PCI 3DS
PCI 3DS (Payment Card Industry 3-D Secure) is a security standard developed by the PCI Security Standards Council (PCI SSC) to safeguard the authentication process for online transactions. It plays a vital role in protecting against payment fraud and ensures a secure payment environment within the 3-D Secure ecosystem.
Just like the Patronus charm in the Harry Potter series creates a powerful barrier against dark forces, PCI 3DS serves as a shield, protecting cardholder data from unauthorised access and fraudulent activities.

How can we help you?
With PCI 3DS QSA accreditation and extensive experience conducting PCI 3DS assessments both in the UK and abroad, we offer full support in the PCI 3DS certification process. We help you identify your role within the 3DS ecosystem (3DS Server, ACS, or DS), assess your environment, identify areas for improvement, and perform a compliance audit.
We will also help you prepare the necessary certification documents, assist with submission to the card organisations, and provide a Marketing Certificate to boost customer confidence in your brand. Just like a Patronus offers a sense of security and peace, we ensure that your payment environment is properly protected and ready for certification.
How will we work with you?
Stage 1
Scoping
The first step in PCI 3DS certification is to define the scope and identify your role in the payment process. We work with you to pinpoint the technology, processes, personnel, and suppliers involved in processing 3DS data or impacting its security. Remember, the responsibility for scoping lies with you, but we are happy to assist with any questions you may have. We also recommend reading this article for further insights.
Stage 2
Gap analysis
This optional step is best suited for new clients who are unsure whether they are ready for a PCI 3DS audit. During the gap analysis, we simulate a certification audit, highlight non-conformities, and suggest areas for improvement. We will also provide actionable recommendations for overcoming any challenges you may face.
Stage 3
Certification audit
The certification audit can be carried out remotely, on-site, or in a hybrid format. You can read more about what it involves and how the process works here. Within two weeks of completing the audit, you will receive a list of the required documents and evidence to submit to us (this is known as the tracker).
Stage 4
Corrections and evidence collection
You will have up to 90 days to provide the necessary audit evidence or implement corrections based on our observations. Remember, the sooner you submit the evidence, the faster we can finalise the audit documentation.
Stage 5
Reporting
This phase is where we compile the audit report based on the documents and evidence provided. The report is a highly detailed document (over 650 pages) describing your card environment. We also conduct a QA process before issuing the report to you. The entire process typically takes up to one month.
Stage 6
Finishing
This is the step we look forward to most. If the outcome is positive, you will receive an Attestation of Compliance (AOC) document for electronic signature. Once the audit is complete, we will assist with registration with the card organisations and issue a Marketing Certificate.
Certification audit
A certification audit combines both on-site and remote activities to verify your compliance with the PCI 3DS standard. The audit consists of four key elements:
Interviews: Before the audit, we will provide an agenda and topics we want to discuss with your staff or suppliers. The purpose of these interviews is to get a better understanding of your organisation, responsibilities, and management processes for handling card data.
Configuration Review: The next step involves reviewing and verifying the configuration of your environment. We will ask your team to demonstrate how systems, devices, and tools such as access control systems or alarm systems are configured. During this review, we will often request audit evidence to ensure compliance.
Review of Management Processes: We will assess how you manage your card environment. This includes reviewing change logs, evidence of log reviews, patching sessions, and other management activities that help maintain a secure environment.
Documentation Review: This step is typically done remotely. We will ask for a list of documents detailing your card environment, network diagrams, policies, and procedures. Please ensure that these documents are up to date, with the latest review date no more than 12 months old.
After the audit, we will provide a set of observations, documents, and evidence in one document, which we call a tracker. The idea behind the tracker is that once you provide all the required items, we can start working on the final audit report.
Don't buy a pig in a poke: request a free consultation and check how we can assist you.
