PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.
View on EMVCo.com →

EMV® 3-D Secure Approval Administrative Process

v1.6 Type Approval Process
3-D Secure
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

This document is large; EMVCo's index truncates its extracted text, so the excerpt below is partial.

EMV® 3-D Secure Approval Administrative Process Version 1.6 May 2026 © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page ii / vii Legal Notice This document is subject to change by EMVCo at any time. This document does not create any binding obligations upon EMVCo or any third party regarding the subject matter of this document, which obligations will exist, if at all, only to the extent set forth in separate written agreements executed by EMVCo or such third parties. In the absence of such a written agreement, no product provider, test laboratory or any other third party should rely on this document, and EMVCo shall not be liable for any such reliance. No product provider, test laboratory or other third party may refer to a product, service or facility as EMVCo approved, in form or in substance, nor otherwise state or imply that EMVCo (or any agent of EMVCo) has in whole or part approved a product provider, test laboratory or other third party or its products, services, or facilities, except to the extent and subject to the terms, conditions and restrictions expressly set forth in a written agreement with EMVCo, or in an approval letter, compliance certificate or similar document issued by EMVCo. All other references to EMVCo approval are strictly prohibited by EMVCo. Under no circumstances should EMVCo approvals, when granted, be construed to imply any endorsement or warranty regarding the security, functionality, quality, or performance of any particular product or service, and no party shall state or imply anything to the contrary. EMVCo specifically disclaims any and all representations and warranties with respect to products that have received evaluations or approvals, and to the evaluation process generally, including, without limitation, any implied warranties of merchantability, fitness for purpose or noninfringement. All warranties, rights and remedies relating to products and services that have undergone evaluation by EMVCo are provided solely by the parties selling or otherwise providing such products or services, and not by EMVCo, and EMVCo will have no liability whatsoever in connection with such products and services. This document is provided "AS IS" without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in this document. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT, AS TO THIS DOCUMENT. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to this document. EMVCo undertakes no responsibility to determine whether any implementation of this document may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of this document should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, this document may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement this document is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party's infringement of any intellectual property rights in connection with this document. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page iii / vii Revision Log – Version 1.6 The following changes have been made to the document since the publication of Version 1.5. Some of the numbering and cross references in this version have been updated to reflect changes introduced by the published bulletins. The numbering of existing requirements did not change, unless explicitly stated otherwise. Incorporated changes described in the following Specification Updates: • None Other editorial changes: • Section 7.4.3 updated to allow Test Client Agent to be provided either by Product Provider or Test Platform Provider. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page iv / vii Contents 1 Introduction ................................................................................................................... 1 1.1 Audience ................................................................................................................ 1 1.2 Normative References ............................................................................................ 2 1.3 Definitions .............................................................................................................. 5 1.4 Notational Conventions ........................................................................................ 10 2 Approval Overview...................................................................................................... 11 2.1 Scope of 3-D Secure Approval ............................................................................. 11 2.2 Protocol Version Selection.................................................................................... 11 2.3 3-D Secure Approval Test Environment................................................................ 12 2.4 Structure of the Approval Process ........................................................................ 13 2.5 Implementation Conformance Statement (ICS) Submission Rules ....................... 15 2.6 EMVCo Approval Fee Structure............................................................................ 17 3 Roles and Responsibilities......................................................................................... 18 3.1 EMVCo 3DS Approval Secretariat ........................................................................ 18 3.2 Test Laboratory .................................................................................................... 18 3.3 Test Platform Provider .......................................................................................... 19 3.4 3DS Component Product Provider........................................................................ 19 3.5 EMVCo................................................................................................................. 19 4 Approval Procedure .................................................................................................... 20 4.1 Product Provider Registration ............................................................................... 21 4.2 Product Provider and Test Platform Services ....................................................... 21 4.3 Product Provider and Test Laboratory Operations ................................................ 22 4.4 Product Provider Preparation for Approval Request ............................................. 26 4.5 Letter of Approval Request Package .................................................................... 26 4.6 EMVCo Review and Approval .............................................................................. 27 4.7 Approval with Conditions ...................................................................................... 28 4.8 Expiration of a Letter of Approval and Re-Approval .............................................. 28 5 Test Plan Updates and New Protocol Version .......................................................... 30 5.1 Test Plan Version Numbering in Specification Related Updates ........................... 30 5.2 Test Plan Updates with existing 3DS Protocol Version ......................................... 31 5.3 New 3DS Protocol Version Release ..................................................................... 32 5.4 Multiple Protocol Version Support......................................................................... 32 © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page v / vii 6 Change Management .................................................................................................. 33 6.1 Product Changes.................................................................................................. 