PCI 3DS Certification

PCI 3DS Certification

PCI 3DS Core Security Standard and PCI 3DS SDK are two independent standards that define the security controls over different areas of a 3DS environment.

PCI 3DS SDK is the security standard applicable to entities that develop 3DS Software Development Kits (SDK), as defined in the EMV ® 3-D Secure SDK Specification.

PCI 3DS Core Security Standard is a set of security requirements and assessment procedures required to assess EMV’s 3D Secure Core security protocol and core functions. PCI 3DS enhances secure user authentication by adding an extra layer of security during CNP transactions.

The EMV® 3-D Secure entities are namely:

  • 3DS Directory Server (DS)
    The 3DS directory server maintains a lists of card ranges for which authentication may be available and coordinates communication between the 3DSS and ACS to determine whether authentication is available for a particular card number and device type.
  • 3DS Access Control Server (ACS)
    The 3DS ACS contains authentication rules and is controlled by the Issuer. The ACS verifies whether authentication is available for a card number and device type, and authenticates specific transactions.
  • 3DS Server (3DSS)
    The 3DS Server provides the functional interface between the 3DS Requestor Environment flows and the Directory Server (DS) and the components falls under bank/merchant entities that handles payment request environments

All the necessary physical and logical security requirements and assessments are defined underthe EMV 3-D Secure Protocol and Core Functions Specification.

The requirements are organized in two parts:

  1. Baseline Security Requirements: - A baseline of technical and operational security requirements designed to protect the 3DS data environment (3DE).
  2. 3DS Security Requirements: - Security requirements to protect 3DS data and processes.

As your PCI 3DS compliance partner, QRC will assist and assess you at each step of your compliance activity, right from scope definition until attaining compliant status. 

Scope Definition

  • Scope of PCI 3DS Core Security Standard applicable to 3DS Environment that typically includescomponents that handleACS, DS and/or 3DSs functions. The system components that facilitate 3DS transactions include network devices, servers, and applications.
  • Any other system component that handles 3DS Date falls in scope of the assessment. The certified professionals analysed the business infrastructure and defines the scope for 3DS assessment

Gap Assessment

  • Qualified professional will determine the gaps in the controls and provide a Gap Assessment Report.
  • Further, we provide the necessary support for recommendation and remediation as per business requirement.


  • Provide regular status report to all the concerned person for better visibility of the project.
  • Account for client requirements and customize everything accordingly.

Assessment and Certification

Post assessment for compliance with the PCI 3DS compliance requirements over all EMV’s 3D Secure Core Components standards and its component namely, 3DS Server, 3DS Directory Server & Access Control Server and ensuring that all gaps are closed post assessment. QRC proceeds with release of the certificates.

  • Security Improvementin the CNP Payment transactions:
    PCI 3DS helps major card brands to assist their consumers authenticate their identity when making card-not-present transactions by providing an additional security layer, helpingin prevention of unauthorized CNP transactions.

    Compliance with 3DS ensures physical and logical security of EMV 3DS transactions.
  • Avoid costly fines:
    Avoiding any fines/penalties imposed by banks and other regulatory entities on lieu of any information security crisis and fight fraud more effectively without sacrificing the customer experience.
  • Sustain Your Business:
    Increase in business brand as being compliant withPCI 3DS ensures growth in reputation.
  • Improve customer relationship
  • Getting your applicationvalidated under PCI 3DS SDK guidelinesshowcases that the company has a strong commitment to protect and secure their data.

Get Free Consultation