Payment Card Industry 3-D Secure (PCI 3DS)

The 3DS SDK Vendor creates, maintains, and makes available guidance to all stakeholders on the appropriate and secure implementation, configuration, and use of the 3DS SDK as well as all APIs provided by the 3DS SDK.
Assessment Procedures:
T.5.1.1 The tester shall examine vendor materials and other evidence to confirm that the 3DS SDK Vendor maintains detailed security guidance for the secure implementation of the 3DS SDK, as determined in previous testing within this standard, and that such guidance contains all references required for a secure implementation and configuration of the 3DS SDK.
T.5.1.2 The tester shall confirm that vendor security guidance is made available to all software developers who will be integrating the 3DS SDK into their applications. The tester shall also confirm there are no specific legal, distribution, or other requirements that appear to prevent the distribution of the security guidance to developers who require this guidance⎯e.g., a data classification that prevents the document from being distributed to other entities.

Upon any changes and/or updates to the 3DS SDK, the 3DS SDK Vendor provides all stakeholders with a clear and unambiguous indication that updates were made, and makes available detailed information regarding the specific changes made, the functionalities that are affected, and the potential security impacts associated with those changes (for example, release notes). The relationship between the updated software and detailed information about the updates should be clear.
Assessment Procedures:
T.5.2.1 The tester shall examine vendor materials and other evidence to confirm that procedures exist to clearly communicate changes to the 3DS SDK security guidance to relevant stakeholders. This process must require the initiation of contact regarding the change from the 3DS SDK Vendor; it is not considered acceptable to post changes on a website or other location that requires the stakeholder to initiate a process to check whether changes have been made. A process involving e-mails to the stakeholders to inform them of updates is considered an acceptable example of initiation.
T.5.2.2 The tester shall examine vendor materials and other evidence to confirm that the procedures for updating the security guidance requires or includes the production of details indicating exactly what has changed in this new version. This may be in the form of release notes or a marked-up version of the document. A full trace of changes must be possible from the first release of the security guidance through the most current version.

T.5.2.3 The tester shall confirm that the change notice also includes any impacts to the functionality and/or security of the 3DS SDK, as applicable. This should include any new requirements that are conveyed to the application integrating the 3DS SDK⎯e.g., new APIs that must be called, or changes to the way in which entropy must be collected and passed to the 3DS SDK.

T.5.2.4 The tester shall confirm that the process for informing and distributing the security guidance also ensures the distribution of the change details.
Guidance:
It should be made clear to stakeholders when and to what extent changes are made to the 3DS SDK. Indicators of changes may include the advancement of version numbers or some other indicator such that any 3DS SDK stakeholders can easily associate a software release with the changes included in that release. Without change details or release notes, the impact of 3DS SDK changes⎯such as changes/updates and security patches⎯might not be fully realized and could have unintended consequences. The impact of the change should be documented so that all affected parties can plan appropriately for any processing changes.

The 3DS SDK Vendor updates security guidance whenever changes warrant updates. The criteria for determining whether updates are necessary are clearly defined by the vendor and are reasonable. At a minimum, security guidance is reviewed at least annually, and updates made whenever new or changes to functionality, security features, APIs, or configurable settings are introduced.
Assessment Procedures:
T.5.3.1 The tester shall examine vendor materials and other evidence to confirm that the vendor has a documented policy and procedure to identify when updates to the security guidance are necessary.

T.5.3.2 The tester shall examine vendor materials and other evidence to confirm that the vendor has a documented policy and procedure requiring regular reviews of the security guidance. At a minimum, there must be a procedure to review the 3DS SDK and confirm any updates required at least annually.
T.5.3.3 Where possible, the tester shall obtain previous versions of the security guidance and confirm that they have been updated and published in accordance with the vendor policy and procedure.

T.5.3.4 The tester shall interview a sample of the personnel responsible for updating the security guidance to confirm that they understand the policy and procedures for this, as well as their responsibility for maintaining and updating this document.

T.5.3.5 The tester shall confirm that the vendor policy and procedures require updates to the security guidance when new or changes to functionality, security features, APIs or configurable settings are introduced.

T.5.3.6 The tester shall interview a sample of the personnel responsible for updating the security guidance to confirm that they understand that the security guidance must be updated when new or changes to functionality, security features, APIs or configurable settings are introduced.
Guidance:
It is imperative that vendor security guidance reflect the current functionality and configuration options available in the 3DS SDK. Otherwise, new features and options might be misconfigured by the implementer. If changes to the 3DS SDK do not warrant updates to security guidance, then the justification for not making updates to implementation guidance should be reasonable. The criteria for making such determinations should also be documented to ensure consistency in application.