33 6.2 Bridging Message Extension Testing on an Approved 3DS Product ..................... 34 6.3 Change in Corporate Identity or Contact Information ............................................ 35 6.4 Re-Issuance of LOA ............................................................................................. 36 7 Appendix...................................................................................................................... 37 7.1 Registration Page ................................................................................................. 37 7.2 Product Provider Forms........................................................................................ 37 7.3 How to Contact EMVCo........................................................................................ 37 7.4 Test Applications .................................................................................................. 37 7.5 SUT Requirements and Harness .......................................................................... 38 7.6 Examples of Minor and Major Changes ................................................................ 38 © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page vi / vii Figures Figure 2.1: 3-D Secure Testing Architecture........................................................................ 12 Figure 2.2: 3DS Approval Process Overview ...................................................................... 13 Figure 4.1: 3DS Component Product Approval Procedure .................................................. 20 Figure 5.1: Overlapping Period .......................................................................................... 31 Figure 5.2: Migration Period ............................................................................................... 32 © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page vii / vii Tables Table 1.1: Normative References.......................................................................................... 2 Table 1.2: EMV 3-D Secure Specifications............................................................................ 2 Table 1.3: EMV 3-D Secure Approval Documents................................................................. 3 Table 1.4: EMV 3-D Secure Approval Forms ........................................................................ 4 Table 1.5: Definitions ............................................................................................................ 5 Table 1.6: Abbreviations ..................................................................................................... 10 Table 5.1: Test Plan Version structure ................................................................................ 30 © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 1 / 39 1 Introduction The EMV® 3-D Secure authentication protocol is based on a three-domain model where the Acquirer Domain and Issuer Domain are connected by the Interoperability Domain for the purpose of authenticating a Cardholder during an electronic commerce (e-commerce) transaction or to provide identity verification and account confirmation. 3DS Specifications are owned and managed by EMVCo and are used by third-parties to develop Products based on this protocol. EMVCo is also responsible for the testing and approval (via recognised Test Platform Providers and Test Laboratories) of all third-party component Products developed for the various 3-D Secure programs to ensure compliance with the specification(s). The EMV 3-D Secure Testing and Approval Process is a comprehensive program for 3-D Secure Component Products that includes: • Registration • Pre-Compliance testing • Compliance testing • Approval A list of all approved 3-D Secure Component Products is maintained by EMVCo on EMVCo’s website. This EMV 3-D Secure Approval - Administrative Process, describes the 3-D Secure Approval process and also describes the forms to be completed by all parties involved in the process. Forms are available on EMVCo website. 1.1 Audience The target audience for this document is: • 3-D Secure Component Product Providers delivering one or more of the following components: o 3DS SDK (Default-SDK, Split-SDK variants) o 3DS Server o Directory Server (DS) o Access Control Server (ACS) • Test Platform Provider • Test Laboratories recognised to validate the Compliance testing results © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 1.2 Normative References Page 2 / 39 Table 1.1: Normative References Reference [ISO 9001/2] Document Title ISO 9001/2 - Quality Assurance Requirements Version 2nd edition [ISO10011] ISO 10011 - Guidelines for Auditing Quality Systems — 1993 Part 1: Auditing [ISO Guide 2] ISO/IEC Guide 2 - General Terms and Their Definitions 6th edition Concerning Standardisation and Related Activities [ISO17025] ISO/IEC 17025 - General Criteria for the Operation of Testing Laboratories/General Requirements for the Competence of Testing and Calibration Laboratories Latest version [ISO27001] ISO/IEC 27001 - Information security management systems Requirements Latest version Table 1.2: EMV 3-D Secure Specifications Reference Publication Name Version [PCF 3DS] EMV 3-D Secure Protocol and Core Functions All active versions Specifications [SDK 3DS] EMV 3-D Secure SDK Specifications All active versions [SPLIT SDK] EMV 3-D Split-SDK Specification All active versions [DEV 3DS] EMV 3-D Secure SDK Device Information All active versions [3DS BME] EMV 3-D Secure Bridging Message Extension 2.0 or higher [VER 3DS] EMV 3DS Version Number Management - Protocol Latest version Version 2.3.0 & above [SB 3DS] All EMV 3-D Secure applicable Specification Bulletins Latest version [SB 3DS 255] EMV 3-D Secure Specification Bulletin 255 – 3DS Latest version Specification Version Configuration [FAQ 3DS] EMV 3DS – Testing FAQ Latest version © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Table 1.3: EMV 3-D Secure Approval Documents Page 3 / 39 Reference Publication Name Version Distribution [LAB 3DS] EMV 3-D Secure Approval - Laboratory Last Available Recognition Requirements Publicly Available [TP 3DS] EMV 3-D Secure Approval – Test Last Available Platform Requirements Publicly Available [TP ACC] EMV 3-D Secure - Test Platform Last Available Provider Recognition and Test Platform Qualification Process Publicly Available [TC 3DS] EMV 3-D Secure Test Plan Latest Available Restricted to per Protocol Laboratories and Version Test Platform Providers MAN ICS EMV 3-D Secure Approval - ICS Form - Last Available Instruction Manual Publicly Available [SUT REQ] Test Requirements Last Available - for all Systems Under Test - for ACS as System Under Test - for 3DS Default-SDK and SplitSDK as System Under Test - for DS as System Under Test - for 3DS Server as System Under Test Publicly Available [HARNES] Test Harness for Split-SDK as System Last Available Under Test Publicly Available [AB01 3DS] EMV 3-D Secure Approval Bulletin n°1 Last Available – 3-D Secure Approval Fees Publicly Available [AB19 3DS] EMV 3-D Secure Approval Bulletin n°19 Last Available – Selectable EMV® 3-D Secure Protocol Versions During an Approval Publicly Available [AB20 3DS] EMV 3-D Secure Approval Bulletin n°20 Last Available – LOA Reference Numbers Publicly Available [AB 3DS] All EMV 3-D Secure applicable Last Available Approval Bulletins Publicly Available © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Table 1.4: EMV 3-D Secure Approval Forms Page 4 / 39 Reference Publication Name [REG 3DS] 3-D Secure – Product Provider Registration Form [ICS 3DS] [RFA 3DS] 3-D Secure - Implementation Conformance Statement 3-D Secure – Request for Approval Version Web form on EMVCo website Latest Available Latest Available © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 1.3 Definitions The following terms are used in these specifications: Page 5 / 39 Table 1.5: Definitions Term Definition 3DS Approval Bulletin Public notification released to communicate updates to the 3-D Secure Approval Process (Test Plan activation date or process updates). 