Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 2.5
Security Objective 2: Protect Sensitive 3DS SDK Data Elements
Certain types of information collected in association with 3DS transactions are highly sensitive in nature and must be protected from unauthorized disclosure. Such information might include, but is not limited to, cardholder data (CHD), 3DS authentication data, cryptographic keys, and consumer device information. Refer to Table 2, "Sensitive 3DS SDK Data Elements," in the "Scope of Security Requirements" section for more information on which specific 3DS SDK data elements require protection from unauthorized disclosure.
Requirements:
2.5 Hardcoded 3DS SDK Data Elements
Sensitive 3DS SDK data elements are not hard-coded in 3DS SDK code unless explicitly permitted.
Assessment Procedures:
T.2.5.1 Referring to testing performed in Requirement 2.4, "Protection against Disclosure through Unintended Channels," the tester shall confirm that sensitive 3DS SDK data elements are not hard-coded in the 3DS SDK except where the vendor has maintained reasonable and documented justification for their use.
T.2.5.2 The tester shall test the 3DS SDK by performing a series of 3DS operations, ensuring that these cover all functionality provided by the 3DS SDK, and observe the use of sensitive 3DS SDK data elements across multiple operations and executions of the 3DS SDK. Where sensitive 3DS SDK data elements appear to have the same value or a limited range of values, the tester shall confirm that these values correctly and completely align with those values noted in T.2.5.1.
Note: This testing must be performed against a 3DS test host/harness that has been confirmed to provide all required 3DS functionality and data elements.
Guidance:
The 3DS SDK, as part of its normal functionality, will be exposed to and handle various sensitive 3DS data elements. For example, the public keys associated with each directoryServerID will be issued after certification and stored by the 3DS SDK. It is fairly trivial to reverse-engineer mobile applications (for example, using dex2jar or JAD) and analyse the recovered source code with the intent of harvesting hard-coded sensitive information; string constants, resource files and compiled-in byte arrays are all recovered by the same tooling. To prevent that, the 3DS SDK should not store any sensitive 3DS SDK data elements in the source code unless explicitly permitted. Instead, in the case of cryptographic keys, for example, the 3DS SDK could fetch the data from an HSM and then store the keys locally using the most secure storage option the operating system provides where appropriate (for example, the iOS keychain or the Android key store; shared preferences only when their contents are encrypted under a key held in the platform key store, since a plain shared-preferences file is readable on a rooted device). Refer to Table 2, "Sensitive 3DS SDK Data Elements," in the "Scope of Security Requirements" section for more information on which sensitive 3DS SDK data elements are permitted to be retained.
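The following is an added example of how a tester might automate the two assessment procedures above; it is not code from PCI SSC, from the standard, or from any 3DS SDK vendor. It scans a constructed fragment of decompiled source for hard-coded key material (T.2.5.1) and then checks which sensitive elements observed across several SDK executions never vary (T.2.5.2), reconciling the constant ones against the literals the vendor has documented as permitted. The class name, identifiers, the `DS_PUBLIC_KEY_` allow-list prefix, the key strings and the observation records are all assumptions made for the example, and the entropy thresholds are the common secret-scanner heuristics rather than values taken from the standard.

```python
"""Added example, not from PCI SSC or any 3DS SDK vendor: two checks mirroring
assessment procedures T.2.5.1 (static scan of decompiled source for hard-coded
sensitive values) and T.2.5.2 (variance of observed sensitive elements across
repeated SDK executions). Every sample value here is constructed."""
import math
import re
from collections import Counter, defaultdict

# Constructed stand-ins for a DS public key and an AES key (not real keys).
DS_PEM = ("-----BEGIN PUBLIC KEY-----"
          "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
          "-----END PUBLIC KEY-----")
AES_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"

# Constructed fragment standing in for dex2jar/JAD output of a hypothetical SDK.
SAMPLE_SOURCE = f'''
public final class ThreeDSConfig {{
    static final String DS_PUBLIC_KEY_A000000003 = "{DS_PEM}";  // documented, permitted
    static final String PACKAGE_NAME = "com.example.threeds.sdk";
    static final String API_SECRET = "sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c";
    static final String AES_KEY_HEX = "{AES_HEX}";
}}
'''

# Assumed vendor documentation: only DS public keys are justified in code.
PERMITTED_PREFIXES = ("DS_PUBLIC_KEY_",)

ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
PEM_HEADER = re.compile(r"-----BEGIN (?:RSA |EC )?(?:PRIVATE|PUBLIC) KEY-----")
HEX_RUN = re.compile(r"[0-9a-fA-F]{20,}")
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")


def shannon_entropy(s):
    """Bits per character of a string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_literal(value):
    """Rules a string literal trips; an empty list means it looks benign.
    Thresholds follow the usual secret-scanner heuristic: hex runs above
    3.0 bits/char, base64 runs above 4.5 bits/char."""
    hits = []
    if PEM_HEADER.search(value):
        hits.append("pem_key")
    if any(shannon_entropy(r) > 3.0 for r in HEX_RUN.findall(value)):
        hits.append("high_entropy_hex")
    if any(shannon_entropy(r) > 4.5 for r in B64_RUN.findall(value)):
        hits.append("high_entropy_base64")
    return hits


def scan_source(source, permitted_prefixes=PERMITTED_PREFIXES):
    """T.2.5.1: find hard-coded sensitive literals and split them into those
    covered by the vendor's documented justification and those that are not."""
    permitted, violations = {}, {}
    for name, value in ASSIGNMENT.findall(source):
        hits = classify_literal(value)
        if not hits:
            continue
        bucket = permitted if name.startswith(permitted_prefixes) else violations
        bucket[name] = {"value": value, "rules": hits}
    return permitted, violations


# Constructed observations of sensitive elements over five SDK executions:
# per-transaction values change every run, the two keys never do.
OBSERVATIONS = [
    {"sdkTransID": f"tx-{i}", "sdkEphemPubKey": f"ephem-{i}",
     "dsPublicKey": DS_PEM, "aesKeyHex": AES_HEX}
    for i in range(5)
]


def low_variance_elements(observations, max_distinct=2):
    """T.2.5.2: elements whose value set stays fixed (or nearly so) across runs."""
    seen = defaultdict(set)
    for run in observations:
        for name, value in run.items():
            seen[name].add(value)
    return {k: sorted(v) for k, v in seen.items() if len(v) <= max_distinct}


def assess(source, observations):
    """Reconcile the two procedures: a constant observed value is acceptable
    only if it is one of the literals documented as permitted in T.2.5.1."""
    permitted, violations = scan_source(source)
    permitted_values = {entry["value"] for entry in permitted.values()}
    unexplained = {k: v for k, v in low_variance_elements(observations).items()
                   if not set(v) <= permitted_values}
    return {"static_violations": sorted(violations),
            "unexplained_constants": sorted(unexplained),
            "compliant": not violations and not unexplained}


if __name__ == "__main__":
    print(assess(SAMPLE_SOURCE, OBSERVATIONS))
```

Against the constructed input, the static pass reports `API_SECRET` and `AES_KEY_HEX` as undocumented hard-coded values while accepting the DS public key, and the dynamic pass finds two elements that never change across runs, of which only `dsPublicKey` is explained by the documented literals; `aesKeyHex` therefore fails the requirement. On a real assessment the observations would come from instrumenting the SDK against the 3DS test harness the note above requires, and the allow-list would be taken from the vendor's written justification rather than from an identifier prefix.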