Breaking Down PCI for 3D Secure: How does it fit in with the 3DS2 Protocol?

3D Secure & PCI DSS

According to reports by Juniper research, card-not-present fraud (CNP fraud) is set to hit $71 billion between 2017 and 2021 alone, with remote physical goods purchases being the main target area for online fraudsters.

That’s an average of around $14.2 billion annually over the next few years. And as eCommerce and mCommerce channels become more popular with consumers, CNP fraud is set to be 4X greater than physical point-of-sale (POS) fraud in 2018.

CNP fraud is therefore not a distant threat but a very real and current danger that does not discriminate. Anyone can become a target.

Consumers and vendors alike need protection against savvy cybercriminals who are becoming increasingly sophisticated in their security breaches.

The good news is that there are equally sophisticated (and even more advanced) prevention and detection solutions that could provide protection for everyone involved in the CNP transaction cycle.

3D Secure, along with machine learning and biometrics, has been identified as one of the most effective tools in the fight against CNP fraud.

And with the 3DS2 protocol being finalised this year, the PCI SSC (Payment Card Industry Security Standards Council) has released a new standard to support the 3DS2 protocol specifically.

So what is it and how does it fit in with EMVCo’s latest 3D Secure protocol?

Three new documents

There are three new documents to be aware of:

  • PCI 3DS Core Security Standard
  • PCI 3DS Data Matrix
  • PCI 3DS SDK Security Standard

These documents can be downloaded from the PCI Security Standards Council website.

PCI 3DS Core Security Standard

The PCI 3DS Core Security Standard (or simply PCI 3DS) is the main supporting standard and defines appropriate security measures within specific 3DS environments (which we’ll discuss below).

It provides and defines baseline physical and logical security controls to increase the protection provided to consumers and merchants within the 3DS environment.

The standard is broken up and organised into two main sections.

The first section, Baseline Security Requirements, covers technical and operational security specifications formulated to protect the different environments in which 3D Secure is implemented. Because it is focused on transaction environments in general, it reads as a broad overview that can be applied across various industry standards.

The second section, 3DS Security Requirements, focuses specifically on 3D Secure data, technologies and processes, and provides security controls for these functions.

PCI 3DS Data Matrix

The PCI 3DS Data Matrix is a supporting document to be used in conjunction with the PCI 3DS. It serves to identify data elements which are commonly found within 3D Secure transactions.

It contains two tables that list the data categories, the corresponding 3DS data elements with descriptions, and whether or not each element is permitted to be stored, within the scope of PCI 3DS, by each of the 3D Secure core components.

The first table contains 3DS Sensitive Data that needs to adhere to specific PCI 3DS Core Security Standard requirements, while the second table contains 3DS Cryptographic Keys that are required to be generated and stored in an HSM (hardware security module).

Different data categories include Authentication Challenge Data, Public Key Data and Cardholder Challenge Data, to name a few.

PCI 3DS SDK Security Standard

The last document is the PCI 3DS SDK Security standard. This is actually an independent standard that aims to define the security controls required to facilitate secure 3DS SDK implementations.

It’s targeted towards companies that create 3DS Software Development Kits (SDKs) used in 3D Secure mobile transactions (specifically app-based). The purpose is to ensure that these SDKs are designed, first and foremost, with consumer security in mind.

Does the PCI 3DS Core Security Standard apply to you?

The PCI 3DS was formulated with three core security components of the 3D Secure protocol in mind, namely 3DS Server (3DSS), 3DS Directory Server (DS) and 3DS Access Control Server (ACS).

Each of these forms part of one of the ecosystem domains that together make up the 3DS protocol (i.e. the 3 Domains).

Briefly, the 3DS Server (3DSS) is part of the Merchant/Acquirer Domain and handles the interaction between the 3DS Requestor environment and the 3DS environment, including the messaging between them.

The 3DS Directory Server (DS) falls under the Interoperability Domain (normally managed by a payment network) with the following functions:

  • Authenticates the 3DS Server requests while validating the 3DS requestor as trusted and registered.
  • Routes 3DS messages between the 3DS Server and the ACS.
  • Maintains account and ACS routing data.

Finally, the 3DS Access Control Server (ACS) is part of the Issuer Domain (a system managed by account issuers) and is responsible for verifying whether authentication is available for a specific card, providing a risk-based assessment for frictionless flows (where appropriate) and managing the cardholder challenge when required (through standardised messages).
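To make the division of labour between the three core components concrete, here is a small simulation of one authentication passing from the Merchant/Acquirer Domain through the Interoperability Domain to the Issuer Domain. This is an added example and not code from the page, EMVCo or the PCI SSC: the class names, message fields, status codes, BIN routing table and card data are all constructed for illustration and do not reproduce the EMV 3DS message specification. It also shows the kind of control the PCI 3DS standard is concerned with, in that the Directory Server only ever writes a masked account number to its log.

```python
"""Simplified simulation of the three PCI 3DS core components.

Added example; not code from the page, EMVCo or PCI SSC. Class names, fields,
status codes and the BIN routing table are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthRequest:
    """Constructed stand-in for the request a 3DS Server sends into the DS."""
    requestor_id: str   # identifies the registered 3DS Requestor (merchant)
    pan: str            # cardholder account number: 3DS sensitive data
    amount_cents: int
    device_id: str      # device fingerprint collected on the merchant side


@dataclass(frozen=True)
class AuthResult:
    """Constructed outcome. Status codes are simplified for the example."""
    status: str         # "Y" frictionless pass, "C" challenge, "U" unavailable, "REJECTED"
    reason: str
    acs_id: Optional[str] = None


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so a full PAN never reaches a log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class AccessControlServer:
    """Issuer Domain: checks whether authentication is available for the card,
    performs a risk-based assessment and asks for a challenge when needed."""

    def __init__(self, acs_id: str, enrolled_pans: Set[str],
                 trusted_devices: Set[str], frictionless_limit_cents: int = 5000) -> None:
        self.acs_id = acs_id
        self.enrolled = enrolled_pans
        self.trusted = trusted_devices
        self.limit = frictionless_limit_cents

    def authenticate(self, req: AuthRequest) -> AuthResult:
        if req.pan not in self.enrolled:
            return AuthResult("U", "card not enrolled for 3DS", self.acs_id)
        # Risk-based assessment (constructed rule): low value from a known device
        # is authenticated without interrupting the cardholder.
        if req.amount_cents <= self.limit and req.device_id in self.trusted:
            return AuthResult("Y", "low risk, frictionless", self.acs_id)
        return AuthResult("C", "step-up challenge required", self.acs_id)


class DirectoryServer:
    """Interoperability Domain: validates the requestor, maintains ACS routing
    data, and relays messages between the 3DS Server and the issuer's ACS."""

    def __init__(self, registered_requestors: Set[str]) -> None:
        self.registered = registered_requestors
        self.routes: Dict[str, AccessControlServer] = {}   # BIN prefix -> ACS
        self.log: List[str] = []

    def register_acs(self, bin_prefix: str, acs: AccessControlServer) -> None:
        self.routes[bin_prefix] = acs

    def route(self, req: AuthRequest) -> AuthResult:
        # 1. Authenticate the 3DS Server request: requestor must be registered.
        if req.requestor_id not in self.registered:
            self.log.append(f"rejected unknown requestor {req.requestor_id}")
            return AuthResult("REJECTED", "3DS requestor not registered")
        # 2. Find the issuer's ACS by the longest matching BIN prefix.
        acs = self._lookup(req.pan)
        if acs is None:
            self.log.append(f"no ACS route for {mask_pan(req.pan)}")
            return AuthResult("U", "no ACS registered for this card range")
        # 3. Forward to the ACS and relay its answer back to the 3DS Server.
        result = acs.authenticate(req)
        self.log.append(f"routed {mask_pan(req.pan)} -> {acs.acs_id}: {result.status}")
        return result

    def _lookup(self, pan: str) -> Optional[AccessControlServer]:
        best: Optional[Tuple[str, AccessControlServer]] = None
        for prefix, acs in self.routes.items():
            if pan.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, acs)
        return best[1] if best else None


class ThreeDSServer:
    """Merchant/Acquirer Domain: builds the request on the merchant's behalf."""

    def __init__(self, requestor_id: str, ds: DirectoryServer) -> None:
        self.requestor_id = requestor_id
        self.ds = ds

    def authenticate(self, pan: str, amount_cents: int, device_id: str) -> AuthResult:
        return self.ds.route(AuthRequest(self.requestor_id, pan, amount_cents, device_id))


def build_demo() -> Tuple[DirectoryServer, ThreeDSServer, ThreeDSServer]:
    """Wire one ACS, one DS and two 3DS Servers together with constructed data."""
    acs = AccessControlServer("acs-issuer-1", {"4111111111111111"}, {"dev-known"})
    ds = DirectoryServer({"merchant-registered"})
    ds.register_acs("411111", acs)
    return ds, ThreeDSServer("merchant-registered", ds), ThreeDSServer("merchant-unknown", ds)


if __name__ == "__main__":
    ds, good, unknown = build_demo()
    print(good.authenticate("4111111111111111", 2500, "dev-known"))
    print(good.authenticate("4111111111111111", 250000, "dev-known"))
    print(unknown.authenticate("4111111111111111", 2500, "dev-known"))
    print(*ds.log, sep="\n")
```

Running the script walks the same account through a frictionless outcome, a challenge outcome and a rejected requestor, and then prints the DS log, which carries only masked account numbers. The routing, enrolment and risk rules are deliberately tiny stand-ins for the real components' behaviour; what the example demonstrates is which domain makes which decision.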

If your organisation performs any of these functions, then you will be required to comply with the PCI 3DS Core Security Standard.

It’s also worth remembering that even if you do not directly perform any of these core functions, you might still have to comply with the standard if you are a third-party provider that could potentially have an impact on the 3D Secure environment, or the security thereof.

Why exactly did the PCI SSC issue the new standard, specifically addressing the 3D Secure environment?

The main purpose is to improve the overall security of online payments. We mentioned earlier how the threat of CNP fraud is growing every year, with online criminals employing increasingly sophisticated techniques to obtain customer account data and using it to process fraudulent transactions.

In addition, the online marketplace is changing and mobile payments are set to dominate in the coming years.

The various functions of the improved 3DS2 protocol enable it to address the changing marketplace and increasing threat levels, which makes it a preferred defence mechanism against online payment fraud.

As such, the PCI 3DS Core Security Standard will support the effectiveness of the 3DS2 authentication environment by helping to secure the 3D Secure components that are critical to the transaction process.

PCI SSC Senior Director of Data Security Standards, Emma Sutcliffe, summed it up perfectly in one sentence: “A new and improved EMV® 3DS protocol together with these PCI Security Standards will enhance the security of 3DS infrastructures and transactions and improve dynamic authentication for e-commerce and m-commerce environments.”