PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.
View on EMVCo.com →

EMV® 3-D Secure Approval – Test Platform Requirements

v1.4 Service Provider Recognition/Qualification
3-D Secure
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

This document is large; EMVCo's index truncates its extracted text, so the excerpt below is partial.

EMV® 3-D Secure Approval Test Platform Requirements Version 1.4 October 2025 EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page i / vi Legal Notice This document is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page ii / vi Revision Log – Version 1.4 The following changes have been made to the document since the publication of Version 1.3. Some of the numbering and cross references in this version have been updated to reflect changes introduced by the published bulletins. The numbering of existing requirements did not change, unless explicitly stated otherwise. Incorporated changes described in the following Specification and Administrative Updates: • None Other editorial changes: • Section 3.2.7.2.1 updated to reflect the regression testing for all 3DS components • Section 3.3.1, item 5 added to clarify the meaning of ‘remediates per plan’ • Editorial updates. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page iii / vi Contents 1 INTRODUCTION................................................................................................................... 1 1.1 Purpose..................................................................................................................... 1 1.2 Audience ................................................................................................................... 1 1.3 Normative Reference................................................................................................. 1 1.4 Definitions ................................................................................................................. 4 1.5 Notational Conventions ............................................................................................. 8 1.5.1 Abbreviations ................................................................................................. 8 1.5.2 Terminology and Conventions........................................................................ 8 2 ROLES AND RESPONSIBILITIES ............................................................................................ 9 2.1 EMVCo...................................................................................................................... 9 2.2 Test Platform Provider ............................................................................................... 9 2.3 EMVCo Recognised Laboratory .............................................................................. 10 3 3DS TEST PLATFORM AND TEST PLATFORM PROVIDER REQUIREMENTS ............................. 11 3.1 Business Requirements........................................................................................... 11 3.1.1 Partnership .................................................................................................. 11 3.1.2 Financial ...................................................................................................... 11 3.1.3 Legal Entity .................................................................................................. 11 3.1.4 Public Communications and Test Results .................................................... 12 3.1.5 Independence .............................................................................................. 12 3.1.6 Impartiality ................................................................................................... 13 3.1.7 Confidentiality .............................................................................................. 13 3.1.8 Business Coverage...................................................................................... 13 3.1.9 Not Transferrable ......................................................................................... 14 3.2 Development Requirements .................................................................................... 15 3.2.1 Architecture.................................................................................................. 15 3.2.2 Test Scripts Development Requirements ..................................................... 15 3.2.3 Harness and SUT Requirements ................................................................. 15 3.2.4 Reference/Requestor Application................................................................. 16 3.2.5 Test Session and User Interface Requirements ........................................... 16 3.2.6 Public Key Infrastructure Management ........................................................ 17 3.2.7 Test Plan Selection ...................................................................................... 17 3.2.7.1 Test Plan Identification ......................................................................... 17 3.2.7.2 Regression Testing .............................................................................. 18 3.2.7.3 Single Protocol Version | Multiple Test Plans | Overlapping Period ...... 20 3.2.7.4 Multiple Protocol Version | Multiple Test Plans | Migration Period ........ 21 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page iv / vi 3.2.8 Multi-Protocol Version Support..................................................................... 22 3.2.8.1 Example 1: Migration Period between 2 Selectable Protocols and Overlapping Period for 2 Test Plan Versions ........................................ 22 3.2.8.2 Example 2: Migration Period between 3 Selectable Protocols and Overlapping Period for 2 Test Plan Versions ........................................ 23 3.2.8.3 Example 3: Migration Period between 3 Selectable Protocols and no Overlapping Period .............................................................................. 24 3.2.8.4 Example 4: Migration Period between 2 Selectable Protocols and no Overlapping Period .............................................................................. 24 3.2.8.5 Example 5: T5 – No Migration Period and no Overlapping Period ........ 25 3.2.9 ICS Import/Export ........................................................................................ 25 3.2.10 Report generation ........................................................................................ 26 3.2.11 Documentation............................................................................................. 26 3.3 Security Requirements ............................................................................................ 27 3.3.1 Test Platform Security.................................................................................. 27 3.3.2 Confidential Materials and Information ......................................................... 28 3.3.3 Test Reports ................................................................................................ 28 3.3.4 Test Platform Usage .................................................................................... 28 3.3.5 Networks...................................................................................................... 30 3.4 Operational Requirements....................................................................................... 31 3.4.1 Application & Platform Management ............................................................ 31 3.4.2 Application & Platform Resilience ................................................................ 31 3.4.3 Incident Management (Service Availability).................................................. 31 3.4.4 Management of Issues during Pre-Compliance or Compliance Testing ....... 