Juniper research reported that card fraud (CNP fraud), which is committed by card-not–present criminals, will hit $71 Billion between 2017-2021. This includes remote physical goods transactions, which are the primary target of online fraudsters.
In the next few years, this will average $14.2 million annually. CNP fraud, which is expected to be 4X higher than physical, points-of-sale fraud (POS), in 2018, will continue to grow as eCommerce and mCommerce become more popular.
CNP fraud does not pose a threat far away but is a present danger that does not discriminate. Anyone can become a victim.
Customers and vendors need protection against sophisticated cybercriminals, who are becoming increasingly sophisticated in security breaches.
The good news is there are advanced prevention and detection tools available that could protect everyone involved in CNP transactions.
3D Secure was identified as one of the most effective tools against CNP fraud, alongside machine learning and biometrics.
In conjunction with the 3DS2 protocol’s finalization this year, PCI SSC (Payment Card Industry Security Standards Council), has released a new standard for 3DS2 support.
What is it? And how does it integrate with EMVCo’s newest 3D Secure Protocol?
Three brand new documents
Three new documents should be noted:
- PCI 3DS Core Security Standard
- PCI 3DS Data Matrix
- Standard Security Standard: PCI 3DSSDK
These documents can be downloaded at the PCI Security Standards Council Website.
Core Security Standard
The PCI 3DS Core Security Standard or simply PCI 3DS is the supporting standard. This standard defines security measures for specific 3DS environments. We’ll be discussing them below.
It provides baseline security controls for merchants and consumers within the 3DS environment.
The standard is split into two main sections.
The Baseline security requirement is the first section. It explains technical and operational security requirements that are created to protect various environments in 3D Secure. Because it is primarily focused on transaction environments, it provides a broad overview that can be applied across various industry standards.
The second section 3DS security requirements is focused on 3D Secure data and technologies. It also provides security controls to support these functions.
The PCI 3DS Data Matrix, a supporting documentation to be used together with the PCI 3DS, is the PCI 3DS Data Matrix. It is used to identify data elements most commonly found in 3D Secure transactions.
It basically consists of two tables that contain different data categories, a 3DS Data Element with descriptions of each 3D Secure Core component, and the PCI 3DS Data Element.
The first table contains 3DS sensitive data that must conform to PCI 3DS Core Security Standard specifications, while the second contains 3DS encryption keys that must generate and store in an HSM.
Different data categories include Authentication Challenge Data or Public Key Data.
The PCI 3DS SDK Security security standard is the last document. This is an independent standard that aims to provide security controls to allow 3DSSDK implementations to be secure.
It is intended for companies that create 3DS Software Development Kits. The goal is to make sure that these SDKs are designed with consumer security foremost in mind.
Does the PCI 3DS Core Security Standard affect you?
The PCI 3DS was developed with three core security components in mind. They are 3DS Server (3DSS), 3DS Directory Server (DS), and 3DS Access Control Server 3DS.
Each of them is part of one of three ecosystem domains that make up the 3DS protocols (i.e. 3 Domains).
The 3DS Server, also known as the merchant/acquirer Domain, is responsible for handling interactions between the 3DS Demandor environments, 3DS environments, and messaging.
The 3DS Directory Server comes under the Interoperability Domain. It is usually managed by a network of payment providers and includes the following functions.
Authenticates 3DS Server Requests while validating the 3DS requestor to be trusted and registered.
Routes 3DS messages to and from the 3DS Server, ACS.
Maintains account information and ACS routing data.
The 3DS Security Access Control Server (ACS) is part of Issuer Dom. This system is managed by account issues. It verifies whether authentication is available for a given card, performs a risk assessment for frictionless flows (if required), and manages cardholder challenges when necessary (through standardized message).
Compliance with the PCI 3DS Core Security Standard will be required if your organization performs any one of these functions.
It is important to remember that even if the core functions you perform are not yours, you still must comply with the standard in the event that you are a third-party provider who could have an impact on 3D Secure or any security of it.
The PCI SSC issued the new standard to specifically address 3DS2 Protocol environments.
This goal is to increase security for online payments. As mentioned previously, CNP fraud continues to increase. Online criminals use increasingly sophisticated techniques to access customer account details and to facilitate fraudulent transactions.
The online marketplace is changing, and mobile transactions will continue to be dominant in the coming years.
The different functionalities of the 3DS2 Protocol make it more adaptable to the changing marketplace and growing threat levels. It makes it a favorite defense mechanism against online payment fraud.
As such, PCI 3DS Core Security Standard is designed to support the 3DS 2 authentication system by helping to protect 3D Secure components which are crucial to the transaction.