S2 E8: Getting to Know PCI 3DS

Jordan Eisner: Alright. Welcome back, everybody. I’m your host, Jordan Eisner, and this is Compliance Pointers, where we talk about information security, information privacy, regulatory compliance, and all the latest and greatest in that space.

Today, we’re going to be talking about getting to know PCI 3DS, and we’re fortunate to have two 3DS QSAs join us. Brandon Breslin, who’s a senior manager here at CompliancePoint over our assurance practice and specializing in PCI, and Michael Barnes, also specializing in PCI, who’s a Senior Security Consultant with CompliancePoint.

Brandon, I think you just celebrated a year, right?

Brandon Breslin: A couple of days ago, it just hit the year mark.

Jordan Eisner: Awesome. Before that, you were at Crow for a long time working in their PCI practice. So quite a background in PCI.

Michael, you’re going to have to reference your QSA number, because I always like to ask you about that, because I know that you’re one of the OGs.

Brandon Breslin: He’s in the single digits.

Michael Barnes: Yes, 007-005.

Jordan Eisner: There you go. Right. So for the PCI gurus out there, they know what that means.

Michael Barnes: Yeah, it means I’ve been doing it since 2006.

Jordan Eisner: There you go. You’ve been with us, what, over three years?

Michael Barnes: No, just over two years now.

Jordan Eisner: It seems like over three with the impact you’ve made.

Brandon Breslin: With his experience, he’s been doing this a while.

Jordan Eisner: Right. For our audience, these are very humble guys. I will try and get them to brag on themselves, but they won’t.

But we’ll dive right into the topic then. So we’ll talk about PCI 3DS, which, my understanding, just comparing it to Nintendo 3DS, just means that it’s 3D imaging, you don’t need glasses, or am I way off topic?

Brandon Breslin: Exactly. I think we’re done here. That’s pretty much it.

Jordan Eisner: Tell us about PCI 3DS. It was newer to me last year, and I don’t know a lot about it, so I’m interested in this session today, and hopefully some questions that can gear it for people that don’t know a lot about it, right? And hear from you who do know a lot about it. So tell us about it.

Brandon Breslin: Yeah. So it’s a standard that’s similar to PCI DSS that is maintained and provisioned by the PCI council. For those who are not familiar with PCI, that originally started from the card brands, representatives from the card brands, who created a governing body for the data security standard for handling cardholder data. So debit cards, credit cards, as that’s transmitted, stored, processed, all of the above.

Specifically for 3DS, that is a card-not-present messaging protocol. So it’s specifically for e-commerce merchants. Not all e-commerce merchants are, you know, needing to be compliant with that, which we’ll get into in a little bit, but it’s specifically intended to reduce fraud on transactions, right?

So it places an additional authentication layer from the merchant side. If you are, you know, accepting payments, if you’re a cardholder, you go on, you have to make an additional authentication layer. A lot of this happens in the background. You don’t know about it as a cardholder, but that is the intent of the standard.

Specifically, similar to PCI, it’s provisioned by the PCI council. It came out in 2017. They’re actually due for a refresh because of new technologies coming out. There are always, you know, new vulnerabilities that are associated with e-commerce transactions, right? So they’re due for a refresh. Hopefully later this year; they’re in the request for comments phase. They published a draft, but haven’t made any final versions yet.

Jordan Eisner: And jokes aside, there’s nothing three-dimensional.

Brandon Breslin: Nothing three-dimensional.

Jordan Eisner: Just the name, just a catchy name.

Brandon Breslin: All flat 2D here.

Jordan Eisner: Okay. How do you know if it applies to your organization?

Brandon Breslin: Yeah. So I mentioned it’s card not present. So kind of similarities versus differences, PCI, 3DS, right? This is only for card not present, whereas PCI DSS is card present and card not present or any other payment methods that you may handle or any other ways that you could take payments, process, transmit, store, all of the above, right?

So for 3DS, it’s only for e-commerce. So when we say e-commerce, for those that may not be familiar, that would be web payments. Traditional web browser, mobile browser, native apps, iOS, Android, all of those. So if you’re making payments online, then 3DS needs to be at the forefront.

So that’s the first question. For your organization, do you accept online card payments? If that’s the case, you need to look at 3DS. Talk with your acquirer, talk with your payment brand that you work with, Visa, MasterCard, AMEX, Discover, whoever it is, right. Ask them if you need to be compliant with 3DS. Most likely you already know if you’re at a certain threshold.