32 3.4.4.1 Issue Management Process with EMVCo ............................................ 32 3.4.4.2 Issue Reporting .................................................................................... 33 3.4.4.3 Issue Reporting Template .................................................................... 33 3.5 Performance Requirements and Service Levels ...................................................... 35 3.5.1 Performance ................................................................................................ 35 3.5.2 Service Availability ....................................................................................... 35 3.5.3 Incident Management Severity Levels.......................................................... 35 3.5.4 Test Platform Service Level Report.............................................................. 36 3.6 Maintenance Requirements..................................................................................... 37 3.6.1 Change Management .................................................................................. 37 3.6.2 Test Equipment Hardware and Software Upgrades ..................................... 39 3.6.3 Documentation Management ....................................................................... 39 3.6.4 Example Change History Table.................................................................... 39 3.7 Administrative Requirements ................................................................................... 40 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page v / vi 3.7.1 Software Configuration Management ........................................................... 40 3.7.2 Personnel Management ............................................................................... 40 3.7.2.1 Personnel Information .......................................................................... 40 3.7.2.2 Personnel Technical Expertise ............................................................. 41 3.7.3 EMV Test Case/Test Plan Update and Activation Dates .............................. 41 3.7.4 Test Data Retention Period .......................................................................... 42 3.7.5 Language..................................................................................................... 42 3.7.6 Test Platform Provider Fees ........................................................................ 42 3.7.7 Terms and Conditions .................................................................................. 42 3.7.8 Complaints................................................................................................... 42 3.8 Communication Requirements ................................................................................ 43 3.8.1 Communication to EMVCo ........................................................................... 43 3.8.2 Communication from EMVCo....................................................................... 43 3.8.2.1 EMVCo 3DS Approval Communications ([APP COMS])....................... 43 3.8.2.2 EMVCo 3DS TPP Document Repository .............................................. 44 3.8.2.3 Knowledge Base: ................................................................................. 44 3.9 Test Platform Provider Recognition Process ........................................................... 45 3.10 Changes to Test Platform Post Qualification............................................................ 46 3.10.1 Changes in EMVCO requirements ............................................................... 46 3.10.2 Platform Update and Qualification Requirements......................................... 46 4 NON-CONFORMANCE ....................................................................................................... 47 4.1 Non-Conformance Investigation .............................................................................. 47 4.2 Corrective Action for Non-Conformance .................................................................. 48 4.2.1 Fix due to Test Platform Issue...................................................................... 48 4.2.2 Fix due to Test Case Update........................................................................ 48 Appendix A - Relationship between Test Platform Provider and Laboratories.................. 49 Appendix B - EMVCo Ticket Severity .............................................................................. 50 Appendix C - Platform Service Level Report.................................................................... 52 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page vi / vi Tables Table 1.1: 3-D Secure Specifications .................................................................................... 1 Table 1.2: 3-D Secure Approval Documents ......................................................................... 2 Table 1.3: 3-D Secure Test Platform Forms .......................................................................... 3 Table 1.4: External References ............................................................................................ 3 Table 1.5: Definitions ............................................................................................................ 4 Table 1.6: Abbreviations ....................................................................................................... 8 Table 3.1: Regression test list application in 3DS product re-approval ................................ 19 Table 3.2: Regression test list application in BME product approval.................................... 19 Table 4.1: EMVCo Ticket Severity Definition ....................................................................... 50 Figures Figure 3.1: Overlapping Period ........................................................................................... 20 Figure 3.2: Migration Period ................................................................................................ 21 Figure 3.3: Multi-Protocol Version Support.......................................................................... 22 Figure 3.4: Issue Management Process .............................................................................. 32 © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 1 / 55 1 Introduction EMVCo specifies and qualifies EMV 3-D Secure (3DS) Test Platforms developed and hosted by independent and recognised Test Platform Providers throughout the world to conduct 3DS testing. 1.1 Purpose This document describes the requirements for the development and the hosting of a 3DS Test Platform by a 3DS Test Platform Provider. Test Platform Providers may decide to develop/run Test Platform for testing all or part of the 3DS Components: • 3DS SDK (Default-SDK or Split-SDK variants) • 3DS Server • Directory Server (DS) • Access Control Server (ACS) 1.2 Audience This document is intended for qualified parties who are willing to develop and host 3DS Test Platform. It is also made available to the 3DS Laboratories. 