
PCI Compliance and 3D Secure 2

Serious efforts have been made to combat the ever-increasing levels of CNP (card-not-present) fraud, which has jumped to record levels (around $14.2 billion annually) in recent years. Anyone who uses a credit card, consumers and vendors alike, is a potential target for this threat.

To maximize protection and increase consumer confidence in online payments, the new 3-D Secure 2 protocol has been developed, along with various machine learning and biometrics algorithms. The protocol has been designed to fit within new standards set by the PCI SSC (Payment Card Industry Security Standards Council). These supporting standards are explained in three new documents:

  • The PCI 3DS Core Security Standard is the main document; it provides specifications and defines security measures for data types, transaction processes, and environments. Since environments vary between merchants and issuers, these specifications focus on transaction environments as a general overview.
  • The PCI 3DS Data Matrix categorizes the data types used within 3DS transactions and determines whether the data is valid. The two main categories are 3DS Sensitive Data and 3DS Cryptographic Keys.
  • The PCI 3DS SDK standard ensures that any mobile application that uses 3DS meets pre-defined security requirements.

These documents can be viewed on the PCI website.

The new PCI standards apply to and support the three domains that make up the 3DS protocol:

  • The Merchant/Acquirer Domain (3DS Server), where the bank or the merchant handles payment requests and other interactions in the requesting environment.
  • The Interoperability Domain (3DS Directory Server), where the credit card company supporting 3DS authenticates, validates, routes, and maintains data flow between server entities.
  • The Issuer Domain (3DS Access Control Server), managed by the bank issuing the card, which determines whether or not authentication is available for a specific card.
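To make the division of labour between the three domains concrete, here is a small simulation of one authentication request passing from a merchant's 3DS Server, through a Directory Server that validates and routes it, to the issuer's Access Control Server that decides whether the card is enrolled and whether a challenge is needed. This is an added illustration written for this article, not PCI SSC or EMVCo reference code, and it does not reproduce the real 3DS 2 message formats; the issuer names, BIN prefixes, test card numbers, the amount-based risk rule and the class names are all constructed for the example. The merchant side also shows the one handling rule every practitioner should carry over from the Data Matrix: full card numbers are 3DS Sensitive Data and must not reach merchant logs in clear form.

```python
"""Toy model of the three 3D Secure domains (added example, not PCI/EMVCo code).

Issuer names, BIN prefixes, card numbers, and the risk rule below are
constructed sample values; real 3DS 2 messages and routing are richer.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; the Directory Server uses it to reject malformed PANs."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Display-safe PAN (first six and last four visible), the usual PCI masking rule."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    merchant_id: str


@dataclass
class AccessControlServer:
    """Issuer domain: knows which cards are enrolled and applies the issuer's risk rule."""
    issuer: str
    enrolled_pans: Set[str]
    challenge_threshold_cents: int = 25_000   # constructed rule: step-up larger payments

    def authenticate(self, req: AuthRequest) -> dict:
        if req.pan not in self.enrolled_pans:
            return {"status": "NOT_ENROLLED", "issuer": self.issuer}
        if req.amount_cents > self.challenge_threshold_cents:
            return {"status": "CHALLENGE_REQUIRED", "issuer": self.issuer}
        return {"status": "AUTHENTICATED", "issuer": self.issuer}


@dataclass
class DirectoryServer:
    """Interoperability domain: validates the request, then routes it to the issuer's ACS by BIN prefix."""
    acs_by_bin_prefix: Dict[str, AccessControlServer]

    def route(self, req: AuthRequest) -> dict:
        # Validate first: a malformed request never reaches an issuer.
        if not (req.pan.isdigit() and 13 <= len(req.pan) <= 19 and luhn_valid(req.pan)):
            return {"status": "REJECTED", "reason": "invalid PAN"}
        if req.amount_cents <= 0 or not req.merchant_id:
            return {"status": "REJECTED", "reason": "invalid transaction data"}
        for prefix, acs in self.acs_by_bin_prefix.items():
            if req.pan.startswith(prefix):
                return acs.authenticate(req)
        return {"status": "NOT_ENROLLED", "issuer": None}   # no participating issuer for this range


@dataclass
class ThreeDSServer:
    """Merchant/acquirer domain: builds the request, hands it to the DS, logs only masked card data."""
    directory: DirectoryServer
    log: List[str] = field(default_factory=list)

    def request_authentication(self, pan: str, amount_cents: int, merchant_id: str) -> dict:
        req = AuthRequest(pan=pan, amount_cents=amount_cents, merchant_id=merchant_id)
        result = self.directory.route(req)
        # 3DS Sensitive Data: the full PAN must not be written to the merchant's log.
        self.log.append(f"{merchant_id} {mask_pan(pan)} {amount_cents} {result['status']}")
        return result


def build_demo() -> ThreeDSServer:
    """Constructed sample deployment: two issuers behind one directory server."""
    bank_a = AccessControlServer(issuer="Example Bank A", enrolled_pans={"4111111111111111"})
    bank_b = AccessControlServer(issuer="Example Bank B", enrolled_pans=set())
    ds = DirectoryServer(acs_by_bin_prefix={"411111": bank_a, "555555": bank_b})
    return ThreeDSServer(directory=ds)


if __name__ == "__main__":
    server = build_demo()
    for pan, amount in [("4111111111111111", 10_000), ("4111111111111111", 50_000),
                        ("5555555555554444", 1_000), ("4111111111111112", 1_000)]:
        print(server.request_authentication(pan, amount, "MERCHANT-01"))
    print("\n".join(server.log))
```

Reading the output against the three bullets above: the Directory Server rejects the card with a bad check digit before any issuer sees it, routes the other requests by card range, and reports "not enrolled" where the issuer has no enrolled card; the ACS alone decides between a frictionless approval and a challenge; and the merchant's log line carries only the masked card number.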

Since the main purpose of the new PCI Security Standards and the 3DS protocol is to prevent fraudulent transactions by online criminals, their various functions are designed specifically to address the continually changing marketplace and rapidly increasing threat levels.


External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
