3DS
requirements.
The evidence provided by service providers should be sufficient to verify that the scope of the service provider’s 3DS assessment covered the
services applicable to the 3DS entity, and that the relevant PCI 3DS requirements were examined and determined to be in place. The specific type
of evidence provided will depend on the how the assessments are managed. For example, if the service provider undergoes its own PCI 3DS
assessment, the service provider’s 3DS Attestation of Compliance (AOC) and/or relevant sections of the service provider’s 3DS Report on
Compliance (redacted to protect any confidential information) could provide some or all of the information. If the service provider does not have a
3DS AOC or Report on Compliance, the evidence provided should encompass the specific requirements being assessed, and be consistent with
the validation methods described for each requirement.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 11
3DS Security Requirements and Assessment Procedures
The security requirements and assessment procedures in this PCI 3DS Core Security Standard are presented in the following format:
Requirements – The specific security control or objective that a 3DS entity is required to meet.
Validation Methods – The assessment activities to be performed to determine whether a requirement has been met.
Implementation Guidance* – Additional information to help entities and assessors understand how a requirement could be met. The
guidance may include examples of controls or methods that— when properly implemented—could meet the intent of a requirement, as
well as best practices that should be considered. This guidance is not intended to preclude other methods that an entity may use to meet
a requirement, nor does it replace or extend the requirement to which it refers.
* The examples and practices in the Implementation Guidance column are not requirements.
Where a PCI 3DS requirement does not define a minimum frequency for periodic or recurring activities (for example, audit log reviews), the 3DS
entity may define the frequency as appropriate for its business. The frequency defined by the 3DS entity must be supported by the 3DS entity’s
security policy and risk-management strategy. The 3DS entity should also be able to demonstrate that the frequency it has defined is appropriate
for the activity to be effective and meets the intent of the requirement.
Validating Requirements
The validation methods identified for each requirement describe the expected activities to be performed by the assessor to validate whether the
entity has met the requirement. The intent behind each validation method is described as follows:
Examine: The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots,
configuration files, audit logs, and data files.
Observe: The assessor watches an action or views something in the environment. Examples of observation subjects include personnel
performing a task or process, system components performing a function or responding to input, system configurations/settings,
environmental conditions, and physical controls.
Interview: The assessor converses with individual personnel. Interview objectives may include confirmation of whether an activity is
performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 12
The validation methods are intended to allow the 3DS entity to demonstrate how they have met a requirement. They also provide the 3DS entity
and the assessor with a common understanding of the assessment activities to be performed. The specific items to be examined or observed and
personnel to be interviewed should be appropriate for both the requirement being assessed and each entity’s particular implementation.
When documenting the assessment results, the assessor identifies the validation activities performed and the result of each activity. While it is
expected that an assessor will perform all the validation methods identified for each requirement, it is also possible for an implementation to be
validated using different or additional methods. In such cases, the assessor should document why they used validation methods that differed from
those identified in this document.
The PCI 3DS Reporting Template and Attestation documents (available on the PCI SSC Website) should always be used to document the results
of a PCI 3DS security assessment.
Compensating Controls
Compensating controls may be considered when, due to legitimate technical or documented business constraints, an entity cannot meet a PCI
3DS requirement as stated but has sufficiently mitigated the risk associated with the requirement through implementation of alternative, or
compensating, controls. Refer to Appendix A for details and requirements on the use of compensating controls.
1. The 3DS entity completes EMVCo functional testing for ACS, DS, and/or 3DSS and receives a Letter of Approval from EMVCo.
2. Confirm the scope of the PCI 3DS assessment.
3. Perform the PCI 3DS assessment, following the requirements and assessment procedures in this PCI 3DS Core Security Standard.
4. Complete the 3DS assessment report and attestation in accordance with applicable templates, guidance, and instructions.
5. Submit the assessment report and attestation, along with any other requested documentation, to the applicable payment brand(s).
6. If required, perform remediation to address requirements that are not in place, and provides an updated report.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 13
Part 1: 3DS Baseline Security Requirements
Requirement P1-1. Maintain security policies for all personnel
Overview Requirements
P1-1 Security policies define rules and requirements for all personnel to 1.1 Maintain security policies
protect the security and integrity of the entity’s resources and protect 1.2 Evaluate risk
against identified risks.
1.3 Educate personnel
1.4 Screen personnel
P1 1.1.5 Personnel acknowledge that they Examine evidence of All security policies and policy updates should be approved by
have read and understood the acknowledgments. management to ensure they are aligned with the entity’s security strategy
security policy, including updates and business objectives. Any exception to the policies should require
Interview personnel.
to the policy. management sign-off to ensure the appropriate due diligence is done and
approval obtained.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 14
Requirements Validation Methods Implementation Guidance
P1-1.2 Evaluate Risk
P1 1.2.1 A risk-assessment process is Examine documented policies Risks to 3DS environments should be assessed at least annually and upon
documented. and procedures. significant changes. The risk assessment should identify assets, threats,
Interview personnel. likelihood, and potential impacts. Risk considerations should include
P1 1.2.2 The documented risk-assessment
responsible for risk- internal and external attacks—e.g., for cybercrime, fraud, or theft—internal
process is performed at least
assessment process. control failures, and malware. Risks should be prioritized and resources
annually and upon significant
allocated to implement controls that reduce the likelihood and/or the
changes.
potential impact of the threat being realized. Considerations should include
regulatory obligations and changes in technology—e.g., deprecation of
encryption algorithms.
Examples of risk-assessment methodologies include but are not limited to
OCTAVE, ISO 27005 and NIST SP 800-30.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 15
Requirements Validation Methods Implementation Guidance
P1-1.4 Screen personnel
P1 1.4.1 Personnel are screened Examine documented policies The intent of screening personnel is to reduce the risk of fraud and
(background checks) prior to being and procedures. unscrupulous behavior from an internal resource. Role descriptions should
granted access to the 3DE. Interview personnel. describe the level of security or access required for the role, and the level
of screening should be appropriate for the particular position. Positions
P1 1.4.2 The screening process includes Examine results of screening requiring greater responsibility or that have administrative access to critical
established criteria and a decision process. data or systems may warrant more detailed background checks than
process for background check
positions with less responsibility and access. The policy should also cover
results.
internal transfers where personnel in lower-risk positions, and who have not
already undergone a detailed background check, are promoted or
transferred to positions of greater responsibility or access. The specific
roles to be screened will depend on the entity’s personnel and security
policies. For example, an entity may have a policy that requires detailed
screening for all personnel or defines different levels of screening for
different job functions.
Examples of criteria that may be appropriate include employment history,
criminal records, credit history, and reference checks.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 16
Requirement P1-2. Secure network connectivity
Overview Requirements
P1-2 Network connectivity controls provide secure pathways to 2.1 Protect 3DS systems from untrusted systems and
the entity’s systems while protecting those systems from networks
unauthorized access and network-based threats. 2.2 Protect 3DS systems from network threats
P1 2.1.2 Up-to-date network and data flow Examine network and data Network and data flow information—for example, diagrams or network
information is maintained for all flow information. mapping tools—accurately document how the entity’s 3DS networks are
3DS communication paths. Observe methods used to configured, the identity and location of all 3DS systems, how 3DS systems
maintain up-to-date network are connected to each other and to other systems, and all communication
and data flow information. paths with trusted and untrusted networks.
P1 2.1.3 Access between trusted and Examine documentation Documentation illustrating authorized communications, both internal and
untrusted networks, systems, and describing controls. external—including source and destination systems, interface connections,
applications is limited via physical Observe physical and/or security controls for those connections, and the type of data being sent—
and/or logical controls. logical controls. will assist in meeting these requirements.
Protection mechanisms may include technologies such as network
P1 2.1.4 Traffic to/from 3DS systems is Examine documentation
gateways, routers, firewalls, encryption, API controls, and virtualization
restricted to only that which is identifying necessary traffic.
techniques. Controls may be a combination of software and hardware—for
necessary, with all other traffic Observe configurations of example, use of packet-filtering capability based on header information,
specifically denied. ingress and egress controls. advanced filtering/inspection tools, and implementation of dedicated
physical network devices or channels to separate network segments.
