Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server


Payment Card Industry 3-D Secure (PCI 3DS) Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server Frequently Asked Questions November 2017

Introductory Note

This document addresses frequently asked questions (FAQs) related to the PCI 3DS Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server (hereafter referred to as the PCI 3DS Core Security Standard).

Throughout this FAQ document:

- The use of PCI 3DS Core Security Standard or PCI 3DS refers to the current version of the PCI 3DS Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server, as published on the PCI SSC website (www.pcisecuritystandards.org).
- The use of EMVCo 3DS Core Specification refers to the EMV 3-D Secure Protocol and Core Functions Specification, as published by EMVCo (www.emvco.com).

Further information about use and applicability of the PCI 3DS Core Security Standard can be found in the Introduction, Terminology, and Scope of Requirements sections within the standard itself, as well as in the general PCI Glossary on the PCI SSC website: https://www.pcisecuritystandards.org/pci_security/glossary.

The FAQs in this document are organized as follows:

1. General FAQs
2. Relationship between PCI 3DS Core Security Standard and other PCI standards

2017 PCI Security Standards Council, LLC. All Rights Reserved Page 2

1. General FAQs

Q 1: What is 3-D Secure?

A: EMV Three-Domain Secure (3-D Secure, or 3DS) is a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (for example, Payment Systems). For details about EMV 3-D Secure, refer to https://www.emvco.com/emv-technologies/3d-secure/.

Q 2: To whom does the PCI 3DS Core Security Standard apply?

A: The PCI 3DS Core Security Standard applies to entities that perform or provide the following functions, as defined in the EMVCo 3DS Core Specification:

- 3DS Server (3DSS)
- 3DS Directory Server (DS)
- 3DS Access Control Server (ACS)

Third-party service providers that can impact these 3DS functions, or the security of the environments where these functions are performed, may also be required to meet PCI 3DS requirements as applicable to the provided service. Whether an entity is required to validate compliance with the PCI 3DS Core Security Standard is defined by the individual payment brand compliance programs.

Q 3: How are the PCI 3DS requirements structured?

A: The requirements in the PCI 3DS Core Security Standard are organized into the following sections:

- Part 1: Baseline Security Requirements, which provide technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect general information security principles and practices common to many industry standards, and should be considered for any type of environment.
- Part 2: 3DS Security Requirements, which provide security controls specifically intended to protect 3DS data, technologies, and processes.

Q 4: Does the Implementation Guidance have to be met in order for a requirement to be considered in place?

A: No. The intent of the Implementation Guidance is to provide additional information to help entities and assessors understand how a requirement could be met. The examples and practices in the Implementation Guidance column are not requirements and do not preclude other methods that may be used to meet a requirement. While the Implementation Guidance contains recommendations and best practices that should be considered, this guidance does not replace or extend the requirement to which it refers. Assessors and 3DS entities should work together to ensure a clear understanding of how implemented controls meet the intent of the requirements.

Q 5: What is the PCI 3DS Data Matrix and how does it fit in with the PCI 3DS Core Security Standard?

A: The PCI 3DS Data Matrix is a separate document that supports the PCI 3DS Core Security Standard. The PCI 3DS Data Matrix identifies a number of data elements common to 3DS transactions, as defined by EMVCo, that are also subject to requirements in the PCI 3DS Core Security Standard. The data elements identified in the PCI 3DS Data Matrix include those considered to be 3DS sensitive data, which are subject to specific data protection requirements, and certain cryptographic key types that are subject to HSM requirements.

Q 6: Who is qualified to assess the PCI 3DS Core Security Requirements?

A: A two-phase approach will be implemented to qualify assessors to perform 3DS Assessments:

- From Q4 2017, P2PE Assessors and existing 3-D Secure v1 Visa assessors that are also QSAs will be able to perform PCI 3DS Assessments after completing a short online training module. This grandfathering arrangement will be in place for two years. At that time, these assessors will be subject to the qualification requirements defined below.
- From early 2018, a qualification path will be available for QSAs with at least three years QSA experience and at least one industry-recognized certification in both information security and IT audit (as defined in QSA Qualification Requirements section 3.2). Additionally, QSAs wishing to perform PCI 3DS Assessments will be required to attend training and pass an examination.

Details of training and qualification requirements for assessors will be provided in Q4 2017 and early 2018 respectively.

Q 7: Does PCI SSC provide a list of 3DS entities that are validated to the PCI 3DS Core Security Standard?

A: There are currently no plans for PCI SSC to list 3DS entities that have been assessed to the PCI 3DS Core Security Standard. Any queries about PCI 3DS Core Security Standard compliance should be directed to the applicable payment brand(s).

Q 8: Are 3DS entities that support v1 of the 3-D Secure protocol required to migrate to EMV 3-D Secure?

