Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 2.1
List of requirements
Security Objective 2: Protect Sensitive 3DS SDK Data Elements
Certain types of information collected in association with 3DS transactions are highly sensitive in nature and must be protected from unauthorized disclosure. Such information might include, but is not limited to, cardholder data (CHD), 3DS authentication data, cryptographic keys, and consumer device information. Refer to Table 2, “Sensitive 3DS SDK Data Elements,” in the “Scope of Security Requirements” section for more information on which specific 3DS SDK data elements require protection from unauthorized disclosure.
Requirements:
2.1 Collection of Sensitive 3DS SDK Data Elements
The 3DS SDK collects and retains only the sensitive 3DS SDK data elements absolutely necessary for the software to perform its intended purpose and functionality, and only for the duration necessary.
Assessment Procedures:
T.2.1.1 The tester shall examine vendor materials and other evidence to determine all sensitive 3DS SDK data elements used or required by the 3DS SDK. Vendor evidence should account for the name of the data element collected, the duration for which the data element is retained, how the data element is stored (e.g., in memory only, in the OS file system, in an OS storage mechanism such as a key store, in a device mechanism such as a Trusted Execution Environment, etc.), and how the data element is securely deleted after storage.
T.2.1.2 The tester shall examine vendor evidence and other materials, including source code, to determine the functionality provided by the 3DS SDK and confirm that the functionality contained within the 3DS SDK correctly aligns with the vendor materials and evidence supplied and assessed in T.2.1.1.
T.2.1.3 Given the output of T.2.1.1 and T.2.1.2, the tester shall reference Table 2, “Sensitive 3DS SDK Data Elements,” to confirm that the list of sensitive 3DS SDK data elements identified in T.2.1.1 is exhaustive and correct given the functionality of the 3DS SDK under evaluation. Where sensitive 3DS SDK data elements are collected that are not required for the attested functionality, the tester shall note this as a non-compliance.
T.2.1.4 For each sensitive 3DS SDK data element identified in T.2.1.1, the tester shall determine whether the element is retained, and confirm that all sensitive 3DS SDK data elements that are retained are allowed to be retained, as noted in Table 2, “Sensitive 3DS SDK Data Elements.”
T.2.1.5 The tester shall test the 3DS SDK by performing a series of 3DS operations, ensuring that these cover all functionality provided by the 3DS SDK, to confirm that all sensitive 3DS SDK data elements used by the 3DS SDK correctly and completely align with the sensitive 3DS SDK data elements identified in T.2.1.1.
Note: This testing must be performed against a 3DS test host/harness that emulates all required 3DS functionality and data elements, and allows for the monitoring of traffic to the 3DS SDK.
T.2.1.6 The tester shall test the 3DS SDK by performing a series of 3DS operations to determine how the sensitive 3DS SDK data elements are stored and retained, and confirm that the use and retention of sensitive 3DS SDK data elements correctly and completely aligns with the details provided in T.2.1.1.
Note: This testing may be achieved through operation of the 3DS SDK in a virtualized environment that allows for monitoring the memory and storage of the system during processing, through the use of tools to monitor the data elements during operation on a physical device, or other means that will allow for confirmation of the use of the memory and storage space of the 3DS SDK operating environment. It is also noted that this testing may require assistance from the 3DS SDK Vendor to disable protections in the software that would otherwise prevent the use of these types of tools.
Guidance:
To ensure that the 3DS SDK does not disclose sensitive 3DS SDK data elements to unauthorized parties, the 3DS SDK should only collect the sensitive 3DS SDK data elements absolutely necessary to perform its expected functionality. Collecting sensitive 3DS SDK data elements that do not directly support the functionality of the 3DS SDK presents the opportunity for the information to be overlooked, mishandled, or otherwise insufficiently protected.