Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 2.6
List of requirements
Security Objective 2: Protect Sensitive 3DS SDK Data Elements
Certain types of information collected in association with 3DS transactions are highly sensitive in nature and must be protected from unauthorized disclosure. Such information might include, but is not limited to, cardholder data (CHD), 3DS authentication data, cryptographic keys, and consumer device information. Refer to Table 2, "Sensitive 3DS SDK Data Elements," in the "Scope of Security Requirements" section for more information on which specific 3DS SDK data elements require protection from unauthorized disclosure.
Requirements:
2.6 Run-Time Data Protection
The 3DS SDK implements run-time data protection techniques to protect the 3DS SDK instance from being accessed by unauthorized third-party applications and/or libraries.
Assessment Procedures:
T.2.6.1 Referencing the sensitive 3DS SDK data elements identified in T.2.1.1 and the protection features determined through other testing, the tester shall confirm that protections against extraction or determination are provided for each sensitive 3DS SDK data element.
T.2.6.2 The tester shall examine vendor materials and other evidence, including source code, and test the 3DS SDK to determine what sensitive 3DS SDK data elements may be most susceptible to side-channel attacks, such as cache timing or other attack methods, and to confirm that such attacks are not feasible given the implemented protections.
T.2.6.3 The tester shall examine vendor materials and other evidence, including source code, and test the software to determine what sensitive 3DS SDK data elements may be most susceptible to exposure through code injection or code reuse attacks, and to confirm such attacks are not feasible given implemented protections.
T.2.6.4 The tester shall examine vendor materials and other evidence, including source code, and test the 3DS SDK to determine what sensitive 3DS SDK data elements may be most susceptible to exposure through hooking methods (remote and local) and reverse-engineering attacks, and to confirm that such attacks are not feasible given other protections.
T.2.6.5 The tester shall test the 3DS SDK by attempting to subvert any third-party components or services relied upon by the 3DS SDK to determine whether any sensitive 3DS SDK data elements are used by the 3DS SDK that are not already confirmed to be passed to that third-party component or service as per testing under Requirement 2.3, "Use of Third-Party Services". Where third-party components or services are known to receive sensitive 3DS SDK data elements, the tester shall attempt to extract the sensitive values from these services during operation of the 3DS SDK to confirm the sensitive 3DS SDK data elements are not exposed to extraction or determination through code injection, code reuse, reverse engineering, and the use of hooking (remote or local) methods.
Guidance:
Code injection, code reuse, local and remote hooks, reverse-engineering attacks and side-channel attacks (for example, cache side-channel or timing attacks) are often used to execute code in the context of the target process or to extract sensitive information from target systems and applications. Various defense techniques exist to make such attacks significantly harder, including dynamic or artificial software diversity, compression and randomization. Properly implemented runtime application self-protection (RASP) and/or anti-debugging or anti-hooking techniques may be used to satisfy this requirement.
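The following is an added illustration, not text or code from the PCI 3DS standard or from any vendor's 3DS SDK, of three run-time checks of the kind the guidance above refers to and that a tester would probe under T.2.6.2 and T.2.6.4: a constant-time comparison that removes the timing side channel of an early-exit compare, a ptrace-attached-debugger check via the TracerPid field of /proc/self/status, and an inline-hook check that hashes a function's prologue bytes at initialisation and re-verifies them before each sensitive operation. It assumes Linux with a readable /proc and readable code pages; all function and variable names are the author's own, and the secret and status-file contents are constructed sample data.

```c
/* Added example (not from the PCI 3DS standard or any vendor SDK).
 * Assumes Linux (/proc/self/status) and code pages that can be read.
 * All names below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1. Timing side channel (T.2.6.2): the early-exit compare returns as soon as
 * a byte differs, so its running time reveals how many leading bytes matched.
 * ct_equal touches every byte and ORs the differences into one accumulator,
 * so its running time does not depend on where the first mismatch is. */
int naive_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;      /* leaks position of first mismatch */
    return 1;
}

int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc == 0;
}

/* 2. Anti-debugging (T.2.6.4): a ptrace-attached debugger appears as a
 * non-zero TracerPid in /proc/self/status. The parser is separated from the
 * file read so it can be exercised on a constructed buffer.
 * Returns the tracer pid, 0 when untraced, -1 when the field is absent. */
long tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

long current_tracer_pid(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;                      /* no procfs: cannot tell */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* 3. Inline-hook detection (T.2.6.4): hooking frameworks overwrite the first
 * bytes of a target function with a jump to their trampoline. FNV-1a over
 * the prologue, taken at start-up and re-checked before use, catches that
 * patch. 16 bytes covers a typical trampoline and stays inside the function. */
uint64_t prologue_hash(const void *fn, size_t n) {
    const uint8_t *code = (const uint8_t *)fn;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= code[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t g_baseline;               /* prologue hash taken at init */

void init_self_protection(void) {
    g_baseline = prologue_hash((const void *)ct_equal, 16);
}

/* Sensitive operation guarded by all three checks: returns 1 only when no
 * debugger is attached, ct_equal's prologue is unchanged, and the value
 * matches. Returning 0 on tamper (rather than aborting) keeps the example
 * testable; a real SDK would wipe its sensitive data elements and stop. */
int guarded_compare(const uint8_t *expected, const uint8_t *supplied, size_t n) {
    if (current_tracer_pid() > 0) return 0;
    if (prologue_hash((const void *)ct_equal, 16) != g_baseline) return 0;
    return ct_equal(expected, supplied, n);
}

int main(void) {
    init_self_protection();
    const uint8_t secret[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed */
    const uint8_t guess[8]  = {1, 2, 3, 4, 5, 6, 7, 9};
    printf("naive=%d ct=%d guarded=%d tracer=%ld\n",
           naive_equal(secret, guess, 8), ct_equal(secret, guess, 8),
           guarded_compare(secret, secret, 8), current_tracer_pid());
    return 0;
}
```

Running the program under a debugger (for example `gdb --args ./a.out`) makes `guarded_compare` fail closed with `tracer` set to the debugger's pid; the prologue hash is only meaningful if `init_self_protection` runs before any hooking framework has a chance to attach, which is why such baselines are normally taken as early as possible in SDK initialisation.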