Document Comparison
FAQs_for_PCI_3DS_Core_Security_Standard.pdf → Overview-PCI-3DS-Core-Security-Standard.pdf
78% similar
Pages: 6 → 6
Words: 2030 → 2144
Content Changes: 4
4 content changes. 6 administrative changes (dates, page numbers) hidden.
Added
p. 3
• 3DS Access Control Server (ACS)
Where a third-party service can impact 3DS functionality or the security of the 3DS Environment (3DE), the applicable PCI 3DS requirements will need to be identified and implemented for that service. While the ultimate responsibility for the security of the 3DE and 3DS Data lies with the 3DS entity, service providers may be required to demonstrate compliance with the applicable PCI 3DS requirements based on the service provided. Refer to the section “Use of Third-Party Service Providers / Outsourcing” in the PCI 3DS Core Security Standard for further details on the use of third-party service providers.
Q 6: Who is qualified to assess the PCI 3DS Core Security Requirements? A: Only 3DS Assessors who have satisfied all 3DS Core Assessor Qualification Requirements applicable to employees of 3DS Assessor Companies and are listed on the PCI SSC 3DS assessor website are qualified to assess the PCI …
Removed
p. 3
• 3DS Access Control Server (ACS)
Third-party service providers that can impact these 3DS functions, or the security of the environments where these functions are performed, may also be required to meet PCI 3DS requirements as applicable to the provided service.
Modified
p. 3
Whether an entity is required to validate compliance with the PCI 3DS Core Security Standard is defined by the individual payment brand compliance programs.
Whether an entity is required to validate compliance with the PCI 3DS Core Security Standard is defined by the individual payment brand compliance programs. Contact information for the payment brands can be found in FAQ #1142, "How do I contact the payment brands?" on the PCI SSC website.
Removed
p. 4
Q 6: Who is qualified to assess the PCI 3DS Core Security Requirements? A: A two-phase approach will be implemented to qualify assessors to perform 3DS Assessments:
• From Q4 2017, P2PE Assessors and existing 3-D Secure v1 Visa assessors that are also QSAs will be able to perform PCI 3DS Assessments after completing a short online training module. This grandfathering arrangement will be in place for two years. At that time, these assessors will be subject to the qualification requirements defined below.
• From early 2018, a qualification path will be available for QSAs with at least three years’ QSA experience and at least one industry-recognized certification in both information security and IT audit (as defined in QSA Qualification Requirements section 3.2). Additionally, QSAs wishing to perform PCI 3DS Assessments will be required to attend training and pass an examination.
Details of training and qualification requirements for assessors will be provided in …