3DS Approval Communication Restricted notification released to communicate to the Laboratories and/or Test Platform Providers updates to the 3-D Secure Approval Process (Test Plan activation dates, Test Case or Test Platform issues, testing guidelines, or process updates). 3DS Component Recognition A 3-D Secure Component that will be approved. There are four 3DS components (A.k.a. Product): • 3DS SDK (Default-SDK or Split-SDK variants) • 3DS Server • Directory Server (DS) • Access Control Server (ACS) Formal recognition by EMVCo that an auditor or Test Laboratory or Test Platform Provider is competent to carry out specific functions as defined by EMVCo 3-D Secure approval procedures. Active/Activation Refers to the condition that a Protocol Version, Test Plan version or a specific Test Plan Implementation is deployed on an EMVCo Recognised Test Platform and becomes available for Product Provider to execute. Active Protocol The list of the active Protocol Versions is provided in the latest 3DS Specification Bulletin 255 [SB 3DS 255]. Approval Acknowledgment by EMVCo that the specified Product has demonstrated sufficient compliance to the EMV Specifications for its stated purpose. Compliance Meeting all requirements and any implemented optional requirements for a given specification. Compliance Testing The execution by a Test Platform of a defined set of tests against requirements described in a specification to determine sufficient compliance with that specification. EMVCo The organisation that manages the EMV Specifications and their related testing processes. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 6 / 39 Term Definition EMVCo Recognised Laboratory An independent, impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with EMVCo 3DS laboratory requirements and has received a Letter of Recognition from EMVCo, entitling it to perform 3DS testing and test report validation. EMVCo Recognised Test Platform Provider An independent impartial entity that has been audited by an EMVCo Qualified Auditor for compliance with EMVCo 3DS Test Platform Requirements and has received a Letter of Recognition from EMVCo entitling it to provide 3DS Test Platform services. EMVCo 3DS The EMVCo entity that manages the 3-D Secure Approval process Approval Secretariat defined in this document. Contact: 3ds_approval@emvco.com. EMVCo Qualified Auditor An independent, impartial entity that has received a Letter of Qualification from EMVCo, entitling it to verify conformance to EMV defined Approval procedures. EMVCo Qualified Test Platform A Test Platform for which the Test Platform Provider has received a Letter of Qualification from EMVCo. EMVCo 3DS Approval Contract Contract signed between EMVCo and the Product Provider before starting Pre-Compliance or Compliance testing. Functional Evaluation All Laboratory actions to perform the Pre-Compliance Testing review and Compliance Testing Report validation. Implementation Conformance Statement (ICS) Form completed by the Product Provider which identifies the protocol level supported and listing all optional functions as specified in the reference specifications supported by the component to be approved. ICS Reference Number Unique identification number assigned by EMVCo to an ICS approved by EMVCo. Inactive/Deactivation Date Refers to the condition that a Protocol Version, Test Plan version or a specific Test Plan Implementation is phased out on an EMVCo Recognised Test Platform and becomes unavailable for Product Provider to execute. Incoming Test Plan Version Refers to the latest Test Plan to be activated or newly activated on the Test Platform. See also Outgoing Test Plan definition International Organisation for Standardisation (ISO) An international body that provides standards for financial transactions and telecommunication messages. ISO works in conjunction with the International Telecommunication Union (ITU) for standards that affect telecommunications. ISO supports specific technical committees and work groups to promulgate and maintain financial service industry standards. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 7 / 39 Term Definition Laboratory or Test Laboratory A facility recognised by EMVCo to perform 3-D Secure Compliance Testing Report validation. Letter of Recognition Written statement that confirms the formal recognition by EMVCo that a Test Platform Provider or Test Laboratory has been audited and recognised by EMVCo to carry out specific functions as defined by EMVCo approval procedures. Letter of Approval Written statement that documents the decision of EMVCo that a specified Product component has demonstrated sufficient compliance to the EMV Specifications on the date of testing. Letter of Qualification Written statement that documents the decision of EMVCo that a Test Platform has demonstrated sufficient compliance to support and operate EMVCo test plans and requirements. Letter of Revocation Written statement that documents the decision of EMVCo that a Test Platform is no longer an EMVCo Qualified Test Platform and that the Test Platform Provider’s EMVCo Test Document License Agreement is terminated. Major Change A change to a Product Provider’s component or its functionality where the Product Provider can no longer attest that the modified component continues to comply with the EMV Specifications, unless otherwise specified by EMVCo. Migration Period Period where both a newer Protocol Version and an older Protocol Version are available for selection by the Product Provider to perform testing for a Letter of Approval. EMVCo determines the date when the older Protocol Version is no longer available for selection. After this date, the older Protocol Version can no longer be selected for approval testing. Minor Change A change to a Product Provider’s component or its functionality where the Product Provider can attest that the modified component continues to comply with the EMV Specifications, unless otherwise specified by EMVCo. Multi-Protocol Version Support 3DS components are required to support all active Protocol Versions as defined in [PCF 3DS] Requirement 311 and in the latest 3DS Specification Bulletin 255 [SB 3DS 255]. This rule is applied in Compliance testing to include the highest Protocol Version selected and all lessor active Protocol Versions. Outgoing Test Plan Version Refers to a Test Plan version to be deactivated on the Test Platform. See Incoming Test Plan definition Overlapping Period Period where both the Incoming and Outgoing Test Plan under a single Protocol Version are active and supported on the Test Platform. This period ends when the Outgoing Test Plan Version becomes inactive. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 8 / 39 Term Definition Pass Star (Pass*) Pass* are acceptable deviations for Test Cases for situations outside the Product Provider’s control. Pre-Compliance Testing An approval process test phase where Product Providers can access the same defined set of Compliance tests allowing debug, analysis and review of the compliance with that specification. Product A 3-D Secure Component submitted for approval. Product Provider Entity submitting a 3-D Secure component for approval. Protocol Version Protocol Version defines the interoperability between the 3DS Secure components. Protocol Version format is MAJOR.MINOR.PATCH and it is defined in [VER 3DS] Qualification Process to obtain formal recognition by EMVCo that a Test Platform has sufficiently implemented the Test Cases for a particular EMVCo Test Plan or type of EMVCo testing. Registration Number A unique identification number assigned by EMVCo to a Product Provider. Request for Approval A form completed by the Product Provider that accompanies a 3-D Secure Component Compliance Testing report submission to EMVCo for approval. Selectable Protocol The list of the selectable Protocol Versions for a 3DS approval is provided in [AB 3DS 19] Specification Bulletin Notification released to communicate updates to the EMV specifications. System Under Test (SUT) The 3-D Secure Component (may include hardware with identified Operating System) that is being evaluated for its compliance with EMVCo specification and for receipt of LOA. Test Any activity that aims at verifying the compliance of a selected Product or process to a given requirement under a given set of conditions. Test Case A description of the actions required to achieve a specific test objective. Test Case Bulletin Notification released to communicate updates to the EMV Test Plan. Test Script The implementation of an individual Test Case. Test Plan Specification describing all Test Cases that have to be run to verify the compliance of a 3DS component to a version of 3DS Secure protocol and Core Functions Specification and 3DS Secure SDK Specification. