The Payment Card Industry (PCI) Security Standards Council (SSC), a global organization responsible for developing, promoting and reassessing the PCI Data Security Standard for merchants, recently made several announcements pertaining to EMV 3-D Secure and software security.
At this year’s PCI Europe Community Meeting in October, the PCI Council discussed its plans to further support EMV 3-D Secure.
As reported in September 2016, the Council joined forces with EMVCo—the global technical body facilitating the acceptance and interoperability of secure payment transactions—to work on a messaging protocol that would increase online transaction security. Called EMV 3-D Secure 2.0, it would enable consumers to validate the usage of their credit cards with card issuers when making online purchases via PC web browsers, thus providing an extra layer of security precautions against data breaches and fraud
Fast forward one year later, and the Council made two new security standards public to add further protection: The PCI 3DS Core Security Standard and the PCI 3DS SDK Security Standard.
As reported in an October 2017 article by Finextra, an independent news source that focuses on worldwide financial technology: “The PCI 3DS Core Security Standard defines appropriate security controls to protect these specific 3DS environments, which are critical to the 3DS transaction process.”
“The PCI 3DS SDK Security Standard supports the EMV® 3-D Secure SDK Specification, which defines EMV® 3DS requirements for entities developing 3DS Software Development Kits (SDK) for use in mobile-based 3DS transactions,” it continues.
In early 2018, the Council will reveal a supporting validation program for this standard.
“EMV® 3DS solutions will make it increasingly difficult for criminals to obtain cardholder data (CHD) in online payment channels,” PCI SSC International Director Jeremy King tells Finextra. “As CNP fraud continues to be a challenge here in Europe and globally, PCI SSC is pleased to be able to provide support for the secure implementation of these solutions.”
“Dynamic authentication is becoming increasingly important to securing payments in an omni-channel world,” explains PCI SSC Chief Technology Officer Troy Leach in the article.
The PCI Council is also in the midst of creating a new standard pertaining to software security.
According to an official announcement by the Council in late October, it will also be implementing new software standards in the future. One focuses on commercial off-the-shelf (COTS) devices and a new software-based PIN entry.
“The standard will help mobile solution providers to develop products that enable merchants to securely accept PIN-based payments with the PIN entered on a COTS device,” it states.
Other updates aim to further secure payment software and security, with the Council “developing a software security framework consisting of two new standards and supporting programs to address secure design and development of modern payment software,” continues the announcement.
Additionally, it states, the PCI SSC recently launched an educational microsite with resources to help inform merchants about "payment data security essentials."
Interested in learning more? Here’s some additional information about what the PCI Data Security Standard is.