This article presents a brief description of the PCI 3DS standard, aimed at protecting non-face-to-face transactions (card-not-present) e-commerce through robust cardholder authentication.
All articles in the series «What is it?‘:
Introduction
The standard Payment Card Industry 3-D Secure – Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server (or PCI 3DS) is a security-oriented standard for components involved in transactions with the EMV 3-D Secure (E) protocol.MV® 3-D Secure Protocol and Core Functions Specification) to authenticate the cardholder in non-face-to-face transactions.
It is currently in the version 1.0 published in October 2017.
Origin
One of the main problems of non-face-to-face transactions (card-not-present – CNP) with payment cards (where it is not required to insert, swipe or bring the physical card closer to a reader) is due to the authentication of the holder at the time of the transaction. Unlike face-to-face transactions, in which the holder requires the presence of 2 authentication factors (the plastic of the card (what you have) and the pin (what is known)), in non-face-to-face transactions the same authentication factor is usually used twice (the PAN and the CVV2, which are both printed on plastic), so that a criminal who has access to this data would have the possibility of making fraudulent transactions.
In October 2017, in the framework of the PCI Europe Community Meeting held in Barcelona (Spain), the PCI SSC announced the outcome of the multi-year work: defining a number of security controls to protect the 3DS messaging-related data processing environment in a new standard: PCI 3DS Core Security Standard. This standard is based on the EMV® 3-D Secure protocol specification (EMV® 3-D Secure Protocol and Core Functions Specification) and the objective of this integration is the creation of a transversal framework that allows the massive implementation of this security protocol in e-commerce environments (e-commerce) and purchases via mobile phones (m-commerce).
What is 3-D Secure (3DS)?
EMV® Three-Domain Secure (3-D Secure or 3DS) is an anti-fraud messaging protocol that allows consumers to authenticate with their payment card issuer at the time of non-face-to-face (CNP) transactions. This is about an additional layer of security that helps prevent unauthorized transactions in e-commerce environments and, in turn, protects the trade from fraud.

Example of 3DS authentication for a Visa card
As such, at the time the transaction is made, the card issuer (i.e.: the bank of the cardholder who issued the plastic) asks the cardholder for an additional authentication data to CVV2, which can usually be:
- A PIN.
- A password or the answer to a secret question
- A code from a coordinate card.
- A code sent via SMS to a registered mobile phone.
- A single-use key (One Time Password – OTP) generated by an electronic device or an application installed on a mobile phone.
The objective is that access to this additional data is only by the issuing bank, which is why the trade and any other intermediate entity should only receive the response to such validation: approved or not.

Example of 3DS with VBV using an SMS code
It's called "Three Domains» (three domains) due to the interaction of three main actors, defined in the EMV 3-D Secure protocol specification:
- The mastery of the trade/acquirer,
- The Issuer domain, and
- The interoperability domain (e.g. a payment system).

3DS transaction flow across all 3 domains
History of the 3-D Secure protocol and its different versions

3-D Secure specification and PCI 3DS standard timeline
In 1996 Visa, Mastercard, GTE, IBM, Microsoft, Netscape, SAIC, Terisa Systems, RSA and Verisign created the SET Consortium (Secure Electronic Transaction (SET) Consortium), which laid the first foundations for protecting financial transactions on the internet. The consortium developed a set of security protocols and formats based on the combination of digital certificates and digital signatures between the buyer, the merchant and the buyer's bank to ensure the privacy and confidentiality of the transaction, so each user of the system required a digital certificate to be able to operate. Unfortunately, this method was very poorly received due to the costs and integration problems with the browsers (browsers) of the time.
As an alternative method to SET, in 1999 Visa created the messaging protocol Three-Domain Secure (3-D Secure) v1.0 to provide merchants and issuers with a way to authenticate cardholders when online purchases are made. This protocol governed the interaction between three main elements involved in transaction authentication: the merchant, the card issuer and the directory service.
During the late 1990s and early 2000s Arcot Systems developed a robust authentication system that complied with this protocol (called TransFort), It was well received by major banks in the United States. This system required merchants to download a software add-on (plug-in) that would recognize the authentication scheme to be applied and that cardholders register in the service by telephone, creating a personal identification number (PIN) that would be requested at the time of payment. The interesting thing about this method is that it did not require major changes to the merchants' infrastructure and that any payment card supported this additional authentication technique.
Due to the success of this model, Visa USA (through its subsidiary e-Visa) acquired the software from Arcot Systems in 2001 to replace its technology based on Secure Electronic Transaction (SET), renaming it as Verified by Visa (VbV).