And then the next step is if you are an organization that actually handles 3DS components, which are authenticating that transaction, that additional authentication layer that we talked about, you’re likely already compliant with 3DS or you’re going through that process.

Jordan Eisner: Okay. Go over that one more time. You said card-not-present transactions, as opposed to doing both card-present and card-not-present transactions?

Brandon Breslin: Right, exactly. So in the traditional PCI DSS sense, that would be for transactions if you’re going in person, right? If you’re a traditional brick and mortar retail shop, that would be actually inserting or swiping your card at the reader that’s card present, whereas card not present is, you know, typing your card into a web browser.

For example, if you go to amazon.com, they have the virtual shopping cart, you buy an item, you type in your card number, that would be a traditional e-commerce transaction. And that piece of entering the card number and then authenticating you as the card holder to that merchant and ultimately being able to complete the transaction is where 3DS comes into play.

So this is, again, the whole goal of it is to prevent fraud, making sure that, you know, somebody out there can’t just use your card number on any site and make payments.

Jordan Eisner: Okay. So would a majority of organizations within e-commerce be required under 3DS?

Brandon Breslin: Ultimately, either directly or indirectly, right? So whether, if you’re a larger merchant, you’re most likely engaged with a third-party service provider already for 3DS, or if you are using a third-party for payments, then they are using a third-party service provider, right? So it may be that indirect or third-party relationship. So you as the merchant may not be reaching out to a third-party service provider to actually say, hey, can you authorize all of our transactions for us? But if you’re using a third-party to actually, you know, process the transactions for you, they have likely already contracted. So it’d be a fourth party to the merchant, third party to the processor.

Jordan Eisner: Ok. Wrapping my head around all that.

So Michael, switching to you maybe, what are the benefits of 3DS?

Michael Barnes: Well, yeah, at a high level, when I’m talking about 3DS, it does stand for Three-Domain Secure. And the reason that’s important is because obviously the card brands, Visa, MasterCard particularly, are ensuring those transactions, right? And they want to reduce fraud.

And so the three domains, the intention is that when you do an e-commerce transaction, it’s very difficult to authenticate that the person entering the information is the actual cardholder.

So when you register, for instance, as Brandon pointed out, your device, your iPhone, or your Android device, or your web browser, you’re actually authenticating where you’re making that transaction from. And there’s a directory service, which is one of the domains that authenticates that that is a valid origination for a transaction. And it’s supposed to be transparent to the customer. So customers who are cardholders, who are making purchases, find it comforting knowing that their device has been authenticated as a valid place to make transactions, that they know that their card isn’t going to be used somewhere else, not by them.

And merchants benefit because of the streamlined nature of what 3DS does; it makes it easier for the cardholder to complete a transaction. Because the biggest concern for merchants is abandoned shopping carts. Because the brands want to make it, they want to add some complexity, right, to entering cardholder data so that there’s less fraud. They want to make it more difficult for the fraudsters to actually steal cardholder data and use those credit cards for illegitimate purchases, fraudulent purchases.

Jordan Eisner: But they don’t want to make it too much more difficult to buy.

Michael Barnes: That’s right. But you don’t want to make it so difficult that the legitimate purchaser abandons their cart because it just becomes too complicated.

So they have these solutions in order to make it simple to register your device, whether it be your computer or your smartphone, as a place where you can complete a purchase without having to go through too many steps and making it complicated.

Jordan Eisner: That makes sense to me.

Michael Barnes: And then of course, the benefit for the brands, of course, is that they then have a better reliability of fraud reduction and they might also provide a lower cost per transaction to the merchants if they implement the solution.

Brandon Breslin: Absolutely. And it may help also for the listeners just to give some historical context of 3DS. So right now, even though the security standard is still in its first version, the requirements from 2017, which they’re about to shift over to the second iteration of, we are actually in the second iteration of the 3DS technology.

When I say the technology, I mean encompassing the entire process of authenticating the card to that cardholder, reaching out to the acquiring bank, reaching out to the third-party 3DS service provider, all of those processes. The core technology that they’re using is now in its second iterative process.

The original process used to be, when you would type your card number in, the user, so the cardholder, actually got a prompt and had to do a one-time passcode, some type of unique identifier. Now you don’t see that as the cardholder. It’s all being done in the background.

Amazon, let’s stick with our example, right? If you’re making a purchase on Amazon, you’re not seeing the authentication of the cardholder to that card number from the user perspective. It’s all being done in the background. Something just to think about as well when it comes to the technology of this.

Jordan Eisner: Yeah, no, that’s interesting.