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 9 / 39 Term Definition Test Plan The total collection of all test scripts that implement the individual Test Implementation (Test Cases for a particular Test Plan version. Suite) Test Platform (or 3DS An online test system that has been EMVCo recognised for 3DS Test Platform) testing. The Test Platform executes 3-D Secure test plans and test cases which SUTs use for 3DS compliance approval. Test Platform Provider Entity developing and hosting the Test Platform, in accordance with EMV Test requirements. Test Report A report created by a Test Laboratory that contains the results of Compliance Testing for a 3-D Secure Component. Testing Agreement Agreement(s) under which the Product Provider receives access to the Test Platform and Test Laboratory services. See Section 2.4.2 for more information. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 1.4 Notational Conventions 1.4.1 Abbreviations The abbreviations listed in Table 1.6 are used in this document. Abbreviation 3DS 3DSS ACS DS BME ICS LOA RFA SDK SUT TPP Table 1.6: Abbreviations Description EMV 3-D Secure 3DS Server Access Control Server Directory Server Bridging Message Extension Implementation Conformance Statement Letter Of Approval Request for Approval Software Development Kit System Under Test Test Platform Provider Page 10 / 39 1.4.2 Terminology and Conventions The following words are used often in these specifications and have a specific meaning: Shall Defines a product or system capability which is mandatory. May Defines a product or system capability which is optional or a statement which is informative only and is out of scope for these specifications. Should Defines a product or system capability which is recommended. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 11 / 39 2 Approval Overview EMV 3DS Approval is the process that tests a Product for compliance with the EMV 3-D Secure Specifications. The following sections identify the scope, purpose, structure, 3DS concept and the roles and responsibilities. 2.1 Scope of 3-D Secure Approval EMVCo testing comprises four components of the 3-D Secure environment: • 3DS SDK (Default-SDK or Split-SDK variants) • 3DS Server • Directory Server (DS) • Access Control Server (ACS) The 3DS SDK, 3DS Server, DS and ACS shall comply with the EMV 3-D Secure Protocol and Core Functions Specifications [PCF 3DS], Specification Bulletins [SB 3DS] and EMV® 3DS Testing FAQ – [FAQ 3DS]. In addition, 3DS SDK components shall comply with the EMV 3-D Secure SDK Specifications [SDK 3DS], the EMV 3-D Secure SDK-Device Information [DEV 3DS] and Specification Bulletins [SB 3DS]. Lastly the Split-SDK variants shall comply with the EMV 3-D Secure Split-SDK Specifications [SPLIT SDK] 2.2 Protocol Version Selection Several 3DS Protocol Versions may be active simultaneously. When this occurs, the Product Provider may select the Protocol Version against which its Product is tested and approved. The list of Selectable Protocol Versions is documented in the Approval Bulletin 019 [AB19 3DS]. The Product is ultimately tested against the selected Protocol Version and all previous active versions of the protocol (see the list of active Protocol Versions in the latest 3DS Specification Bulletin 255 [SB 3DS 255]). Please refer to section 5.3 in this document for details about the Protocol Version selection process and the options offered. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 12 / 39 2.3 3-D Secure Approval Test Environment 3DS components are remotely tested over the Internet using a 3-D Secure Test Platform. Some of these components may require specific Application Programming Interfaces to be developed in order to facilitate testing with the 3-D Secure Test Platform. Figure 2.1: 3-D Secure Testing Architecture © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 2.4 Structure of the Approval Process Figure 2.2: 3DS Approval Process Overview Page 13 / 39 © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 14 / 39 2.4.1 Product Provider Registration The 3-D Secure Component Product Providers shall first register with EMVCo. Registration is processed using the EMVCo website. Registration form data is automatically shared between EMVCo and the recognised Test Platform Providers and Laboratories. Product Provider Registration is required only once for the Component Product Provider, no matter the amount of Product approval requests submitted to EMVCo. Product Provider Registration, including the EMVCo 3DS Approval Contract signature by the Product Provider and EMVCo, is mandatory before Pre-Compliance or Compliance Testing can begin. 2.4.2 Testing Agreements The Product Provider is responsible for securing access to a Test Platform and the services of a Test Laboratory through one of the following options: • A Product Provider may execute a Testing Agreement with a Test Platform Provider for access to a Test Platform and a Testing Agreement with a Test Laboratory for laboratory services. The Test Platform Provider and Test Laboratory will maintain separate interfaces for the Product Provider to manage issues that the Product Provider may encounter during Pre-Compliance and Compliance Testing. • A Product Provider may execute a Testing Agreement with a Test Platform Provider for access to a Test Platform and a Testing Agreement with a Test Laboratory for laboratory services. The Test Laboratory will provide a single interface to Product Provider during Pre-Compliance and Compliance Testing that allows the management of issues that the Product Provider may encounter during Pre-Compliance and Compliance Testing. For this option, the Test Laboratory must have entered into a written agreement with the Test Platform Provider that allows the Test Laboratory to manage issues that Product Providers may encounter during Pre-Compliance and Compliance Testing with the Test Platform. • A Product Provider may execute a Testing Agreement with a Test Laboratory for both access to a Test Platform and laboratory services. For this option, the Test Laboratory must have entered into a written agreement with the Test Platform Provider that allows the Test Laboratory to offer Product Providers online access to the Test Platform and to manage issues that Product Providers may encounter during Pre-Compliance and Compliance Testing with the Test Platform. When the Testing Agreement for access to the Test Platform (which may be with either the Test Platform Provider or the Laboratory) is completed, the Product Provider will receive access credentials to connect their components to the Test Platform, where they may execute, and schedule tests for their components at their own discretion. 