Example of 3DS implementation through "Verified By Visa" (VbV)
Years later, the other payment card brands began to develop their additional authentication programs for online purchases based on the 3-D Secure protocol: MasterCard SecureCode (MSC) and JCB J/Secure in 2005 and American Express Safekey in 2010.
However, this first version of the 3-D Secure specification soon became obsolete, it was already developed to authenticate cardholders in online purchases when the only connection mechanism available to e-commerce was through browsers (browsers) on personal computers. Due to the rapid proliferation of mobile devices, the static authentication of 3-D Secure (based on passwords and personal identification numbers) and the limitations of integration with new web technologies began to affect online purchases, causing abandonments at the time of payment and operational costs to card issuers for user support when they forgot their authentication credentials.
For this reason, in 2016 Visa, Mastercard, JCB, Discover, American Express and UnionPay centralize efforts through EMVCo to publish Version 2 of the 3-D Secure protocol. This new version was designed to be less intrusive than the first version of the specification, allowing additional transaction data to be sent as context for validation in terms of risk, requiring additional authentication only when the transaction is determined to be high risk (frictionless). It also allows new methods of authentication of the cardholder (Cardholder Verification Method – CVM) as online/offline PIN, question/answer (challenge-response), shared secrets (shared secret), static passwords, biometrics or single-use codes (One-Time Passcodes – OTP), as well as integration with new devices (Consumer Device Information – CDI) such as smart phones and watches, computers and tablets.
Finally, it is important to clarify several issues:
- The functional specification of 3-D Secure version 2 is managed exclusively by EMVco.
- Each payment brand has its own 3-D Secure compliance program, which includes specific rules and policies to operate with your cards using the 3-D Secure specification.
What is the scope of PCI 3-D Secure (PCI 3DS)?
The standard PCI 3DS Core Security Standard, published by the PCI SSC, defines the logical and physical requirements and assessment procedures for those entities that provide or perform the following functions, as set out in the document: EMV®3-D Secure Protocol and Core Functions Specification:
- 3DS Server (3DSS): provides the functional interface between the environment from which 3DS functionality is requested and the directory server (DS).
- 3DS Directory Server (DS): manages the list of card ranges for which authentication is available and coordinates communication between the 3DS server (3DSS) and the access control server (ACS) to determine which authentication is available for a particular card number and device type.
- 3DS Access Control Server (ACS): the ACS contains the authentication rules and is controlled by the issuer. Verify what type of authentication is available and authenticate the specific transaction.
Therefore, the applicability of this new standard will be linked to those environments where ACS, DS or 3DSS functions are performed. Typically, it contemplates the 3DS environment (referred to as 3DS Environment o 3DE), which contains the system components involved in executing 3DS transactions, as well as the components that support 3DE.
To synthesize, the applicability/interaction of EMV's 3-D Secure specification and PCI 3DS standard is defined as follows:
- The 3-D Secure protocol specification is provided by EMVco.
- The definition of security controls to protect the components of a 3DS environment is provided by the PCI 3DS standard.
Likewise, the same criterion applies with Software Development Kits (Software Development Kit – SDK), where EMVco provides the specification (EMV® 3-D Secure SDK Specification), while PCI SSC provides the security requirements that must be secured by those entities that develop SDKs under the EMV specification for 3DS transactions on mobile devices (PCI 3DS SDK Security Standard).
A very complete description about the functionality of the 3DSS, ACS, DS and 3DS SDK components can be found in this article: How 3D Secure Works: ACS, 3DS Server, and SDK Explained.
How is the PCI 3DS standard organized?
The standard PCI 3DS Core Security is divided into two parts:
- Part 1: Baseline Security Requirements, which provide technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect the general principles and practices of information security common to multiple industry standards and should be considered in any type of environment.
- Part 2: 3DS Security Requirements, which describes specific security controls to protect data from 3DS transactions, technologies and processes.

PCI 3DS requirements
Additionally, the standard is accompanied by the following documents:
- PCI 3DS Data Matrix, which lists the elements of a 3DS transaction and describes their level of confidentiality and storage potential.
- PCI 3DS SDK Security Standard, which defines the requirements and test procedures for 3DS Software Development Kits, following the specifications of the document EMV® 3-D Secure-SDK Specification.
As part of the actions of assessment and certification of environments, the PCI SSC will be responsible for the training of advisors, maintenance of the list of certified advisors and management of a quality program. These actions are described in the following documents:
3D-Ssecure QSA (Qualified Security Assessors) training courses began in the first quarter of 2018.
What is the relationship between the PCI DSS standard and the PCI 3DS Core Security standard?
Depending on the form of deployment, a 3-D Secure environment (3DS environment -3DE) can be part of a payment card data environment (Cardholder Data Environment – CDE) or be completely separate. If a 3DS environment processes card data, it may be subject to PCI DSS compliance.

Integration of PCI DSS CDE with PCI 3DS 3DE
However, if the environment in which 3DS authentication actions are implemented also complies with PCI DSS, then compliance with Part 1 of 3DS can be directly approved:

Correspondence of PCI DSS and PCI 3DS requirements part 1
The applicability of 3DS Part 2 is not affected by PCI DSS compliance or non-compliance.

PCI 3DS compliance alternatives when the environment is PCI DSS compliant or not
What is the process for conducting a PCI 3DS compliance assessment?
Finally, below are the steps required to perform a PCI 3DS compliance assessment by a QSA Advisor for PCI 3DS:
- Â The entity must confirm the type of 3-D Secure components present in its environment (3DSS, DS, or ACS).
-  Each component must be EMVco approved in order to operate in a 3DS environment. The list of approved products can be found here https://www.emvco.com/approved-registered/approved-products/ . Each of these components must have its approval letter (Letter of Approval – LOA) valid and issued by EMVco.
- Â Confirm whether or not the 3DS (3DE) environment processes, stores and/or transmits payment card data:
- If it contains payment card data, the 3DS environment must also comply with PCI DSS.
- If it does not contain payment card data, the 3DS environment must comply with Part 1 of PCI 3DS.
- Â Depending on the type of component (3DSS, DS or ACS), some requirements are applicable or not (use of certified HSMs, physical security controls in the data center, remote access to the HSM console, etc.).
-  Upon completion of the compliance assessment, the QSA advisor will complete a compliance report (Report on Compliance – RoC) and a certificate of compliance (Attestation of Compliance – AoC), which must be sent to each of the payment marks by the evaluated entity.
- Â The validation of PCI 3DS compliance is annual.