1.3 Normative Reference Ref. [PCF 3DS] [SDK 3DS] [SPLIT 3DS] [DEV 3DS] [VER 3DS] [SB 3DS] Table 1.1: 3-D Secure Specifications Document Title EMV® 3-D Secure Protocol and Core Functions Specification EMV® 3-D Secure SDK Specification EMV® 3-D Secure Split-SDK Specification EMV® 3-D Secure SDK Device Information EMV® 3DS Version Number Management - Protocol Version 2.3.0 & above EMV® 3-D Secure Specification Bulletins (SB Bulletins) Version Latest Available per Protocol Version Latest Available per Protocol Version Latest Available All versions Latest Available All Distribution Publicly Available Publicly Available Publicly Available Publicly Available Publicly Available Publicly Available © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 2 / 55 Ref. [SB 3DS 255] Document Title EMV® 3-D Secure Specification Bulletins 255 – 3DS Specification Version Configuration Version Latest Available Distribution Publicly Available Table 1.2: 3-D Secure Approval Documents Ref. [AP 3DS] [TC 3DS] [SUT REQ] [HARNES] [TP ACR] TPP_REQ Document Title EMV® 3-D Secure Approval Administrative Process EMV® 3-D Secure Test Suite (which includes EMV® 3-D Secure Test Plan) Test Requirements - for all Systems Under Test - for ACS as System Under Test - for 3DS Default-SDK and Split-SDK as System Under Test - for DS as System Under Test - for 3DS Server as System Under Test Test Harness for Split-SDK as System Under Test EMV® 3-D Secure - Test Platform Provider Recognition and Test Platform Qualification Process Additional test requirements for Test Platform Providers Version Latest Available Latest Available per Protocol Version Last Applicable version Last Applicable version Latest Available Latest Available [CM 3DS] [Lab Recog Req] [AB 3DS 04] EMV® 3-D Secure - Change Management and Notification Process EMV® 3-D Secure Approval— Laboratory Recognition Requirements EMV® 3-D Secure Approval Bulletin n°4 – 3-D Secure Test Platform Fees and Invoicing Process Latest Available Latest Available Latest Available Distribution Publicly Available Restricted to Laboratories and Test Platform Providers Publicly Available Publicly Available Publicly Available Restricted to Laboratories and Test Platform Providers Restricted to Laboratories and Test Platform Providers Publicly Available Restricted to Test Platform Providers © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 3 / 55 Ref. [AB 3DS 19] [AB 3DS] [APP COMS] Document Title EMV® 3-D Secure Approval Bulletin n°19 – Selectable EMV® 3-D Secure Specification Versions During an Approval EMV® 3-D Secure Application Bulletins (AB Bulletins) EMV® 3-D Secure Approval Communications Test Document License Agreement Test Platform Provider Agreement Version Latest Available All All Latest Available Latest Available Distribution Publicly Available Publicly Available Restricted to Test Platform Providers Restricted to Test Platform Providers Restricted to Test Platform Providers Ref. [ICS 3DS] Ref. [ISO17025] Table 1.3: 3-D Secure Test Platform Forms Document Title 3-D Secure - Implementation Conformance Statement 3-D Secure Report Template Version Latest Available Distribution Publicly Available Latest Available Restricted to Laboratories and Test Platform Providers Table 1.4: External References Document Title Version Distribution ISO/IEC 17025—General requirements for the competence of testing and calibration laboratories Latest Available Publicly Available [ISO27001] ISO/IEC 27001 Security techniques / Information security management systems Requirements Latest Available Publicly Available [SSAE18] AICPA Statement on Standards for Attestation Engagements no. 18 Latest Available Publicly Available © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 1.4 Definitions Table 1.5 defines selected terms used in this document. Page 4 / 55 Term 3DS Approval Bulletin 3DS Approval Communication 3DS Component Recognition Active/Activation Active Protocol Approval Compliance Compliance Testing EMVCo Table 1.5: Definitions Definition Public notification released to communicate updates to the 3-D Secure Approval Process (Test Plan activation date or process updates). Restricted notification released to communicate to the Laboratories and/or Test Platform Providers updates to the 3-D Secure Approval Process (Test Plan activation dates, test case or Test Platform issues, testing guidelines, or process updates). A 3-D Secure Component that will be approved. There are four 3DS components: • 3DS SDK (Default-SDK or Split-SDK variants) • 3DS Server • Directory Server (DS) Access Control Server (ACS) Formal recognition by EMVCo that a Test Laboratory or a Test Platform Provider is competent to carry out specific functions as defined by EMV 3-D Secure approval procedures. Refers to the condition that a Protocol Version, Test Plan version or a specific Test Plan Implementation is deployed on an EMVCo Recognised Test Platform and becomes available for Product Provider to execute. The list of the active Protocol Versions is provided in the latest 3DS Specification Bulletin 255 [SB 3DS 255]. Acknowledgment by EMVCo that the specified Product has demonstrated sufficient compliance to the EMV Specifications for its stated purpose. Meeting all requirements and any implemented optional requirements for a given specification. The execution by a Test Platform of a defined set of tests against requirements described in a specification to determine sufficient compliance with that specification. The organization that manages the EMV specifications and their related testing processes. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 EMVCo Recognised Laboratory (or Test Laboratory or Laboratory) EMVCo Recognised Test Platform Provider (or Test Platform Provider) EMVCo 3DS Approval Secretariat EMVCo 3DS Test Platform Provider Document Repository EMVCo Qualified Auditor EMVCo Qualified Test Platform Impartiality Inactive/Deactivation Incoming Test Plan Version Letter of Recognition Letter of Approval Page 5 / 55 An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with EMVCo 3DS Laboratory requirements and has received a Letter of Recognition from EMVCo entitling it to perform 3DS testing and test report validation. An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with EMVCo 3DS Test Platform Requirements and has received a Letter of Recognition from EMVCo, entitling it to provide 3DS Test Platform services. The EMVCo entity that manages the 3-D Secure Approval process defined in [AP 3DS] and related documents. A digital file repository, used for distributing material from EMVCo to Test Platform Providers, for example Test Plans. Currently referred to as Thrive. An independent, impartial entity that has received a Letter of Qualification from EMVCo, entitling it to verify conformance to EMV defined Approval procedures. A Test Platform for which the Test Platform Provider has received a Letter of Qualification from EMVCo. Freedom from conflicts of interest, from bias, from prejudice, neutrality, fairness, open-mindedness, even-handedness detachment and balance. Ability to ensure that conflict of interest do not exist or are resolved so as not to adversely influence the activities of the Laboratory. Refers to the condition that a Protocol Version, Test Plan version or a specific Test Plan Implementation is phased out on an EMVCo Recognised Test Platform and becomes unavailable for Product Provider to execute. Refers to the latest Test Plan to be activated or newly activated on the Test Platform. See also Outgoing Test Plan definition Written statement that confirms the formal recognition by EMVCo that a Test Laboratory or a Test Platform Provider has been audited and recognised by EMVCo to carry out specific functions as defined by EMVCo approval procedures. Written statement that documents the decision of EMVCo that a specified Product has demonstrated sufficient compliance to the applicable EMV specifications on the date of testing. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Letter of Qualification Letter of Revocation Licensee MANUAL_PP Migration Period Multi-Protocol Version Support Outgoing Test Plan Version Overlapping Period Pre-Compliance testing Product Product Provider Protocol Version Page 6 / 55 Written statement that documents the decision of EMVCo that a Test Platform has demonstrated sufficient compliance to support and operate EMVCo test plans and requirements. Written statement that documents the decision of EMVCo that a Test Platform is no longer an EMVCo qualified Test Platform and that the EMVCo’s Test Platform Provider Agreement is terminated. An entity that has executed a Test Document License Agreement with EMVCo. A test case requiring human verification with additional evidence provided by the Product Provider. Period where both a newer Protocol Version and an older Protocol Version are available for selection by the Product Provider to perform testing for Letter of Approval. EMVCo will determine a date when the older Protocol Version is no longer available for selection. After this date, the older protocol version can no longer be selected 3DS components are required to support all active Protocol Versions as defined in [PCF 3DS] Requirement 311 and in the latest 3DS Specification Bulletin 255 [SB 3DS 255]. This rule is applied in Compliance testing to include the highest Protocol Version selected and all lessor active Protocol Versions. Refers to the Test Plan version(s) to be deactivated on the Test Platform. See Incoming Test Plan definition. Period where both the Incoming and Outgoing Test Plans under a single Protocol Version are active and supported on the Test Platform. This period ends when the Outgoing Test Plan Version becomes Inactive. An approval process test phase where Product Providers can access the same defined set of Compliance tests allowing debug, analysis and review of the compliance with that specification. A 3-D Secure component submitted for approval Entity submitting a 3-D Secure component for Approval. Protocol Version defines the interoperability between the 3DS Secure components. Protocol Version format is MAJOR.MINOR.PATCH and it is defined in [VER 3DS]. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Qualification Qualification Reference Number Registration Number Selectable Protocol Specification Bulletin System Under Test Test Case Test Plan Test Plan Implementation Test Platform (or 3DS Test Platform) Test Platform Recognition Manager Test Platform Provider Test Script Test Suite Page 7 / 55 Process to obtain formal recognition by EMVCo that a Test Platform has sufficiently implemented the Test Cases for a particular EMVCo test Plan or type of EMVCo testing. A unique identification number that EMVCo assigns to a specific version of the Test Platform once that version of the Test Platform has been qualified. Unique identification number that EMVCo assigns to a Test Platform Provider, to be used on all communication and reports sent to EMVCo. The list of the selectable Protocol Versions for a 3DS approval is provided in [AB 3DS 19] Notification released to communicate updates to the EMV specifications. The 3-D Secure Component (may include hardware with identified Operating System) that is being evaluated for its compliance with EMVCo specification and for receipt of LOA A description of the actions required to achieve a specific test objective. Specification describing all Test Cases that have to be run to verify the compliance of a 3DS component to a version of 3DS Secure protocol and Core Functions Specification and 3DS Secure SDK Specification. Implementation of a Test Plan by a Test Platform Provider in its testing environment. An online test system that has been EMVCo recognised for 3DS testing. The Test Platform executes 3-D Secure test plans and test cases which SUTs use for 3DS compliance approval. An independent, impartial entity that has been selected by EMVCo to supervise the recognition of a Test Platform Provider and to conduct qualification evaluations. Entity developing and hosting the Test Platform, in accordance with EMV Test requirements. The implementation of an individual test case. The total collection of all test scripts that implement the individual test cases for a particular Test Plan version. The Test Suite also includes the documentation as well as the System Under Test Requirements. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 1.5 Notational Conventions 1.5.1 Abbreviations The abbreviations listed in Table 1.6 are used in this document. Abbreviation 3DS 3DSS DS ACS ICS LoA LoQ PP SDK SUT TPAM TPP Table 1.6: Abbreviations Description EMV 3-D Secure 3DS Server Directory Server Access Control Server Implementation Conformance Statement Letter of Approval Letter of Qualification Product Provider Software Development Kit System Under Test Test Platform Recognition Manager Test Platform Provider Page 8 / 55 1.5.2 Terminology and Conventions The following words are used often in these specifications and have a specific meaning: Shall Defines a Product or system capability which is mandatory. May Defines a Product or system capability which is optional or a statement which is informative only and is out of scope for these specifications. Should Defines a Product or system capability which is recommended. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 2 Roles and Responsibilities Page 9 / 55 2.1 EMVCo EMVCo responsibilities include the following: • Owns, defines, and maintains the EMV specifications, • Owns, defines, and maintains test cases appropriate to test Products developed to EMV specifications, • Communicates any specification or test cases updates and their effective dates, • Defines Test Platform Provider recognition requirements, • Determines whether a Test Platform Provider should be granted EMVCo recognition, • Defines Test Platform qualification requirements, • Determines whether a Test Platform should be granted EMVCo qualification, • Defines Laboratory recognition requirements, • Recognise and Audit Laboratories that test Products against EMVCo test cases, • Notifies EMVCo Recognised Laboratories when a Test Platform has been qualified for a new version of the test cases including the new qualification reference number of the Test Platform, • Notifies EMVCo Recognised Laboratories when a Test Platform Provider has been recognised, • Notifies EMVCo Recognised Laboratories when the recognition of a Test Platform Provider has been terminated, suspended, or revoked, • Maintains a list of EMVCo recognised Test Platform Providers on the EMVCo website including the version numbers of the 3DS Protocol Versions they are qualified to test, • Maintains a list of EMVCo Recognised 3DS Laboratories on the EMVCo website. 2.2 Test Platform Provider The Test Platform Provider shall: • Register with EMVCo, • Notify EMVCo of any change in contact information, • Satisfy all Test Platform Provider requirements in this document, • Satisfy Additional Test Requirements for Test Platform Providers as defined in [TC 3DS] and in [TPP_REQ], • Implement the EMVCo test cases and test cases updates defined in [TC 3DS], • Complete the Test Platform qualification processes defined by EMVCo in [TP ACR] to demonstrate that the test cases have been correctly implemented, © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 10 / 55 • Complete the Test Platform Provider recognition processes defined by EMVCo in [TP ACR] to demonstrate that it can provide Test Platform services, • Provide feedback on the specifications and test cases to EMVCo and confirm feasibility of the Effective Date of the test cases updates, • Notify EMVCo and all EMVCo Recognised Laboratories using the Test Platform of any changes made to the Test Plan Implementation beyond editorial fixes and typos, • Maintain a Change History Table of the modification made to the Test Platform and Test Plan Implementation, • Inform EMVCo of any issues found with its qualified tool after receiving a Letter of Qualification: o any issue that will affect the Test Platform Provider’s ability to offer services to Product Provider (for example outages, or performance/throughput issues), o any issue that would impact the quality and accuracy of the test results returned by the platform., o any issue that would impact Product Provider satisfaction with EMVCo’s 3DS Testing Program. • Comply with all conditions in the Letter of Qualification, the Letter of Recognition and the Test Document License Agreement, • Pay the applicable qualification fees and the support fees defined in the 3-D Secure Approval Bulletin 4 in accordance with the payment schedule described, • Make available to EMVCo auditor a copy of Test Platform Provider’s Test Platform terms and conditions. 