2.4.3 Pre-Compliance Testing The purpose of Pre-Compliance testing is to perform the 3DS Test Cases before Compliance Testing to ensure that a 3-D Secure Component is ready for Compliance Testing. PreCompliance can be used for Product debugging. Pre-Compliance Testing for a 3-D Secure Component is performed with an online self-service Test Platform which provides 3DS protocol test scenarios. Pre-Compliance Testing is mandatory to ensure that the System Under Test (SUT) is ready for Compliance Testing. Product Providers shall first successfully complete at minimum one round of Pre-Compliance Testing before starting the Compliance Testing on the same Product. All open issues or failures must be addressed. The final Pre-Compliance report shall be reviewed and validated by an EMVCo recognised Laboratory. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 15 / 39 2.4.4 Compliance Testing After the Laboratory confirms that the Product has met Pre-Compliance requirements, the Laboratory assists the Product Provider with ICS approval from EMVCo. After the ICS is submitted to EMVCo, the Product Provider can continue with Compliance Testing. The Compliance results are required to be validated by the Laboratory that will generate a Test Report for EMVCo review. No changes of or in the Product are permitted during Compliance Testing. If any change is required for any reason (failures, etc), a new full Compliance Testing shall be run. See section 4.3.3. for more details. 2.4.5 Approval When Compliance Testing is performed successfully, the Product Provider requests the approval of the Product(s) and at that time pays the corresponding fees for Approval to EMVCo. The Laboratory, on behalf of the Product Provider, then submits the Test Report to the EMVCo 3DS Approval Secretariat for review and subsequent approval. Upon successful review of the Test Report and payment of the fees, an LOA of the approved Product is issued and sent to the Product Provider. The approved Product is then listed on the EMVCo website. 2.5 Implementation Conformance Statement (ICS) Submission Rules 2.5.1 ICS Submission Overview The Implementation Conformance statement (ICS) is a pdf form that describes the technical information of the Product submitted for Approval. After completion, the ICS form shall be submitted to the EMVCo 3DS Approval Secretariat as described in section 4.3. The ICS form can be downloaded from the EMVCo website. Generate ICS Data ICS data can be generated by the Test Platform or manually entered directly in the ICS form (and imported in the Test Platform). When the Product Provider uses the Test Platform to generate the ICS data, then the Test Platform can automatically generate an XML ICS data input file that can be imported into the ICS form. Create ICS to be submitted to EMVCo 1. To import the XML file into the ICS PDF, the Product Provider shall: a. Open the ICS PDF b. Click the Import button on the top of the form’s first page c. Select the XML file previously created for import d. Save the completed ICS form © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 16 / 39 2. When the ICS is complete, it shall be submitted as such to the Laboratory for verification (the PDF shall be readable, and data can be extracted). The Product Provider shall confirm to the Laboratory that the data of the ICS is complete and correct. 3. The Laboratory verifies that the ICS is complete and coherent, and if correct, the Laboratory shall insert its digital signature on the last page of the form proving to EMVCo that the ICS is correctly filled and confirming that the Product Provider agreed it is the final appropriate one. After submission to EMVCo, the ICS rules described in sections 2.5.2 and 2.5.3 apply (Laboratory is responsible of the ICS correctness). 4. When signed, the Laboratory submits the ICS form to the EMVCo 3DS Approval Secretariat, as described in section 2.5.2. Note: An ICS Form – Instruction Manual [MAN ICS] provides detailed instructions on how to fill the ICS form Note: During an overlapping period (see section 5.2), the Test Platform Provider/Laboratory shall inform the Product Provider of the activation of the new version of Test Plan. 2.5.2 ICS Rules The following rules apply to ICS submission: • The submitted ICS must be the latest ICS version (PDF format) available on EMVCo website, capable of importing/exporting XML format and shall be digitally signed by the Laboratory at the time of submission to EMVCo. • The ICS may support optional features. The Product Provider selects the options supported by its Product. • Note: Approval will not be granted if the testing fails for test case(s) associated to option(s) selected in the ICS. For instance, if a Product Provider selects the testing of the optional functionalities defined in [3DS BME], all test cases related to [3DS BME] will have to pass to obtain a LOA for the Product. The Laboratory supplies the signed Product Provider ICS to EMVCo for approval. The Product Provider can start Compliance testing only after approval and signature of the ICS by EMVCo. • If EMVCo approves the ICS, EMVCo will issue a unique ICS number and digitally sign the ICS. EMVCo returns the ICS to the Laboratory. The Laboratory can share the approved ICS with the Product Provider. • If the ICS is filled incorrectly, a decline fee applies to the Laboratory. • An ICS is valid for 90 days from approval by EMVCo. 2.5.3 ICS Replacement The following rules apply to initial ICS submission: • ICS replacement applies to any change in the ICS made after the approval of the ICS by EMVCo. • After the start of a Compliance Testing session, ICS replacement (following rules of the previous bullet) is allowed only for an administrative information update (e.g., Product name or typo), and is not allowed for any functional information update (e.g., any software change that results in updated feature and new product version). © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 17 / 39 • One free ICS replacement is allowed during the ICS life cycle. The ICS life cycle starts when the ICS is submitted to EMVCo and finishes when the Product is approved or declined. Any subsequent ICS replacement request will be charged to the Product Provider. • Same rules described in section 2.5.2 apply (Laboratory submits the replacement ICS). • The Laboratory shall ensure that any ICS replacement is not made to hide a failure in the Product (such as deactivation of a function because this function is not working properly). • The ICS replacement is no longer allowed after the submission of the Test Report to EMVCo. • Replaced ICS will be verified and signed as initial one. The ICS Number remains the same as the initial number and is versioned due to the ICS Signature date change. Note: The ICS decline process applies to the initial ICS submission as well as to any other ICS replacement request(s) (charged or not charged to the Product Provider). Any error reported by EMVCo will be charged to the Laboratory, as the Laboratory is responsible for reviewing the Product Provider ICS, prior to its submission to EMVCo. Note: Any change that is made to a Product component that requires a new compilation and/or a new build shall result in a change in the ICS (at minimum, the version of the Product component shall change). 2.6 EMVCo Approval Fee Structure The following Product Providers fee structure applies: • Request for Approval (initial submission and change product submission), for: o 3DS SDK (Default-SDK or Split-SDK variant) o 3DS Server o Directory Server o Access Control Server • Adding the testing of Bridging Message Extension (BME) • Extension of an expiring LOA • ICS Replacement (starting at 2nd replacement) • LOA re-issuance (see section 6.3 for details) The following Laboratory fee structure applies: • Declined ICS/Report Note: The amount of each fee is published in 3DS Approval Bulletin 001 [AB01 3DS]. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 18 / 39 3 Roles and Responsibilities The following sections define the 3DS Approval Process participant’s roles and responsibilities. 