Many security devices and software provide rule sets and settings that can
validate the existence and methodologies used to secure network
connectivity.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 17
Requirements Validation Methods Implementation Guidance
P1 2.1.5 Network connectivity controls are Examine documented Reviewing device configurations allows the entity to identify and remove
monitored and/or periodically methods for monitoring and/or any unneeded, outdated, or incorrect rules and confirm that only authorized
reviewed to confirm periodically reviewing network connections, ports, protocols, services, and APIs are allowed as defined in
configurations are effective. connectivity controls. the documented business justifications. All other services, protocols, and
Observe implemented ports should remain disabled or be removed through periodic reviews.
methods and processes. Review processes may include real-time monitoring and analysis, periodic
maintenance cycles to ensure the controls are accurate and working as
intended, and periodic reviews of network traffic connectivity across ports,
protocols, and services. For guidance on services, protocols, or ports
considered to be insecure, refer to industry standards and guidance—e.g.,
NIST, ENISA, OWASP, etc.
P1 2.2.2 Suspicious traffic is blocked or Examine documented If suspicious traffic is not automatically blocked, an alert should be
generates an alert that is procedures. generated that is actively monitored and immediately investigated.
investigated and responded to. Observe implemented Where suspicious traffic is automatically blocked, a record of the traffic
controls and processes. should also be generated and investigated to determine whether action is
needed to prevent further attack.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 18
Requirement P1-3. Develop and maintain secure systems
Overview Requirements
P1-3 Security risks and events can occur at any time during the 3.1 Secure application development
lifetime of a system or application. Integrating secure 3.2 Configuration standards
processes throughout the lifecycle provides assurance that
system integrity is maintained at all times. 3.3 Change management
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 19
Requirements Validation Methods Implementation Guidance
P1 3.1.5 The software security testing Examine documented Correcting identified software defects before the software is deployed
process identifies defects and software security testing prevents it from exposing the environments to potential exploit. Requiring a
security vulnerabilities. procedures. formal review and sign-off by management should verify that the software
Examine results of software is approved and has been developed in accordance with policies and
P1 3.1.6 Identified software defects and
security testing. procedures.
security vulnerabilities are
addressed prior to release. Interview personnel.
P1 3.1.7 Results of software security testing
are signed off by management
prior to software release.
P1 3.2.2 An up-to-date inventory of all 3DS Examine system inventory. Maintaining a current inventory of all system components enables an
system components is maintained. Interview personnel. organization to accurately and efficiently apply security controls to protect
the assets. The inventory should be periodically confirmed by either
manual or automated process—for example by correlation with the results
of vulnerability scans or penetration testing—to confirm it is up to date.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 20
Requirements Validation Methods Implementation Guidance
P1 3.2.3 Configuration standards are Examine system configuration System configuration standards must be kept up to date to ensure that
defined and implemented for all standards and build newly identified weaknesses are corrected prior to a system being
3DS system types. procedures for all system deployed in the environment.
component types.
P1 3.2.4 Configuration standards address System configuration standards and related processes should specifically
all known security vulnerabilities Examine system address security settings and parameters that have known security
and are based on industry- configurations. implications for each type of system in use. Examples of industry-accepted
accepted system hardening Interview personnel. configuration standards include, but are not limited to: Center for Internet
standards. Security (CIS), International Organization for Standardization (ISO),
SysAdmin Audit Network Security (SANS) Institute, and National Institute
P1 3.2.5 Configuration standards and build Examine system configuration of Standards Technology (NIST).
procedures include: standards and build
procedures for all system The implemented controls should provide assurance that all 3DS systems
Changing all vendor-supplied
component types. have known secure configurations.
default accounts and system
settings. Examine system
Removing or disabling all configurations.
unnecessary system or Interview personnel.
application functionality.
Preventing functions that
require different security levels
from co-existing on the same
system component.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 21
Requirements Validation Methods Implementation Guidance
P1 3.3.5 Unauthorized changes to system Examine documentation of The implemented process should be able to either prevent or detect and
or application configurations are controls and/or processes. address the unauthorized addition, removal, or modification of system
prevented and/or detected and Observe implemented critical files such as configuration file contents, operating system programs,
addressed. controls. and application executables. If the implemented solution relies on
detection, processes should be in place to ensure that unauthorized
Interview personnel. changes are detected and addressed as soon as possible. Where
unauthorized change attempts are automatically blocked, a record of the
attempted change should also be generated and investigated to determine
whether action is needed to prevent further attempts.
The controls could include change-detection solutions, such as file-integrity
monitoring, or a frequent re-load of a trusted build to restore the system
component to a known secure state.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 22
Requirement P1-4. Vulnerability management
Overview Requirements
P1-4 New vulnerabilities are continually being discovered and can enter 4.1 Protect against malicious software
the network from both internal and external sources. An ongoing 4.2 Address vulnerabilities and security weaknesses
cycle of testing and remediation helps ensure that security controls
continue to be effective in a changing environment.
P1 4.2.2 Vulnerability scans, both internal Examine vulnerability Vulnerability scans and all required remediation should be completed as
and external, are performed at scanning reports frequently as needed to ensure vulnerabilities are addressed in a timely
least quarterly to identify and Interview personnel. manner. Rescans should be performed to verify vulnerabilities have been
address vulnerabilities. addressed. In addition to a regular scanning process, vulnerability scans
should also be performed after any significant change to the environment.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 23
Requirements Validation Methods Implementation Guidance
P1 4.2.3 Vulnerability scans are performed Examine vulnerability Internal vulnerability scans can be performed by qualified, internal staff or
by qualified personnel: scanning reports. outsourced to a qualified third party. For scans managed by the entity, the
External scans are performed Interview personnel. entity should ensure that scanning engines and vulnerability fingerprints are
by a PCI SSC Approved up to date and the scanning engine configured in accordance with vendor
Scanning Vendor (ASV). guidance documentation.
Internal scans are performed Internal personnel should have sufficient knowledge to review and
by qualified personnel. understand the scan results, and determine appropriate remediation.
Internal personnel who interact with the ASV should also be knowledgeable
in the network architecture and implemented security controls in order to
provide the ASV with information needed to complete the scan.
P1 4.2.4 Identified vulnerabilities are ranked Examine documented Vulnerabilities should be ranked and prioritized in accordance with an
to determine the criticality of the procedures for ranking industry-accepted methodology or organizational risk-management
vulnerability. vulnerabilities. strategy.
Interview personnel.
P1 4.2.5 Penetration tests are performed at Examine penetration test Penetration tests should be performed at regular intervals and after
least annually. reports. significant changes to the environment. The penetration-testing
Interview personnel. methodology should be based on industry-accepted approaches and
incorporate both application-layer and network-layer testing. The scope of
testing should cover the 3DE perimeter and critical systems, and include
testing from both inside and outside the network. Testing should also be
performed to verify all segmentation controls are operational and effective,
and that out-of-scope systems and networks do not have access to the
3DE. The specific methodology, depth, and frequency of the testing should
be based on the entity’s risk-assessment strategy, and be updated as
needed to consider new threats and vulnerabilities.
P1 4.2.6 Penetration tests are performed by Examine penetration test Tests should only be performed by qualified personnel who can
qualified personnel. reports. demonstrate knowledge and experience, and are organizationally
Interview personnel. independent of the environment being tested.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 24
Requirements Validation Methods Implementation Guidance
P1 4.2.7 Vulnerabilities and penetration Examine results of penetration Security patches and fixes should be implemented based on risk ranking.
testing findings considered as high tests and vulnerability Where high-risk vulnerabilities cannot be addressed within one month, a
risk are addressed within one scanning reports. formal exception process should be followed, including approval by
month. All other vulnerabilities and Examine evidence of personnel with appropriate responsibility and accountability. (See
identified security issues are remediation to address Requirements P2-2.1.2 and P2-2.1.3.)
addressed in a timely manner. vulnerabilities and security Once remediation activities have been performed—for example,
issues. implementing a patch or updating a configuration file to address a
vulnerability or security flaw—rescans and penetration tests should be
Interview personnel.
performed as necessary to verify the remediation is effective and the
identified vulnerability or security issue has been mitigated.
