To facilitate third-party validation of the 3DS SDK, 3DS SDK Vendors must produce clear and sufficient evidence that confirms they have satisfied the security objectives and requirements within this standard. The Assessment Procedures identified for each requirement describe the expected testing activities to be performed to validate whether the 3DS SDK and 3DS SDK Vendor have met the requirements. All Assessment Procedures specified are expected to be performed by a PCI 3DS SDK Lab. Each testing method is described in further detail below:
- Examine: The PCI 3DS SDK Lab critically evaluates data evidence. Common examples of such evidence include software design and architecture documents (electronic or physical), source code, configuration and metadata files, and security testing results.
- Interview: The PCI 3DS SDK Lab converses with 3DS SDK Vendor personnel. The purpose of interviews may include determining how an activity is performed, whether an activity is performed as defined, and whether personnel have particular knowledge or understanding of specific policies, processes, responsibilities, or concepts.
- Test: The PCI 3DS SDK Lab evaluates the 3DS SDK code or the operation of the 3DS SDK using a variety of security testing tools and techniques. Examples of such tools and techniques might include the use of static and dynamic analysis, interactive application security testing, and software composition analysis tools; and techniques such as fuzz testing or penetration testing. It shall be up to the PCI 3DS SDK Lab to determine the specific tools or techniques most appropriate to use to validate whether the 3DS SDK or 3DS SDK Vendor meets a specific 3DS SDK requirement.
- Observe: The PCI 3DS SDK Lab observes an activity or views something within the software or execution environment. An example includes observing the software perform a function or respond to input to confirm the 3DS SDK is operating as expected.
The Assessment Procedures provide both the 3DS SDK Vendors and PCI 3DS SDK Labs with a common understanding of the expected assessment activities to be performed. The specific items to be examined, observed, or analyzed, and personnel to be interviewed should be appropriate for the requirement being assessed and for each 3DS SDK Vendor’s unique 3DS SDK products. It is at the discretion of the PCI 3DS SDK Labs to determine the appropriateness or adequacy of the evidence provided by the vendor to support each requirement.
When documenting the assessment results, the PCI 3DS SDK Lab identifies the testing activities performed and the results of each activity. While it is expected that the PCI 3DS SDK Lab will perform all Assessment Procedures identified for each requirement, it may also be possible for a requirement to be validated using different or additional assessment procedures. In such cases, the lab should document why assessment procedures that differ from those identified in this standard were used, and how those assessment procedures provide at least the same level of assurance as would have been achieved using the assessment procedures defined within this standard. Where terms such as “periodic,” “appropriate,” and “reasonable” are used in the assessment procedures, it is the 3DS SDK Vendor’s responsibility to define and defend its approach to satisfying applicable requirements. However, it is ultimately up to the PCI 3DS SDK Lab whether to accept the vendor’s justification, given the risks applicable to the vendor’s 3DS SDK product and the extent to which the 3DS SDK Vendor has mitigated those risks.