Document Comparison

PCI-3DS-Data-Matrix-v1_1.pdf PCI-3DS-Data-Matrix-v1.2.pdf
37% similar
7 → 9 Pages
1753 → 2358 Words
21 Content Changes

Content Changes

21 content changes. 13 administrative changes (dates, page numbers) hidden.

Added p. 1
PCI 3DS Data Matrix Version 1.2

January 2026 1.2

Added Table of Contents

Added EMV Related Publications section

Updated Introduction section

Updated Table 1 as follows:

Added the following data elements:

• 3DS Requestor App URL

• Challenge Additional Code

• Challenge Entry Box

• Challenge Entry Box 2

• Challenge Data Entry 2

• Device Binding Information Text

• Device Binding Data Entry

• Trust List Information Text

• Trust List Data Entry

Fixed typos for the following:

• Expandable Information Label (removed "1")

• Expandable Information Text (removed "1")

Deleted the following:

• Challenge Information Text

• does not exist in v2.2 and v2.3.1

• Challenge HTML Data Entry for Browser flow as this data element is not defined.

Added 3DS SDK Data Matrix section to support, at a minimum, being referenced from the PCI Secure Software Standard.
Added p. 3
EMV® 3-D Secure Protocol and Core Functions Specification

EMV® 3-D Secure SDK Specification

EMV® 3-D Secure SDK - Device Information

EMV® 3-D Secure Split-SDK Specification

Introduction

This document, the PCI 3DS Data Matrix, describes 3DS related data elements common to EMV® 3DS transactions. This document is referenced within other PCI Standards where 3DS related sensitive data elements may be present and need to be accounted for in the scope of an assessment. The data elements encompass the 3DS Server (3DSS), 3DS Directory Server (DS), 3DS Access Control Server (ACS), and 3DS SDKs.

3DSS, DS, and ACS Sensitive Data Elements

• Table 1: A subset of data elements from the EMV® 3-D Secure Protocol and Core Functions Specification that are generally present on the 3DS Server (3DSS), 3DS Directory Server (DS), and the 3DS Access Control Server (ACS).
Added p. 5
Table 1: 3DSS, DS, and ACS Sensitive Data Elements Category 3DS Data Element Description Storage Permitted 3DSS DS ACS 3DS Authentication Data Authentication Value A cryptographic value generated by the ACS to provide a way, during authorisation processing, for the authorisation system to validate the integrity of the authentication result. The AV algorithm is defined by each Payment System.
Added p. 6
N/A N/A No App-Based ACS HTML HTML provided by the ACS in the CRes message. Utilized in the HTML UI type during the Cardholder challenge. N/A N/A Yes Challenge Additional Code Indicates to the ACS that the Cardholder selected the additional choice. N/A N/A No Challenge Additional Information Text Additional text provided by the ACS/Issuer to Cardholder during the Challenge Message exchange that could not be accommodated in the Challenge Information Text field.

N/A N/A Yes Challenge Data Entry Contains the data that the Cardholder entered into the Native UI text field. N/A N/A No Challenge Data Entry 2 Contains the data that the Cardholder entered into the second Native UI text field, if available. N/A N/A No Challenge HTML Data Entry Data that the Cardholder entered into the HTML UI. N/A N/A No Challenge Entry Box Defines the setting of an entry box in the Native UI OTP/Text Template (Challenge …
Added p. 7
N/A N/A Yes Trust List Data Entry Cardholder response to trust list prompt. The ACS needs to store this information for later transactions. N/A N/A Yes
Added p. 8
No N/A Yes The 3DS cryptographic keys included in Table 2 are required to be generated and managed in an HSM, in accordance with the PCI 3DS Core Security Standard HSM requirements and are also subject to all other cryptography and key management requirements in the PCI 3DS Core Security Standard.
Added p. 9
Table 3: 3DS SDK Sensitive Data Elements 3DS SDK Data Element Type Description Protection Requirements Retention by 3DS SDK Allowed? Device information Includes consumer device information and encrypted device data, and transaction data that the SDK receives through the API from the 3DS Requestor Application.

3DS (Ephemeral) Public Key Data Includes the ACS Ephemeral Public Key (QT) and the 3DS SDK Ephemeral Public Key (QC). I No 3DS (Ephemeral) Private Key Data Internal 3DS SDK ephemeral private keys and session keys. C & I No 3DS Authentication Challenge Data Data that the SDK receives from the ACS in a CRes message.

Data that the SDK sends to the ACS in a CReq message.

User interaction and data entry on the challenge dialogue page.

3DS SDK Static Data Information about the 3DS SDK specifically. Includes the 3DS SDK reference number and 3DS SDK Application ID (sdkAppID), DS Public Key, SDK Type, SDK Max Timeout.
Removed p. 3
• Table 2: 3DS Cryptographic Keys with HSM Requirements

Table 1 identifies storage permissions for the applicable data elements. Table 2 identifies 3DS cryptographic key types with HSM requirements.