A record of remediation activities should be maintained—for example, via
change-control records, configuration file updates, and audit logs. All
updates and patches should be managed in accordance with change-
control processes. Where applicable, changes to system configurations
should be reflected in the configuration build standards.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 25
Requirement P1-5. Manage access
Overview Requirements
P1-5 Strong access controls protect systems and data from 5.1 Access management
unauthorized access and can limit the likelihood of a 5.2 Account management
compromised system being used to gain access to other systems
and networks. 5.3 Authentication
P1 5.1.2 Roles and responsibilities are Examine defined roles and Determining who has access to what, for how long, and what level of
defined for groups and accounts responsibilities. access they have should be based on established roles and
with access to 3DS systems. Interview personnel. responsibilities. This includes the processes used to maintain, monitor, and
approve administrative and user access to 3DS systems and data.
P1 5.1.3 Least privileges are assigned Observe assigned access Access to 3DS systems and data should be restricted based on business
based on individual job function privileges. need, while also accounting for the sensitivity of the data being transmitted
and periodically reviewed. Examine evidence that access between the 3DS systems. Access privileges should be reviewed by
privileges are periodically responsible personnel as defined by the 3DS entity. The frequency of
reviewed. reviews should be defined in accordance with the entity’s defined policies
and be appropriate for the level of privilege assigned.
Interview personnel.
P1 5.2.2 Individuals are assigned a unique Examine documented Assigned unique IDs should allow the organization to maintain individual
account ID. procedures. responsibility for actions and an effective audit trail per employee.
Observe account settings.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 26
Requirements Validation Methods Implementation Guidance
P1 5.2.3 Controls are implemented to Examine documented Implemented controls should protect the confidentiality and integrity of
protect the confidentiality and procedures. accounts for both local and remote users. The controls should include
integrity of accounts and Observe implemented ensuring that account and credential information is securely transmitted
credentials. controls. and stored—for example, using strong cryptography—at all times.
P1 5.2.4 Controls are implemented to Examine documented Processes for prevent misuse of accounts should include, at a minimum,
prevent misuse of accounts. procedures. the use of account lockouts, lockout durations, session timeouts, and
Observe implemented reactivation processes. Inactive user accounts should be removed or
controls. disabled within a timely manner. All processes should align with the entity’s
security policies and procedures.
P1 5.2.5 Access for third parties is Examine documented Configuration and connection requirements should be defined and
identified, controlled, and procedures. implemented for all access by third-party personnel—for example, ensuring
monitored. Observe implemented accounts are enabled only during the time needed and disabled when not
controls. in use, and monitoring account activity when in use.
P1-5.3 Authentication
P1 5.3.1 All access to 3DS systems Examine documented Authentication may be consist of one or more of:
requires strong authentication procedures. Something you know, such as a password or passphrase
prior to access being granted. Observe implemented Something you have, such as a token device or smart card
controls.
Something you are, such as a biometric
Where passwords are used, documented requirements should include
considerations for entropy (strength/complexity), password history and
reuse, reset processes, and other best practices for secure password use.
Passwords should meet a minimum level of strength, as defined by the
entity’s security policy, that provides reasonable assurance they are not
guessable and would withstand a brute-force attack.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 27
Requirement P1-6. Physical Security
Overview Requirements
P1-6 Individuals with physical access to systems or media could potentially bypass 6.1 Restrict physical access
logical access controls and gain access to sensitive data. Strong physical 6.2 Secure media
access controls also protect against the unauthorized addition, modification,
removal, or damage of systems and data.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 28
Requirements Validation Methods Implementation Guidance
P1-6.2 Secure media
P1 6.2.1 Strict control is maintained over the Observe implemented Controls and processes should cover secure storage, transport, and
storage and accessibility of media. controls. disposal of all storage media used in the 3DE. Procedures and technical
Interview personnel. controls should provide assurance that media cannot be removed, stolen,
or copied by unauthorized persons. The specific controls and level of rigor
required to protect media should be appropriate for the sensitivity of the
data stored on the media.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 29
Requirement P1-7. Incident response preparedness
Overview Requirements
P1-6 An effective incident response plan allows an entity to respond to 7.1 Incident response plan
potential security issues quickly and effectively, and minimize the 7.2 Audit logs
potential impact of a security incident or breach.
P1 7.1.2 An incident response plan is in Examine documented incident The incident response plan should be comprehensive and include
place that includes: response plans and coverage of all 3DS systems.
Roles and responsibilities procedures.
Communication and contact strategies should include notification of the
Communication and contact Interview personnel. payment brands, at a minimum.
strategies
Incident response personnel/teams should be trained and knowledgeable
Specific incident response in incident response procedures, and be available to respond immediately
procedures to an incident.
Business recovery and
continuity procedures
Data back-up processes
Analysis of legal requirements
for reporting compromises
Coverage and responses of all
critical system components
Consideration of payment
brands’ response requirements
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 30
Requirements Validation Methods Implementation Guidance
P1 7.1.3 The plan is reviewed and tested at Examine documented The incident response plan should be periodically reviewed, tested, and
least annually. procedures. updated to incorporate lessons learned. Relevant staff should be included
Examine evidence of reviews in the testing and be briefed on the post-test review. Testing should include
and testing. validation that system, audit, and monitoring logs are available and contain
all needed data.
Interview personnel.
P1 7.2.2 Audit logs are implemented to: Examine system Recording all personnel access, both physical and logical, to 3DS systems
Link all access to 3DS systems configurations. should help the entity identify any misuse of accounts, and ensure that
to an individual user. Observe access attempts. each individual is accountable for their actions.
Record security events. Examine audit log files. The determination of “security event” will vary for each organization and
may include consideration for the type of technology, location, and function
of the system. Logging of security events should include notifications or
alerts related to suspicious or anomalous activities—for example, as
defined in Requirements P1-2.2.2 and P1-3.3.5. The level of detail logged
should be sufficient to identify who, what, where, when, and how an event
occurred in the 3DS environment. This requirement does not encompass
3DS transaction logs.
P1 7.2.3 Time synchronization is Examine system Designated central time server(s) should be defined to receive time signals
implemented on 3DS systems to configurations. from trusted external sources, based on International Atomic Time or UTC.
ensure system clocks are Central time server(s) should peer with one another to keep accurate time.
synchronized and have the correct Systems receive time only from designated central time server(s).
and consistent time.
Time-synchronization technology should be kept current and time data
protected from unauthorized modification.
P1 7.2.4 Logs and security events are Examine evidence of reviews Real-time monitoring and/or periodic reviews should be in place for all
monitored and/or periodically of logs and security events. security events, critical system logs, and security system logs—for
reviewed for all 3DS systems to Interview personnel. example, firewalls, IDS/IPS, authentication servers, e-commerce
identify anomalies or suspicious redirection servers, etc. The frequency of reviews should be aligned with
activity. the associated risk.
The use of log harvesting, parsing, and alerting tools can help facilitate the
process by identifying log events that need to be reviewed.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 31
Requirements Validation Methods Implementation Guidance
P1 7.2.5 Audit logs are secured so they Examine Only individuals who have a job-related need should be able to view audit
cannot be altered. controls/configurations. log files. Audit logs should be promptly backed up to a centralized log
Observe attempts to modify server or media that is difficult to alter. Physical and logical access controls
audit logs should be in place to prevent unauthorized modifications to audit logs. File-
integrity monitoring or change-detection software can be implemented to
ensure that any changes to saved log data generates an alert.
P1 7.2.6 Audit and monitoring logs are Examine audit log files. Log-retention policies should include storage and retrieval procedures. If
retained for least one year, with a Interview personnel. stored in off-line locations, procedures should include assurance that log
minimum of three months data can be retrieved in a timely manner. The logs to be retained include at
immediately available for analysis. least those defined in Requirement P1-7.2.2.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 32
Part 2: 3DS Security Requirements
Requirement P2-1. Validate scope
Overview Requirements
P2-1 Scoping involves the identification of the facilities, people, processes, 1.1 Scoping
and technologies that interact with or could impact the security of 3DS
data or systems. Once scope is properly identified, the appropriate
security controls can be applied.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 33
Requirement P2-2. Security governance
Overview Requirements
P2-2 A security governance program provides oversight and assurance that 2.1 Security governance
an entity’s information security strategies are aligned with its business 2.2 Manage risk
objectives and adequately address risks to the entity’s data and
systems. 2.3 Business as usual (BAU)
2.4 Manage third-party relationships
P2 2.1.2 Responsibilities and accountability Examine documentation. The assignment of specific roles and responsibilities should include
for meeting security objectives are Interview personnel. monitoring and measurement of performance to ensure security objectives
formally assigned, including are met. Roles and responsibilities may be assigned to a single owner or
responsibilities for the security of multiple owners for different aspects.
