PCI 3DS

PCI 3DS overview

Europay, Mastercard, and Visa (EMV) three-domain secure (3-D Secure or 3DS) is an EMVCo messaging protocol that enables cardholders to authenticate with their card issuers when making card-not-present (CNP) online transactions. The specification aims at securing authentication and identity verification in mobile and browser-based applications. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud.

The three domains in the EMVCo specification include:

  • Acquirer domain: 3DS transactions are initiated from the acquirer domain. The components under this domain are the 3DS Server (3DSS), requester environment, integrator, and acquirer.
  • Interoperability domain: Facilitates the transfer of transaction information between the acquirer domain and issuer domain. The components under this domain are the 3DS Directory Server (DS), Directory Server Certificate Authority (DS-CA), and authorization system.
  • Issuer domain: 3DS transactions are authenticated in the issuer domain. The components under this domain are the 3DS Access Control Server (ACS), cardholder, consumer device, and issuer.

The three critical EMV 3DS components or functions across these domains include:

  • 3DS Server (3DSS)
  • 3DS Directory Server (DS)
  • 3DS Access Control Server (ACS)

The PCI 3DS Core Security Standard provides a framework for these critical EMV 3DS functions to implement security controls that support the integrity and confidentiality of 3DS transactions. The standard applies to entities that perform or provide these functions (3DSS, DS, and ACS), as defined in the EMVCo 3DS Core Specification. Third-party service providers that can impact these 3DS functions, or the security of the environments where these functions are performed, may also be required to meet PCI 3DS requirements. Whether an entity is required to validate compliance with the PCI 3DS Core Security Standard is defined by the individual payment brand compliance programs.

Azure and PCI 3DS

Microsoft retained a qualified 3DS assessor company to conduct an assessment of the PCI 3-D Secure Environment (3DE) hosted on Azure in accordance with the PCI 3DS Core Security Standard. The 3DS assessor determined that Azure PCI 3DS service provider environment meets applicable PCI 3DS controls and issued an Attestation of Compliance (AoC) for the Azure PCI 3DS environment.

You can download the following attestation documents as part of the Azure PCI 3DS package (zipped archive) from the Service Trust Portal (STP) PCI DSS reports section:

  • Azure PCI 3DS Attestation of Compliance (AoC) provides evidence that Azure complies with the PCI 3DS Core Security Standard based on a PCI 3DS assessment conducted by a qualified 3DS assessor.

  • Azure PCI 3DS Shared Responsibility Matrix supports you with implementing and documenting security controls for a system built on Azure.

    • Understanding the shared responsibility for implementing security controls in a cloud environment is essential when you are building systems and using services in Azure. Implementing a specific security control may be the responsibility of Azure, your responsibility, or a shared responsibility between you and Azure. Different cloud service models affect the way that responsibilities are shared between you and Azure.
    • Azure doesn't directly perform the functions of a 3DS Server (3DSS), 3DS Directory Server (DS), or 3DS Access Control Server (ACS). You have the ability to host your own 3DS environment on Azure using services offered. The Azure PCI 3DS shared responsibility matrix describes the Azure 3DS assessment scope and illustrates the PCI 3DS compliance responsibilities for you and Azure. It is intended to be used by you and your compliance advisors to understand the scope of the Azure PCI 3DS assessment and expectations for responsibilities when using Azure services as part of your 3DS environments (3DE). It is your responsibility to assess and understand your full scope of responsibility for implementing security controls and ensuring security controls are implemented in accordance with your compliance obligations.
    • Azure best practices and recommendations should be taken into consideration.
  • Azure PCI 3DS whitepaper provides you with guidance on the PCI 3DS Core Security Standard and how the Azure 3DE can be utilized to implement your 3DE on Azure. The whitepaper addresses the following key areas:

    • Provides an overview of the 3DS domains
    • Examines the relationship between the PCI Data Security Standard (DSS) and 3DS Core Security Standard
    • Defines the responsibilities shared by Azure and you to meet the 3DS Core Security Standard requirements

    If you're a 3DS entity, you can choose to outsource the hosting and management of your hardware security module (HSM) infrastructure to a third-party service provider if the applicable requirements are met. If you're performing 3DS functions and use the Azure environment for hosting your 3DE, you're still subject to the PCI 3DS Core Security Standard, and must have your environment assessed for all applicable requirements.

Applicability

  • Azure

Services in scope

Azure services that you can use to support your 3DE are listed in the Azure PCI 3DS Attestation of Compliance (AoC).

Audit reports

You can access Azure PCI 3DS audit documents from the Service Trust Portal (STP) PCI DSS reports section. For instructions on how to access audit reports, see Audit documentation. The following documents are included with the Azure PCI 3DS package (zipped archive):

  • Attestation of Compliance (AoC)
  • Shared Responsibility Matrix
  • Whitepaper

Frequently asked questions

Why does the Attestation of Compliance (AoC) cover page say "December 2017"?
The December 2017 date on the cover page is when the AoC template was published. Refer to Section 3 with signatures for the date of the assessment.

How long is the PCI 3DS AoC valid?
The effective period for compliance begins upon passing the audit and receiving the AoC from the 3DS assessor and ends one year from the date the AoC is signed.

How can I get the Azure PCI 3DS audit documentation?
For links to audit documentation, see Audit reports.

What Azure regions and services are in scope for the assessment?
Refer to "Locations" and "Description of Environment" in Section 2 for a list of Azure regions and services in scope for the PCI 3DS assessment.

Who has to comply with the PCI 3DS Core Security Standard?
The standard is intended for companies that manage or provide 3DS functions, specifically: 3DSS, DS, and ACS. It provides guidelines for identifying and implementing appropriate security controls to protect the 3DS transaction process.

What is the relationship between the PCI 3DS Core Security Standard and PCI DSS?
The PCI 3DS Core Security Standard and PCI DSS are separate standards, each intended for specific types of entities. The PCI 3DS Core Security Standard applies to 3DS environments where 3DSS, DS, and ACS functions are performed, while PCI DSS applies wherever payment card account data is stored, processed or transmitted.

How should a 3DS entity manage an environment covered by both PCI 3DS and PCI DSS?
If you're a 3DS entity that stores, processes, or transmits payment card account data, you will have a defined 3DS environment (3DE) and a defined cardholder data environment (CDE). If account data is present in the environment where 3DS functions are performed, that environment would be considered both a 3DE and a CDE. Where the 3DE and CDE are combined in the same environment, you may be able to implement security controls that meet requirements in both standards.

Whether you're required to validate compliance with the PCI 3DS Core Security Standard and/or PCI DSS is defined by the individual payment brand compliance programs. For more information, see the PCI 3DS Core Security Standard FAQ document.

Where do I begin my organization's PCI 3DS compliance efforts for a solution deployed on Azure?
The information that the PCI Security Standards Council (PCI SSC) makes available is a good place to learn about specific compliance requirements. The PCI SSC publishes the PCI 3DS Core Security Standard and supporting documents that explain how you can help protect your 3DS transaction process. In addition to the Azure PCI 3DS Attestation of Compliance (AoC), Microsoft provides guidance documents such as the Azure PCI 3DS Shared Responsibility Matrix and Azure PCI 3DS whitepaper to help you meet your own compliance requirements.

Resources