One of the main problems with card-not-present (CNP) transactions using payment cards (those in which the physical card does not need to be inserted, swiped or tapped on a reader) is authenticating the cardholder at the moment the transaction is made.
Unlike face-to-face transactions, in which the cardholder must present two authentication factors (the plastic card itself and the PIN), CNP transactions usually reuse the same authentication factor twice (the PAN and the CVV2, both printed on the plastic), so a criminal who obtains this data can make fraudulent transactions.
In October 2017, at the PCI Europe Community Meeting held in Barcelona (Spain), the PCI SSC announced the result of several years of work: the integration of the 3-D Secure (3DS) standard with the rest of the PCI SSC standards, the PCI 3DS Core Security Standard. This standard is based on the EMV® 3-D Secure (3DS) protocol, and the aim of the integration is a cross-cutting framework that allows large-scale deployment of this security protocol in e-commerce environments and in purchases made through mobile phones (m-commerce).
What is 3-D Secure (3DS)?
EMV® Three-Domain Secure (3-D Secure or 3DS) is an anti-fraud messaging protocol that lets consumers authenticate themselves with the issuer of their payment card at the time of a card-not-present (CNP) transaction. It is an additional security layer that helps prevent unauthorized transactions in e-commerce environments and, in turn, protects merchants from fraud.
When the transaction is made, the card issuer (i.e. the cardholder's bank, which issued the plastic) asks the cardholder for authentication data in addition to the CVV2, which is usually one of the following:
- A PIN
- A password or the answer to a secret question
- A code from a coordinate card.
- A code sent via SMS to a registered mobile phone.
- A one-time password (“One Time Password” – OTP) generated by an electronic device or an application installed on a mobile phone.
The objective is that only the issuing bank has access to this additional data, which is why the merchant and any other intermediate entity should receive only the outcome of that validation: approved or not.
It is called "Three-Domain" because of the interaction of three main actors:
- The merchant/acquirer domain
- The domain of the issuer
- The interoperability domain (for example, a payment system)
What is the scope of application of PCI 3-D Secure (PCI 3DS)?
The new document "PCI 3DS Core Security Standard", published by the PCI SSC, defines the logical and physical requirements and assessment procedures for entities that provide or perform the following functions, as defined in the EMV® 3-D Secure Protocol and Core Functions Specification:
- 3DS Server (3DSS): provides the functional interface between the environment from which 3DS functionality is requested and the Directory Server (DS).
- 3DS Directory Server (DS): maintains the list of card ranges for which authentication is available and coordinates communication between the 3DS Server (3DSS) and the Access Control Server (ACS) to determine which authentication is available for a particular card number and device type.
- 3DS Access Control Server (ACS): contains the authentication rules and is controlled by the issuer. It verifies which type of authentication is available and authenticates the specific transaction.
Therefore, the applicability of this new standard is tied to those environments where ACS, DS or 3DSS functions are performed. Typically this means the 3DS Environment (3DE), which contains the system components involved in executing 3DS transactions, as well as the components that support the 3DE.
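To tie together the three domains listed above and the three functions (3DSS, DS, ACS) just described, here is a simplified model added to this post; it is not code from the PCI SSC or EMV, it does not use the real EMV 3DS message formats, and the class names, card numbers, card range and one-time code are all constructed for the illustration. The point it shows is the one the post makes: the merchant side requests authentication and receives only the verdict, while the cardholder's secret is checked only by the issuer's ACS.

```python
import hmac
from dataclasses import dataclass

@dataclass
class AuthResult:
    approved: bool
    reason: str

class AccessControlServer:
    """Issuer domain: holds the authentication rules and challenges the cardholder."""
    def __init__(self, issuer, enrolled):
        self.issuer = issuer
        self._enrolled = enrolled  # PAN -> one-time code the issuer expects (constructed sample data)
    def authentication_available(self, pan):
        return pan in self._enrolled
    def challenge(self, pan, ask_cardholder):
        # The issuer talks to the cardholder directly; the merchant is not part of this exchange.
        expected = self._enrolled.get(pan)
        if expected is None:
            return AuthResult(False, "cardholder not enrolled")
        supplied = ask_cardholder(f"{self.issuer}: enter the one-time code sent to your phone")
        ok = hmac.compare_digest(expected.encode(), supplied.encode())  # constant-time compare
        return AuthResult(ok, "authenticated" if ok else "authentication failed")

class DirectoryServer:
    """Interoperability domain: knows which card ranges support 3DS and which ACS serves them."""
    def __init__(self):
        self._ranges = {}  # leading digits of a card range -> ACS
    def register_range(self, prefix, acs):
        self._ranges[prefix] = acs
    def find_acs(self, pan):
        return next((acs for p, acs in self._ranges.items() if pan.startswith(p)), None)

class ThreeDSServer:
    """Merchant/acquirer domain: requests authentication and receives only the verdict."""
    def __init__(self, ds):
        self.ds = ds
    def authenticate(self, pan, ask_cardholder):
        acs = self.ds.find_acs(pan)
        if acs is None or not acs.authentication_available(pan):
            return AuthResult(False, "3DS authentication not available for this card")
        return acs.challenge(pan, ask_cardholder)

def build_demo():
    # Constructed sample: one issuer ACS registered for the card range starting 411111.
    acs = AccessControlServer("DemoBank", {"4111111111111111": "482913"})
    ds = DirectoryServer()
    ds.register_range("411111", acs)
    return ThreeDSServer(ds)
```

Note that `ThreeDSServer.authenticate` never handles the one-time code itself: the `ask_cardholder` callback stands in for the challenge the issuer's ACS presents directly to the cardholder's browser or app, so the merchant domain sees the PAN and the verdict, nothing more.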
What is the content of the PCI 3DS Core Security standard?
The new “PCI 3DS Core Security” standard is divided into two parts:
- Baseline Security Requirements, which provide the technical and operational security requirements designed to protect environments where 3DS functions are performed. These requirements reflect general information-security principles and practices common to multiple industry standards and should be considered in any type of environment.
- 3DS Security Requirements, which describe specific security controls to protect 3DS transaction data, technologies and processes.
Additionally, the standard is accompanied by the following documents:
- PCI 3DS Data Matrix, which lists the data elements of a 3DS transaction and describes each one's confidentiality level and whether it may be stored.
- PCI 3DS SDK Security Standard, which defines the requirements and testing procedures for 3DS Software Development Kits (SDKs), following the EMV® 3-D Secure SDK Specification.