So let’s talk about the framework, right? Not the whole thing. We don’t have enough time on this podcast or we don’t want to put our audience through that. But highlight some of the major requirements in 3DS that I think are meaningful for our listeners.

Brandon Breslin: Yes, I can give maybe some initial background and then Michael, you could dive in further if you wanted.

So there’s two parts for 3DS. Most companies that are doing 3DS are likely also doing a PCI DSS assessment. So we’ve kind of talked a little bit about comparing and contrasting those. They can be done at the same time. Might make it difficult on resourcing, but it’s possible.

There’s a part one and a part two of the requirements. Part one is associated with the 3DS requirements. So if you’re doing a DSS assessment, and the 3DE, which is the environment for the 3DS assessment, is located within the CDE, which is the cardholder data environment, which is the scope of the PCI DSS assessment.

If that 3DE is included within the CDE, then you can rely on the PCI DSS assessment for part one. I know that was a little bit confusing, but basically in layman’s terms, you can cut the assessment in half if you are relying on the PCI DSS assessment. It has to be done within 12 months of each other, and it has to be 3DE within the CDE.

The second part is specifically to 3DS, and I’ll let Michael give an overview of that.

Michael Barnes: Sure, the second part really focuses on those components that make up the three-domain secure environment. And there are different components to it.

The most secure part of that is HSM, Hardware Security Modules. And that’s the part where a third-party service provider is providing those secure transactions in the background. And the part two assessment really focuses on those environments. Sometimes we call them SCIFs, or Special Compartmented Information Facilities. They’re really locked down. They’re usually a lot more locked down than your standard PCI cardholder data environment, because there’s a lot of key management exercise that goes into that aspect of the 3DS.

So as Brandon was saying, organizations that have undergone a full PCI DSS assessment that are also hosting a part of the 3DS lifecycle will generally have that physically included in their cardholder data environment. And that’s what makes it a little bit more simple.

If they do not have a cardholder data environment in the traditional sense as a processor or some kind of service provider, and they’re just hosting a particular part of the 3DS, they would have to go through the entire part one and part two. And there’s a lot of overlap with the part one and part two.

There are additional physical security controls in the part two that look to be redundant to the physical security of part one, but they really focus in, as I said, on these hardware security modules, which is the heart of the security triad, if you will.

Jordan Eisner: Got it.

And you’ve talked about the relationship between PCI DSS and 3DS. Expand on that a little bit further.

Brandon Breslin: Yeah. We’ve hit on a couple things, like you said. I think they’re similar. They’re kind of like cousins, right? So DSS covers the basics of all the card payments, whereas 3DS gets very specific about online transactions.

If you’re DSS compliant, you have a great foundation, but there will be extra steps to tackle for 3DS. And I will say the assessment lifecycle itself is also very similar. So if you have worked with a QSA, planning, scoping, fieldwork, reporting, all of that is going to be almost identical for a 3DS assessment as a PCI DSS assessment. The process of having a third party QSA attest to the environment is exactly the same.

As it relates to comparing and contrasting those frameworks itself, scope is the biggest difference, right. So PCI DSS, all aspects of handling cardholder data, credit cards, debit cards, you name it, handling security of those. 3DS is specifically the authentication piece of card not present transactions.

So PCI DSS, like we talked about earlier, covers all of the payment channels and everything in between.

3DS is just for card not present transactions. For 3DS, specifically the goals are, you know, that extra authentication layer to fight payment fraud. Whereas DSS is just to get a baseline understanding of compliance against your environment to the standard.

And Michael, did you want to add any into that as well? Just comparing and contrasting PCI and 3DS and DSS or any other thoughts on that?

Michael Barnes: Only that the 3DS and the part two particularly is just such a higher threshold of obligation to control sensitive encryption technologies and keys, key components. There’s just a very high threshold of multifactor authentication into everything, dual control. It’s just very, very rigorous when it comes to the security of those components.

Brandon Breslin: Yeah, great, great addition. I will say also, we’ve been focusing on the differences. They’re also very complementary, right? So complying with PCI DSS does make 3DS compliance easier since many of those security basics or fundamentals, if you will, are addressed. However, 3DS compliance does not guarantee full PCI DSS compliance. I think it’s important to clarify that. 3DS is just one aspect or facet of the PCI ecosystem, whereas PCI DSS is the full shebang of all requirements that would need to be complied with for your environment to get that attestation of compliance in a compliant fashion.

