Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 2.2
List of requirements
Security Objective 2: Protect Sensitive 3DS SDK Data Elements
Certain types of information collected in association with 3DS transactions are highly sensitive in nature and must be protected from unauthorized disclosure. Such information might include, but is not limited to, cardholder data (CHD), 3DS authentication data, cryptographic keys, and consumer device information. Refer to Table 2, “Sensitive 3DS SDK Data Elements,” in the “Scope of Security Requirements” section for more information on which specific 3DS SDK data elements require protection from unauthorized disclosure.
Requirements:
2.2 Clearing of Sensitive 3DS SDK Data Elements
Sensitive 3DS SDK data elements collected by the 3DS SDK in association with 3DS transactions are securely deleted after 3DS transaction processing is complete and never retained, unless retention is explicitly permitted.
Assessment Procedures:
T.2.2.1 Referencing the information produced in T.2.1.1, the tester shall examine vendor materials and other evidence, including source code, to confirm that each of the sensitive 3DS SDK data elements is securely deleted after use and that the methods used ensure that each sensitive 3DS SDK data element is rendered irretrievable to any subsequent process, component, function, or application after secure deletion.
T.2.2.2 Where secure deletion is prevented by the nature of the 3DS SDK operating environment (e.g., through virtualized memory and garbage-collection processes), the tester shall examine vendor materials and other evidence to confirm that additional protections have been implemented beyond secure deletion of the data element, and that such protections are sufficient to be considered equal to industry best practice.
T.2.2.3 Where additional protections or secure deletion methods are required to be implemented to compensate for lack of direct memory access in the 3DS SDK operating platform, the tester shall confirm that these methods are covered by the reverse-engineering protections tested under Requirement 1.4, “Protection against Reverse Engineering,” and that any cryptography used is covered under the testing of Requirement 3.1, “Approved Algorithms and Modes of Operation.”
T.2.2.4 The tester shall test the 3DS SDK by performing a series of 3DS operations, ensuring that these cover all functionality provided by the 3DS SDK, to confirm that each of the sensitive 3DS SDK data elements covered in T.2.1.1 is rendered irretrievable in accordance with the methods identified in T.2.2.1 through T.2.2.3.
Note: This testing must be performed against a 3DS test host/harness that provides all required 3DS functionality and data elements, and allows for the monitoring of traffic to the 3DS SDK. This testing may also require assistance from the 3DS SDK Vendor to disable protections in the software that would otherwise prevent the use of these types of tools.
Guidance:
Sensitive 3DS SDK data elements collected in conjunction with 3DS transactions should only be retained for as long as required to complete that transaction. After 3DS transaction processing is complete, any and all locations where the sensitive 3DS SDK data elements have been retained should be securely wiped or overwritten, or the sensitive 3DS SDK data elements rendered irretrievable such that any subsequent process, component, function, application, entity, etc., within the environment may not capture the information. Only in circumstances where the retention of specific sensitive 3DS SDK data elements is explicitly permitted should they be retained after 3DS transaction processing is complete. Refer to Table 2, “Sensitive 3DS SDK Data Elements,” in the “Scope of Security Requirements” section for more information.
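As an added example that is not part of the standard's text, the following Python shows the in-code side of the "securely wiped or overwritten" guidance in a garbage-collected runtime, the situation T.2.2.2 describes: a sensitive element is held only in a mutable buffer that the SDK code overwrites in place when the transaction scope ends, because an immutable string or bytes copy cannot be wiped by the application. The function names, the HMAC derivation standing in for transaction processing, and the test values are assumptions constructed for this example.

```python
"""Added example (not from the PCI 3DS standard): keep a sensitive 3DS SDK
data element in a mutable buffer and overwrite it in place once the
transaction scope ends, even when processing raises.  All values are
constructed test data; the HMAC step is a placeholder for real processing."""
import hashlib
import hmac
from contextlib import contextmanager
from typing import Iterator, Tuple


@contextmanager
def sensitive_buffer(initial: bytes) -> Iterator[bytearray]:
    """Yield a bytearray holding the element; zero it on exit no matter how
    the block exits.  The overwrite targets the same object, not a copy."""
    buf = bytearray(initial)
    try:
        yield buf
    finally:
        buf[:] = b"\x00" * len(buf)  # in-place slice assignment, same memory


def is_wiped(buf: bytearray) -> bool:
    """Verification step a tester can apply after the transaction scope."""
    return all(b == 0 for b in buf)


def process_transaction(element: bytes, key: bytes) -> Tuple[str, bytearray]:
    """Use the element only inside the wipe scope.  Returns a non-sensitive
    derived value plus the (now wiped) buffer so its state can be inspected.

    Inside the scope, work on `buf` directly: calling bytes(buf) or
    buf.decode() would create immutable copies that the application cannot
    overwrite and that linger until the garbage collector frees them."""
    with sensitive_buffer(element) as buf:
        derived = hmac.new(key, buf, hashlib.sha256).hexdigest()
    return derived, buf
```

A tester applying T.2.2.4 would check `is_wiped` on the returned buffer after both a successful and an aborted transaction.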