PCI 3DS certification
As a PCI 3DS (Three Domain Secure or 3-D Secure) certifier in Europe, USA and LAC (Latin America and Caribbean) we promote its compliance as it provides an additional layer of security that helps prevent unauthorized transactions in card-not-present environments such as e-commerce. Our clients are companies that have implemented a 3DS solution and must be certified with acceptance brands such as Visa, MasterCard and American Express.
PCI 3DS compliance allows:
- To create a cross-cutting framework that allows the large-scale implementation of this security protocol in e-commerce and m-commerce (mobile commerce) environments.
- To prevent unauthorized transactions in e-commerce environments for customers of certified companies.
- To protect companies against fraud.
- To convey confidence and security to your customers.
What is PCI 3D SECURE?
EMV Three Domain Secure (3DS) is an anti-fraud messaging protocol that allows consumers to authenticate with their payment card issuer at the time of a card-not-present (CNP) transaction in e-commerce environments.
This additional layer of security helps prevent unauthorized transactions in the e-commerce environment while protecting the merchant against fraud.
The certification is aimed at providers that operate environments where ACS, DS or 3DSS functions are performed.
Why get certified with us?
- We have auditors with extensive international experience.
- We certify PCI DSS, PCI 3DS, PCI PIN, and PCI Card Production.
- Automatic evidence tracking tool.
- Consulting and auditing in Spanish and English.
What are the consequences of not getting certified?
- Non-acceptance of the product to operate with Visa and MasterCard brands.
- Increased vulnerability to fraud.
- Heavy penalties and fines.
- Loss of customer confidence.
- Economic losses that can even lead to the closure of a business.
Frequently asked questions
It is called "Three Domain Secure" due to the interaction of three main actors:
- The merchant.
- The card issuer.
- The network processing the payment, i.e. the bank of the user making the purchase.
At the time of the transaction, the card issuer requests additional authentication data from the cardholder, which may include:
- A PIN.
- A password or the answer to a secret question.
- A code from a coordinate card.
- A code sent by SMS to a registered mobile phone.
- A single-use key.
The purpose of this verification is to authenticate the cardholder.
The entire process takes approximately 2 months:
- Planning: 2 days
- Auditing: 3 days
- Documentation and delivery of certificates: 7 weeks
- Total time: 8 weeks
More about PCI 3DS
This certification defines the logical and physical requirements, as well as the evaluation procedures, for those entities that provide or execute the following functions established in the EMV®3-D Secure Protocol and Core Functions Specification document. PCI 3DS is composed of three crucial components: the Access Control Server (ACS), the Directory Server (DS) and the 3DS Server (3DSS).
- 3DS Server (3DSS): Provides the functional interface between the 3DS requestor environment (the merchant side) and the Directory Server (DS).
- 3DS Directory Server (DS): Manages the list of card ranges for which authentication is available and coordinates the communication between the 3DS Server (3DSS) and the Access Control Server (ACS) to determine whether 3-D Secure authentication is available for a particular card and a particular access device.
- 3DS Access Control Server (ACS): A server that contains the authentication rules and is controlled by the issuer. It checks whether the authentication is valid and authenticates the cardholder for the related banking transactions.
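As an added illustration (not code from this page or from any real 3DS implementation), the following simplified Python model shows how the three components divide the work: the 3DSS on the merchant side forwards the request and keeps only a masked PAN in its log, the DS looks the PAN up in its card ranges and routes to the issuer's ACS, and the ACS applies issuer-controlled rules. The amount threshold, the one-time code and the status strings are constructed assumptions, not the messages defined in the EMV 3DS specification.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class CardRange:
    """One card range the DS lists as enrolled, mapped to the issuer's ACS."""
    start: str    # inclusive lower bound, same length as the PAN
    end: str      # inclusive upper bound
    acs_id: str
class AccessControlServer:
    """Issuer domain: holds the authentication rules controlled by the issuer."""
    def __init__(self, acs_id, challenge_above, expected_otp):
        self.acs_id = acs_id
        self.challenge_above = challenge_above  # constructed issuer rule: amount threshold
        self._expected_otp = expected_otp       # constructed one-time code sent to cardholder
    def authenticate(self, amount, otp=None):
        if amount <= self.challenge_above:
            return "authenticated"              # issuer rule: low amount, no challenge
        if otp is None:
            return "challenge_required"         # cardholder must supply the code
        # constant-time comparison so a wrong code leaks nothing through timing
        ok = hmac.compare_digest(otp.encode(), self._expected_otp.encode())
        return "authenticated" if ok else "failed"
class DirectoryServer:
    """Interoperability domain: knows the enrolled card ranges and the ACS for each."""
    def __init__(self, ranges, acs_list):
        self.ranges = ranges
        self.acs = {a.acs_id: a for a in acs_list}

    def acs_for(self, pan):
        for r in self.ranges:
            if len(r.start) == len(pan) and r.start <= pan <= r.end:
                return self.acs.get(r.acs_id)
        return None                             # card not enrolled: no ACS to route to
class ThreeDSServer:
    """Merchant/acquirer domain: the merchant's functional interface to the DS."""
    def __init__(self, ds):
        self.ds = ds
        self.log = []                           # masked PANs only, so the log holds no card data

    @staticmethod
    def mask(pan):
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

    def request_auth(self, pan, amount, otp=None):
        acs = self.ds.acs_for(pan)
        status = "not_enrolled" if acs is None else acs.authenticate(amount, otp)
        self.log.append((self.mask(pan), amount, status))
        return status
```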
What is the relationship between the PCI DSS and the PCI 3DS Core Security standard?
Depending on the form of implementation, a 3D Secure environment can be part of a payment card data environment or completely separate. If a 3DS environment contains card data, it may be subject to PCI DSS compliance.
Certification methodology
The evaluation method is carried out through the following steps:
- Initial Training Course
- Expert advice
- GAP Analysis
- Accompaniment and advice
- On-site audit
- Final review
- Initial Training Course: During this phase, general concepts and key points for compliance are addressed, and awareness is promoted within the organization.
- Expert advice: Interviews are conducted and the necessary documentation is reviewed to establish and record the active processes and the vendors involved, which determine the scope of PCI 3DS.
- GAP Analysis: For new customers, information is gathered to analyze all existing security processes and determine the organization's level of compliance.
- Accompaniment and advice: A 3DS-SA consultant provides ongoing advice throughout the implementation process.
- On-site audit: Information is collected to determine whether PCI 3DS compliance is in place. The assessment is included in the final ROC (Report on Compliance) and AOC (Attestation of Compliance), along with any other requested documentation.
- Final review: Documentation of the PCI 3DS compliance status is prepared, followed by the ROC and AOC reporting.
Do you need to comply with PCI 3DS?
Send us an email to info@botech.info or fill out the following contact form.