Payment Card Industry 3-D Secure (PCI 3DS)

The user interface (UI) rendered by the 3DS SDK (both in Native and HTML modes) is isolated and secured such that user information (including authentication data) displayed and captured by the 3DS SDK is not accessible to any unauthorized process outside the 3DS SDK.
Assessment Procedures:
T.2.7.1 The tester shall examine vendor materials and other evidence, including source code, to identify all OS functions or other third-party features the 3DS SDK relies upon for the passing and rendering of UI elements.

T.2.7.2 The tester shall examine vendor materials and other evidence, including source code, to confirm that security features are implemented to protect the UI against access by other applications.

T.2.7.3 The tester shall test the 3DS SDK by attempting to modify, capture, or otherwise undermine the security of the 3DS SDK UI to confirm that any user information captured and displayed by the 3DS SDK is not accessible to any unauthorized process outside of the 3DS SDK.
Guidance:
UI isolation is necessary to ensure that sensitive 3DS SDK data elements cannot be leaked to any unauthorized component or process outside the 3DS SDK. Sensitive 3DS SDK data elements contained in the UI components rendered by the 3DS SDK can be inadvertently accessible to unauthorized components and processes unless adequately protected. Protection methods include restricting access to the UI components as well as controlling inter-process communications and event handling. For example, when an application goes into the background, it could prevent screen capturing by the underlying OS by intercepting the applicationDidEnterBackground event to control what information is shared with iOS⎯e.g., splash screen or blurred window snapshot⎯or preventing manual and automatic screenshots altogether by setting FLAG_SECURE on Android.