Michael Barnes: Also, another high-level thing to think about, I wanted to make a point that when we talk about Three-Domain Secure, any organization that’s undergoing a 3DS assessment may only be dealing with one or two components of those three domains. You may be dealing only with HSMs and the access control server. You may only be dealing with the directory server, for instance, or you may only be dealing with the merchant-side web services that provide the 3DS access. So your 3DS scope would not encompass all three portions of those three domains, usually just one or two.

Jordan Eisner: So you said something there, Brandon, you clarified, right, that being 3DS compliant doesn’t make you DSS compliant. If you are DSS compliant though, how will that impact your 3DS compliance efforts?

Brandon Breslin: Yeah, right out of the gate, it gives you that strong PCI foundation, right?

So if you are PCI DSS certified, that already tells the world that you understand the requirements, you’ve taken those steps, you put compliance and security first, right? You’ve taken that initiative to not only comply with the requirements, but really focus on how do we make our organization have a stronger security and robust process mindset foundation, right? Having that security mindset is critical because it means that your organization is prioritizing security, which creates an easier transition to 3DS.

Again, the controls are very similar. So a lot of those, we didn’t go into the level of detail for part one, but a lot of those part one controls, since they do overlap, that helps you in that transition.

And to Michael’s point, the part two controls are very specific and targeted to the components that you may have or to the service provider that you are using, right? So that’s something we haven’t really talked about: if you are in the 3DS space or using a service provider that’s in the 3DS space, you don’t have to get to that granularity, in that you are passing the liability onto them and you’re relying on your vendor management process internally to make sure that they are compliant with those corresponding 3DS requirements, because they are handling that on behalf of your organization. Obviously you have to do your due diligence to make sure you’re comfortable with that vendor and you’re willing to work with them, but that also helps with that process.

And then the last piece is QSA familiarity, right? I mean, if you’ve done a full-blown PCI DSS assessment already, you’re most likely working with, well, you would be working with a QSA already, or you have worked with them in the past unless you’re doing a SAQ internally. So, you can engage with a QSA that’s also 3DS certified that would also help in that transition process.

Jordan Eisner: I don’t know, we’ve bounced around a little bit in the podcast. This has been a lot of good information from you guys. To put a bow on it, you talked about some of these things earlier in a roundabout way, but maybe finishing touches, walk our listeners through the validation process.

Brandon Breslin: So the validation process for 3DS is very similar to PCI DSS. You have to identify those reporting requirements right out of the gate, right? So if you don’t know first and foremost, if you have to be PCI 3DS compliant, work with your acquirer, work with your payment brands that you talk with, that you transmit data with, understand, hey, they may be expecting a 3DS report and you don’t know about it, right? So have that conversation with them first.

Work with a QSA, CompliancePoint is a QSA and a 3DS QSA. So we do both, we can do both at the same time. We’ve done that for numerous clients this year already. So that is an option as well.

And then as it relates to the PCI 3DS life cycle, if you will, for the assessment, it’s gonna be very similar to PCI DSS. So planning with your QSA, scoping out the 3DE, the specific scope for that 3DS assessment, going through fieldwork, doing walkthroughs, interviews, remote evidence review, onsite assessments, and then doing a report. There is a 3DS ROC, a report on compliance that’s very similar to DSS. So there’s a separate one for that. And then there’s also an AOC as well.

Jordan Eisner: I’m trying to remember you said earlier, if your 3DE is in your CDE.

Brandon Breslin: Yeah, if your 3DE is in the CDE, you can rely on part one from the DSS assessment.

Jordan Eisner: Yeah, we’ll have a scripted breakdown of this podcast for our listeners, right? If you need to go back and reference some of those outcomes.

Brandon Breslin: Absolutely.

Jordan Eisner: That’s always the case on these, on the Compliance Pointers podcast, right? As if the regulations and the requirements weren’t hard enough, we have all these different acronyms and names that complicate it even more.

Brandon Breslin: The PCI council loves to use their acronyms.

Jordan Eisner: Well, Brandon, Michael, thank you guys so much for your time. As Brandon mentioned, CompliancePoint is a registered 3DS QSA. I’d encourage anybody listening, if you’ve got questions, go to our website, compliancepoint.com and schedule a meeting with us from the website. Maybe talk about your 3DS questions or your DSS questions.

You can find Michael, Brandon, myself on LinkedIn. Happy to connect with anybody that way as well. Or if you want to email directly into CompliancePoint, it’s connect@compliancepoint.com.

And if you’re listening and you’re liking the content, please leave us a review and tell others about us. That’s it. Thanks everyone.
