PCI 3DS Core Security Standard is a set of security requirements and assessment procedures required to assess EMV’s 3D Secure Core security protocol and core functions. The Three-Domain Secure (3DS) is an EMVCo messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present e-commerce and m-commerce purchases.

There are three domains in the 3DS specification :

  • Acquirer Domain

  • Issuer Domain

  • Interoperability Domain

The standard requirements are organized in two parts:

  • Baseline Security Requirements : - A baseline of technical and operational security requirements designed to protect the 3DS data environment (3DE).

  • 3DS Security Requirements : - Security requirements to protect 3DS data, processes and technologies

PCI 3DS Core Security Standard defines a set of security requirements and assessment procedures required to assess EMV’s 3D Secure Core security protocol and core functions. PCI 3DS enhances secure user authentication by adding an extra layer of security during CNP transactions.

The EMV® 3-D Secure entities under PCI 3DS consideration are :

  • 3DS Directory Server (DS)

  • 3DS Access Control Server (ACS)

  • 3DS Server (3DSS)

All the necessary physical and logical security requirements and assessments are defined under the EMV 3-D Secure Protocol and Core Functions Specification. The controls defined in the standard protect the confidentiality and integrity of the 3DS transaction.

what we offer

The key to implementing robust security controls lies in identifying the right scope, recognizing the difference between compliance and security and in sustaining compliance after successful control implementation.


Business Understanding

Evaluating business process and environment to understand the in-scope elements


Scope Finalization

Finalize the scope elements and prepare the requirement documentation


Readiness Assessment

Identify the potential challenges that might arise during requirement implementation


Risk Assessment

Identifying and analyzing the risks in the information security posture


Data Flow Assessment

Conducting thorough systems analysis to evaluate data flow and possible leakages


Documentation Support

Assist you with list of policy and procedure to help you in validation or evidence collection


Remediation Support

Support you by recommending solutions to compliance challenges


Awareness Training

Conduct awareness sessions for your Team and personnel involved in the scope


Scans And Testing

Identify critical vulnerabilities in your system with a robust testing approach


Evidence Review

Review of the evidence collected to assess their maturity, in line with the compliance


Final Assessment and Attestation

Post successful assessment, we get you attested for compliance with our audit team


Continuous Compliance Support

Support you in maintaining compliance by providing guidelines

frequently asked questions

The PCI 3DS Core Security Standard requirements  are organized into the following sections : 
● Baseline Security Requirements : 
These set of technical and operational security requirements are designed to protect environments where 3DS functions are performed. These requirements reflect general information security principles and practices common to many industry standards, and should be considered for any type of environment."

● 3DS Security Requirements:   
These set of requirements provide security controls specifically intended to protect 3DS data, technologies, and processes.

The PCI 3DS Core Security Standard applies to entities that perform or provide the following functions, as defined in the EMVCo 3DS Core Specification : 
● 3DS Server (3DSS)   
● 3DS Directory Server (DS)
● 3DS Access Control Server (ACS)

Some third-party service providers that can impact these 3DS functions, or the security of the environments where these functions are performed, may also be required to meet PCI 3DS requirements as applicable to the provided service.

The PCI 3DS Data Matrix is a separate document that supports the PCI 3DS Core Security Standard and identifies a number of data elements common to 3DS transactions. The data elements identified in the PCI 3DS Data Matrix include those considered to be 3DS sensitive data, which are subject to specific data protection requirements, and certain cryptographic key types that are subject to HSM requirements.

The PCI 3DS Core Security Standard and PCI DSS are separate, independent standards each intended for specific types of entities. The Standard applies to 3DS environments where 3DSS, ACS, and/or DS functions are performed, while PCI DSS applies wherever payment card account data is stored, processed or transmitted. 

The deliverables of PCI 3DS certification is: 
●        Attestation of Compliance (AOC).
●        Report of Compliance (ROC).
●        Certificate of Compliance (COC).

Related Updates

LinkedIn Facebook Twitter Youtube

We use cookies to enhance your user experience. By continuing to browse, you hereby agree to the use of cookies. Know more Privacy Policy & Cookies Policy.