Document Comparison
PCI_SSC_3DS_SDK_v1.x_Technical_FAQs_10Mar2022.pdf → PCI_SSC_3DS_SDK_v1.x_Technical_FAQs_Aug2022.pdf
92% similar
Pages: 6 → 6
Words: 1814 → 1978
Content Changes
11 content changes. 5 administrative changes (dates, page numbers) hidden.
Added
p. 4
Q4 August 2022: Requirement 1.1 (Security Checks) states in T.1.1.7 to “confirm the 3DS SDK detects when its code or execution has been tampered with.” It may not be possible for a 3DS SDK to implement integrity mechanisms that can satisfy this criterion. In the event it is not technically achievable, how should the requirement be assessed?
A The 3DS SDK must implement integrity checking mechanisms as per requirement 1.1.
The 3DS SDK Lab must determine if the implementation is sufficient. In the event there are technical limitations to the efficacy of the integrity implementation, the 3DS SDK Lab must clearly document within the PCI 3DS SDK ROV:
• The extent that the integrity mechanisms implemented mitigate the compromise of the 3DS SDK.
• The technical (logical) limitations of the run-time integrity implementation, and why these limitations cannot be resolved.
• The residual risk to the integrity of the 3DS SDK that exists due …
Modified
p. 2
§ The use of “PCI 3DS SDK Security Standard” or “PCI 3DS SDK” refers to the current version of the PCI 3DS Security Requirements and Assessment Procedures for EMV® 3-D Secure SDK, as published on the PCI SSC website (www.pcisecuritystandards.org).
Modified
p. 2
§ The use of “EMVCo 3DS SDK Specification” refers to the EMV® 3-D Secure SDK Specification, as published by EMVCo (www.emvco.com).
Modified
p. 4
Q5 April 2021: How is the 3DS SDK expected to perform checks to determine whether the 3DS SDK was installed from an approved source?
A This requirement is under revision. Some platforms and versions provide functions or APIs to determine the source from which an application package was installed (for example: PackageManager.getInstallSourceInfo on Android). Where such methods or APIs are unavailable, it is not expected that the 3DS SDK provide for such functionality.
Modified
p. 4
Q6 April 2021: How is the 3DS SDK expected to respond when checks indicate the 3DS SDK was not installed from an approved source? The requirement states that the 3DS SDK should make the information available to the ACS, but Assessment Procedure T.1.2.4 indicates that the 3DS SDK should terminate 3DS transaction processing upon detection.
A This requirement is under revision. Per the requirement, the information is expected to be made available to the ACS for further decision-making where possible. …
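The install-source check that Q5 points at, and the "report, don't terminate" handling that Q6 describes, as one added Android example. This is illustrative code written for this page, not code from PCI SSC, EMVCo or any 3DS SDK vendor. It uses the real platform APIs PackageManager.getInstallSourceInfo (Android 11, API 30 and later) and the older PackageManager.getInstallerPackageName, but the approved-installer list, the class and method names, and the flat key/value "device information" map are assumptions standing in for whatever configuration and reporting channel a given SDK actually has.

```java
// Added example, not from the PCI FAQ or any 3DS SDK: determine which package
// installed the host app and make the result available for reporting to the
// ACS rather than aborting the transaction locally.
import android.content.Context;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageManager;
import android.os.Build;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public final class InstallSourceCheck {

    /** Outcome of the check. The SDK records it; the ACS decides what to do. */
    public static final class Result {
        public final String installer;  // installer package name, or null if unknown (e.g. sideloaded)
        public final boolean approved;  // true only if installer matches the approved list
        public final String method;     // which platform API produced the answer

        Result(String installer, boolean approved, String method) {
            this.installer = installer;
            this.approved = approved;
            this.method = method;
        }
    }

    // Hypothetical approved list used for illustration. A real SDK would take
    // this from vendor configuration agreed with the 3DS SDK Lab.
    private static final List<String> APPROVED_INSTALLERS =
            Collections.unmodifiableList(Arrays.asList("com.android.vending"));

    /** Never throws: an unanswerable check is reported as such, not treated as failure. */
    public static Result check(Context context) {
        PackageManager pm = context.getPackageManager();
        String pkg = context.getPackageName();
        String installer = null;
        String method;
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                InstallSourceInfo info = pm.getInstallSourceInfo(pkg);
                // Prefer the initiating package: the system records it at install
                // time, whereas the "installing" name can be overridden by the
                // installer. Fall back to the installing name if it is absent.
                installer = info.getInitiatingPackageName();
                if (installer == null) {
                    installer = info.getInstallingPackageName();
                }
                method = "getInstallSourceInfo";
            } else {
                // Deprecated from API 30 but the only option on older releases.
                installer = pm.getInstallerPackageName(pkg);
                method = "getInstallerPackageName";
            }
        } catch (PackageManager.NameNotFoundException e) {
            // Should not happen for our own package; report rather than crash.
            method = "unavailable";
        }
        boolean approved = installer != null && APPROVED_INSTALLERS.contains(installer);
        return new Result(installer, approved, method);
    }

    /**
     * Fold the result into the general device information the SDK already sends.
     * The key names are assumptions; the EMVCo 3DS SDK Specification defines no
     * dedicated field for this, so the ACS side must know to look for them.
     */
    public static Map<String, String> toDeviceInfo(Result r) {
        Map<String, String> info = new HashMap<>();
        info.put("installSource.method", r.method);
        info.put("installSource.installer", r.installer == null ? "" : r.installer);
        info.put("installSource.approved", Boolean.toString(r.approved));
        return info;
    }
}
```

Two caveats a 3DS SDK Lab would expect to see documented: the installer identity is advisory (a null value means "unknown", which covers both sideloading and installers that chose to hide themselves), and the check is only as strong as the process integrity around it, so it belongs alongside, not instead of, the integrity mechanisms of Requirements 1.1 and 1.3.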
Modified
p. 4 → 5
Q7 April 2021: How is the 3DS SDK expected to convey the results of checks to determine whether the 3DS SDK was installed from an approved source to the ACS? The ACS does not provide any dedicated fields to report this information.
A This requirement is under revision. It may be possible to pass the results of the checks to the ACS along with other general device information. It is not expected that the ACS provider develop custom server-side functionality …
Modified
p. 4 → 5
Q8 April 2021: How can 3DS SDKs be submitted for publishing in an appropriate App Store if it must first be installed from an approved source? Would testing by the respective App Store prior to publishing fail because of this requirement?
A This requirement is under revision. This requirement was not intended to complicate testing or acceptance by App Store providers. If such functionality prevents a 3DS SDK from being tested and accepted by an appropriate App Store, then such …
Modified
p. 4 → 5
Where automated checks are not possible, procedural and/or contractual methods to ensure the 3DS SDK is installed from an approved source may be used to satisfy this requirement. In such instances, the 3DS SDK Lab(s) should request documentation from the 3DS SDK vendor that verifies such methods are in place.
Modified
p. 5
Q9 February 2022: Requirement 1.3 (Run-Time Integrity) states in T.1.3.1 to “verify that the security of the SDK cannot be compromised after the initialization phase by tampering with the execution code or parameters.” It may not be possible for a 3DS SDK to implement run-time integrity mechanisms that can satisfy this criterion. In the event it is not technically achievable, how should the requirement be assessed?
A The 3DS SDK must implement run-time integrity mechanisms as per requirement 1.3.
Modified
p. 5
Q10 February 2022: In regard to Requirement 2.2 (Clearing of Sensitive 3DS SDK Data Elements), it may not be technically possible to delete all sensitive 3DS SDK data elements (in reference to Table 2 in the 3DS SDK Standard) depending on the particular architecture and the management of memory due to the underlying platform (e.g., the OS and/or hardware). In the event this is the case, how should this requirement be
Modified
p. 5 → 6
Q11 April 2021: Do PCI 3DS SDK requirements for ensuring the authenticity of public keys apply to Directory Server (DS) public keys? Test Requirement 3.1.10 indicates that the use of any self-signed certificates is prohibited unless the authenticity of the key is ensured through the use of a secure cryptographic module (SCD).
A No. DS public key certificates are generated and signed by the Directory Server Certificate Authority, which is typically operated by the payment system responsible for a specific DS. The …