Terminology
Definitions for PCI terminology used throughout this document are provided in the general PCI Glossary on the PCI SSC website at https://www.pcisecuritystandards.org/pci_security/glossary. Additionally, Table 1 below includes terms that are used in this PCI 3DS SDK Security Standard:
Term: 3-D Secure (3DS)
Definition: As defined in the EMV® 3-D Secure Protocol and Core Functions Specification: an authentication protocol that enables the secure processing of payment and non-payment card transactions.
Term: 3-D Secure (3DS) Requestor App
Definition: An application on a consumer device that facilitates a 3-D Secure transaction through the use of a 3DS SDK. The 3DS Requestor App is enabled through integration with the 3DS SDK.
Term: 3DS Software Development Kit (3DS SDK)
Definition: A component that is incorporated into the 3DS Requestor App. The 3DS SDK performs functions related to 3-D Secure on behalf of the 3DS Server and the Access Control Server.
Term: 3DS SDK Laboratory (Lab)
Definition: A PCI-recognized laboratory that is qualified by PCI SSC to perform PCI 3DS SDK evaluations.
Term: 3DS SDK Vendor
Definition: An entity that develops, releases, maintains, and supports 3DS SDKs.
Term: Access Control Server (ACS)
Definition: A component of the 3DS core infrastructure that contains the cardholder authentication rules. The ACS is controlled by the issuer, verifies whether authentication is available for a card number and device type, and authenticates 3DS-enabled transactions.
Term: Attestation of Validation (AOV)
Definition: The AOV is a form for 3DS SDK Vendors to attest to the results of a PCI 3DS SDK Security Assessment, as documented in the Report on Validation (ROV).
Term: Deterministic Random Number Generator (DRNG)
Definition: A deterministic algorithm that, starting from a seed value, generates a sequence of numbers whose statistical properties resemble those of random numbers. Because the entire sequence is determined by the seed, the output is not considered truly random and is only as unpredictable as the seed it was given.
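As an added illustration of this definition (example code written for this page, not part of the PCI standard or any 3DS SDK), the following is a minimal HMAC_DRBG over SHA-256 in the style of NIST SP 800-90A. It shows the two properties the definition describes: two instances seeded with the same bytes reproduce exactly the same output stream, while instances seeded from the operating system entropy source (`os.urandom`, assumed here as the entropy input) diverge. The class and function names are this example's own.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Minimal HMAC_DRBG (NIST SP 800-90A, SHA-256). Example only, not a validated module."""

    RESEED_INTERVAL = 1 << 48   # SP 800-90A maximum for HMAC_DRBG
    MAX_REQUEST = 1 << 16       # largest single generate() request, in bytes

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < 32:
            raise ValueError("entropy input must supply at least 256 bits")
        self._k = b"\x00" * 32
        self._v = b"\x01" * 32
        # Instantiate: absorb entropy || nonce || personalization string.
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: the second round is skipped when no data is provided.
        self._k = self._hmac(self._k, self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._k, self._v)
        if provided_data:
            self._k = self._hmac(self._k, self._v + b"\x01" + provided_data)
            self._v = self._hmac(self._k, self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        if len(entropy) < 32:
            raise ValueError("reseed entropy must supply at least 256 bits")
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        if n > self.MAX_REQUEST:
            raise ValueError("request too large; split it into several calls")
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self._v = self._hmac(self._k, self._v)
            out += self._v
        # Back-track resistance: refresh the state after every request.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n]


def same_seed_same_output(seed: bytes, n: int = 32) -> bool:
    """Determinism: identical seed material yields an identical output stream."""
    return HmacDrbg(seed).generate(n) == HmacDrbg(seed).generate(n)


def fresh_seeds_differ(n: int = 32) -> bool:
    """Unpredictability comes only from the seed; here from the OS entropy source."""
    return HmacDrbg(os.urandom(32)).generate(n) != HmacDrbg(os.urandom(32)).generate(n)


def attacker_reproduces_stream(known_seed: bytes, victim_output: bytes) -> bool:
    """If the seed is guessable (constructed example: a constant), the stream is too."""
    return HmacDrbg(known_seed).generate(len(victim_output)) == victim_output


if __name__ == "__main__":
    # Constructed low-entropy seed standing in for a predictable value such as a timestamp.
    weak_seed = b"\x00" * 31 + b"\x07"
    victim = HmacDrbg(weak_seed).generate(16)
    print("same seed reproduces output:", same_seed_same_output(weak_seed))
    print("fresh OS-seeded instances differ:", fresh_seeds_differ())
    print("attacker with the seed recovers the stream:", attacker_reproduces_stream(weak_seed, victim))
```

The practical consequence for an SDK is that a DRNG is acceptable for cryptographic use only when it is seeded (and periodically reseeded) from a source the attacker cannot predict; the algorithm itself adds no entropy.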
Term: Hook or “hooking” attacks
Definition: A technique used to alter the behavior of an operating system, applications, or other software components by intercepting messages or events passed between software components.
Term: HTML mode
Definition: An HTML interface provided by the 3DS SDK and used to render code to allow a user to interact with 3DS functionality. HTML mode is often associated with the use of the WebView class on Android and the WKWebView class (hosted by a UIViewController) on iOS. Similar functionality may be represented by other terms or classes on other operating systems.
Term: Native mode
Definition: An interface native to the underlying operating system and used to render code to allow a user to interact with 3DS functionality.
Term: Reasonable justification or reasonably justified
Definition: An explanation of why a decision was made using fair, objective, measurable, and balanced information.
Term: Report on Validation (ROV)
Definition: A report documenting detailed results from a PCI 3DS SDK Security Assessment.
Term: Resiliency
Definition: The extent to which software can maintain normal operations in adverse conditions, including the ability of software to defend itself from attacks.
Term: Rooted or jailbroken device
Definition: A condition where smartphones, tablets, and other devices running mobile operating systems (such as Android or iOS) allow users to obtain privileged control of the operating system’s subsystems. “Jailbreaking” is often associated with iOS devices, while “rooting” is typically associated with Android devices. Different terms representing the same concept may be associated with other operating systems, but for the purposes of this standard the terms rooting or jailbreaking are used.
Term: Security testing
Definition: Security testing is a process of identifying flaws related to elements of confidentiality, integrity, and resiliency in the assessed system component(s) and security mechanisms. The process usually includes, but is not limited to, activities such as threat modeling, code reviews, vulnerability assessment, penetration testing, fuzz testing, etc.
Term: Sideloading attacks
Definition: The act of installing an application obtained from a source other than the official application repository for the device (e.g., the App Store for iOS or Google Play for Android). Such sources are untrusted, since the application has not passed through the repository's review and distribution controls.
Term: Tester
Definition: An individual or agent of the PCI 3DS SDK Lab performing the PCI 3DS SDK Assessment (in whole or in part).
The following resources contain additional terminology references:
▪ EMV® 3-D Secure Protocol and Core Functions Specification (www.emvco.com)
▪ EMV® 3-D Secure SDK Specification (www.emvco.com)