PCI 3DS Audit

Stage 1: Pre-Audit (GAP Assessment)

This stage prepares your organization for the formal PCI 3DS assessment by defining scope, reviewing the 3DS environment, and identifying gaps that should be addressed before certification.

• Initial Scoping: Collection and review of key information required to define the assessment scope and audit boundaries.
• Architecture and Data Flow Review: Analysis of system architecture, authentication flows, integrations, and trust relationships within the 3DS environment.
• 3DS Environment Identification: Identification of all systems, components, services, and supporting infrastructure included in scope.
• Gap Analysis: Identification of missing controls, weak configurations, operational weaknesses, and documentation gaps.
• Remediation Recommendations: Practical guidance for improving security controls, configurations, policies, and procedures prior to certification.

Deliverable: GAP Analysis Report and Remediation Plan with prioritized recommendations to support PCI 3DS compliance readiness.

Stage 2: PCI 3DS Certification Audit

This stage performs the formal assessment of your 3DS environment against the PCI 3DS Security Requirements. The audit verifies whether required controls are properly implemented, supported by evidence, and operating effectively in practice.

• Final Scope Confirmation: Validation of in-scope systems, services, interfaces, and network boundaries.
• Evidence Collection: Review of logs, technical configurations, screenshots, procedures, and supporting documentation.
• Stakeholder Interviews: Verification of operational practices, control ownership, and day-to-day security responsibilities.
• Remote Control Validation: Demonstration of key controls such as access management, key handling, system administration, and monitoring.
• Control Compliance Assessment: Evaluation of implemented controls against applicable PCI 3DS requirements.
• Remediation Validation: Review of corrective actions and closure evidence before final acceptance, where applicable.

Deliverable: PCI 3DS Audit Report, including:

• Assessment results against applicable PCI 3DS requirements
• Identified gaps, observations, and remediation actions
• Validation of implemented controls and supporting evidence
• Preparation of the Attestation of Compliance (AOC), where applicable
• Support for submission to relevant card schemes, such as Visa and Mastercard

Remediation activities are typically expected to be completed within defined timelines, depending on the applicable card scheme requirements and the nature of the findings.

Stage 3: Advisory Support

Advisory support is provided to help your organization address identified gaps, strengthen control effectiveness, and maintain certification readiness after the assessment.

• Compliance Guidance: Support in interpreting PCI 3DS requirements and understanding their practical application.
• Remediation Support: Assistance with implementing corrective actions, improving control design, and strengthening documentation.
• Ongoing Consultation: Remote support through meetings, email communication, and follow-up review sessions.
• Extended Support Period: Advisory services may be provided for an agreed post-assessment period, depending on engagement scope.
• Timely Responses: Support is delivered within agreed service timelines to help maintain momentum during remediation.

Deliverable: Ongoing PCI 3DS Advisory Support to assist with remediation, evidence preparation, and continued compliance readiness.

Basis of Work

The audit is conducted using recognized PCI assessment methodologies and security best practices to ensure a consistent, reliable, and evidence-based evaluation of the 3DS environment.

• PCI 3DS Security Requirements: Core requirements for securing 3DS environments and related authentication services.
• PCI DSS: Supporting security framework relevant to payment system protection and control alignment.
• PCI SSC Assessment Methodology: Industry-recognized approach for control validation, evidence review, and reporting.

The assessment is typically performed remotely and covers a defined 3DS environment scope, with the flexibility to extend scope where required by architecture, service dependencies, or card scheme expectations.