At BOTECH, together with our partners, we promote PCI 3DS compliance, an additional security layer that helps prevent unauthorized transactions in e-commerce environments.
Our aim is to build a cross-cutting framework that allows this security protocol to be rolled out at scale in e-commerce and m-commerce (mobile commerce) environments, thereby:
- Preventing unauthorized transactions in e-commerce environments.
- Protecting businesses against fraud.
- Conveying confidence and security to consumers and merchants.
What is PCI 3D Secure?
EMV 3-D Secure (3DS) is an anti-fraud messaging protocol that lets a cardholder authenticate with their card issuer at the time of a card-not-present (CNP) transaction.
This additional security layer helps prevent unauthorized transactions in e-commerce environments while protecting the merchant from fraud.
Frequently Asked Questions
Why is it called 3D Secure?
It is called Three-Domain Secure because of the interaction between three domains:
- The acquirer domain (the merchant and its acquiring bank)
- The issuer domain (the cardholder's bank)
- The interoperability domain (the card scheme infrastructure that connects the other two)
How does PCI 3D Secure work?
At the time of the transaction, the card issuer asks the cardholder for authentication data beyond the card details and the CVV2 printed on the card, for example:
- A PIN.
- A password or the answer to a secret question.
- A code from a coordinate (grid) card.
- A code sent via SMS to a registered mobile phone.
- A one-time key.
Of these, one-time codes tied to the transaction are considerably stronger than static passwords or secret questions, which can be phished once and reused.
The authentication data is exchanged only between the cardholder and the issuing bank; the merchant and any intermediary receive only the result of the validation (authenticated or not), never the credential itself.
What is the scope of PCI 3DS?
This standard defines the logical and physical requirements, as well as the evaluation procedures for those entities that provide or execute the following functions, established in the EMV®3-D Secure Protocol and Core Functions Specification document:
- 3DS Server (3DSS): provides the functional interface between the environment from which the 3DS functionality is requested and the directory server (DS).
- 3DS Directory Server (DS): manages the list of card ranges for which authentication is available and coordinates communication between the 3DS server (3DSS) and the access control server (ACS) to determine which authentication is available for a particular card number and device type.
- 3DS Access Control Server (ACS): the ACS contains the authentication rules and is controlled by the issuer. It checks what type of authentication is available and authenticates the specific transaction.
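The following Python simulation is an added illustration, not BOTECH's code and not an implementation of the EMV 3DS specification: it models the three roles listed above (3DS Server, Directory Server, ACS) and the challenge flow from the FAQ, to show that the one-time code never reaches the merchant side. Message field names are borrowed from EMV 3DS 2.x (AReq/ARes, CReq, transStatus, eci, authenticationValue), but transport, TLS, JWS-signed ACS data, the RReq/RRes result messages and most fields are omitted; the card range, PANs, phone number, issuer key, risk threshold and OTPs are all constructed for the demo.

```python
"""Simplified simulation of the three EMV 3-D Secure domains (constructed example).

Field names follow EMV 3DS 2.x naming; transport, TLS, JWS-signed ACS data,
RReq/RRes and most fields are omitted.  Card ranges, PANs, keys, phone
numbers and OTPs are made up for the demo.
"""
import hashlib
import hmac
import secrets
import uuid


class AccessControlServer:
    """Issuer domain: owns the authentication rules and the cardholder's credentials."""

    def __init__(self, issuer_key: bytes, phone_by_pan: dict[str, str]):
        self._key = issuer_key        # keys the authenticationValue (CAVV-like) so the issuer can verify it later
        self._phones = phone_by_pan   # enrolled cards and their registered mobile numbers
        self._pending = {}            # acsTransID -> (pan, otp, threeDSServerTransID)
        self.sms_outbox = []          # stands in for the SMS gateway towards the cardholder

    def handle_areq(self, areq: dict) -> dict:
        pan, srv_id = areq["acctNumber"], areq["threeDSServerTransID"]
        if pan not in self._phones:
            return {"threeDSServerTransID": srv_id, "transStatus": "U", "transStatusReason": "not enrolled"}
        if int(areq["purchaseAmount"]) < 3000:       # demo risk rule: under 30.00 goes frictionless
            return self._approve(srv_id, pan)
        acs_id, otp = str(uuid.uuid4()), f"{secrets.randbelow(10**6):06d}"
        self._pending[acs_id] = (pan, otp, srv_id)
        self.sms_outbox.append((self._phones[pan], otp))  # the OTP only ever travels issuer -> cardholder
        return {"threeDSServerTransID": srv_id, "acsTransID": acs_id, "transStatus": "C"}  # C = challenge

    def handle_creq(self, creq: dict) -> dict:
        """CReq arrives from the cardholder's browser or app, never from the merchant."""
        pending = self._pending.pop(creq["acsTransID"], None)
        if pending is None:
            return {"transStatus": "U", "transStatusReason": "unknown or expired challenge"}
        pan, otp, srv_id = pending
        if hmac.compare_digest(creq["challengeDataEntry"], otp):
            return self._approve(srv_id, pan)
        return {"threeDSServerTransID": srv_id, "transStatus": "N", "transStatusReason": "wrong OTP"}

    def _approve(self, srv_id: str, pan: str) -> dict:
        # Issuer-keyed MAC over the transaction: the merchant can carry it, but only the issuer can verify it.
        mac = hmac.new(self._key, f"{srv_id}|{pan}".encode(), hashlib.sha256).hexdigest()
        return {"threeDSServerTransID": srv_id, "transStatus": "Y", "eci": "05", "authenticationValue": mac}


class DirectoryServer:
    """Interoperability domain: knows which card ranges have a participating ACS and routes to it."""

    def __init__(self):
        self._ranges = []             # (first PAN, last PAN, acs)

    def register_range(self, first: str, last: str, acs: AccessControlServer) -> None:
        self._ranges.append((int(first), int(last), acs))

    def route_areq(self, areq: dict) -> dict:
        pan = int(areq["acctNumber"])
        for first, last, acs in self._ranges:
            if first <= pan <= last:
                return acs.handle_areq(areq)
        return {"threeDSServerTransID": areq["threeDSServerTransID"], "transStatus": "U",
                "transStatusReason": "no participating ACS for card range"}


class ThreeDSServer:
    """Acquirer/merchant domain: builds the AReq and only ever sees outcomes."""

    def __init__(self, ds: DirectoryServer):
        self._ds, self.received = ds, []

    def authenticate(self, pan: str, amount_minor: int) -> dict:
        areq = {"messageType": "AReq", "messageVersion": "2.2.0", "threeDSServerTransID": str(uuid.uuid4()),
                "acctNumber": pan, "purchaseAmount": str(amount_minor), "purchaseCurrency": "978"}
        ares = self._ds.route_areq(areq)
        self.received.append(ares)
        return ares

    def receive_result(self, result: dict) -> dict:
        self.received.append(result)   # in the real protocol this arrives as the RReq from the ACS
        return result


def run_demo() -> dict:
    acs = AccessControlServer(b"demo-issuer-key", {"4111111111111111": "+34600000001"})
    ds = DirectoryServer()
    ds.register_range("4111110000000000", "4111119999999999", acs)
    merchant = ThreeDSServer(ds)

    frictionless = merchant.authenticate("4111111111111111", 1999)      # 19.99 EUR: approved without challenge
    challenged = merchant.authenticate("4111111111111111", 25000)       # 250.00 EUR: OTP challenge
    _, otp = acs.sms_outbox[-1]                                         # the cardholder reads the SMS
    good = merchant.receive_result(acs.handle_creq({"acsTransID": challenged["acsTransID"], "challengeDataEntry": otp}))
    challenged2 = merchant.authenticate("4111111111111111", 25000)
    bad = merchant.receive_result(acs.handle_creq({"acsTransID": challenged2["acsTransID"], "challengeDataEntry": "000000"}))
    not_enrolled = merchant.authenticate("4111111111111112", 1000)       # in the range, but not enrolled
    no_acs = merchant.authenticate("5555555555554444", 1000)             # range unknown to the DS
    # Everything the merchant side ever received: statuses and the keyed value, never a one-time code.
    otps = {code for _, code in acs.sms_outbox}
    otp_leaked = any(v in otps or k == "challengeDataEntry" for msg in merchant.received for k, v in msg.items())
    return {"frictionless": frictionless, "good": good, "bad": bad,
            "not_enrolled": not_enrolled, "no_acs": no_acs, "otp_leaked": otp_leaked}


if __name__ == "__main__":
    for name, msg in run_demo().items():
        print(f"{name}: {msg}")
```

Running it prints the outcomes of a frictionless approval, a correctly and an incorrectly answered challenge, a non-enrolled card and a card range with no ACS. The point to observe is `merchant.received`: it holds only transStatus codes and the issuer-keyed authenticationValue, while the one-time code exists only inside the ACS and in the simulated SMS to the cardholder, which is the separation between domains the FAQ above describes.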
What is the relationship between the PCI DSS standard and the PCI 3DS Core Security Standard?
Depending on how it is implemented, a 3D Secure environment can be part of a cardholder data environment (CDE) or be completely separate from it. If the 3DS environment stores, processes or transmits cardholder data, it is also in scope for PCI DSS, in addition to PCI 3DS. The PCI 3DS Core Security Standard itself is split into Part 1 (baseline security requirements) and Part 2 (3DS-specific security requirements); an entity that has already validated PCI DSS compliance for that environment may use that assessment to satisfy Part 1.
Our assessment method consists of the following steps:
1. Initial training course
During this phase, general concepts and the key points for compliance are covered and awareness is raised within the organization.
2. Expert advice
Interviews are conducted and the necessary documentation is reviewed to identify and record the active processes and the suppliers involved, which together determine the scope of PCI 3DS.
3. Free gap analysis
A free gap analysis for new clients: information is collected to review all existing security processes and determine the organization's current level of compliance.
4. Support and advice
A QSA consultant visits monthly to provide ongoing advice throughout the implementation process.
5. Compliance assessment
We gather the evidence needed to determine the organization's compliance with PCI 3DS. The assessment results are included in the final Report on Compliance (ROC) and Attestation of Compliance (AOC).
6. Final review
The documentation of the PCI 3DS compliance status is finalized and the ROC and AOC are prepared.