3DS processes. Ownership should be assigned to individuals with the authority to make
P2 2.1.3 Responsibility for identifying and Examine documentation. risk-based decisions and upon whom accountability rests for the specific
addressing evolving risks is function. Duties should be formally defined, and owners should be able to
Interview personnel. demonstrate an understanding of their responsibilities and accountability.
assigned.
P2 2.2.2 The risk-management strategy is Examine documentation. The risk-management strategy should be approved by personnel with
approved by authorized personnel Interview personnel. appropriate responsibly and accountability. (See Requirements P2-2.1.2
and updated as needed to address and P2-2.1.3.)
changing risk environment.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 34
Requirements Validation Methods Implementation Guidance
P2-2.3 Business as usual (BAU)
P2 2.3.1 Review and/or monitoring is Examine evidence of reviews Periodic reviews and/or ongoing monitoring of personnel and activities
performed periodically to confirm and/or ongoing monitoring. should ensure security is included as part of normal business operations
personnel are following security Interview personnel. on an ongoing basis. Reviews should be performed by responsible
policies and procedures. personnel as defined by the entity. The frequency of reviews should be
defined in accordance with the entity’s risk assessments and be
appropriate for the particular job function.
P2 2.3.2 Processes to detect and respond Examine documented The entity should be able to detect any failures in security controls and
to security control failures are processes. respond to them in a timely manner. Processes for responding to security
defined and implemented. Observe implemented control failures should include:
processes. Restoring the security control
Interview personnel. Identifying the cause of failure
Identifying and addressing any security issues that arose during the
failure of the security control
Implementing mitigation (such as process or technical controls) to
prevent the cause of the failure recurring
Resuming monitoring of the security control
P2 2.4.2 Due diligence is performed prior to Examine documented Due-diligence processes should include thorough vetting and a risk
any engagement with a third party. procedures. analysis prior to establishing a formal relationship with the third party.
Examine results of due Specific due-diligence processes and goals will vary for each entity and
diligence efforts should provide sufficient assurance that the third party can meet the
entity’s security and operational needs.
Interview personnel.
P2 2.4.3 Security responsibilities are clearly Examine documentation The specific approach for defining security responsibilities will depend on
defined for each third-party Interview personnel. the type of service as well as the particular agreement between the entity
engagement. and third party. The entity should have a clear understanding of the
security responsibilities to be met by the third party and those to be met by
the entity.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 35
Requirements Validation Methods Implementation Guidance
P2 2.4.4 The 3DS entity periodically verifies Examine results of periodic The specific type of evidence provided by the third party will depend on the
that the agreed-upon verification. agreement in place between the two parties. The evidence should provide
responsibilities are being met. Interview personnel. assurance that the agreed-upon responsibilities are being met on a
continual basis. The frequency of verification should be aligned with the
entity’s risk analysis of the service being provided.
P2 2.4.5 Written agreements are Examine documentation. Agreements should promote a consistent level of understanding between
maintained. Interview personnel. parties about their applicable responsibilities, and be acknowledged by
each party. The acknowledgement evidences each party’s commitment to
maintaining proper security in regard to the 3DS services.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 36
Requirement P2-3 Protect 3DS systems and applications
Overview Requirements
P2-3 To maintain the security of 3DS environments, controls need 3.1 Protect boundaries
to be designed and implemented to protect the confidentiality, 3.2 Protect baseline configurations
integrity, and availability of 3DS technologies, processes, and
data. 3.3 Protect applications and application interfaces
3.4 Secure web configurations
3.5 Maintain availability of 3DS operations
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 37
Requirements Validation Methods Implementation Guidance
P2-3.3 Protect applications and application interfaces
P2 3.3.1 Applications and programs are Examine log files. Ensuring the integrity of applications and programs in production requires
protected from unauthorized Observe implemented more than an effective change-control process. A combination of strict
changes once in a production controls. access controls, monitoring, and programmatic controls should be
state. considered. Examples of additional mechanisms include software
authentication codes, digitally signed modules, or execution within an SCD.
The use of a protection technique is only effective if the system confirms
the results (for example, is the digital signature valid?) and acts on the
results.
P2 3.3.2 The mechanisms to protect Observe implemented Protection mechanisms should be kept up to date and monitored to ensure
applications and programs from controls for monitoring and they are working as intended and continue to be effective. Cryptographic
unauthorized changes are maintaining protection techniques used for API code protection may require updating as
monitored and maintained to mechanisms computation capabilities and cryptanalysis improvements evolve.
confirm effectiveness. Interview personnel.
P2 3.3.3 All APIs that interface with the Examine network and data- All exposed APIs need to be periodically reviewed and tested to ensure
3DS environment are identified, flow diagrams that they are functioning as intended. Use of industry best practices and
defined, and tested to verify they Observe implemented guidance is recommended—for example, the OWASP REST
perform as expected. controls. (REpresentational State Transfer) Security Cheat Sheet provides best
practices for REST-based services.
P2 3.3.4 Controls are implemented to Examine results of testing
protect APIs exposed to untrusted
Interview personnel.
networks.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 38
Requirements Validation Methods Implementation Guidance
P2 3.4.3 Applications (or the underlying Examine documented (See previous page)
systems) are configured to reject controls.
content provided by external Observe implemented
sources by default. Exceptions are controls.
explicitly authorized.
Interview personnel.
P2 3.4.4 Applications are configured to Examine documented Similarly, content provided by the 3DS provider should be prevented (to the
prevent content from being controls. extent possible) from being embedded in the sites of untrusted third
embedded into untrusted third- Observe implemented parties. Otherwise, those parties might use the content of the 3DS entity to
party sites/applications. controls. impersonate the 3DS entity in an attempt to hijack 3DS transactions and/or
Exceptions are explicitly commit fraud.
authorized. Interview personnel.
P2 3.4.5 Security features native to the Examine documented Native security functions are available in most modern development
development framework and/or controls. platforms and frameworks, and are effective at protecting against common
application platform are enabled, Observe implemented client-side attacks without requiring additional security functionality to be
where feasible, to protect against controls. written into the application code. Methods to restrict such content and
common client-side attacks (such functionality include the use of Content Security Policy (CSP) directives
as XSS, Injection, etc.). Interview personnel. and HTTP Strict Transport Security (HSTS). Other security features native
to the development framework that should be considered include
automated compile-time security checks that are performed as part of the
application build process.
Where native security controls such as those described above are not
used, 3DS entities should document the controls that have been
implemented to protect applications and systems from common client-side
attacks (such as XSS, XSRF, Injection attacks, etc.) and provide
justification for why native features were not used.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 39
Requirements Validation Methods Implementation Guidance
P2-3.5 Maintain availability of 3DS operations
P2 3.5.1 Availability mechanisms are Examine documented 3DS components should be architected with high availability as a key
implemented to protect against controls. factor in the software, system, and infrastructure design to maintain the
loss of processing capability within Observe implemented integrity of the 3DS ecosystem. Security policies should reflect availability
the 3DS infrastructure. controls. requirements of 3DS components and security resources in support of 3DS
platform and clusters—for example, review of catastrophic testing results,
failover results, and change-control processes. The controls should ensure
security resources are working correctly and according to policy within the
respective testing processes.
The plan for availability should allow the entity to withstand denial-of-
service (DoS) attacks that could force fallback to less secure verification
methods or provide cover for other attacks against a system or the
infrastructure. The implemented controls should demonstrably reduce this
risk through, for example, a combination of fault-tolerance and rapid
response/recovery capabilities as well as the use of application isolation,
data and system restraints, and load balancing. Documentation and
domain architectures should be reviewed for denial-of-service utilities and
network load-balancing capabilities. Testing of back-up process and data
should be performed.
P2 3.5.2 The availability mechanisms Observe implemented The mechanisms intended to maintain availability of the 3DS infrastructure
implemented are monitored and controls for monitoring and should be maintained and monitored to ensure they are working as
maintained to confirm maintaining the availability intended and continue to be effective. Continuous monitoring of processing
effectiveness. mechanisms. availability and rapid reporting of outages aid in timely response to
Interview personnel. potential failures.
