PCI 3DS Attestation

3DS Attestation: Validate Your 3-Domain Secure Environment

Achieve formal PCI 3DS attestation for your Access Control Server, 3DS Server, or Directory Server — and demonstrate compliance with EMVCo and card brand requirements.

3DS QSA-qualified
ACS · 3DSS · DS
Asia-Pacific focus
3DS QSA-led
Standard PCI 3DS Standard
3 Component Types
ACS · 3DSS · Directory Server
ACS
Access Control
3DSS
3DS Server
DS
Directory
SHARED
Common Controls
Only a 3DS QSA can issue a valid PCI 3DS ROC
Qualified 3DS Assessors
PCI SSC listed company
Trusted by payment authentication teams across APAC
SparkDatacomInland RevenueVodafoneHumm GroupCCLFidelityIllionPlan BXplore
The basics

What Is 3DS Attestation?

3DS Attestation is the formal process by which 3-Domain Secure (3DS) system components — including the 3DS Server (3DSS), Access Control Server (ACS), and Directory Server (DS) — are independently tested and validated against the EMVCo 3DS Core Specification and the PCI 3DS Security Standard.

The PCI Security Standards Council (PCI SSC) established the PCI 3DS Standard to address security risks specific to the 3DS authentication ecosystem. Unlike PCI DSS, which covers cardholder data environments broadly, PCI 3DS focuses narrowly on the infrastructure that handles 3DS authentication data — a high-value target for attackers seeking to intercept or manipulate authentication flows.

Attestation is performed by a Qualified 3DS Assessor (3DS QSA) and results in a Report on Compliance (ROC) submitted to the relevant payment networks or acquirers. Only 3DS QSAs can write and validate the ROC.

Who needs it

Who Needs 3DS Attestation?

Any organisation that operates 3DS components in a live payment authentication environment is required to complete PCI 3DS attestation. This includes:

Access Control Server (ACS) Operators

Issuers and processors that operate an ACS to authenticate cardholders during 3DS transactions must attest the ACS environment annually.

3DS Server (3DSS) Operators

Merchants and payment service providers running a 3DS Server to initiate authentication requests must attest the 3DSS environment.

Directory Server (DS) Operators

Payment network operators and processors running a DS to route authentication requests between 3DS Servers and ACS components require attestation.

Card-Issuing Banks & Financial Institutions

Banks issuing co-branded or proprietary cards using 3DS authentication for online transactions must attest their ACS implementations.

Payment Processors & Acquirers

Processors who integrate 3DS components into their hosted payment environments need attestation to satisfy card brand mandates.

Third-Party 3DS Technology Vendors

Technology providers whose software products implement 3DS Server or ACS functionality for multiple clients often seek independent attestation to commercialise their solutions.

Coverage

What Does a 3DS Attestation Cover?

The PCI 3DS attestation scope is defined by the component type. Each component has its own set of security requirements addressing data protection, access control, network security, and protocol integrity.

Access Control Server (ACS)

Cardholder authentication, cryptographic key management, authentication value (AV) generation, and HSM controls — the security backbone of 3DS authentication for issuers.

3DS Server (3DSS)

Authentication request initiation, secure session handling, message integrity, and TLS mutual authentication with Directory Server endpoints.

Directory Server (DS)

Message routing between 3DSS and ACS, attestation management, network availability, and protocol-level integrity controls.

Shared Requirements (All Components)

Network security, access control, vulnerability management, logging and monitoring, incident response, and governance applied across all 3DS component types.

Our process

The 3DS Attestation Process

Cianaa’s structured 3DS attestation engagement follows a clear five-phase approach, from scoping through to final ROC delivery and remediation sign-off.

Phase 1

Scoping & Readiness

Identify which 3DS components are in scope, define environment boundaries, and conduct a gap analysis against PCI 3DS requirements.

Phase 2

Documentation Review

Assess policies, procedures, architecture diagrams, data flow documentation, and vendor agreements for compliance evidence.

Phase 3

Technical Testing

Perform hands-on testing of cryptographic controls, network segmentation, access management, and logging against PCI 3DS requirements.

Phase 4

Findings & Remediation

Issue a detailed findings report. Support your team in remediating gaps before final assessment conclusions are drawn.

Phase 5

ROC Delivery

Produce and submit the Report on Compliance (ROC) and Attestation of Compliance (AOC) to card brands and acquirers.

Benefits

Benefits of 3DS Attestation

Beyond satisfying regulatory and card brand requirements, PCI 3DS attestation delivers measurable security and business value.

Card Brand Mandate Compliance

Visa, Mastercard, and other major schemes require 3DS Attestation for ACS and 3DSS operators. Attestation avoids scheme fines and potential transaction blocking.

Reduced Fraud Liability

Attested 3DS authentication shifts chargeback liability from merchants to issuers for fraudulent transactions, directly protecting revenue.

Stronger Authentication Security

The attestation process identifies and remediates weaknesses in your 3DS environment before attackers can exploit authentication flows.

