PCI SSC and the payment brands

The standard represents a baseline of technical and operational requirements designed to protect cardholder data and is maintained by PCI Security Standards Council (PCI SSC) – a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The standard is enforced by the payment brands, namely VISA, MasterCard, Amex, JCB and Discover.

Who is it for?

The PCI 3DS Core Security Standard applies to entities that perform or provide the following
functions, as defined in the EMVCo 3DS Core Specification:

• 3DS Server (3DSS)
• 3DS Directory Server (DS)
• 3DS Access Control Server (ACS)

Where a third-party service can impact 3DS functionality or the security of the 3DS
Environment (3DE), the applicable PCI 3DS requirements will need to be identified and
implemented for that service. While the ultimate responsibility for the security of the 3DE
and 3DS Data lies with the 3DS entity, service providers may be required to demonstrate
compliance with the applicable PCI 3DS requirements based on the service provided.

The standard

The requirements in the PCI 3DS Core Security Standard are organized into the following

  • Part 1: Baseline Security Requirements, which provide technical and operational
    security requirements designed to protect environments where 3DS functions are
    performed. These requirements reflect general information security principles and
    practices common to many industry standards, and should be considered for any
    type of environment.
  • Part 2: 3DS Security Requirements, which provide security controls specifically
    intended to protect 3DS data, technologies, and processes.

Why should my organisation be PCI DSS compliant?

The answer is quite simple, keep your systems secure, and customers can trust you with their sensitive payment card information. When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.