Availability mechanisms and technologies evolve and may require periodic
refresh. Additionally, the sophistication of attacks that may adversely
impact availability or that may exploit a degraded system continues to
evolve.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 40
Requirement P2-4. Secure logical access to 3DS systems
Overview Requirements
P2-4 In addition to ensuring strong access controls and account 4.1 Secure connections for issuer and merchant customers
management for the 3DS environment, certain types of 4.2 Secure internal network connections
access present a higher risk and require more stringent
controls to prevent them from being misused or compromised. 4.3 Secure remote access
4.4 Restrict wireless exposure
4.5 Secure VPNs
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 41
Requirements Validation Methods Implementation Guidance
P2-4.2 Secure internal network connections
P2 4.2.1 Multi-factor authentication is Examine documented Multi-factor authentication (MFA) requires the completion of at least two
required for all personnel with non- procedures. different authentication methods—that is, something you know, something
console access to ACS, DS, and Observe implemented you have, and something you are—prior to access being granted. The
3DSS. controls. authentication mechanisms used should be implemented to ensure their
independence such that access to one factor does not grant access to any
other factor, and the compromise of any one factor does not affect the
integrity or confidentiality of any other factor. Additionally, no prior
knowledge of the success or failure of any factor should be provided to the
individual until all factors have been presented. Refer to industry standards
and best practices for further guidance on MFA principles.
MFA can be applied at the network level, system level, or application level.
For example, MFA could be applied when connecting to the 3DE secure
network or network segment, or when connecting to an individual 3DS
system component.
MFA is required for all personnel connections to the ACS, DS, and 3DSS
that occur over a network interface. Examples of access include for
purposes of maintenance, configuration, updating, administration, or
general management of the 3DS component. MFA is not required for
application or system accounts performing automated functions.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 42
Requirements Validation Methods Implementation Guidance
P2 4.3.2 Remote access to the 3DE is Examine policies and Remote access processes should be fully documented to ensure access is
controlled and documented, procedures. only granted to users or systems that have been previously approved for
including: Observe remote access such access. Disconnection of remote access sessions after a period of
System components for which controls. inactivity should be considered. Policies and operational procedures should
remote access is permitted be kept up to date so personnel understand the proper processes and to
Interview personnel. prevent unauthorized access to the network.
The location(s) from which
remote access is permitted
The conditions under which
remote access is acceptable
Individuals with remote access
permission
The access privileges
applicable to each authorized
use
P2 4.3.3 Where remote access using Examine policies and Remote access using a personally owned device should only be permitted
personally owned devices is procedures. under a strictly defined process that includes management approval and
permitted, strict requirements for Observe remote access verification that the device could not impact the security of 3DS systems.
their use are defined and controls. Devices should be verified as meeting at least the same rigor of security as
implemented to include:
Interview personnel. defined in the entity’s security policies. Devices should be maintained and
Device security controls are monitored via a centralized, secure device-management solution. Approval
implemented and maintained for the use of a personal device should be explicitly provided on a case-by-
as equivalent to corporate- case basis, by an appropriate person who has assigned responsibilities for
owned devices. security. (See Requirement P2-2.1.2.)
Each device is explicitly
approved by management.
P2 4.3.4 Remote access privileges are Examine documented Remote access privileges should be regularly reviewed, at least quarterly,
monitored and/or reviewed at least processes. by an authorized individual. Documentation of reviews should be retained.
quarterly by an authorized Examine evidence of Results of these reviews should include identification and removal of any
individual to confirm access is still monitoring and/or reviews. unneeded or incorrect access, and should ensure that only individuals with
required. a current business need are granted remote access.
Interview personnel.
Automated processes may be used to assist in reviewing access
privileges—for example, to generate notifications when an account has not
been used for a period of time. Organizational processes to actively review
and change access when an individual changes job function can also
assist.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 43
Requirements Validation Methods Implementation Guidance
P2-4.4 Restrict Wireless Exposure
P2 4.4.1 3DS components (ACS, DS, Examine network diagrams. To prevent 3DS components from being exposed to wireless networks,
3DSS) do not use or connect to Observe implemented wireless-enabled devices should not be present within the 3DE.
any wireless network. controls. Additionally, ACS, DS, and 3DSS system components should not use or be
connected to any wireless-enabled components.
Interview personnel.
Any wireless networks and devices used or supported by the 3DS entity—
for example, for remote users—should be properly secured and configured
in accordance with industry standards.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 44
Requirement P2-5. Protect 3DS data
Overview Requirements
P2-5 Minimizing the distribution and amount of data to only that which is 5.1 Data lifecycle
necessary helps to reduce the risk of data exposure. The use of data- 5.2 Data transmission
specific controls provides a critical layer of protection when data is
exposed to public or untrusted environments, and can also protect data 5.3 TLS configuration
in trusted environments in the event other security controls are 5.4 Data storage
circumvented. 5.5 Monitoring 3DS transactions
P2 5.1.2 3DS data is retained only as Examine data retention Data-retention schedules should be defined to identify what data needs to
necessary and securely deleted schedule and data disposal be retained, for how long, where that data resides, and procedures for its
when no longer needed. process secure destruction as soon as it is no longer needed.
Interview personnel.
Observe data storage.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 45
Requirements Validation Methods Implementation Guidance
P2-5.2 Data transmission
P2 5.2.1 Strong cryptography and security Examine documentation Controls should be applied at all interfaces and locations where 3DS
protocols are used to safeguard describing methods for sensitive data (as defined in the PCI 3DS Data Matrix) is transmitted or
3DS sensitive data during encrypting data. received. This includes all transmissions over open or public networks,
transmission. Examine configuration internal networks, and transmissions within and between 3DS system
standards. domains. 3DS sensitive data should be protected to a level that is at least
P2 5.2.2 Fallback to insecure cryptographic
equivalent to that identified in Annex D of the current version of EMV® 3DS
protocols and configurations is not Observe implemented Protocol and Core Functions Specification.
permitted. controls.
Secure transmission of 3DS data requires use of trusted keys/certificates,
a secure protocol for transport, and strong cryptography to encrypt the 3DS
data. Connection requests from systems that do not support the required
encryption strength, and that would result in an insecure connection,
should not be accepted.
P2 5.3.3 TLS configurations do not support Examine configuration TLS configurations may not support rollback to unapproved algorithms, key
rollback to unapproved algorithms, standards and TLS sizes, or implementations.
key sizes, or implementations. configurations.
Observe TLS communications.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 46
Requirements Validation Methods Implementation Guidance
P2 5.3.4 Controls are in place to monitor Observe implemented controls A combination of tools and processes should be considered to ensure an
TLS configurations to identify for monitoring and maintaining appropriate level of monitoring is implemented. Examples of controls
configuration changes and to TLS configurations. include real-time monitoring, change-detection software, and analysis of
ensure secure TLS configuration Interview personnel. audit logs. Continuous monitoring is recommended to prevent, detect, and
is maintained. allow timely response to unauthorized modifications or use of non-
permitted configurations. The implemented controls should provide
continued assurance that TLS is properly configured and using only
approved cipher suites.
P2 5.4.2 Strong cryptography is used to Examine documentation 3DS sensitive data—as identified in the PCI 3DS Data Matrix—should be
protect any permitted storage of describing methods for protected wherever it is stored, using industry-recognized methods for
3DS sensitive data. protecting stored data. strong cryptography. The cryptographic control may be applied either to the
Observe implemented controls individual data elements or to the entire data packet or file that contains the
and configurations. data element. For example, where an element of 3DS sensitive data is
contained in a transaction log with other data, encryption may be applied to
the entire log or to only the sensitive data elements within the log.
Strong cryptographic controls include one-way hash functions that use an
appropriate algorithm and a strong input variable, such as a “salt.” Hash
functions are appropriate when there is no need to retrieve the original
data, as one-way hashes are irreversible. Alternatively the data can be
protected using cryptography based on an industry-tested and accepted
algorithm (not a proprietary or "home-grown" algorithm) with strong
cryptographic keys. Associated key-management processes and
procedures are defined in Requirement P2-6. Refer to industry standards
and best practices for information on strong cryptography and secure
protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.).
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 47
Requirements Validation Methods Implementation Guidance
P2-5.5 Monitoring 3DS transactions
P2 5.5.1 3DS transactions are monitored to Examine documented Maintaining a baseline of normal 3DS traffic and transaction patterns will
identify, log, and alert upon procedures and configuration assist in identifying anomalous behaviors and developing use cases. All
anomalous activity. standards. identified deviations should be ranked by risk level and responded to
Examine log files. accordingly. In addition to real-time monitoring and analysis, frequent
P2 5.5.2 Anomalous or suspicious
reviews of network traffic and correlation of audit logs may identify
transaction activity is investigated Observe implemented potentially suspicious activity.
and addressed in a timely manner. controls.
