Document Comparison

PCI_SSC_3DS_Core_v1.x_Technical_FAQs_Apr2021.pdf → PCI_3DS_Core_v1.x_Technical_FAQs_Sep2023.pdf
83% similar
4 → 5 Pages
1123 → 1406 Words
3 Content Changes

Content Changes

3 content changes. 6 administrative changes (dates, page numbers) hidden.

Added p. 4
However, effective upon the publication of this Technical FAQ, it is no longer exclusively required of a non-console HSM access solution to be evaluated by an independent laboratory to verify compliance with ISO 13491.

An alternative set of requirements for a non-console HSM access solution are as follows. Note these requirements below, if met in their entirety, can be used to satisfy the currently published requirements P2-6.2.1 through P2-6.2.5. If using these alternative requirements, make a note of this Technical FAQ in the ROC for each respective requirement and include the appropriate assessment & documentation to validate the requirements as stated have been satisfied.

• (P2-6.2.1) Non-console HSM access for the purposes of management and configuration requires the use of MFA.

• (P2-6.2.2) Non-console HSM access for the purposes of management and configuration is performed using a secure channel.

• (P2-6.2.3) Secret or private cryptographic keys, key components, and/or key shares input to or …

Modified p. 1
Payment Card Industry 3-D Secure (PCI 3DS) Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server Technical FAQs for use with Version 1.0
Payment Card Industry 3-D Secure (PCI 3DS) Security Requirements and Assessment Procedures for EMV® 3-D Secure Core Components: ACS, DS, and 3DS Server Technical FAQs for use with Version 1.x

Modified p. 4
Q 3 April 2021: Can compensating controls be used to meet Requirement P2-6.2.1? A No. Requirement P2-6.2.1 requires personnel with logical access to HSMs to access those HSMs either using the HSM console or using a non-console access solution that has been evaluated to relevant sections of ISO 13491 (as noted in the PCI 3DS Core Requirement). At this time, there are no acceptable alternatives to this requirement and any remote access solutions used to access and administer the HSM …
Q 3 September 2023: Can compensating controls be used to meet Requirement P2-6.2.1? A No. Requirement P2-6.2.1 requires personnel with logical access to HSMs to access those HSMs either using the HSM console or using a non-console access solution.