Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 2.8
Security Objective 2: Protect Sensitive 3DS SDK Data Elements
Certain types of information collected in association with 3DS transactions are highly sensitive in nature and must be protected from unauthorized disclosure. Such information might include, but is not limited to, cardholder data (CHD), 3DS authentication data, cryptographic keys, and consumer device information. Refer to Table 2, “Sensitive 3DS SDK Data Elements,” in the “Scope of Security Requirements” section for more information on which specific 3DS SDK data elements require protection from unauthorized disclosure.
Requirements:
2.8 HTML Rendering: The 3DS SDK intercepts all external URL requests made by the rendered HTML UI (both during loading of the UI and on user action) and handles these requests within the 3DS SDK. Such requests are not passed to the device’s operating system or the Internet.
Assessment Procedures:
T.2.8.1 The tester shall examine vendor materials and other evidence, including source code, and the findings in T.2.7.1 to confirm that URL requests made by the UI in HTML mode are handled within the 3DS SDK itself and are not passed to the device’s operating system or any other component (internal or external).
T.2.8.2 The tester shall examine vendor materials and other evidence, including source code, to determine what web elements the 3DS SDK is configured to handle, and to confirm that these methods are created and used in a way that mitigates attacks and prevents references to external content that is not supplied by the Access Control Server (ACS).
T.2.8.3 Using the information determined in T.2.8.2, the tester shall test the 3DS SDK by attempting to inject HTML references in ACS response(s), and observe the operation of the 3DS SDK to confirm that the UI processes running in HTML mode are handled by the 3DS SDK and are not passed to the device operating system or other component(s) (internal or external).
Note: This testing must be performed with a test host/harness that allows for such injection.
Guidance:
When the 3DS SDK makes API calls to the ACS that are rendered in HTML mode, those calls, as well as the responses, should not be available outside the 3DS SDK. HTML content generated by the ACS and displayed in HTML mode by the 3DS SDK should not reference content from other external sites. The intent of this requirement is to reduce the 3DS SDK’s attack profile and to protect against the inadvertent leakage of sensitive 3DS SDK data elements to unauthorized parties.
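As an added example (not part of the PCI 3DS standard and not any vendor's SDK code), the following Python shows the kind of check a T.2.8.2/T.2.8.3 test harness can apply to ACS-supplied challenge HTML: it collects every reference the rendered UI could turn into a URL request (src/href/action/formaction attributes, meta refresh, url() in inline CSS and style blocks) and classifies each the way a 2.8-compliant SDK must, consuming its own internal form target and refusing anything that would reach the operating system or the Internet. The internal target `/challenge/submit`, the two sample HTML fragments and the `external.example` host are constructed assumptions for the example.

```python
"""Example harness check (not PCI 3DS or vendor SDK code): collect every URL
reference in ACS-supplied challenge HTML and classify how a 2.8-compliant SDK
must treat the request it would produce."""
from html.parser import HTMLParser
import re
from urllib.parse import urlsplit

# Attributes whose value makes the rendered UI issue a URL request.
URL_ATTRS = {"src", "href", "action", "formaction", "poster", "data", "background"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)
META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)

# Assumption for this example: the only request target the SDK handles itself
# (the relative form action it intercepts and turns into its own challenge
# request). A real SDK defines this internally; it is not from the standard.
INTERNAL_TARGETS = {"/challenge/submit"}


class _RefCollector(HTMLParser):
    """Record (tag, attribute, value) for everything that can become a request."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        attr_map = dict(attrs)
        # <meta http-equiv="refresh" content="0;url=..."> is a navigation too.
        if tag == "meta" and (attr_map.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.search(attr_map.get("content") or "")
            if m:
                self.refs.append((tag, "refresh", m.group(1).strip()))
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self.refs.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS such as background:url(...)
                for url in CSS_URL_RE.findall(value):
                    self.refs.append((tag, "style:url", url.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # url(...) inside a <style> block
            for url in CSS_URL_RE.findall(data):
                self.refs.append(("style", "css:url", url.strip()))


def classify(url):
    """How a 2.8-compliant SDK must treat a request from the rendered UI:
    'internal' is consumed by the SDK; any 'blocked:*' verdict must never
    reach the device OS or the Internet."""
    # Drop the tab/CR/LF characters browsers ignore, so "java\tscript:" is caught.
    cleaned = re.sub(r"[\t\r\n]", "", url).strip()
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        # http(s), javascript:, data:, file:, tel:, intent:, scheme-relative //host
        return "blocked:external"
    if cleaned.startswith("#") or parts.path in INTERNAL_TARGETS:
        return "internal"
    return "blocked:unknown"


def audit_html(html):
    """Return (tag, attribute, url, verdict) for every reference in the HTML."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return [(t, a, u, classify(u)) for t, a, u in collector.refs]


def is_clean(html):
    """True only if every reference is handled inside the SDK."""
    return all(verdict == "internal" for *_, verdict in audit_html(html))


# Constructed samples: a plain challenge form, and the same form with the kind
# of external references a T.2.8.3 harness injects into an ACS response.
SAMPLE_CLEAN = (
    '<form action="/challenge/submit" method="post">'
    '<input name="otp"><button type="submit">Continue</button></form>'
)
SAMPLE_INJECTED = (
    '<form action="/challenge/submit" method="post">'
    '<meta http-equiv="refresh" content="0;url=https://external.example/">'
    '<img src="https://external.example/pixel.gif" alt="">'
    '<a href="javascript:void(0)">help</a>'
    '<div style="background:url(\'//external.example/bg.png\')"></div>'
    '<button formaction="http://external.example/submit">Continue</button>'
    '</form>'
)

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_INJECTED):
        print("%-6s %-10s %-40s %s" % finding)
    print("clean:", is_clean(SAMPLE_CLEAN), "injected:", is_clean(SAMPLE_INJECTED))
```

Every verdict other than `internal` is a reference the SDK must swallow rather than forward; a harness driving the SDK with `SAMPLE_INJECTED` then confirms, by observing device-level network activity, that none of the five blocked references actually produced a request from the operating system.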