PCI 3DS
PCI certifications
Don’t let compliance gaps put your 3DS payment services at risk. Patronusec ensures your organisation achieves full PCI 3DS certification, securing transactions and protecting your customers’ trust. Our experts identify vulnerabilities, close gaps fast, and streamline the entire certification process. Take control now—turn compliance into a competitive advantage and lead your market with confidence.
Secure payments. Stop fraud. Lead with confidence—adopt PCI 3DS today.
How can we help you?
With PCI 3DS QSA accreditation and extensive experience conducting PCI 3DS assessments both in the UK and abroad, we offer full support in the PCI 3DS certification process. We help you identify your role within the 3DS ecosystem (3DS Server, ACS, or DS), assess your environment, identify areas for improvement, and perform a compliance audit.
We will also help you prepare the necessary certification documents, assist with submission to the card organisations, and provide a Marketing Certificate to boost customer confidence in your brand. Just like a Patronus offers a sense of security and peace, we ensure that your payment environment is properly protected and ready for certification.
How will we work with you?
Stage 1
Scoping
The first step in PCI 3DS certification is to define the scope and identify your role in the payment process. We work with you to pinpoint the technology, processes, personnel, and suppliers involved in processing 3DS data or impacting its security. Remember, the responsibility for scoping lies with you, but we are happy to assist with any questions you may have. We also recommend reading this article for further insights.
Stage 2
Gap analysis
This optional step is best suited for new clients who are unsure whether they are ready for a PCI 3DS audit. During the gap analysis, we simulate a certification audit, highlight non-conformities, and suggest areas for improvement. We will also provide actionable recommendations for overcoming any challenges you may face.
Stage 3
Certification audit
The certification audit can be carried out remotely, on-site, or in a hybrid format. You can read more about what it involves and how the process works here. Within two weeks of completing the audit, you will receive a list of the required documents and evidence to submit to us (this is known as the tracker).
Stage 4
Corrections and evidence collection
You will have up to 90 days to provide the necessary audit evidence or implement corrections based on our observations. Remember, the sooner you submit the evidence, the faster we can finalise the audit documentation.
Stage 5
Reporting
This phase is where we compile the audit report based on the documents and evidence provided. The report is a highly detailed document (over 650 pages) describing your card environment. We also conduct a QA process before issuing the report to you. The entire process typically takes up to one month.
Stage 6
Finishing
This is the step we look forward to most. If the outcome is positive, you will receive an Attestation of Compliance (AOC) document for electronic signature. Once the audit is complete, we will assist with registration with the card organisations and issue a Marketing Certificate.
Certification audit
A certification audit combines both on-site and remote activities to verify your compliance with the PCI 3DS standard. The audit consists of four key elements:
Interviews: Before the audit, we will provide an agenda and topics we want to discuss with your staff or suppliers. The purpose of these interviews is to get a better understanding of your organisation, responsibilities, and management processes for handling card data.
Configuration Review: The next step involves reviewing and verifying the configuration of your environment. We will ask your team to demonstrate how systems, devices, and tools such as access control systems or alarm systems are configured. During this review, we will often request audit evidence to ensure compliance.
Review of Management Processes: We will assess how you manage your card environment. This includes reviewing change logs, evidence of log reviews, patching sessions, and other management activities that help maintain a secure environment.
Documentation Review: This step is typically done remotely. We will ask for a list of documents detailing your card environment, network diagrams, policies, and procedures. Please ensure that these documents are up-to-date, with the latest review date no more than 12 months old.
After the audit, we will provide a set of observations, documents, and evidence in one document, which we call a tracker. The idea behind the tracker is that once you provide all the required items, we can start working on the final audit report.
FAQ – PCI 3DS Certification
How long does the PCI 3DS certification process take?
The entire PCI 3DS certification process typically takes up to one month, encompassing all stages from scope definition and audit to final reporting and issuance of the Attestation document.
What is the cost of implementing or achieving PCI 3DS certification?
Costs depend on the specifics of your role within the 3DS ecosystem, the audit scope, and the environment’s readiness. A detailed quotation is available following a complimentary consultation to define requirements and project scope.
When can the certification process commence?
The process may commence upon scope agreement and contract signature with Patronusec. An optional gap analysis is recommended to prepare effectively for the certification audit.
What does collaboration during certification entail?
The process is divided into six stages—from scope definition, gap analysis, and audit to evidence collection, reporting, and conclusion with AOC signing. Each stage is overseen by a dedicated Patronusec consultant.
How soon will the PCI 3DS certificate be received?
Upon audit completion and submission of required evidence, the report is prepared, followed by the Attestation document (AOC). The timeframe from audit to document issuance usually spans up to one month.
What are the key elements of a PCI 3DS audit?
The audit encompasses personnel interviews, system configuration reviews, process management analysis, and examination of current documentation describing the cardholder environment.
Which roles does PCI 3DS certification cover?
The PCI 3DS standard applies to three roles: 3DS Server (transaction authentication system), ACS (Access Control Server—typically for issuing banks), and DS (Directory Server managing authentication requests).
Don't buy a pig in a poke: request a free consultation and check how we can assist you.
Patronusec Sp z o. o.
Head Office:
ul. Święty Marcin 29/8
61-806 Poznań, Polska
KRS: 0001039087
REGON: 525433988
NIP: 7831881739
D-U-N-S: 989454390
LEI: 259400NAR8ZOX1O66C64