Response processes should include specific investigative activities,
Interview personnel.
escalation, and notification, in accordance with the entity’s incident
response plan.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 48
Requirement P2-6 Cryptography and Key Management
Overview Requirements
P2-6 Proper management and use of cryptographic keys is critical to the 6.1 Key management
continued security of any encryption implementation. Strong key- 6.2 Secure Logical access to HSMs (For ACS
management practices prevent unauthorized or unnecessary access to
and DS only)
the keys, which in turn could result in exposure of keys and
compromise of data the keys are intended to protect. 6.3 Secure Physical access to HSMs (For ACS
and DS only)
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 49
Requirements Validation Methods Implementation Guidance
P2 6.1.2 For ACS and DS only: All key Examine documented key- The requirement to use an HSM applies to ACS and DS entities. The PCI
management activity for specified management procedures. 3DS Data Matrix identifies 3DS cryptographic key types required to be
cryptographic keys (as defined in Interview personnel. managed in an HSM. Key-management activities include key-encryption
the PCI 3DS Data Matrix) is and decryption operations, as well as key lifecycle functions such as key
performed using an HSM that is generation and storage.
either:
The HSM approval documentation verifies the HSM is either:
FIPS 140-2 Level 3 (overall)
Listed on the NIST Cryptographic Module Validation Program (CMVP)
or higher certified, or
list, with a valid listing number, and approved to FIPS 140-2 Level 3
PCI PTS HSM approved. (overall) or higher. Refer to http://csrc.nist.gov.
Listed on the PCI SSC website, with a valid PCI SSC listing number, as
an Approved PCI PTS Device under the approval class “HSM.”
While an HSM is required only for the keys specified in the PCI 3DS Data
Matrix, use of an HSM for other 3DS keys is strongly recommended. All
3DS keys should be evaluated in accordance with the 3DS entity’s risk-
management policy to determine whether they should be managed in an
HSM.
It is not required that 3DSS entities use an HSM to manage 3DS keys;
however it is strongly recommended. 3DSS entities are subject to all other
key management requirements in this standard.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 50
Requirements Validation Methods Implementation Guidance
P2 6.1.3 For ACS and DS only: The HSM Examine HSM approval An integral component of a PCI PTS or FIPS certification is the HSM
is deployed securely, in documentation / security security policy, which defines how to configure and operate the HSM in
accordance with its approved policy (as applicable). accordance with the certification.
security policy, as follows: Observe HSM configurations. The security policy enforced by the HSM should not allow unauthorized or
If FIPS-approved HSMs are unnecessary functions. HSM API functionality and commands that are not
used, the HSM uses the FIPS- required to support specified functionality should be disabled before the
approved cryptographic HSM is commissioned. When HSMs are connected to online systems,
primitives, data-protection controls should be in place to prevent the HSM being used to perform
mechanisms, and key- privileged or sensitive functions that are not available during routine HSM
management processes for operations. Examples of sensitive functions include but are not limited to:
account data decryption and loading of key components, outputting clear-text key components, and
related processes. altering HSM configuration.
If PCI PTS-approved HSMs
are used, the HSM is
configured to operate in
accordance with the security
policy that was included in the
PTS HSM approval, for all
operations (including
algorithms, data protection,
key management, etc.).
P2 6.1.4 A documented description of the Examine documented Cryptographic keys must be stored and functions handled securely to
cryptographic architecture exists description of the prevent unauthorized or unnecessary access that could result in the
that includes: cryptographic architecture. exposure of keys and compromise cardholder data.
Description of the usage for all Interview personnel.
keys Examine HSM approval
Details of all keys used by documentation.
each HSM (if applicable)
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 51
Requirements Validation Methods Implementation Guidance
P2 6.1.5 Cryptographic keys are securely Examine documented key- A good key-management process, whether manual or automated, is based
managed throughout the management procedures. on industry standards and addresses all elements of the key lifecycle.
cryptographic lifecycle including: Observe key-management Applicable standards include NIST Special Publication 800-57 (all parts),
Generation activities. Special Publication 800-130, ISO 11568, and ISO/IEC 11770—including
associated normative references cited within as applicable. For example,
Distribution/conveyance Interview personnel. the generation and use of deterministic random numbers should conform to
Storage NIST Special Publication 800-90A, ISO/IEC 18031, or equivalent.
Established crypto periods Keys should only be distributed in a secure manner, never in the clear, and
Replacement/rotation when only to designated custodians or recipients. Procedures for distribution
the crypto period is reached apply both within the entity and across 3DS domains. Secret and private
Escrow/backup keys should be encrypted with a strong key-encrypting key that is stored
separately, or be stored within a secure cryptographic device (such as a
Key compromise and recovery HSM), or be stored as at least two full-length key components or key
Emergency procedures to shares, in accordance with an industry-accepted method. The existence of
destroy and replace keys clear-text keys during data-encryption/decryption operations should be
Accountability and audit limited to the minimum time needed for its purpose—for example, where
clear-text keys may temporarily exist in memory, they should be securely
P2 6.1.6 Cryptographic key-management Examine documented key- purged from memory upon completion of the encryption/decryption
processes conform to recognized management procedures. operation.
national or international key- Observe key-management
management standards. A crypto period should be identified for each key based on a risk
activities. assessment, and keys changed when this period is reached. Additionally,
Interview personnel. keys should be destroyed and replaced immediately upon suspicion of a
compromise.
Secure key-management practices include minimizing access to keys to
the fewest number of custodians necessary, enforcing split knowledge and
dual control for activities involving clear-text keys or key components, and
defining roles and responsibilities for key custodians and key managers.
6.1.7 Cryptographic keys are used only Examine documented key- Cryptographic keys should only be used for the purpose they were
for their intended purpose, and management procedures. intended—for example, a key-encryption key should never be used to
keys used for 3DS functions are Interview personnel. encrypt 3DS sensitive data. Similarly, public and private keys should only
not used for non-3DS purposes. be used for a single defined purpose—private keys should be used either
for decryption or for creating digital signatures, and public keys used only
for encryption or for verifying digital signatures.
Keys used to protect 3DS transactions or data should not be used for any
business function other than their 3DS purpose.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 52
Requirements Validation Methods Implementation Guidance
P2 6.1.8 A trusted Certificate Authority is Examine documented Entities need to ensure that the Certificate Authority (CA) that they use has
used to issue all digital evidence of Certificate robust security controls to ensure the security of 3DS protocols and to
certificates used for 3DS Authority validation (e.g., verify a chain of trust. Refer to Section 6.1, “Links,” in the current version of
operations between 3DSS, ACS, security assessments, the EMV® 3DS Protocol and Core Functions Specification to identify
and DS components. certifications). connections between 3DSS, ACS, and DS components that require digital
Observe implemented digital certificates. The CA could be approved by a payment brand or could
certificates. undergo a security assessment, conducted by the entity or other third
party, against an industry-standard framework such as ISO 27001. The
assessment should confirm the CA has robust controls around security,
processing integrity, confidentiality, online privacy, and availability. Entities
can also leverage WebTrust, an assurance service jointly developed by the
American Institute of Certified Public Accountants (AICPA) and the
Canadian Institute of Chartered Accountants (CICA).
