PCI 3DS


PCI 3DS (Payment Card Industry 3-D Secure) is the security standard published by the PCI Security Standards Council (PCI SSC) for the environments in which the 3-D Secure authentication of online card transactions is performed. It protects the authentication data and infrastructure of the 3-D Secure ecosystem against compromise and therefore plays a key role in preventing payment fraud.

Just like the Patronus charm in the Harry Potter series creates a powerful barrier against dark forces, PCI 3DS serves as a shield, protecting cardholder data from unauthorised access and fraudulent activities.

PCI 3DS certification is required of organisations performing one of the three roles defined in the standard. The first is the 3DS Server (3-D Secure Server), which handles the authentication process on behalf of merchants or payment service providers. The second is the ACS (Access Control Server), operated by or on behalf of card-issuing banks, which verifies the cardholder's identity during authentication. The third is the DS (Directory Server), which routes authentication requests to the appropriate ACS and manages the exchange of messages between the participants. Which role you hold, and therefore whether certification applies to you, is determined by the card organisations.

How can we help you?

With PCI 3DS QSA accreditation and extensive experience conducting PCI 3DS assessments both in the UK and abroad, we offer full support in the PCI 3DS certification process. We help you identify your role within the 3DS ecosystem (3DS Server, ACS, or DS), assess your environment, identify areas for improvement, and perform a compliance audit.

We will also help you prepare the necessary certification documents, assist with submission to the card organisations, and provide a Marketing Certificate to boost customer confidence in your brand. Just like a Patronus offers a sense of security and peace, we ensure that your payment environment is properly protected and ready for certification.

How will we work with you?

Stage 1

Scoping

The first step in PCI 3DS certification is to define the scope and identify your role in the payment process. We work with you to pinpoint the technology, processes, personnel, and suppliers that store, process or transmit 3DS data, or that could affect its security. Remember, the responsibility for defining the scope lies with you, but we are happy to assist with any questions you may have. We also recommend reading this article for further insights.

Stage 2

Gap analysis

This optional step is best suited for new clients who are unsure whether they are ready for a PCI 3DS audit. During the gap analysis, we simulate a certification audit, highlight non-conformities, and suggest areas for improvement. We will also provide actionable recommendations for overcoming any challenges you may face.

Stage 3

Certification audit

The certification audit can be carried out remotely, on-site, or in a hybrid format; what it involves and how the process works is described in the Certification audit section below. Within two weeks of completing the audit, you will receive a list of the documents and evidence you need to submit to us (this is known as the tracker).

Stage 4

Corrections and evidence collection

You will have up to 90 days to provide the required audit evidence or to implement corrections based on our observations. Remember, the sooner you submit the evidence, the sooner we can finalise the audit documentation.

Stage 5

Reporting

This is the phase in which we compile the audit report (the Report on Compliance) from the documents and evidence provided. The report is a highly detailed document, typically over 650 pages, describing your 3DS environment. We also run an internal QA process before issuing the report to you. This stage typically takes up to one month.

Stage 6

Finishing

This is the step we look forward to most. If the outcome is positive, you will receive the Attestation of Compliance (AOC) for electronic signature. Once the audit is complete, we will assist with registration with the card organisations and issue a Marketing Certificate.

Certification audit

A certification audit combines on-site and remote activities to verify your compliance with the PCI 3DS standard. It consists of four key elements:

1. Interviews. Before the audit, we will provide an agenda and the topics we want to discuss with your staff or suppliers. The purpose of these interviews is to gain a better understanding of your organisation, the division of responsibilities, and the management processes for handling 3DS data.

2. Configuration review. The next step involves reviewing and verifying the configuration of your environment. We will ask your team to demonstrate how systems, devices, and tools such as access control systems or alarm systems are configured. During this review, we will often request audit evidence to confirm compliance.

3. Review of management processes. We will assess how you manage your 3DS environment. This includes reviewing change logs, evidence of log reviews, patching records, and other management activities that help maintain a secure environment.

4. Documentation review. This step is typically done remotely. We will ask for a list of documents describing your 3DS environment, network diagrams, policies, and procedures. Please ensure that these documents are current: each should have been reviewed within the last 12 months.

After the audit, we will provide our observations and the list of required documents and evidence in a single document, which we call the tracker. Once you have provided all the required items, we can start work on the final audit report.

Don't buy a pig in a poke -
request a free consultation and check how we can assist you.

Contact form

Use the contact form or contact us directly.

Patronusec Sp z o. o.

Head Office:
ul. Święty Marcin 29/8
61-806 Poznań, Poland

KRS: 0001039087
REGON: 525433988
NIP: 7831881739
D-U-N-S: 989454390
LEI: 259400NAR8ZOX1O66C64