Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 2.3
List of requirements
Security Objective 2: Protect Sensitive 3DS SDK Data Elements
Certain types of information collected in association with 3DS transactions are highly sensitive in nature and must be protected from unauthorized disclosure. Such information might include, but is not limited to, cardholder data (CHD), 3DS authentication data, cryptographic keys, and consumer device information. Refer to Table 2, "Sensitive 3DS SDK Data Elements," in the "Scope of Security Requirements" section for more information on which specific 3DS SDK data elements require protection from unauthorized disclosure.
Requirements:
2.3 Use of Third-Party Services
The 3DS SDK uses third-party services and components only when and where it is documented and justified as part of the 3DS SDK architecture.
Assessment Procedures:
T.2.3.1 The tester shall examine vendor materials and other evidence to confirm that the vendor maintains an inventory of all third-party services and components used by the 3DS SDK.
T.2.3.2 Referring to the information produced in T.2.1.1, the tester shall examine vendor materials and other evidence, including source code, to determine all sensitive 3DS SDK data elements that are passed to third-party components or services.
Note: Validation of this requirement must also consider whether the 3DS SDK has any advertising, machine learning, data collection, logging, tracking, or security features which rely on third-party components, features, or external services. This list of items is to be considered a minimum set and is not considered exhaustive of all potential third-party features which must be considered under this requirement.
T.2.3.3 Where third-party services are used, interfaced with, or operated by the 3DS SDK, the tester shall examine vendor materials and other evidence to confirm the vendor provides reasonable and documented justifications for the use of each third-party system or component and that the vendor maintains processes for addressing vulnerabilities in those systems or components in accordance with Requirement 4.4, "Vulnerability Identification and Monitoring."
T.2.3.4 The tester shall test the 3DS SDK by performing a series of 3DS operations, ensuring that these cover all functionality provided by the 3DS SDK, to determine how any third-party components or services are utilized during this operation and which data elements are sent to third parties. The tester shall confirm this correctly and completely aligns with the vendor materials and evidence provided in T.2.3.1 and T.2.3.2.
Note: This testing must be performed against a 3DS test host/harness that provides all required 3DS functionality and data elements, and allows for the monitoring of traffic to the 3DS SDK. This testing may also be achieved through operation of the 3DS SDK in a virtualized environment that allows for monitoring the memory and storage of the system during processing, through the use of tools to monitor the data elements during operation on a physical device, or other means that will allow for confirmation of the use of third-party components and services. It is noted that this testing may require assistance from the 3DS SDK Vendor to disable protections in the software that would otherwise prevent the use of these types of tools.
T.2.3.5 The tester shall test the 3DS SDK by performing a series of 3DS operations, ensuring that these cover all functionality provided by the 3DS SDK, and observe the traffic output from and received by the 3DS SDK to determine whether any of this traffic is external or extraneous to the 3DS test host to which the SDK is communicating, whether any sensitive 3DS SDK data elements are communicated through these channels, and if so, confirm that they correctly and completely align with the information provided in T.2.3.2.
T.2.3.6 The tester shall determine the functionality provided by the 3DS SDK during testing and confirm that this correctly and completely aligns with the information provided in T.2.3.1 to T.2.3.4.
T.2.3.7 The tester shall examine vendor materials and other evidence to confirm that use of third-party services is only implemented where this is a reasonably justified and documented part of the 3DS SDK architecture.
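The core of T.2.3.4 and T.2.3.5 is a reconciliation: every destination the SDK talks to, other than the 3DS test host, must appear in the vendor's third-party inventory (T.2.3.1), and every sensitive data element observed going to such a destination must be one the vendor documented for that destination (T.2.3.2). The following is an added example of how a tester might script that reconciliation over captured traffic; it is not code from the standard or from any SDK vendor. The host names, the data element names standing in for Table 2, the inventory, and the captured flows are all constructed for illustration, and the example assumes the tester has already decoded request bodies into field names (for example from a proxy or harness log).

```python
"""Reconcile observed 3DS SDK traffic against the vendor's third-party inventory.

Added example for the T.2.3.4 / T.2.3.5 checks. Every host, field name and flow
below is constructed for illustration and does not describe any real 3DS SDK.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for Table 2, "Sensitive 3DS SDK Data Elements".
SENSITIVE_ELEMENTS = frozenset({"pan", "device_info", "sdk_ephemeral_key", "acs_trans_id"})

# Constructed 3DS test host/harness the SDK is expected to talk to.
TEST_HOST = "3ds-test-host.example.test"

# Constructed vendor inventory (what T.2.3.1 and T.2.3.2 should yield):
# third-party host -> sensitive elements the vendor documents as sent there.
DECLARED_THIRD_PARTIES = {
    "analytics.example-vendor.test": frozenset(),              # documented: no sensitive data
    "crashlogs.example-vendor.test": frozenset({"device_info"}),  # documented: device info only
}


@dataclass(frozen=True)
class Flow:
    """One observed request: destination URL and the field names seen in its body."""
    url: str
    fields: frozenset


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str          # "undeclared_destination" or "undeclared_sensitive_element"
    elements: frozenset


def host_of(url: str) -> str:
    """Normalise the destination so 'Host.Example.TEST/path' and 'host.example.test' compare equal."""
    host = urlsplit(url).hostname
    return (host or "").lower()


def reconcile(flows, declared, test_host, sensitive):
    """Return one Finding per flow that is not covered by the vendor's documentation.

    - Traffic to the 3DS test host is expected and ignored.
    - Traffic to a host absent from the inventory is an undeclared destination
      (reported even if it carries no sensitive element, since T.2.3.1 requires
      the inventory to be complete).
    - Traffic to a declared host carrying a sensitive element the vendor did not
      document for that host is an undeclared sensitive element (T.2.3.2).
    """
    findings = []
    for flow in flows:
        host = host_of(flow.url)
        if host == test_host:
            continue
        observed_sensitive = frozenset(flow.fields & sensitive)
        if host not in declared:
            findings.append(Finding(host, "undeclared_destination", observed_sensitive))
            continue
        undeclared = observed_sensitive - declared[host]
        if undeclared:
            findings.append(Finding(host, "undeclared_sensitive_element", undeclared))
    return findings


# Constructed capture from a run covering the SDK's 3DS operations.
OBSERVED_FLOWS = [
    Flow(f"https://{TEST_HOST}/3ds/areq", frozenset({"pan", "device_info", "sdk_ephemeral_key"})),
    Flow("https://analytics.example-vendor.test/event", frozenset({"event_name", "sdk_version"})),
    Flow("https://crashlogs.example-vendor.test/report", frozenset({"device_info", "sdk_ephemeral_key"})),
    Flow("https://Tracker.Unknown.TEST/beacon", frozenset({"device_info"})),
]


def run_example():
    return reconcile(OBSERVED_FLOWS, DECLARED_THIRD_PARTIES, TEST_HOST, SENSITIVE_ELEMENTS)


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding.kind}: {finding.host} {sorted(finding.elements)}")
```

On the constructed capture the script reports two findings: the crash-log service receives an ephemeral key the vendor only documented device information for, and the tracker host is not in the inventory at all. Either result means the evidence from T.2.3.1/T.2.3.2 does not "correctly and completely align" with observed behaviour. Note that this check is only as good as the capture behind it: as the Note under T.2.3.4 says, certificate pinning or anti-tampering controls may have to be disabled with the vendor's help before a proxy or on-device monitor sees the traffic at all.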
Guidance:
The use of third-party services or components should be carefully controlled and justified. Control over sensitive information may no longer reside with the 3DS SDK Vendor once sensitive information is shared or made accessible to third-party services or components, and 3DS SDK Vendors should consider the ramifications of third-party misuse or disclosure of such information.