PCI 3DS certification

As a PCI 3DS (Three Domain Secure or 3-D Secure) certifier in Europe, USA and LAC (Latin America and Caribbean) we promote its compliance as it provides an additional layer of security that helps prevent unauthorized transactions in card-not-present environments such as e-commerce. Our clients are companies that have implemented a 3DS solution and must be certified with acceptance brands such as Visa, MasterCard and American Express.

PCI 3DS compliance allows:

  • To create a transversal framework that allows the massive implementation of this security protocol in e-commerce and m-commerce or mobile commerce environments.
  • To prevent unauthorized transactions in e-commerce environments for customers of certified companies.
  • To protect companies against fraud.
  • To convey confidence and security to your customers.

What is PCI 3D SECURE?

EMV Three Domain Secure (3DS), is an anti-fraud messaging protocol that allows consumers to authenticate with their payment card issuer at the time of a non-face-to-face (CNP) transaction in e-commerce environments.

This additional layer of security helps prevent unauthorized transactions in the e-commerce environment while protecting the merchant against fraud.

A certification aimed at those suppliers involved in environments where ACS, DS or 3DSS functions are performed.

Why get certified with us?

  • We have auditors with extensive international experience.
  • We certify PCI DSS, PCI 3DS, PCI PIN, and PCI Card Production.
  • Automatic evidence tracking tool.
  • Consulting and auditing in Spanish and English.

Which are the consequences of not getting certified?

  • Non-acceptance of the product to operate with Visa and MasterCard brands.
  • Increased vulnerability to fraud.
  • Heavy penalties and fines.
  • Loss of customer confidence.
  • Economic losses that can even lead to the closure of a business.

Frequently asked questions

It is called "Three Domain Secure" due to the interaction of three main actors:

  • The commerce.
  • The card issuer.
  • The network processing the payment, i.e. the bank of the user making the purchase.

At the time of the transaction, the card issuer requests additional authentication data from the cardholder, which may include:

  • A password or the answer to a secret question
  • A code from a coordinate card
  • A code sent by SMS to a registered mobile phone
  • A single-use key.

The purpose of this verification is to authenticate the cardholder.

The entire process takes approximately 2 months:

  • Planning: 2 days
  • Auditing: 3 days
  • Documentation and delivery of certificates: 7 weeks
  • Total time: 8 weeks

More about PCI 3DS

This certification defines the logical and physical requirements, as well as the evaluation procedures, for those entities that provide or execute the following functions established in the EMV®3-D Secure Protocol and Core Functions Specification document. PCI 3DS is composed of three crucial components: the Access Control Server (ACS), the Directory Server (DS) and the 3DS Server (3DSS).

  • 3DS Server (3DSS): Provides the functional interface between the 3DS authentication request environment and the directory server (DS).
  • 3DS (DS) directory server: It manages the list of card ranges for which authentication is available and coordinates the communication between the 3DS server (3DSS) and the access control server (ACS) to determine whether 3D-Secure authentication is available for a particular card and a particular access device.
  • 3DS Access Control Server (ACS): It is a server that contains the authentication rules and is controlled by the issuing entity. This server checks if the authentication is valid and authenticates the user in the related banking transactions.

What is the relationship between the PCI DSS and the PCI 3DS Core Security standard?

Depending on the form of implementation, a 3D Secure environment can be part of a payment card data environment or completely separate. If a 3DS environment contains card data, it may be subject to PCI DSS compliance.

Certification methodology

The evaluation method is carried out through the following steps:

  1. Initial Training Course
  2. During this phase, general concepts and key points for compliance are addressed and awareness is promoted within the organization.

  3. Expert advice
  4. Conduct interviews and review the necessary documentation to establish and record the active processes and vendors involved that will determine the scope of PCI 3DS.

  5. GAP Analysis
  6. GAP analysis for new customers, by gathering information to analyze all existing security processes and determine the organization's level of compliance.

  7. Accompaniment and advice
  8. A 3DS-SA consultant will provide ongoing advice throughout the implementation process.

  9. On-site audit
  10. We retrieve information to determine proper PCI 3DS compliance. The assessment is included in the final ROC (Report of Compliance) and AOC (Attestation of Compliance) report along with any other requested documentation.

  11. Final review
  12. Prepares documentation of PCI 3DS compliance status and subsequent ROC and AOC reporting.

Do you need to comply with PCI 3DS?

Send us an email to info@botech.info or fill out the following contact form.