Note: If PCI Account Data is present, this data would need to be protected in accordance with PCI DSS. Refer to Appendix B of the PCI 3DS Core Security Standard for guidance on PCI DSS applicability.
Modified p. 3 → 4
• Table 1: 3DS Sensitive Data
3DS SDK Sensitive Data Elements
Modified p. 3 → 4
• A subset of data elements from the EMV® 3-D Secure Protocol and Core Functions Specification that are subject to specific requirements in the PCI 3DS Core Security Standard.
Table 2: A subset of cryptographic key types from the EMV® 3-D Secure Protocol and Core Functions Specification that are required to be generated and stored in an HSM.
Modified p. 3 → 4
• A subset of cryptographic key types from the EMV® 3-D Secure Protocol and Core Functions Specification that are required to be generated and stored in an HSM.
Table 3: A subset of data elements from the EMV® 3-D Secure SDK related specifications that are generally present within a 3DS SDK.
Modified p. 4
Table 1: 3DS Sensitive Data The data elements identified in Table 1 are subject to PCI 3DS Core Security Standard requirements that apply to 3DS sensitive data.
3DSS, DS, and ACS Sensitive Data Elements The data elements identified in Table 1 are subject to the PCI 3DS Core Security Standard requirements that apply to 3DS sensitive data.
Modified p. 4 → 5
Device Information Device information gathered by the 3DS SDK from a Consumer Device. This is JSON name value pairs that as a whole is Base64 encoded. Only appears as clear text under this data element name in AReq between DS and ACS.
Temp1 Yes Yes Device Information Device information gathered by the 3DS SDK from a Consumer Device. This is JSON name value pairs that as a whole is Base64 encoded. Only appears as clear text under this data element name in AReq between DS and ACS.
Modified p. 4 → 5
Public Key Data ACS Ephemeral Public Key (QT) Public key component of the ephemeral key pair (dT, QT) generated by the ACS and used to establish session keys between the 3DS SDK and the ACS.
No No2 N/A Public Key Data ACS Ephemeral Public Key (QT) Public key component of the ephemeral key pair (dT, QT) generated by the ACS and used to establish session keys between the 3DS SDK and the ACS.
Removed p. 5
N/A N/A Yes Challenge Additional Information Text Additional text provided by the ACS/Issuer to Cardholder during the Challenge Message exchange that could not be accommodated in the Challenge Information Text field.

N/A N/A No Challenge HTML Data Entry Data that the Cardholder entered into the HTML UI. N/A N/A No Challenge Information Header Header text that for the challenge information screen that is being presented.

N/A N/A Yes Challenge Information Text Text provided by the ACS/Issuer to Cardholder during the Challenge Message exchange.

N/A N/A Yes Expandable Information Label 1 Label displayed to the Cardholder for the content in Expandable Information Text 1.

N/A N/A Yes Expandable Information Text 1 Text provided by the Issuer from the ACS to be displayed to the Cardholder for additional information and the format will be an expandable text field.
Modified p. 5 → 6
N/A N/A Yes Challenge Selection Information Selection information that will be presented to the Cardholder if the option is single or multi-select. The variables will be sent in a JSON Array and parsed by the SDK for display in the user interface.
N/A N/A Yes Challenge Entry Box 2 Similar to Challenge Entry Box, but for Challenge Data Entry 2 UI element characteristics. N/A N/A Yes Challenge Information Header Header text that for the challenge information screen that is being presented. N/A N/A Yes Challenge Information Label Label to modify the text provided by the Issuer to describe what is being requested from the Cardholder. N/A N/A Yes Challenge Selection Information Selection information that will be presented to the Cardholder if the …
Modified p. 5 → 7
N/A N/A Yes Message Extension Data necessary to support requirements not otherwise defined in the 3-D Secure message must be carried in a Message Extension.
N/A N/A Yes Message Extension Data necessary to support requirements not otherwise defined in the 3-D Secure message must be carried in a Message Extension. N/A N/A Yes OOB App URL Mobile Deep link to an authentication app used in the out-of-band authentication. The App URL will open the appropriate location within the authentication app.
Removed p. 6
N/A N/A Yes Why Information Label Label to be displayed to the Cardholder for the "why" information section.

N/A N/A Yes Authentication Challenge Data (CReq/CRes) Browser-Based Message Extension Data necessary to support requirements not otherwise defined in the 3-D Secure message must be carried in a Message Extension.

No N/A Yes Cardholder Challenge Data Challenge HTML Data Entry During a challenge, this is the HTML data exchanged between the Browser and the ACS that contains the cardholder data entered in the browser UI.
Modified p. 6 → 7
N/A N/A Yes OOB App Label Label to be displayed for the link to the OOB App URL. For example: “OOBAppLabel” : “Click here to open Your Bank App” N/A N/A Yes OOB Continuation Label Label to be used in the UI for the button that the user selects when they have completed the OOB authentication.
N/A N/A Yes OOB App Label Label to be displayed for the link to the OOB App URL. For example: “OOBAppLabel” : “Click here to open Your Bank App” N/A N/A Yes OOB Continuation Label Label to be used in the UI for the button that the user selects when they have completed the OOB authentication. N/A N/A Yes Payment System Image Sent in the initial CRes message from the ACS to the 3DS SDK to provide the URL(s) of …
Removed p. 7
Table 2: 3DS Cryptographic Keys with HSM Requirements The 3DS cryptographic keys included in Table 2 are required to be generated and managed in an HSM, in accordance with the PCI 3DS Core Security Standard HSM requirements, and are also subject to all other cryptography and key management requirements in the PCI 3DS Core Security Standard.
Modified p. 7 → 8
Key generated and used by Key Key Description ACS ACS Private Key* Private key PvACS used by the ACS for the ACS Signed Content JWS. The ACS shares public key PbACS, with DS CA in a CSR.
Table 2: 3DS Cryptographic Keys with HSM Requirements Key generated and used by Key Key Description ACS ACS Private Key* Private key PvACS used by the ACS for the ACS Signed Content JWS. The ACS shares public key PbACS, with DS CA in a CSR.