3DS Attestation: Validate Your 3-Domain Secure Environment
Achieve formal PCI 3DS attestation for your Access Control Server, 3DS Server, or Directory Server — and demonstrate compliance with EMVCo and card brand requirements.
What Is 3DS Attestation?
3DS Attestation is the formal process by which 3-Domain Secure (3DS) system components — including the 3DS Server (3DSS), Access Control Server (ACS), and Directory Server (DS) — are independently tested and validated against the EMVCo 3DS Core Specification and the PCI 3DS Security Standard.
The PCI Security Standards Council (PCI SSC) established the PCI 3DS Standard to address security risks specific to the 3DS authentication ecosystem. Unlike PCI DSS, which covers cardholder data environments broadly, PCI 3DS focuses narrowly on the infrastructure that handles 3DS authentication data — a high-value target for attackers seeking to intercept or manipulate authentication flows.
Attestation is performed by a Qualified 3DS Assessor (3DS QSA) and results in a Report on Compliance (ROC) submitted to the relevant payment networks or acquirers. Only 3DS QSAs can write and validate the ROC.
Who Needs 3DS Attestation?
Any organisation that operates 3DS components in a live payment authentication environment is required to complete PCI 3DS attestation. This includes:
Access Control Server (ACS) Operators
Issuers and processors that operate an ACS to authenticate cardholders during 3DS transactions must attest the ACS environment annually.
3DS Server (3DSS) Operators
Merchants and payment service providers running a 3DS Server to initiate authentication requests must attest the 3DSS environment.
Directory Server (DS) Operators
Payment network operators and processors running a DS to route authentication requests between 3DS Servers and ACS components require attestation.
Card-Issuing Banks & Financial Institutions
Banks issuing co-branded or proprietary cards using 3DS authentication for online transactions must attest their ACS implementations.
Payment Processors & Acquirers
Processors who integrate 3DS components into their hosted payment environments need attestation to satisfy card brand mandates.
Third-Party 3DS Technology Vendors
Technology providers whose software products implement 3DS Server or ACS functionality for multiple clients often seek independent attestation to commercialise their solutions.
What Does a 3DS Attestation Cover?
The PCI 3DS attestation scope is defined by the component type. Each component has its own set of security requirements addressing data protection, access control, network security, and protocol integrity.
Access Control Server (ACS)
Cardholder authentication, cryptographic key management, authentication value (AV) generation, and HSM controls — the security backbone of 3DS authentication for issuers.
3DS Server (3DSS)
Authentication request initiation, secure session handling, message integrity, and TLS mutual authentication with Directory Server endpoints.
Directory Server (DS)
Message routing between 3DSS and ACS, attestation management, network availability, and protocol-level integrity controls.
Shared Requirements (All Components)
Network security, access control, vulnerability management, logging and monitoring, incident response, and governance applied across all 3DS component types.
The 3DS Attestation Process
Cianaa’s structured 3DS attestation engagement follows a clear five-phase approach, from scoping through to final ROC delivery and remediation sign-off.
Scoping & Readiness
Identify which 3DS components are in scope, define environment boundaries, and conduct a gap analysis against PCI 3DS requirements.
Documentation Review
Assess policies, procedures, architecture diagrams, data flow documentation, and vendor agreements for compliance evidence.
Technical Testing
Perform hands-on testing of cryptographic controls, network segmentation, access management, and logging against PCI 3DS requirements.
Findings & Remediation
Issue a detailed findings report. Support your team in remediating gaps before final assessment conclusions are drawn.
ROC Delivery
Produce and submit the Report on Compliance (ROC) and Attestation of Compliance (AOC) to card brands and acquirers.
Benefits of 3DS Attestation
Beyond satisfying regulatory and card brand requirements, PCI 3DS attestation delivers measurable security and business value.
Card Brand Mandate Compliance
Visa, Mastercard, and other major schemes require 3DS Attestation for ACS and 3DSS operators. Attestation avoids scheme fines and potential transaction blocking.
Reduced Fraud Liability
Attested 3DS authentication shifts chargeback liability from merchants to issuers for fraudulent transactions, directly protecting revenue.
Stronger Authentication Security
The attestation process identifies and remediates weaknesses in your 3DS environment before attackers can exploit authentication flows.
Market Credibility
Third-party vendors with attested 3DS components can demonstrate compliance to prospective clients, accelerating enterprise sales cycles.
Regulatory Alignment
PCI 3DS attestation aligns with SCA (Strong Customer Authentication) requirements under PSD2 in Europe, supporting multi-region compliance strategies.
Operational Resilience
The attestation process surfaces gaps in logging, incident response, and availability controls — improving overall authentication infrastructure reliability.
Why Choose Cianaa for 3DS Attestation?
Cianaa’s assessors hold Qualified 3DS Assessor (3DS QSA) status and have conducted assessments across ACS, 3DSS, and DS environments for issuers, processors, and technology vendors across the Asia-Pacific region.
Qualified 3DS Assessors (3DS QSA)
Our team holds active PCI SSC 3DS QSA qualifications, meeting the mandatory requirement for issuing a valid 3DS Report on Compliance.
Deep Technical Expertise
We understand the cryptographic and protocol-level requirements of the 3DS specification — not just the compliance checkbox layer.
Practical Gap Remediation Support
We don’t just identify gaps — we work alongside your engineering and security teams to resolve findings efficiently before final assessment.
Multi-Component Experience
We have assessed ACS, 3DSS, and DS environments across varied technology stacks, cloud platforms, and on-premise deployments.
Asia-Pacific Focus
Based in Australia and New Zealand, we understand regional card scheme requirements and maintain relationships with local acquirers and processors.
Streamlined ROC Delivery
Our structured evidence-gathering process minimises disruption to your operations and ensures on-time delivery of the ROC and AOC.
Free 3DS Attestation Readiness Check
30 minutes with a Qualified 3DS Assessor who’ll scope your environment, identify your 3DS components, and outline what attestation actually involves — no commitment, no sales pitch.
Frequently Asked Questions
What is the difference between PCI DSS and PCI 3DS?
Is 3DS Attestation mandatory?
How long does a 3DS attestation assessment take?
How often do we need to reattest?
Can we attest multiple 3DS components in a single engagement?
What is a Qualified 3DS Assessor (3DS QSA)?
Ready to Pursue 3DS Attestation?
Speak with a Qualified 3DS Assessor to scope your assessment, understand your obligations, and map a clear path to attestation.
Continue your PCI 3DS journey
All 3DS services →PCI 3DS Risk Management
Build a defensible risk management programme that satisfies PCI 3DS requirements at attestation time.
View servicePCI 3DS Compliance Experts
Meet Cianaa’s Qualified 3DS Assessors and learn how we approach ACS, 3DSS, and DS engagements.
Meet the teamWhat is PCI Compliance?
Already running PCI 3DS components? You’re likely subject to PCI DSS too. Start here for the complete picture.
Read the guide