2.3 EMVCo Recognised Laboratory The EMVCo Recognised Laboratory shall: • Register with EMVCo, • Have an established partnership with qualified 3DS Test Platform Provider(s), • Satisfy all Laboratory recognition requirements in [Lab Recog Req], • Complete the Laboratory recognition processes defined by EMVCo in [Lab Recog Req] to demonstrate that it can provide 3DS Laboratory services, • Support Product Provider during Pre-Compliance testing and review Pre-Compliance test report before a Product Provider switches to Compliance testing, • Report to EMVCo and Test Platform Provider functional issues found during PreCompliance and/or Compliance test sessions, • Validate ICS and Compliance test report before submitting it to EMVCo upon instruction from the Product Provider, • Comply with all conditions in the Letter of Recognition and the Test Document License Agreement, • Pay the applicable qualification fees and the support fees defined in the 3-D Secure Approval Bulletin 3 in accordance with the payment schedule described. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 11 / 55 3 3DS Test Platform and Test Platform Provider Requirements This section describes Test Platform and Test Platform Provider requirements. It includes business, development, security, operational, maintenance and administrative requirements. Note: If a Test Platform Provider delegates to a Laboratory the management of the interface to the Test Platform services by the Product Providers, the split of the responsibilities between the Laboratory and the Test Platform Provider shall be clearly described, documented and agreed by both parties. Further details are defined in the 3DS Admin Process section 3.2.1. 3.1 Business Requirements This section describes the business requirements for a Test Platform Provider. 3.1.1 Partnership The Test Platform Provider shall partner with either: • an EMVCo Recognised Laboratory, • or a Laboratory in the process of EMVCo recognition in order to apply to EMVCo for recognition of a 3DS Test Platform. 3.1.2 Financial The Test Platform Provider shall conduct business in a manner that is consistent with the highest ethical standards and with practices that minimize risk. The Test Platform Provider may be subject to a due diligence review, with the primary focus of identifying and mitigating potential financial and goodwill risks. 1. The Test Platform Provider shall have a sound financial basis and be a part of a stable organization. 2. The Test Platform Provider shall adhere to ethical business standards and practices. 3. The Test Platform Provider shall have no financial dependencies on any Product Provider for which testing, or validation is being performed other than the Product Provider’s payment for the service provided. • The Test Platform Provider shall have no financial dependencies on any EMVCo member with regards to performance of any EMV activity unless permitted in writing by EMVCo. 4. The Test Platform Provider shall not have any fraudulent or criminal history. 3.1.3 1. Legal Entity The Test Platform Provider shall be recognised as a legal entity and shall be (or shall be part of) an organization that is registered as a tax-paying business or as having a tax-exempt status or as a legal entity in some form with a national body or a governmental agency or entity. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 12 / 55 2. The Test Platform Provider shall be able to sign and abide by all EMVCo legal agreements applicable for 3DS Test Platform Providers, including EMVCo Test Document License Agreement and Test Platform Provider Agreement. 3.1.4 1. 2. 3. 4. Public Communications and Test Results The Test Platform Provider agrees to abide by EMVCo’s policy that a test performed by any EMVCo qualified Test Platform is acceptable for EMVCo 3-D Secure Approval and shall make no claims to the contrary in its marketing material. The Test Platform Provider shall not, under any circumstances, communicate nor disclose to any third party, including to a Product Provider, that the Product Provider’s Product has or has not been approved by EMVCo. EMVCo, not the Test Platform Provider, shall be the final party to determine whether a particular Product conforms to the EMV specifications. The Test Platform Provider shall comply with the conditions detailed in the Test Platform Letter of Qualification, the Test Platform Provider Letter of Recognition and the Test Document License Agreement about public communications / advertising / marketing. The Test Platform Provider shall prominently state the 3DS Protocol Version of the 3DS components the Test Platform supports. 3.1.5 Independence The Test Platform Provider shall be able to demonstrate independence from the Products under test and from the party involved in the design or manufacturing of the Product under test: 1. The Test Platform Provider shall receive communication and direction related to 3-D Secure Approval Processes only from EMVCo. 2. The Test Platform Provider shall not be a 3DS Product Provider or shall not be owned by a Product Provider involved in the creation of a 3DS Product. 3. The Test Platform Provider shall not perform EMV 3DS Approval Testing on a Product that it has been involved in designing or in which it or its affiliates has any ownership or vested interest, except that it may provide quality assurance testing (debug sessions) prior to the Product Provider submitting the Product for official EMV 3DS Approval Testing. 4. Test Platform Provider shall not direct, require, recommend, suggest, advise or otherwise encourage a Product Provider to use any particular Product design, solution or concept or otherwise assist a Product Provider in the development of a Product. 5. Test Platform Provider shall conduct all activities in a manner as to not show partiality or provide for outside influence on test and evaluation processes, including without limitation by not performing Functional Evaluations on any Product in which it also has any ownership or vested interest. 6. Test Platform Provider shall not perform EMV 3DS Approval Testing activities on any Products for which Test Platform Provider personnel are also performing design activities, including without limitation by not designing, developing original documentation for, or building, coding or implementing any part of the Product to be tested. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 13 / 55 3.1.6 Impartiality The Test Platform Provider shall be able to demonstrate impartiality in test case analysis methodology and review. 1. The Test Platform Provider management shall be committed to impartiality. 2. The Test Platform Provider activities are structured and managed to safeguard impartiality and avoid conflict of interest. 3. The Test Platform Provider shall identify risks to its impartiality on an ongoing basis. 4. If a risk to impartiality is identified, the Test Platform Provider shall be able to demonstrate how it eliminates or minimizes such risk. 3.1.7 Confidentiality The Test Platform Provider shall ensure the protection of its customers' confidential information and proprietary rights, including protecting the electronic storage and transmission of results. 