About This Document
Document Structure
This document is organized into the following two sections:
- 3DS SDK Security Requirements and Assessment Procedures – The security requirements and assessment procedures that apply specifically to a 3DS SDK version. The following topics are covered under this section:
  - 3DS SDK Integrity Protection
  - Sensitive Information Protection
  - Use of Cryptography
- 3DS SDK Vendor Requirements and Assessment Procedures – The security requirements and assessment procedures that apply specifically to a 3DS SDK Vendor. The following topics are covered under this section:
  - Risk and Vulnerability Management
  - Stakeholder Guidance
Requirements Architecture
The Security Requirements and Assessment Procedures defined within this standard are presented in the following format:
Security Objective – Identifies the high-level security objective that the 3DS SDK or 3DS SDK Vendor is required to meet. Security objectives are broadly stated to enable 3DS SDK Vendor flexibility in determining the best methods to achieve the stated security objective. However, it is expected that the 3DS SDK Vendor produces clear and unambiguous evidence to illustrate that the chosen methods are appropriate, sufficient, and properly implemented to satisfy the security objective. Below the security objective, additional information has been provided to help both 3DS SDK Vendors and PCI 3DS SDK Labs understand the intent behind the security objective.
Requirements – Specific security controls or activities that must be implemented by the 3DS SDK or 3DS SDK Vendor (in addition to any other activities specified by the 3DS SDK Vendor) to support the overarching security objective.
Assessment Procedures – Describe the expected testing activities to be performed by the PCI 3DS SDK Lab to validate whether a 3DS SDK or 3DS SDK Vendor has met a particular security objective and its associated requirements. The assessment procedures are intended to provide the 3DS SDK Vendor and the PCI 3DS SDK Lab with a common understanding of the assessment activities to be performed. The specific methods and items examined, and the personnel interviewed, should be appropriate for the security objective and associated requirements being assessed, and for each 3DS SDK Vendor’s particular implementation.
Guidance – Additional information to help 3DS SDK Vendors and PCI 3DS SDK Labs understand the intent of each requirement. The guidance may also include best practices that should be considered as well as examples of controls or methods that—when properly implemented—may meet the intent of the requirement. This guidance is not intended to preclude other methods that an entity may use to meet a requirement, nor does it replace or extend the requirements to which it refers.