PCI SSC Launches New 3DS Payment Standards

Written by

Payment card body PCI Security Standards Council has posted several updates designed to improve the security of authentication infrastructure, third party accountability and software design.

At its annual European community meeting in Barcelona this week, PCI SSC CTO Troy Leach claimed: “Dynamic authentication is becoming increasingly important to securing payments in an omni-channel world.”

As a result, the standards body has released enhanced requirements for multi-factor authentication (MFA) in PCI DSS v3.2, building on guidance published earlier this year on how to properly implement MFA to prevent ID fraud.

Some 81% of hacking-related breaches use weak, default or stolen passwords, according to Verizon’s latest DBIR.

When it comes to e-commerce fraud specifically, the 3-D Secure (3DS) protocol adds an extra authentication step to help boost payment security.

The PCI SSC said it has enhanced security further via two new standards.

First, the PCI 3DS Core Security Standard defines controls to protect the environments of organizations that manage, provide or assess 3DS Access Control Server (ACS), Directory Server (DS), and 3DS Server components. 

Second, the PCI 3DS SDK Security Standard has been unveiled to help improve security for organizations developing 3DS SDKs for use in mobile-based 3DS transactions.

Consumer and retail fraud including online shopping accounted for 700,000 incidents in the UK for the year ending June 2017, according to ONS figures.

PCI SSC said it’s working on additional standards to promote software lifecycle awareness; basically aimed at reducing potential bugs in code that could be exploited by hackers or introduce integrity issues.

This will address the growing dependence on software to manage various aspects of payment transactions and the relationship between cardholders, merchants and their financial partners, said the council.

Finally, it is seeking to drive greater accountability for third parties by introducing additional security testing for providers in PCI DSS 3.2; prioritizing software developer education; and through the Qualified Integrator Reseller (QIR) program, which seeks to bolster security in the installation and maintenance of payment systems.

“From the development to the installation of payment products to the ongoing monitoring for malicious attacks, security remains a shared responsibility,” Leach told attendees at the show.

“Whether it is a software developer, cloud administrator or someone installing a POS for a merchant down the street, there should be a recognition of the accountability each service provider to protect payment data to the best of their ability and be able to demonstrate that level of effort to their business partners.”

What’s hot on Infosecurity Magazine?