1. The Test Platform Provider shall hold in strict confidence any confidential information received from EMVCo, Laboratories, Product Providers. Confidential documents shall be stored according to their confidentiality level. The Test Platform Provider is responsible for asking authorization to the Product Provider before releasing any confidential information to EMVCo. When a Product Provider grants permission to the Test Platform Provider to release classified information to EMVCo, this information may be released only to EMVCo. The EMVCo 3-D Secure Approval Secretariat will release the information to appropriate working group members within EMVCo. 2. When the Test Platform Provider is required by law or authorized by contractual arrangements to release confidential information, the customer or individual concerned shall, unless prohibited by law, be notified of the information provided. 3. Information about the customer obtained from sources other than the customer (e.g. complainant, regulators) shall be confidential between the customer and the Test Platform Provider. The provider (source) of this information shall be confidential to the Test Platform Provider and shall not be shared with the customer, unless agreed by the source. 4. Personnel, including any committee members, contractors, personnel of external bodies, or individuals acting on the Test Platform Provider's behalf, shall keep confidential all information obtained or created during the performance of Test Platform Provider activities, except as required by law 3.1.8 Business Coverage The Test Platform Provider shall be able to demonstrate its capability of doing business worldwide, with one or multiple physical locations. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 14 / 55 3.1.9 Not Transferrable The Test Platform Provider shall inform the EMVCo 3-D Secure Approval Secretariat if the company name, ownership, legal entity status, address, or contact information changes from that which is stated on the Test Platform Provider’s Request for Registration, the Test Document License Agreement and the Test Platform Provider Agreement. Changes impacting company name, ownership, or legal status may require a new Test Document License Agreement and a new Test Platform Provider Agreement with EMVCo. Generally, Letters of Qualification and Letters of Recognition are not reissued when name changes are the result of corporate mergers or sales. Modifications to company addresses and contact information will be applied to the EMVCo website and to subsequent communication (e.g. notification of test cases updates, qualification notification, etc.). © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 3.2 Development Requirements Page 15 / 55 3.2.1 Architecture 1. The Test Platform shall be a web-based application that can be accessed by multiple 3DS Product Providers at the same time to test their 3DS Products. 2. It is strongly recommended that the Test Platform Engine software operates independent from the Test Plan implementation for a specific 3DS Protocol Version, and by doing so, changing a Test Script does not impact the Test Platform Engine itself. 3. The Test Platform shall support Test Plan Implementation for multiple 3DS protocol versions (see details in section 3.2.7) 4. A Test Platform Architecture description (systems overview of components that make up the Test Platform) shall be provided. Note: the 3DS platform infrastructure may be used and customized for other testing, as long as it does not interfere with EMVCo testing. Such customization is made under the responsibility of the Test Platform Provider and it may be reviewed during the qualification phase and audit. Test Platform Provider shall provide a description of the customization and evidence on why EMVCo testing is not impacted. If this document doesn’t exist, the customization may be reviewed during audit. 3.2.2 1. 2. 3. 4. Test Scripts Development Requirements The Test Platform Providers shall implement the Test Scripts associated to the Test Cases described in the active EMV 3DS Test Plans [TC 3DS]. The Test Platform Providers can select the 3DS Component(s) they want to support. The Test Platform Providers shall use the latest activated EMV 3DS Test Plans. For SDK-testing: a. The Test Platform Providers shall implement an interface to their platform allowing the Product Provider to upload additional images and/or video as evidence for manual visual validation for applicable test cases (MANUAL_PP). Test Platform shall make this evidence available to laboratory personnel for verification purposes. Test Platform shall track the history of the visual validation evidence attachment(s) for the period defined in section 3.7.4 and ensure material cannot be replaced after the laboratory review. b. The Test Platform Providers shall implement a mechanism allowing Laboratory personnel to visually validate SDK component UIs for the relevant SDK test cases. This includes the display of the reference UI and the SDK UI captured through the reference test application used for SDK component testing. If the SDK UI capturing is made through a video, Test Platform Provider shall offer a way to identify or isolate a specific frame in the video. The Test Platform Provider shall implement the 3DS Test Plan changes according to the schedule provided by EMVCo. 3.2.3 Harness and SUT Requirements 1. The Test Platform shall comply with the SUT Requirements [SUT REQ] for the supported 3DS Components. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 16 / 55 2. The Test Platform shall comply with the Test Harness for Split-SDK [HARNES] if it supports Split-SDK testing. 3.2.4 1. 2. Reference/Requestor Application The Test Platform Provider shall develop a reference/requestor application that may be used by the Default-SDK Product Provider to test their 3DS component. The Product Provider may update this reference/requestor application to align with the Product Provider’s SUT. For Split-SDK testing, the Test Client Agent development is under Product Provider responsibility. 3.2.5 1. 2. 3. 4. 5. Test Session and User Interface Requirements The Test Platform shall support self-service usage by Product Providers without assistance from the Test Platform Provider personnel. The Test Platform shall support help menu to provide assistance on the functionality of the testing application. The Product Provider shall be able to select the component and the supported Protocol Version for Pre-Compliance testing, which will remain in effect during Compliance testing. The Product Provider shall have the possibility to select test cases to run during PreCompliance testing. Before moving to Compliance testing, the Product Provider shall be reminded that the Product shall have obtained acceptable results for all applicable Test cases during PreCompliance, using the same version of their Product under test. During Compliance testing, the Test Platform shall automatically identify test cases applicable to the SUT based on o the selected 3DS Product Component, o the supported ICS options, o the 3DS Protocol Version selected by the Product Provider. 6. For Pass* management, Test Platform is suggested to continue testing even if Json schema validation of the PRes message sent by the System Under Test fails. 7. During Compliance testing, the Test Platform shall run, in an automated way and in single run, all the test cases of each test plan without interruption and/or manual operation (except for tests identified as MANUAL_PP where mandatory cardholder interaction or additional human verification-related evidence is required). There is no limit to the number of test plan executions as long as compliance is performed in a single run for the automated tests. 