P2 6.1.9 Audit logs are maintained for all Examine documented key- Recording the function or key-management activity being performed (for
key-management activities and management procedures. example, key loading), and the purpose of the affected key (for example,
all activities involving clear-text Examine audit logs. 3DS data encryption) provides the entity with a complete and concise
key components. The audit log record of key-management activities. Identifying whether the activity
includes: Interview personnel. resulted in success or failure confirms the status upon conclusion of the
Unique identification of the activity. By recording these details for the auditable events, a potential
individual that performed each compromise can be quickly identified with sufficient detail to know who,
function what, where, when, and how.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 53
Requirements Validation Methods Implementation Guidance
P2-6.2 Secure logical access to HSMs (For ACS and DS only)
P2 6.2.1 Personnel with logical access to Examine system HSMs have high security needs, and additional controls are necessary to
HSMs must be either at the HSM configurations restrict and protect logical access to these systems. If personnel have
console or using an HSM non- If non-console access is used: network (non-console) access to HSMs, the security of the HSM non-
console access solution that has console access solution is critical to the overall security of the HSM itself.
been evaluated by an Examine documented Examples of personnel access include for purposes of maintenance,
independent laboratory to comply evidence (e.g., lab certification configuration, updating, administration, and general management of the
with the following sections of the letters, solution technical HSM. Use of non-console access solution is not required for application or
current version of ISO 13491: documentation, or vendor system accounts performing automated functions.
attestation) that the solution
Annex A – Section A.2.2: Logical has been validated to An HSM non-console access solution is typically comprised of both
security characteristics. applicable ISO requirements hardware components (for example, network appliances and smart cards)
Annex D – Section D.2: Logical Observe implemented solution
and software components (for example, client-side applications) that define
security characteristics. and manage how non-console access is handled. For additional assurance
(Note: The use of single DEA that only authorized persons can access the HSM, the use of multi-factor
message authentication codes is not authentication for all personnel access should also be considered.
permitted.)
An independent laboratory is one that is organizationally independent of
Annex E – Section E.2.1: Physical the non-console management solution vendor and is not otherwise subject
security characteristics, and Section to any commercial, financial, or other commitment that might influence its
E.2.2: Logical security evaluation of the vendor’s product.
characteristics.
(Note: Only random number
generators meeting the requirements
of SP 800-90A are allowed.)
Annex F – Section F.2.1: Physical
security characteristics, and Section
F.2.2: Logical security
characteristics.
If digital signature functionality is
provided: Annex G – Section G.2.1:
General considerations, and Section
G.2.2: Device management for digital
signature verification.
P2 6.2.2 All non-console access to HSMs Examine network and system To ensure that non-console access to HSMs originates from a secure
originates from a 3DE network(s). configuration settings location, such access may only be provided to systems located within a
3DS environment (3DE) that is protected in accordance with the
requirements in this standard.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 54
Requirements Validation Methods Implementation Guidance
P2 6.2.3 Devices used to provide Observe locations of devices The term “devices” refers to the endpoint device (for example, a PC,
personnel with non-console used for non-console access laptop, terminal, or secure cryptographic device) that an individual is using
access to HSMs are secured as to HSMs. to access the HSM via a non-console connection. The implemented
follows: Observe device physical and logical security controls should provide assurance that
Located in a designated configurations. devices are being used only as intended, and only by authorized
secure area or room that is personnel. The specific security configurations for each device will depend
Observe HSM authentication on its particular technology and function. In order to prevent malicious
monitored at all times. mechanisms. individuals from “piggy-backing” on an authorized connection, devices
Locked in room/rack/cabinet/ should only be connected to the network used to access the HSM. For
drawer/safe when not in use. example, connectivity on multi-homed devices should be disabled for all
Physical access is restricted but the interface accessing the HSM, and any VPN/SSH tunnels to other
to authorized personnel and networks should be closed before opening a tunnel to the HSM.
managed under dual control.
Methods to verify that only authorized devices are permitted to connect to
Authentication mechanisms the HSM can include digital signatures and other cryptographic techniques.
(e.g., smart cards, dongles,
etc.) for devices with non- All non-console access to HSMs should occur only over a secure
console access are physically communication channel, such as a VPN that meets Requirement 4.4.
secured when not in use.
Operation of the device
requires dual control and
multi-factor authentication.
Devices have only
applications and software
installed that are necessary.
Devices are verified as having
up-to-date security
configurations.
Devices cannot be connected
to other networks while
connected to the HSM.
Devices are cryptographically
authenticated prior to the
connection being granted
access to HSM functions.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 55
Requirements Validation Methods Implementation Guidance
P2 6.2.4 The loading and exporting of Examine device Non-console access to HSMs should only be used for the purpose of HSM
clear-text cryptographic keys, key configurations. maintenance/administration. Because the loading and export of clear-text
components, and/or key shares keys, key components, and key shares requires a higher assurance of
to/from the HSM is not permitted physical security, all such activities are required to be performed at the
over a non-console connection. HSM.
P2 6.2.5 Activities performed via non- Examine policies and If personnel are not physically at the HSM console, additional controls may
console access adhere to all procedures. be necessary to ensure that the 3DS entity’s policies and procedures
other HSM and key-management Interview personnel. around key management and HSM usage are adhered to. For example, if
requirements. the ability to access an HSM function or key-management activity requires
Examine HSM configurations dual control, and the activity or function can be accessed by personnel
and observe connection physically at the HSM console or over a non-console (network) connection,
processes. the requirements for dual control need to be enforced over both methods of
access.
P2-6.3 Secure physical access to HSMs (For ACS and DS only)
P2 6.3.1 HSMs are stored in a dedicated Examine 3DS device Physical access to HSMs requires passing an additional physical control—
area(s). inventory. e.g., via locked cabinets or cages, or a separate secure room. HSMs could
Observe physical locations of be in multiple racks within the same dedicated physical space, or in one or
HSMs. more dedicated rooms, and so on.
Where HSMs are in a data center managed by the 3DS entity, the HSMs
P2 6.3.2 Physical access to the HSMs is Examine documented
should be in a space dedicated to HSMs and HSM-management devices.
restricted to authorized personnel procedures.
Where a 3DS entity’s HSMs are in a shared data center, such as a co-
and managed under dual control. Observe access controls. location facility, the 3DS entity’s HSMs should be in a space that is
dedicated to the entity’s systems and is physically separate from all other
customers of the co-location facility.
Dual control requires two or more people to perform a function, and no
single person can access or use the authentication materials of another.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 56
Requirement P2-7 Physically secure 3DS systems
Overview Requirements
P2-7 As ACS and DS systems are critical components of the 3DS 7.1 Data center security
infrastructure, they require a secure facility with elevated physical 7.2 CCTV
security controls to restrict, manage, and monitor all physical access.
P2 7.1.2 Data centers supporting ACS and Observe data center entry A positively controlled mantrap is typically a small room with an entry door
DS are equipped with a positively points. on one wall and an exit door on the opposite wall. One door of a mantrap
controlled single-entry portal (e.g., cannot be unlocked and opened until the opposite door has been closed
mantrap), that: and locked.
Requires positive Access controls can be a combination of automated (for example,
authentication prior to granting electronic access cards and physical barriers) and manual (for example, a
entry; and human security guard performing visual verification and confirmation of
Grants entry to a single person identity). These controls ensure that the second door is not opened until
for each positive authentication is complete, and that only one individual is provided access
authentication. per authentication.
P2 7.1.3 Doors to areas within the data Observe all entrances to the Electronic access-control systems, such as a keypad with individually
center that contain 3DS systems 3DE. assigned PIN codes or individually assigned access cards, provide
are fitted with an electronic Examine audit logs and/or assurance that the individual gaining access is who they claim to be. To
access-control system (e.g., card other access records. provide additional protection against the unauthorized use of an
reader, biometric scanner) that individual’s credential, multi-factor authentication should be considered.
controls and records all entry and
exit activities.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 57
Requirements Validation Methods Implementation Guidance
P2 7.1.4 Multi-factor authentication is Examine access controls. A telecommunications room is a room or space where communications are
required for entry to Observe access events. consolidated and distributed. Telecommunications rooms typically house
telecommunications rooms that communications equipment (such as switches and routers), cable
are not located within a secure termination points, and cross-connects serving a specific area and/or floor.
data center. Examples of multi-factor authentication for physical access include use of
an access card with PIN/passcode and use of an access card with a
biometric reader. Visual verification of government-issued photo ID by an
authorized guard at the entry point may also be acceptable as one of the
two factors.
Multi-factor authentication is not required for physical access to
telecommunications rooms housed within a data center environment that
meets the requirements in this standard.
P2 7.1.5 Entry controls prevent piggy- Observe personnel entering Each individual is identified and authenticated before being granted access
backing by granting access to a the data center. to the 3DS data centers. These controls provide assurance that the identity
single person at a time, with each of every individual in the data center is known at any given time.
person being identified and
authenticated before access is
granted.
P2 7.1.6 A physical intrusion-detection Interview personnel. To be effective, an intrusion-detection system should be activated
system that is connected to the Observe intrusion-detection whenever the 3DS environment is intended to be unoccupied. The
alarm system is in place. controls. intrusion-detection system may be activated automatically or via manual
process.
