PCI 3DS Core Security Standard

Why it Matters

The PCI 3DS Core Security Standard helps organizations safeguard online payment transactions and reduce fraud risk in 3DS environments.

Key benefits include:

• Strengthen data protection practices

Safeguard the confidentiality and integrity of sensitive authentication and transaction data throughout the 3DS payment process.

• Enhance cybersecurity governance

Establish clear security roles and responsibilities that improve oversight, accountability, and control throughout the payment authentication lifecycle.

• Improve incident detection and response

Enable rapid identification and reporting of security incidents to better contain threats and reduce potential impacts.

• Support regulatory compliance

Align 3DS security practices with broader PCI requirements, facilitating regulatory adherence and ongoing compliance efforts.

• Increase audit readiness

Maintain comprehensive documentation and security evidence to demonstrate effective controls during PCI SSC and regulatory assessments.

How it Works

The PCI 3DS Core Security Standard structures its requirements into distinct security control domains focusing on the confidentiality, integrity, and availability of payment authentication data in 3-D Secure transactions. These domains specify security safeguards around areas such as network architecture, cryptographic protection, access management, and incident response. The standard describes a prescriptive set of controls and testing procedures, which are segmented into logical groupings that align with the payment authentication lifecycle and regulatory obligations.

Organizations implement the PCI 3DS Core Security Standard by establishing security controls that address each domain’s requirements, conducting risk assessments related to payment authentication, and integrating these safeguards into broader governance and compliance programs. Typical activities include developing and enforcing security practices around cryptographic key management, monitoring transaction activity, managing third-party service providers, and performing regular compliance assessments and testing.

Using SmartSuite, organizations can operationalize PCI 3DS by leveraging control libraries to map required controls, maintaining risk registers, and automating evidence collection for compliance audits. Policy governance features support management and approval of security policies, while workflow tools streamline remediation, compliance monitoring, and ongoing audit readiness through reporting dashboards that track adherence and highlight gaps.

Key Elements

• 3DS Environment Security Controls

Defines protective mechanisms and configuration requirements specific to 3DS transactional environments.

• Network Architecture Requirements

Specifies how network boundaries, segmentation, and connectivity must be structured to enable secure 3DS processing.

• Data Confidentiality and Integrity Measures

Describes mandatory protections to ensure the privacy and accuracy of sensitive 3DS authentication data.

• Identity and Access Management

Outlines requirements for controlling, monitoring, and reviewing user and administrator access to 3DS systems.

• Incident Response and Reporting

Establishes procedures for detecting, managing, and communicating security incidents related to 3DS operations.

• Compliance Oversight and Documentation

Organizes standards for maintaining records, conducting assessments, and demonstrating adherence to the PCI 3DS standard.

Framework Scope

The PCI 3DS Core Security Standard is adopted by payment service providers, financial institutions, and merchants involved in EMV® 3-D Secure transactions. This framework governs the security and management of 3DS environments and related systems, and is typically implemented when supporting payment authentication assurance, managing data protection risks, or meeting PCI SSC compliance assessments.

Framework Objectives

The PCI 3DS Core Security Standard defines security controls to safeguard EMV 3-D Secure transaction environments and payment data.

Protect the confidentiality, integrity, and availability of 3DS transaction information

Strengthen cybersecurity risk management practices within 3DS ecosystems

Enhance data protection measures for sensitive payment authentication credentials

Support regulatory compliance and alignment with industry security standards

Promote effective governance and ongoing oversight of 3DS security operations

Improve audit readiness and facilitate regular security assessments

Framework in Context

The PCI 3DS Core Security Standard complements PCI payment-security standards (PCI DSS, PCI SSF) and maps to broader security frameworks such as NIST CSF or ISO/IEC 27001. Organizations implement 3DS when securing card-not-present authentication, pursuing scheme certification, reducing fraud, meeting regulatory requirements, or enhancing payment operational security.

Common Framework Mappings

Organizations commonly map PCI 3DS Core requirements to established cybersecurity and payment security frameworks to harmonize controls, streamline audits, and leverage existing compliance and risk-management processes across environments.

Mapped frameworks include:

CIS Critical Security Controls

ISO/IEC 27001

NIST Cybersecurity Framework

PCI Data Security Standard (PCI DSS)

PCI PIN Transaction Security (PCI PTS)

PCI Point-to-Point Encryption (PCI P2PE)

PCI Software Security Framework (PCI SSF)

SOC 2