8. It may happen that a few test cases are failing during a Compliance test session. This can be due to but is not limited to network connectivity issues and this is not necessarily due to a defect of the Product being tested. For that reason, during Compliance Testing, it is authorized to re run test cases of the test session that have failed under the following conditions: o The number of failing test cases shall not exceed 2% of the total number of test cases in the test session (all applicable test cases across all test suites), © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 17 / 55 o The re-run shall be automated and part of the same test session (no interruption of the Compliance test session), except for the MANUAL_PP tests which can be (re)executed individually o A maximum of 2 retries per failing test case is authorized If the above conditions are not met, a new Compliance test session shall be run entirely. Note: A manual verification of the reason of the failure(s) shall be made by the Laboratory (with the help of the Test Platform Provider and the Product Provider) for all test cases that have been retried until successful outcome. The purpose is to ensure that the failure that triggered the retry can be justified and it is not hiding a Product defect. 9. During Compliance testing, the Test Platform shall execute the Test Scripts in a nonpredictable way by an SUT, no information, such as Test Case identifier, shall be provided to SUT to identify the Test Case under execution. 10. During Compliance testing, the Test Platform Provider shall offer the possibility to the Product Provider to configure the number of test cases that will be run at a time so that it can adapt this configuration to the performance of its SUT. 3.2.6 Public Key Infrastructure Management 1. The Test Platform shall ensure that secure links established between the System under Test and the Test Platform are as described in [PCF 3DS]. a) Test Platform shall use certificates signed by the Test Platform CA when the 3DS Server or ACS is the System Under Test. b) Test Platform shall provide DS with the option to use certificates signed by DS’s own CA or the Test Platform CA. c) Test Platform shall use certificates signed by a commercial CA when the SDK is the System Under Test. 2. For all the security functions, the Test Platform shall use the certificates that are generated by certificate authorities as described in [PCF 3DS]. 3.2.7 Test Plan Selection The 3DS Test Platform shall support more than one version of a test plan which can be for the same or different 3DS Protocol Versions or for a Message Extension. In addition, regression test plans shall also be supported. Regression testing here refers to subset of test cases from other test plans. Examples are described below. 3.2.7.1 Test Plan Identification 3DS test plans are identified by four-digit test plan version number (2.N.M.x) where • 2 = 3DS protocol specification major version • N = specification minor version • M = specification patch version • x = Test Plan version for Protocol Version 2.N.M 3DS Protocol Versions are identified by the first three digits (2.N.M). © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 18 / 55 3DS Test Plan versions are identified by the four digits (2.N.M.x). For Message Extensions, the test plan naming convention follows four-digit version numbering (J.K.L.d), where • J = Major version number of the Message Extension • K = specification minor version • L = Major version of the Test Plan • d = Minor version of the Test Plan (editorial) Note: the 5th digit documents the implementation of the 3DS Test Plan on a Test Platform, see section 3.7.1, Software Configuration Management. 3.2.7.2 Regression Testing Regression test plan can be used: ▪ In case of product update, to test that the SUT global behaviour is not impacted by the implemented changes ▪ To optimize testing for products being re-approved For example, regression testing is performed when adding a new feature, such as Message Extension, to an already approved product. Regression test plan(s) are JSON files, delivered with the related test plans (eg. Message Extension) and consists of a selection of test cases to be executed from the Main Test Plan(s). Main Test Plan identification is defined in the section 3.2.7.1. The following two scenarios, as explained in Error! Reference source not found. and 3.2.7.2.2, are currently defined for regression testing, and further scenarios may be defined at EMVCo’s discretion. 3.2.7.2.1 All 3DS products re-approval This process applies to all 3DS products that have already obtained a 3DS LOA 2.2.0 or 2.3.1 for a given Operating System and are applying for re-approval for 3DS Protocol Version 2.3.1 for the same Operating System and same Implementation Conformance Statement (ICS) options before the expiration of the previous LOA (ICS of the new product shall be received before the expiration of the former product and OS version of the new product may be higher than the OS version of the expiring product). Table 3.1 indicates the application of Regression test list. This list includes all 2.2.0 test cases that shall be run during Pre-Compliance and Compliance test sessions. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 19 / 55 Table 3.1: Regression test list application in 3DS product re-approval Expiring product 2.2.0 or 2.3.1 New product 2.3.1 2.3.1 Testing Full Test Suite 2.2.0 Testing Regression test list 2.2.0 or 2.3.1 2.2.0 No previous Product No previous Product 2.3.1 (different options and/or features and/or OS) 2.2.0 2.2.0 Full Test Suite n/a n/a 2.3.1 Full Test Suite Full Test Suite Full Test Suite Full Test Suite Full Test Suite 3.2.7.2.2 Addition of the Testing against BME 2.0 after the approval of a 3DS Product If a Product Provider has an existing LOA, they may request additional testing to support BME 2.0. In this scenario, as illustrated in Table 3.2, BME 2.0 test plan is fully run for the selected BME 2.0 data sets (Test Plan covering BME features). Additionally, regression testing is executed using the regression test list which lists all 2.2.0 test cases that shall be run during the Pre-Compliance and Compliance test sessions. Table 3.2: Regression test list application in BME product approval SUT 3DS LOA BME 2.0 Test Plan without Test without BME Plan BME 3DS Regression testing LOA with supported BME options As Regression Test Plans are not stand-alone test plans but a selection of tests from main test plans, the rules defined in the following sections (where applicable) still apply. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 20 / 55 3.2.7.3 Single Protocol Version | Multiple Test Plans | Overlapping Period When a new version of a test plan and/or test plan implementation is released for a given 3DS 2.N.M. specification (i.e. for the same one specification), • An “overlapping period” occurs where the two Test Plan versions (2.N.M.x) and (2.N.M.x+1) coexist for the same Protocol Version 2.N.M are both running on the Test Platform. Note: An “overlapping period” can also occur - when two versions of Test Plan Implementation (such as 2.N.M.x.i and 2.N.M.x.i+1) coexist for the same test plan version (2.N.M.x) that are both running on the Test Platform. - when the specification patch version is incremented (such as 2.N.M.x and 2.N.M+1.x) and two versions of Test Plan Implementation for different patch version of the Protocol Version are both running on the Test Platform. For the purpose to ease the understanding, the rest of the document will depict and demonstrate “overlapping” using the scenario of both Test Plan Versions under same Protocol Version. • During an Overlapping Period o Only the new Test Plan version (2.N.M.x+1) shall be selectable by the Product Providers on its effective date