Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 4.2
List of requirements
Requirements:
4.2 Development of Defensive Strategies
Defensive strategies and mechanisms to protect against attack vectors and/or scenarios are designed and implemented. Attack scenarios that are applicable to the 3DS SDK but are not specifically addressed are justified.
Assessment Procedures:
T.4.2.1 The tester shall examine vendor materials and other evidence to confirm that there are clear, documented vendor policy and procedure statements regarding the remediation of identified vulnerabilities in the 3DS SDK. These statements must tie together with the identification and ranking process covered under Requirement 4.1, “Threat and Vulnerability Analysis.”
T.4.2.2 The tester shall determine whether the vendor explicitly allows for potential threats to remain un-addressed and, if so, the tester shall confirm that ranking/categorization levels are considered acceptable for this (as assessed in Requirement 4.1, “Threat and Vulnerability Analysis”), and that either this ranking process or another process explicitly involves a step to document and justify why it is acceptable to not address this vulnerability specifically.
T.4.2.3 The tester shall interview personnel responsible for the implementation of defensive strategies and confirm that they know of and understand the policy and procedure requirements for this process.
T.4.2.4 Referencing the documented threats and vulnerabilities sampled in Requirement 4.1, “Threat and Vulnerability Analysis,” the tester shall determine whether any vulnerabilities have been not specifically remediated and, if so, confirm that this is due to the correct and documented steps involved in the policy and procedures identified in T.4.2.1. Where all vulnerabilities have been addressed, the tester shall obtain more evidence to address this testing requirement. If vendor policy is to mitigate all threats and vulnerabilities, the tester shall require an increased sample size to confirm that each and every threat has been addressed.
Guidance:
Once threats, attack vectors, and attack scenarios are identified, they should be mitigated. 3DS SDK Vendors should define and implement mechanisms to protect the 3DS SDK from those risks and reduce the likelihood and impact of their exploitation. Any known risks that are not addressed or do not reduce the likelihood and impact of the exploitation of those risks to a reasonable level should be justified.