Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Checks 1.5
List of requirements
Security Objective 1: Protect the Integrity of the 3DS SDK
To protect the sensitive information handled by the 3DS SDK and to facilitate secure and trustworthy 3DS SDK transactions, the 3DS SDK must implement measures to defend itself in what must be assumed to be a hostile environment (such as in a mobile application operating on a consumer mobile device). Some of the key risks associated with mobile applications and components include threats associated with a “rooted” or “jailbroken” device and threats from other applications operating within the same environment (and with access to shared resources). Appropriate detective and protective mechanisms must be implemented to ensure that the integrity of the 3DS SDK and sensitive 3DS SDK data elements is maintained. Refer to Table 2, “Sensitive 3DS SDK Data Elements,” in the “Scope of Security Requirements” section of this document for more information on which specific 3DS SDK data elements require protection from unauthorized modification.
Requirements:
1.5 Protection of 3DS SDK Reference Data
3DS SDK Reference Data is securely stored within the 3DS SDK code to prevent unauthorized modification.
Assessment Procedures:
T.1.5.1 The tester shall examine vendor materials and other evidence to identify all 3DS SDK Reference Data used or required by the 3DS SDK, which must be protected against modification (see Table 2, “Sensitive 3DS SDK Data Elements”).
T.1.5.2 The tester shall examine vendor materials and other evidence to confirm that features are provided by the 3DS SDK to protect each element of the 3DS SDK Reference Data listed above. Where there is any 3DS SDK Reference Data that is not covered by these protections, the tester shall confirm that the lack of protection does not affect the security of the 3DS SDK or 3DS transaction process.
T.1.5.3 Where cryptography is implemented for the purposes of providing this protection, the tester shall confirm that the cryptographic protections include the protection of the integrity of the data. The tester shall also confirm that cryptography meets PCI requirements for strong cryptography, including applicable cryptography requirements in this standard, and that all keys used for these cryptographic operations are protected.
T.1.5.4 Where obfuscation is implemented to provide the protections, the tester shall confirm that this obfuscation is covered under testing performed in Requirement 1.4, “Protection against Reverse Engineering.”
T.1.5.5 Where device-specific features are relied upon to provide the protections, the tester shall attempt to execute the 3DS SDK on a system that either does not provide such features or has been modified to prevent the secure use of these features to confirm that the 3DS SDK does not execute when such features are absent or disabled.
T.1.5.6 The tester shall attempt to circumvent the features protecting the 3DS SDK Reference Data and modify this data in such a way that the modification is not detected by the 3DS SDK upon execution to confirm the 3DS SDK prohibits such modifications. This testing must consider the different types of protections applied and devices targeted by the SDK.
Guidance:
The 3DS SDK Version Number and 3DS SDK Reference Number are values used during 3-D Secure transactions as part of the cardholder authentication process. To properly vet the cardholder and to identify the trustworthiness of the environment in which a transaction has been created, it is important that the values are protected from unauthorized modification. Examples of methods for securely storing the 3DS SDK Reference Number or 3DS SDK Application ID (sdkAppID) in code might include obfuscation or the use of cryptography.