3.1 EMVCo 3DS Approval Secretariat The EMVCo 3DS Approval Secretariat (3ds_approval@emvco.com) is responsible for managing approval and communicating status to third parties and for the administration and maintenance of an approval database. The main tasks of the EMVCo 3DS Approval Secretariat are: • Register Product Providers • Verify and approve ICS • Follow up Request For Approvals • Issue 3DS Product Letters of Approval • Maintain the Approved 3DS Products list • Answer queries and questions from Test Platform Providers and Test Laboratories regarding on-going approval sessions 3.2 Test Laboratory The Test Laboratory is an entity recognised by EMVCo to perform the review of the PreCompliance Testing results and the validation of the Compliance Testing results of 3DS Components. When recognised, a Laboratory Recognition Number is assigned to the Test Laboratory and the Laboratory is listed on the EMVCo website. The main tasks of the Test Laboratory are: • Manage their recognition & maintenance with EMVCo • Review the Pre-Compliance Testing results conducted by the Product Provider • Validate that the Implementation Conformance Statement (ICS) is complete and all sections and fields are consistent • Send the ICS to EMVCo on behalf of Product Provider • Validate the Compliance testing results conducted by the Product Provider • Issue the Test Report in an electronic format as defined by EMVCo • Send the Test Report to the EMVCo 3DS Secretariat on behalf of the Product Provider © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 19 / 39 3.3 Test Platform Provider The Test Platform Provider is the entity that manages the online Test Platform services used for Pre-Compliance Testing and for Compliance Testing. The main tasks of the Test Platform Provider are: • Manage their recognition & maintenance with EMVCo • Offer online access to their Test Platform to the Product Provider for Pre-Compliance and Compliance Testing • Manage the qualification of the Test Platform for the various supported Test Plans • Manage the issues that a Product Provider may encounter during Pre-Compliance and Compliance Testing with the Test Platform 3.4 3DS Component Product Provider The 3DS Component Product Provider is the entity responsible for submitting the 3DS components for approval, in compliance with approval procedures and for notifying EMVCo when changes are made to approved 3DS components. 3.5 EMVCo EMVCo defines approval requirements and evaluates operational results. EMVCo provides the following services: • Recognises organisations that perform audits to establish Test Laboratory recognition • Defines mandatory Test Laboratory recognition requirements and manages Test Laboratory recognition • Sets Test Laboratory audit time frame • Manages Test Laboratory appeals process and resolves recognition disputes • Determines the applicability of the EMV Specifications and associated EMV test plan and test requirements • Defines Test Platform requirements • Defines mandatory Test Platform qualification requirements and manages Test Platform qualification • Defines mandatory Test Platform Provider recognition requirements and manages Test Platform Provider recognition • Evaluates Test Report to determine if approval requests should be granted • Notifies the appropriate EMVCo working group of warranted specification corrections, clarifications, and enhancements that result from the conditional approval process • Evaluates failure complaints to determine if approval revocation is appropriate • Communicates approval status to the EMVCo 3DS Approval Secretariat for subsequent communication to all participating payment systems © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 20 / 39 4 Approval Procedure This section describes the Approval Procedure followed by 3DS Components Product Providers, Laboratories, and EMVCo. Note that Pre-Compliance Testing is not part of the formal approval procedure, as its purpose is for internal debugging/checking that is performed by the Component Product Provider. However, the Pre-Compliance Testing results shall be verified by the Test Laboratory prior to performing the Compliance Testing. Figure 4.1: 3DS Component Product Approval Procedure © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 21 / 39 4.1 Product Provider Registration Product Provider Registration provides the Component Product Provider with entry into the EMVCo approval process. 4.1.1 Registration Steps The registration process is composed of the following steps: • The Component Product Provider enters registration information on the EMVCo Registration Web page. • The Product Provider will receive a confirmation email from EMVCo 3DS Approval Secretariat with the following additional information: o Link to the EMVCo 3DS Approval Contract (DocuSign) o Appropriate contact information • The Product Provider shall sign the EMVCo Test Contract with DocuSign. • When the EMVCo 3DS Approval Contract is countersigned by the EMVCo 3DS Testing Group Chair, the EMVCo 3DS Approval Contract is sent back to the Product Provider by DocuSign. • A unique Registration Number is assigned to the Product Provider. This number is automatically shared by EMVCo with the Test Platform Provider. 4.1.2 Contract with EMVCo The Product Provider must execute the EMVCo defined 3DS Approval contract before performing any Pre-Compliance or Compliance Testing. This contract stipulates, amongst other provisions, the Product Provider’s acceptance of all specifications, procedures, terms and conditions governing EMV 3-D Secure Approval. The EMVCo 3DS Approval Contract is standard for all Product Providers to ensure consistent requirements for all participants. Contract customisation for individual Product Provider is not possible. 4.2 Product Provider and Test Platform Services The following operations shall be performed by the Product Provider and by the Test Platform Provider: The Product Provider can select any EMVCo 3DS recognised Test Platform for use in connection with its EMVCo Pre-Compliance and Compliance Testing as long as there is either a Test Platform Provider or Test Laboratory offering testing support for using the Test Platform with the Product Provider’s 3DS component. The Product Provider and the Test Platform Provider or Test Laboratory offering access to the Test Platform shall execute a Testing Agreement defining appropriate rights and obligations. At a minimum, the Testing Agreement shall contain the requirements listed in the section 4.2.1. Note: Product Providers may only select a Test Platform if the Test Platform Provider has entered into an agreement with the selected Laboratory. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 22 / 39 4.2.1 Agreement Requirements for Test Platform Services EMVCo requires that the Product Provider and the Test Platform Provider or Test Laboratory offering access to the Test Platform enter into an approval Testing Agreement that includes, at minimum, the following provisions: • Reference to the EMVCo 3DS Approval Contract between the Product Provider and EMVCo • Agreement of mutual cooperation in providing specific information and assistance • Lead time for the execution of the Compliance Testing • Arrangement for the preparation of System Under Test • Provisions for issue resolution (upon agreement between Test Platform Providers and Test Laboratories, issue resolution may be delegated to Test laboratories) 4.3 Product Provider and Test Laboratory Operations 4.3.1 Testing Steps The following operations shall be performed by the Product Provider and by the Test Laboratory: • The Product Provider can select any EMVCo 3DS recognised Test Laboratory that provides testing support for their 3DS component for the purpose of achieving EMV 3DS Compliance Testing. The Product Provider and Test Laboratory shall execute a Laboratory Testing Agreement defining appropriate rights and obligations. At a minimum, the Testing Agreement shall contain the requirements listed in the section 4.3.2. Note: Product Providers may only select a Laboratory if the Laboratory has entered into an agreement with the Test Platform Provider for the selected Test Platform. • Prior to running Compliance operations, the Product Provider shall run the PreCompliance Testing and provide the results to the Test Laboratory for review. Laboratory will assess if the Compliance Testing can start based on the review of the Pre-Compliance Testing. Unless instructed otherwise by EMVCo, the conditions to start Compliance Testing are that: o The Product passes successfully all the Test Cases present in the applicable Test Plans and associated Test Case Bulletins/Communications. Note: Test Cases that are conditioned by an option in the ICS are Not Applicable (N/A) if the option is not supported by the SUT. o If some Test Cases fail, the laboratory and Product Provider shall ensure that the issues will eventually be considered as acceptable exceptions by EMVCo (Pass*)... Note: The issues accepted by EMVCo may still lead to an approval with condition (see section 4.7) More details on the laboratory rules can be found in the Laboratory Recognition Requirements specification [LAB 3DS]. • The Product Provider completes an Implementation Conformance Statement (ICS) with the chosen laboratory for each Product that it submits. The ICS format and content requirements are determined by EMVCo (Refer to section 2.5). © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 23 / 39 • The Test Laboratory supplies a copy of the Product Provider-supplied ICS to EMVCo for review prior to the start of the Compliance Testing process. The copy shall be verified and digitally signed by the Laboratory (Refer to section 2.5). The submission of the ICS to EMVCo is the formal start of the Compliance phase (and the end of Pre-Compliance phase). • Compliance Testing shall be performed online by the Product Provider after approval of the ICS by EMVCo. During Compliance Testing, the Test Platform shall run, in an automated way and in single run all the test cases of each test plan without interruption and/or manual operation on the final Product Component (except mandatory cardholder interaction such as one-type password typing or selection of a choice presented to cardholder during a challenge flow). • When agreed by the Product Provider, Compliance Testing results are sent to the Laboratory, who analyses and prepares the Test Report. • The Test Laboratory shall validate the Compliance Testing results of the 3DS Component(s) in accordance with the following rules: o The Product passes successfully all the active Test Cases present in the applicable Test Plans and associated Test Case Bulletins/Communications. Note: Test Cases that are conditioned by an option in the ICS are Not Applicable (N/A) if the option is not supported. o If some Test Cases fail, EMVCo has already communicated that the issues are considered as acceptable exceptions because they will not affect interoperability (Pass*). Note: The issues accepted by EMVCo may still lead to an approval with condition (see section 4.7) More details on the laboratory rules can be found in the Laboratory Recognition Requirements specification [LAB 3DS]. • The Test Laboratory shall send the final Test Report to the Product Provider for approval before official submission to EMVCo. • The Product Provider prepares the Request For Approval (RFA) form and submits it to EMVCo. EMVCo then issues the invoice for the Product Provider. The RFA can only be sent after the ICS has been approved by EMVCo. • The Product Provider submits payment to EMVCo based on the received invoice. • When agreed by the Product Provider, the Test Laboratory shall submit the Test Report to EMVCo and ensure the Product Provider has submitted its completed Request For Approval form. Note: Note: An Approved ICS is valid for 90 calendar days. If the related Request For Approval is not submitted and the invoice is not paid within that period, all related documents to this approval request are no longer valid (ICS, RFA, report) and the Product Provider needs to restart a new process from the beginning by submitting a new ICS. If an approved ICS has expired, the Test Laboratory will evaluate if new Pre-Compliance Testing is also required in addition to Compliance Testing, given the potential for Product component modifications or the new Test Plan releases and the rules defined in this section. In such cases the payment of the first invoice is not reimbursed and a new invoice will be created. Test Laboratory is responsible for ensuring that the latest ICS form is used for submission. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 24 / 39 4.3.2 Agreement Requirements between Test Laboratories and Product Providers EMVCo requires that the Product Provider and the Test Laboratory enter into an approval Testing Agreement that includes, at minimum, the following provisions: • Reference to the EMVCo 3DS Approval Contract between the Product Provider and EMVCo • Agreement of mutual cooperation in providing specific information and assistance • Lead time for the execution of the Compliance Testing • Arrangement for the preparation of System Under Test • Recognition that no infringement on the freedom of the Test Laboratory will be allowed during or after testing • Agreement on downloading the Pre-Compliance Testing Results from the Test platform and the right to review. • Agreement on downloading the Compliance Testing Report from the Test platform and the right to validate the report and send to EMVCo • Provisions for issue resolution 4.3.3 System Under Test Management • Required Testing Agreements have been signed and Product is ready to be tested • Product Provider shall prepare the System Under Test including the 3DS Component (Product). • The System Under Test shall be accessible by the Test Platform all the time during Compliance Testing. • The configuration of the System Under Test, for example OS Name and Version shall be in conformance with the ICS declaration. Any change in the configuration of the System Under Test that impacts the content of the ICS requires a new ICS submission (under the ICS replacement rules described in section 2.5.3). • After the start of the Compliance Testing session, no changes are allowed in the Product Component. Change in the Product Component requires restarting the Compliance Testing session from the beginning and the approval of a new version of the ICS (Test Laboratory evaluates if a new Pre-Compliance Testing is required given the Product component modification). • Changes in the System Under Test may require restarting the Compliance Testing session from the beginning depending on the Test Laboratory assessment. • For the SDK Component, Product Providers are responsible for taking screen or video captures used during testing, and to provide these captures to the Test Laboratory in charge of the Compliance Testing. • The Product Provider must ensure that the System Under Test associated to the Test Report submitted to EMVCo for evaluation remains unaltered and usable in a timely manner during the evaluation process. