Request for Comments: PCI 3DS SDK and 3DS Core Security Standards


From 18 October to 17 November 2021, eligible PCI SSC stakeholders are invited to review and provide feedback on the currently published PCI 3DS SDK Security Standard and the PCI 3DS Core Security Standard during a 30-day request for comments (RFC) period. The full list of stakeholders eligible to participate can be found on the PCI SSC RFC webpage.

The two RFCs – one for each standard – will run concurrently and will be available to primary contacts through the PCI SSC portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.

Please note that PCI SSC can only accept comments that are submitted via the PCI SSC portal and received within the defined RFC period.

Background on the PCI 3DS SDK and 3DS Core Security Standards
The PCI 3DS Core (v1.0) and the 3DS SDK (v1.1) Security Standards were published in 2017 and 2018, respectively.

EMV® Three-Domain Secure (3DS) is an EMVCo messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce and m-commerce purchases. The PCI 3DS Core Security Standard provides a framework for three critical EMV® 3DS components—Access Control Server (ACS), Directory Server (DS), and 3DS Server—to implement physical and logical security controls to support the integrity and confidentiality of the 3DS transaction process.

A 3DS Software Development Kit (SDK) is software for facilitating cardholder authentication that is embedded in a merchant mobile app. When a cardholder initiates an in-app (mobile) transaction, the 3DS SDK communicates with 3DS Core Components to authenticate the cardholder. Intended for developers and vendors of 3DS SDK products, the PCI 3DS SDK Security Standard is focused on ensuring 3DS SDK products are designed and developed to meet specific security objectives.

Please review our resource guide, What to Know Before Participating in a PCI SSC RFC, for more information on the PCI SSC RFC process.