A: Whether an entity is required to use and/or support a specific version of 3DS is determined by the payment brands. 3DS entities should contact the applicable payment brand and/or issuer to whom they provide 3DS services for further information.

Q 9: Are 3DS entities that currently meet the Visa 3-D Secure Security Requirements for Enrollment Servers and Access Control Servers also required to meet the PCI 3DS Core Security Standard?

A: All queries related to validating compliance should be directed to the applicable payment brand.

2. Relationship between PCI 3DS Core Security Standard and other PCI standards

Q 10: What is the relationship between the PCI 3DS Core Security Standard and the PCI 3DS SDK Security Standard?

A: The PCI 3DS Core Security Standard and PCI 3DS SDK Security Standard are independent standards that define security controls covering different areas of the 3DS ecosystem. The PCI 3DS Core Security Standard supports the EMVCo 3DS Core Specification, and applies to entities that perform or provide specific 3DS functions; namely 3DS Server (3DSS), 3DS Directory Server (DS), or 3DS Access Control Server (ACS) functions. The PCI 3DS SDK Security Standard applies to entities that develop 3DS Software Development Kits (SDK), as defined in the EMV 3-D Secure SDK Specification. While these two PCI standards define consistent levels of security for their respective 3DS components, they are distinct standards with separate requirements and programs, and validation against one standard does not imply or result in validation against the other.

Q 11: What is the relationship between the PCI 3DS Core Security Standard and the PCI DSS?

A: The PCI 3DS Core Security Standard and PCI DSS are separate, independent standards, each intended for specific types of entities. The PCI 3DS Core Security Standard applies to 3DS environments where 3DSS, ACS, and/or DS functions are performed, while PCI DSS applies wherever payment card account data is stored, processed or transmitted. Details of each standard's applicability are provided within the introductory sections of that standard. Where an entity meets the applicability for both standards, the entity should consult with their acquirer and/or payment brand, as applicable, to determine whether they are required to validate to either or both standards.

While many 3DS entities may have both PCI 3DS and PCI DSS responsibilities, there may be cases where a 3DS entity does not store, process, or transmit any payment card account data; for example, where the 3DS entity is involved only in 3DS transactions for EMVCo payment tokens. In this scenario, the 3DS entity may not be subject to PCI DSS. In all cases, entities should refer to their acquirer and/or the payment brand(s) to determine their compliance obligations to a PCI standard.

Q 12: How should a 3DS entity manage an environment covered by both PCI 3DS and PCI DSS?

A: 3DS entities that store, process, or transmit payment card account data will have a defined 3DS environment (3DE) and a defined cardholder data environment (CDE). If account data is present in the environment where 3DS functions are performed, that environment would be considered both a 3DE and a CDE. Where the 3DE and CDE are combined in the same environment, the 3DS entity may be able to implement security controls that meet requirements in both standards. As the PCI 3DS Part 1: Baseline Security Requirements cover many of the security objectives required by PCI DSS, additional controls may not be needed to meet the PCI 3DS Part 1 Requirements if PCI DSS is fully implemented.

Where a requirement in one standard requires more stringent security controls than what is implemented or required by the other standard, the entity may need to implement the more stringent controls throughout the environment to ensure the applicable requirements from both standards are met.

An alternative scenario is where the 3DS entity has a CDE that is separate and segmented from the 3DE. In this scenario, the 3DS entity may choose to apply different controls to each environment as appropriate for the applicable standard.

Whether a 3DS entity is required to validate compliance with the PCI 3DS Core Security Standard and/or PCI DSS is defined by the individual payment brand compliance programs.

Q 13: Can an entity use their PCI DSS assessment results for their 3DS assessment?

A: As noted in Q12, additional controls may not be needed to meet the PCI 3DS Part 1: Baseline Security Requirements if PCI DSS is fully implemented to protect the 3DE and all 3DS system components. In circumstances where the 3DE and CDE are combined in the same environment, and PCI DSS controls have been applied and validated for all 3DE system components, the 3DS entity may be able to leverage the results of their PCI DSS assessment to validate the PCI 3DS Part 1 Requirements. 3DS entities wishing to use the results of a PCI DSS assessment for this purpose should confirm this approach with their acquirer and/or the payment brand(s).

PCI DSS assessment results cannot be leveraged to validate 3DS Part 2 Requirements. Refer to Appendix B: Alignment between PCI 3DS and PCI DSS Requirements, in the PCI 3DS Core Security Standard, for details on requirements for leveraging PCI DSS for PCI 3DS Part 1. The 3DS assessor will need to document PCI DSS coverage of the 3DE in the 3DS Report on Compliance and Attestation documents.

There is currently no option for entities to leverage results of a PCI 3DS assessment for their PCI DSS validation. Validation to PCI 3DS Part 1 does not impact or replace PCI DSS compliance obligations.