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 25 / 39 4.3.4 Test Report The results of the Compliance Testing are combined in one signed report (called the Test Report), which includes, at minimum, the following items: • Identification of the Test Laboratory (Laboratory Registration Number) • Identification of the Laboratory location where the test results have been validated • Identification of the Product Provider (Product Provider Registration Number) • Implementation Conformance Statement Reference Number • Identification of the Product Component (Name, Version and Build Number) • EMVCo specifications/Test Plan version used for test • Identification of the Test Platform, • Dates the test were performed (start date and end date) • A summary Test Report including: o The Compliance tests that were executed with a pass or fail indication (for each Protocol Version tested). o A detailed description from the Test Laboratory of failed tests including access to the detailed test results logs for each reported discrepancy in the failed test and reference to the applicable Pass*. For each failure, Product Provider may also provide its own comment on the failure. o A detailed description of the 3DS component modifications that may have been required for the purpose of executing the EMV Test Cases. 4.3.5 Test Records The 3DS Test Platform records of the Compliance Testing shall be kept by the Test Laboratory during a period of 3 years (or eventually by the Test Platform depending on their mutual agreement). They shall be made available for EMVCo review as requested. 3DS Test Platform records include: Compliance Testing reports, Compliance log data, and any related configuration files and/or tickets that would affect the outcome or conclusion of a test run that is submitted for EMVCo approval. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 26 / 39 4.4 Product Provider Preparation for Approval Request The Product Provider determines whether the test results validated by Laboratory will be submitted to EMVCo for evaluation. Submitting test results to EMVCo for evaluation indicates Product Provider acceptance that the test results are a true representation of 3DS Component performance. Test Report may be submitted to EMVCo for evaluation up to 90 calendar days from the date they are generated by the Test Laboratory. Test results that exceed the 90 calendar days validity period have expired and cannot be submitted. 3DS Component re-testing is required to create a current Test Report if the validity period is exceeded and EMVCo evaluation is desired (Test Laboratory will evaluate if new Pre-Compliance Testing is also required). 4.5 Letter of Approval Request Package The package submitted to EMVCo 3DS Approval Secretariat shall contain (not provided at the same time): • A digitally signed copy of the Implementation Conformance Statement (ICS), received from the Test Laboratory • The digitally signed Letter requesting approval (Request For Approval form) received from Product Provider • The Product Provider payment to EMVCo • The complete and unchanged Test Report received from the Test Laboratory • Any additional supporting documentation the Product Provider believes is relevant Note: The Product Provider may send to EMVCo the Request For Approval as early as possible (before the Test Report is prepared by the Laboratory) to ensure enough time to manage the fee payment. This may avoid unexpected delay in LOA issuance, as payment shall be done before the LOA is issued. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 27 / 39 4.6 EMVCo Review and Approval Upon receiving the package, EMVCo will: • Review the submitted Test Report and determine if approval should be granted • Issue Letter of Approval • Notify the Product Provider of approval or denial of the Product. The Letter of Approval will be sent electronically to the Product Provider, and also will be listed on the EMVCo website. The validity of an approval is two years. The 3DS Letter of Approval identifies: • The Company information • A unique Product Approval / Reference Number for the concerned 3DS Component • The 3DS Product Name • The 3DS Product Version • The Operating System Name and Version under which it was tested. • The EMV Specifications version and Specification Bulletins supported by the Product. • The Test Plan version against which it was tested. • The Expiration date of the LOA. • The options supported by the Product. • The tested Message Extension(s) (if applicable). Note: The LOA documents only the Operating System Name and Version under which the Product Component was tested. Product Providers may advertise their Product support for more than one Operating System on their own risk and responsibility. Note: EMVCo may require subsequent testing any time after the official approval (for field issues analysis for example), and may decide to require a full retesting of the Product in a new System Under Test. The costs of the subsequent testing on the Test Platform are charged to the Product Provider. Note: Directory Servers Product Providers or Directory Servers operators should subscribe to receive the list of approved EMV 3DS Products on a weekly basis, by sending an email to 3ds_approval@emvco.com. The mail shall include the email addresses that will receive the list. Note that the list of approved EMV 3DS Products is also available on EMVCo website. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 28 / 39 4.7 Approval with Conditions EMVCo processes may allow an approval with conditions at the discretion of EMVCo for cases of minor non-conformance that do not impact interoperability. 4.7.1 Compliance Time Frame All identified items of non-conformance must be rectified according to the stipulated time frame stated in the terms and conditions associated with an Approval with Conditions. 4.8 Expiration of a Letter of Approval and Re-Approval 4.8.1 Impact of the LOA Expiration As documented in the Protocol and Core 3DS Specifications, DS components check that SDK, ACS or 3DS Server components involved in a transaction have a valid Approval/Reference Number. Otherwise, DS components may return an error message. Once the LOA of a Product is expired, it is removed from the list of approved EMV 3DS Products on the EMVCo website. DS operators are also notified on such change and may reject transactions per 3DS specification. EMVCo does not provide any extension for expiring LOAs except for use cases described in the section 4.8.3. However, it is up to the DS operator or Payment System to determine whether an expired EMV 3DS Product can continue to operate without a valid LOA. Note: Email reminders are automatically sent by EMVCo to the product providers six months, three months, two months and one month before the expiration of their product. It is the Product providers responsibility to ensure that their contact information is still accurate with EMVCo. Please contact the 3DS Secretariat at 3ds_approval@emvco.com to report any change as described in section 6.3. 4.8.2 Product Re-Approval 3DS Components shall undergo full compliance testing to receive a new LOA before their LOAs expire. The new LOA may be requested for the same or a higher Protocol Version. During a re-approval, the Product will be tested against the latest Test Plan(s) that will implement the latest 3DS Specification Bulletin(s) of the supported Protocol Version(s). Therefore, at minimum, the expiring Product will have to be updated to support the latest 3DS Specification Bulletin(s). The exact same process as for the approval of the Initial Product will apply with the exception of the EMVCo Product Provider registration. Therefore, pre-compliance testing, submission of the Implementation Conformance Statement (ICS), compliance testing, submission of the Request for Approval (RFA), submission of the test report and payment of the approval fees will apply. The approval process may take time before testing is completed and the LOA can be delivered. For this reason, EMVCo recommends to begin the re-approval of a Product at least 2 months before its expiration and to reach out to the applicable DS operator(s) or payment system(s) on the potential gap of validity of the 3DS LOA of the expiring Product. © 2019-2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. EMV® 3-D Secure Approval Administrative Process - Version 1.6 Page 29 / 39 4.8.3 LOA Extension Transitioning from an expiring L