P2 7.1.7 Physical connection points leading Observe physical connection Securing networking and communications hardware prevents malicious
into the 3DE are controlled at all points. users from intercepting network traffic or physically connecting their own
times. devices to wired network resources.
P2-7.2 CCTV
P2 7.2.1 CCTV cameras are located at all Observe all entrances and The cameras need to be able to identify individuals physically entering and
entrances and emergency exit emergency exit points. exiting the area, even during dark periods, as this provides valuable
points and capture identifiable Examine CCTV footage. information in the event of an investigation.
images, at all times of the day and
night.
P2 7.2.2 CCTV recordings are time Examine CCTV records. Clocks need to be properly synchronized to ensure the captured images
stamped. can be correlated to create an accurate record of the sequence of events.
Synchronization may use automated or manual mechanisms.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 58
Appendix A-1: Compensating Controls
Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use
of compensating controls to meet a PCI 3DS requirement.
1. Meet the intent and rigor of the original PCI 3DS requirement.
2. Provide a similar level of defense as the original PCI 3DS requirement, such that the compensating control sufficiently offsets the risk that
the original PCI 3DS requirement was designed to defend against.
3. Be “above and beyond” other PCI 3DS requirements. (Simply being in compliance with other PCI 3DS requirements is not a compensating
control.)
When evaluating “above and beyond” for compensating controls, consider the following:
(a) Existing PCI 3DS requirements CANNOT be considered as compensating controls if they are already required for the item under
review.
(b) Existing PCI 3DS requirements MAY be considered as compensating controls if they are required for another area, but are not
required for the item under review.
(c) Existing PCI 3DS requirements may be combined with new controls to become a compensating control.
Note: The items at a) through c) above are intended as examples only. All compensating controls must be reviewed and validated for
sufficiency by the assessor who conducts the PCI 3DS review. The effectiveness of a compensating control is dependent on the specifics
of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Entities
should be aware that a particular compensating control will not be effective in all environments.
4. Be commensurate with the additional risk imposed by not adhering to the PCI 3DS requirement.
The assessor is required to thoroughly evaluate all compensating controls during the PCI 3DS assessment and validate that each compensating
control adequately addresses the risk the original PCI 3DS requirement was designed to address. Processes and controls must be in place to
ensure compensating controls remain effective after the assessment is complete.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 59
Appendix A-2: Compensating Controls Worksheet
Use this worksheet to document any compensating controls used to meet a PCI 3DS requirement. Compensating controls should also be
documented with the corresponding PCI 3DS requirement in the 3DS Report on Compliance.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 60
Appendix B: Alignment between PCI 3DS and PCI DSS Requirements
The PCI 3DS Part 1 Baseline Security Requirements cover many of the security objectives required by PCI DSS. Where PCI DSS has been
applied to the 3DS environment as described below, the implementation of additional controls may not be needed to meet the PCI 3DS Part 1
Requirements:
1. The 3DE is contained within a CDE, and all 3DS system components—including supporting infrastructure and systems—are included in
scope for the applicable PCI DSS requirements. See Table 2 “Mapping of PCI 3DS Part 1: Baseline Security Requirements to PCI DSS
Requirements” later in this section for details of applicable PCI DSS requirements; and
2. The applicable PCI DSS requirements are confirmed to be “In Place” through a PCI DSS assessment performed no more than 12 months
prior to the 3DS assessment.
A 3DE that is not within the security boundary of a PCI DSS-compliant (as defined by applicable payment brand Note: The individual
compliance programs) CDE, or does not store, process, or transmit any cardholder data (CHD) or sensitive authentication payment brand
data (SAD), may be subject to PCI 3DS Part 1 Requirements, based on payment brand compliance programs. compliance programs
define whether an entity is
The applicability of PCI 3DS Part 2: 3DS Security Requirements is not impacted by a PCI DSS implementation. The PCI
required to validate to PCI
3DS Part 2 Requirements apply whether or not PCI DSS is also implemented.
3DS, PCI DSS, or both.
The following diagram provides an illustration of how PCI DSS may impact applicability of 3DS Requirements.
Diagram 1: Relationship between PCI 3DS Requirements and PCI DSS
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 61
A 3DS entity that has applied PCI DSS in accordance with Table 2 “Mapping of PCI 3DS Part 1: Baseline Security Requirements to PCI DSS
Requirements” may either confirm that its PCI DSS validation covers the systems and environments in scope for PCI 3DS, or complete validation
to the 3DS Part 1 Requirements. A 3DS entity that does not store, process, or transmit any account data (CHD and/or SAD), and therefore has not
applied PCI DSS, should complete both 3DS Part 1 and 3DS Part 2 Requirements.
The following diagrams conceptually illustrate how a 3DE could be separate to or within a CDE, and the corresponding applicability of requirements.
In Diagram 2 above, the 3DS entity does not store, process, or transmit any account data (CHD or SAD) as part of the 3DS transaction process.
This entity’s 3DE is therefore not part of any CDE and is not protected by PCI DSS. In this scenario, the 3DS systems in the 3DE are subject to
3DS Part 1 and Part 2 Requirements.
Systems that are outside of the 3DE and that connect to or otherwise support 3DS system components in the 3DE would also be subject to 3DS
Part 1 and Part 2 Requirements.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 62
Diagram 3: Scenario with Combined 3DE/CDE
In Diagram 3 above, the entity’s 3DE is contained within or is the same as its CDE, and all 3DE system components (including ACS, DS, and/or
3DSS) are already protected by PCI DSS. In this scenario, the 3DS systems in the 3DE may be validated to either PCI DSS or 3DS Part 1
Requirements. The 3DS Part 2 Requirements also apply to these system components.
System components that are outside the combined 3DE/CDE and that connect to or otherwise support 3DS system components in the 3DE also
need to be protected. If all connected-to and supporting systems are protected by the appropriate PCI DSS controls, these system components
could also be validated to either PCI DSS or 3DS Part 1 Requirements. In all cases, these system components would be subject to 3DS Part 2
Requirements.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 63
Leveraging PCI DSS for PCI 3DS Part 1: Baseline Security Requirements
A mapping of PCI 3DS Part 1 Requirements to the applicable PCI DSS requirements is provided in Table 2 on the following page. The intent of
this mapping is to assist 3DS entities that have implemented PCI DSS to protect their 3DS environment in confirming that the PCI DSS controls
they have implemented are appropriate to meet the objectives of the 3DS Part 1 Requirements.
All identified PCI DSS requirements in place – 3DS entities that have all the identified PCI DSS requirements in place for their 3DS
environment could either:
(a) Confirm PCI DSS coverage for the scope of their 3DS environment, or
(b) Validate to 3DS Part 1 Requirements
Some but not all identified PCI DSS requirements in place – 3DS entities that have some but not all the identified PCI DSS
requirements in place for their 3DS environment could either:
(a) Implement and validate the applicable PCI DSS requirements in order to confirm PCI DSS coverage, or
(b) Validate to 3DS Part 1 Requirements.
One or more PCI DSS requirements identified as N/A – If any PCI DSS requirements were identified as being “Not Applicable” during
the PCI DSS assessment, the 3DS entity could either:
(a) Provide verification that all “N/A” PCI DSS requirement(s) are also not applicable to the 3DS environment, or
(b) Implement and validate the applicable PCI DSS requirements in order to confirm PCI DSS coverage, or
(c) Complete the 3DS Part 1 Requirements.
PCI DSS has not been implemented – Entities that have not implemented PCI DSS should complete the 3DS Part 1 Requirements in
their entirety.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 64
Table 2: Mapping of PCI 3DS Part 1: Baseline Security Requirements to PCI DSS Requirements
1. Maintain security policies for all Requirement 12: Maintain a policy that addresses information security for all personnel
personnel
2. Secure network connectivity Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
3. Develop and maintain secure systems Requirement 2: Do not use vendor-supplied defaults for system passwords and other
security parameters
Requirement 6: Develop and maintain secure systems and applications
4. Vulnerability management Requirement 5: Protect all systems against malware and regularly update anti-virus
software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 11: Regularly test security systems and processes
5. Manage access Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
7. Incident response preparedness Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 12: Maintain a policy that addresses information security for all personnel
Note: The applicability of 3DS Part 2: 3DS Security Requirements is not impacted by a PCI DSS implementation.
PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server, v1.0 October 2017
© 2017 PCI Security Standards Council, LLC. All Rights Reserved. Page 65