Market Credibility

Third-party vendors with attested 3DS components can demonstrate compliance to prospective clients, accelerating enterprise sales cycles.

Regulatory Alignment

PCI 3DS attestation aligns with SCA (Strong Customer Authentication) requirements under PSD2 in Europe, supporting multi-region compliance strategies.

Operational Resilience

The attestation process surfaces gaps in logging, incident response, and availability controls — improving overall authentication infrastructure reliability.

Why Cianaa

Why Choose Cianaa for 3DS Attestation?

Cianaa’s assessors hold Qualified 3DS Assessor (3DS QSA) status and have conducted assessments across ACS, 3DSS, and DS environments for issuers, processors, and technology vendors across the Asia-Pacific region.

Qualified 3DS Assessors (3DS QSA)

Our team holds active PCI SSC 3DS QSA qualifications, meeting the mandatory requirement for issuing a valid 3DS Report on Compliance.

Deep Technical Expertise

We understand the cryptographic and protocol-level requirements of the 3DS specification — not just the compliance checkbox layer.

Practical Gap Remediation Support

We don’t just identify gaps — we work alongside your engineering and security teams to resolve findings efficiently before final assessment.

Multi-Component Experience

We have assessed ACS, 3DSS, and DS environments across varied technology stacks, cloud platforms, and on-premise deployments.

Asia-Pacific Focus

Based in Australia and New Zealand, we understand regional card scheme requirements and maintain relationships with local acquirers and processors.

Streamlined ROC Delivery

Our structured evidence-gathering process minimises disruption to your operations and ensures on-time delivery of the ROC and AOC.

Complimentary · No Obligation

Free 3DS Attestation Readiness Check

30 minutes with a Qualified 3DS Assessor who’ll scope your environment, identify your 3DS components, and outline what attestation actually involves — no commitment, no sales pitch.

Component scope identification
Gap analysis preview
Indicative cost & timeline
ROC pathway recommendation
Book Your Free Check
3DS QSA-led call 30-min commitment 1 business-day response
FAQ

Frequently Asked Questions

What is the difference between PCI DSS and PCI 3DS?
PCI DSS addresses the security of cardholder data environments — anywhere payment card data is stored, processed, or transmitted. PCI 3DS is a separate, narrower standard that applies specifically to the 3-Domain Secure authentication ecosystem: the 3DS Server, Access Control Server, and Directory Server. Organisations operating 3DS components may be subject to both standards simultaneously, but the requirements, evidence, and assessor qualifications differ.
Is 3DS Attestation mandatory?
Yes, for organisations operating ACS, 3DSS, or DS components in live payment environments. Visa and Mastercard mandate PCI 3DS compliance for these entities. Non-compliance can result in scheme fines, transaction blocking, or removal from network participation. The specific mandate timeline and enforcement mechanism varies by card brand and region — contact us to clarify your obligations.
How long does a 3DS attestation assessment take?
Assessment duration depends on the number of components in scope, the complexity of your environment, and how much pre-assessment remediation is required. A focused single-component assessment (e.g., ACS only) typically takes 4–8 weeks from kick-off to final ROC. Multi-component assessments or environments with significant gaps may take 10–16 weeks. A readiness review at the start of the engagement helps set accurate timelines.
How often do we need to reattest?
PCI 3DS requires annual reattestation. A new Report on Compliance (ROC) must be completed each year. In addition to the annual formal assessment, you must maintain ongoing compliance throughout the year — including timely patching, access reviews, and log monitoring — which Cianaa can support through interim advisory engagements.
Can we attest multiple 3DS components in a single engagement?
Yes. If your organisation operates more than one 3DS component type (for example, both a 3DS Server and an Access Control Server), Cianaa can scope a combined assessment covering all applicable components in a single engagement. This is often more efficient than separate assessments, as shared requirements — such as governance, logging, and incident response — can be assessed once across all components.
What is a Qualified 3DS Assessor (3DS QSA)?
A Qualified 3DS Assessor (3DS QSA) is an individual attested by the PCI SSC to conduct PCI 3DS assessments and issue Reports on Compliance. The 3DS QSA qualification requires passing PCI SSC training and examinations specific to the 3DS standard. Organisations must engage a 3DS QSA to produce a valid ROC — self-assessment is not permitted for PCI 3DS. Cianaa’s assessors hold active 3DS QSA qualifications.
Get started

Ready to Pursue 3DS Attestation?

Speak with a Qualified 3DS Assessor to scope your assessment, understand your obligations, and map a clear path to attestation.

3DS QSA-qualified · APAC focus · 1 business-day response

Continue your PCI 3DS journey

All 3DS services →
Risk

PCI 3DS Risk Management

Build a defensible risk management programme that satisfies PCI 3DS requirements at attestation time.

View service
Experts

PCI 3DS Compliance Experts

Meet Cianaa’s Qualified 3DS Assessors and learn how we approach ACS, 3DSS, and DS engagements.

Meet the team
PCI DSS

What is PCI Compliance?

Already running PCI 3DS components? You’re likely subject to PCI DSS too. Start here for the complete picture.

Read the guide