for new or existing test projects in Pre-Compliance Testing phase on the Test Platform. Existing PreCompliance test projects shall restart testing with the new Test Plan Version (2.N.M.x+1). o The older Test Plan version (2.N.M.x) is only available for test projects in Compliance Testing phase where their ICS forms have already been submitted to EMVCo. Figure 3.1: Overlapping Period © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 21 / 55 3.2.7.4 Multiple Protocol Version | Multiple Test Plans | Migration Period When EMVCo releases a new Protocol Version of the 3DS specification (minor version N of the Protocol Version is incremented), • A “migration period” occurs where there are selectable Test Plans for more than one Protocol Version running on the Test Platform. • During a migration period, Product Providers can select the Protocol Version they want to test against. • EMVCo will announce the activation of a new Test Plan for a new Protocol Version and the end of a migration period if applicable (decommission date) and allow enough notice to Product Providers before making a test plan for the given Protocol Version non-selectable, and thus ending the migration period. Note: Update of the patch version of a Protocol Version is not considered as a new protocol as it relates to functional fixes or security updates. Consequently, when the patch version M of a Protocol Version is incremented, it is managed as an overlapping period and not as a migration period. Figure 3.2: Migration Period Note: An "Active Protocol" does not necessarily mean the Protocol Version is still selectable on the Test Platform. A Protocol Version may remain active but not selectable after the migration period for this Protocol Version. The deactivation of a Protocol Version will be announced by EMVCo. © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 22 / 55 3.2.8 Multi-Protocol Version Support The Test Platform shall run automatically all Test Plans of the "Active Protocols" that precede the Protocol Version selected by the Product Provider (The list of the “Active Protocols” is provided in [SB 3DS 255]. The Test Platform shall perform the testing of all Test Plans automatically and in a single run. Figure 3.3: Multi-Protocol Version Support 3.2.8.1 Example 1: Migration Period between 2 Selectable Protocols and Overlapping Period for 2 Test Plan Versions 3.2.8.1.1 Protocol Versions and Test Plans at T1 • T1 = Time Marker #1 • 2 active and Selectable Protocols (Migration Period) o Protocol Version 2.N.M is active and selectable o Protocol Version 2.N+1.M is active and selectable o Protocol Version 2.N+2.M and associated test plan is not yet active and is not selectable • 2 active Test Plan Versions (Overlapping Period) for 2.N.M Protocol Version o Test Plan Version 2.N.M.x is active but not selectable o Test Plan Version 2.N.M.x+1 is active and selectable • Other Test Plans for N+1 Protocol Version o Test Plan Version 2.N+1.M.y is active and selectable © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 23 / 55 3.2.8.1.2 Product Provider options at T1 • A Product Provider can decide to test its Product against Protocol Version 2.N.M. o Test plan 2.N.M.x+1 will automatically be selected by the Test Platform (except if ICS was submitted to EMVCo before activation of Test plan 2.N.M.x+1) • A Product Provider can decide to test its Product against Protocol Version 2.N+1.M. o Test plans 2.N+1.M.y and 2.N.M.x+1 (Multi-Protocol Version support testing) will automatically be selected by the Test Platform 3.2.8.2 Example 2: Migration Period between 3 Selectable Protocols and Overlapping Period for 2 Test Plan Versions 3.2.8.2.1 Protocol Versions and Test Plans at T2: • T2 = Time Marker #2 • 3 active and Selectable Protocols (Migration Periods) o Protocol Version 2.N.M is active and selectable o Protocol Version 2.N+1.M is active and selectable o Protocol Version 2.N+2.M is active and selectable • 2 active Test Plan Versions (Overlapping Period) for 2.N.M Protocol Version o Test Plan 2.N.M.x is active but not selectable o Test Plan 2.N.M.x+1 is active and selectable • Other Test Plans for N+1, and N+2 Protocol Versions o Test Plan 2.N+1.M.y is active and selectable o Test Plan 2.N+2.M.z is active and selectable 3.2.8.2.2 Product Provider options at T2: • A Product Provider can decide to test its Product against Protocol Version 2.N.M. o Test plan 2.N.M.x+1 will automatically be selected by the Test Platform (except if ICS was submitted to EMVCo before activation of Test plan 2.N.M.x+1) • A Product Provider can decide to test its Product against Protocol Version 2.N+1.M. o Test plans 2.N+1.M.y and 2.N.M.x+1 (Multi-Protocol Version support testing) will automatically be selected by the Test Platform • A Product Provider can decide to test its Product against Protocol Version 2.N+2.M. o Test plans 2.N+2.M.z, 2.N+1.M.y and 2.N.M.x+1 (Multi-Protocol Version support testing) will automatically be selected by the Test Platform © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 24 / 55 3.2.8.3 Example 3: Migration Period between 3 Selectable Protocols and no Overlapping Period 3.2.8.3.1 Protocol Versions and Test Plans at T3: • T3 = Time Marker #3 • 3 active and Selectable Protocols (Migration Periods) o Protocol Version 2.N.M is active and selectable o Protocol Version 2.N+1.M is active and selectable o Protocol Version 2.N+2.M is active and selectable • 3 active Test Plan Versions (No Overlapping Period) o Test Plan 2.N.M.x is not active and not selectable o Test Plan 2.N.M.x+1 is active and selectable o Test Plan 2.N+1.M.y is active and selectable o Test Plan 2.N+2.M.z is active and selectable 3.2.8.3.2 Product Provider options at T3: • A Product Provider can decide to test its Product against Protocol Version 2.N.M. o Test plan 2.N.M.x+1 will automatically be selected by the Test Platform • A Product Provider can decide to test its Product against Protocol Version 2.N+1.M. o Test plans 2.N+1.M.y and 2.N.M.x+1 (Multi-Protocol Version support testing) will automatically be selected by the Test Platform • A Product Provider can decide to test its Product against Protocol Version 2.N+2.M. o Test plans 2.N+2.M.z, 2.N+1.M.y and 2.N.M.x+1 (Multi-Protocol Version support testing) will automatically be selected by the Test Platform 3.2.8.4 Example 4: Migration Period between 2 Selectable Protocols and no Overlapping Period 3.2.8.4.1 Protocol Versions and Test Plans at T4: • T4 = Time Marker #4 • 2 active and Selectable Protocols (Migration Period) o Protocol Version 2.N.M is active but not selectable o Protocol Version 2.N+1.M is active and selectable o Protocol Version 2.N+2.M is active and selectable • 3 active Test Plan Versions (No Overlapping Period) o 2.N.M.x+1 is active but not selectable o Test Plan 2.N+1.M.y is active and selectable o Test Plan 2.N+2.M.z is active and selectable © 2019-2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Test Platform Requirements v1.4 Page 25 / 55 3.2.8.4.2 Product Provider options at T4: • A Product Provider cannot decide to test its Product against Protocol Version 2.N.M. • A Product Provider can decide to test its Product against Protocol Version 2.N+1.M. o Test plans 2.N+1.M.y and 2.N.M.x+1 (Multi-Protocol Version support testing) will automatically be selected by the Test Platform • A Product Provider can decide to test its Product against Protocol Version 2.N+2.M. o Test plans 2.N+2.M.z, 2.N+1.M.y and 2.N.M.x+1 (Multi-Protocol Version support testing) will automatically be selected by the Test Platform 3.2.8.5 Example 5: T5 – No Migration Period and no Overlapping Period 3.2.8.5.1 Protocol Versions and Test Plans at T5: • T5 = Time Marker #5 • 1 active and Selectable Protocol (No Migration Period) o Protocol Version 2.N.M i