PCI 3DS Compliance Experts

PCI 3DS Compliance Experts: Qualified 3DS Assessors for ACS, 3DSS & DS

Cianaa’s team of Qualified 3DS Assessors (3DS QSAs) brings deep technical expertise across the full 3DS authentication stack — from certification through to ongoing risk management and remediation support.

3DS QSA + QSA qualified
All 3 component types
APAC focus
PCI SSC Listed
Team credentialsQualified 3DS QSAs
Multi-Cert Team
3DS QSA · QSA · CISM · CISA
3DS QSA
PCI 3DS Assessor
QSA
PCI DSS Assessor
CISM
Info Sec Mgmt
CISA
IT Audit
Only a 3DS QSA can issue a valid PCI 3DS ROC
Combined PCI DSS + 3DS
One coordinated engagement
Trusted by payment authentication teams across APAC
SparkDatacomInland RevenueVodafoneHumm GroupCCLFidelityIllionPlan BXplore
Why credentials matter

PCI 3DS Compliance Experts You Can Trust

Our assessors hold active 3DS QSA qualifications issued by the PCI Security Standards Council — the only qualification that authorises the issuance of a PCI 3DS Report on Compliance. Self-assessment is not permitted under PCI 3DS — only a 3DS QSA can write and validate the ROC.

3DS QSA

Qualified 3DS Assessor (3DS QSA) Certification

Our assessors hold active 3DS QSA qualifications issued by the PCI Security Standards Council — the only qualification that authorises the issuance of a PCI 3DS Report on Compliance.

QSA

Qualified Security Assessor (QSA) Qualification

Our team also holds PCI DSS QSA qualifications, enabling integrated assessments that address both PCI DSS and PCI 3DS obligations simultaneously for in-scope organisations.

CISM

Information Security Management Expertise

Certified Information Security Managers on the team bring governance, risk, and control expertise that strengthens risk management and policy outputs for 3DS programmes.

CISA

IT Audit & Assurance Background

Certified Information Systems Auditors with audit methodology experience ensure evidence collection and testing procedures are rigorous and defensible.

Areas of expertise

Areas of 3DS Compliance Expertise

Our 3DS experts cover the full scope of PCI 3DS requirements — from technical cryptographic controls to governance and risk management frameworks.

Cryptographic Security

Deep expertise in the cryptographic requirements underpinning 3DS authentication — key lifecycle management, HSM controls, authentication value (AV) generation, and algorithm compliance for ACS environments.

3DS Protocol Architecture

Hands-on knowledge of the EMVCo 3DS Core Specification v2.x — including message flows between 3DSS, DS, and ACS components, TLS mutual authentication, and API security controls.

Network & Infrastructure Security

Assessment of network segmentation, firewall architecture, intrusion detection, and cloud or on-premise infrastructure controls for all three 3DS component environments.

Risk Management

Design and execution of formal PCI 3DS risk assessments, risk register development, treatment planning, and management sign-off support — aligned to ISO 27005 and NIST methodologies.

Penetration Testing

Coordinating and reviewing penetration testing of 3DS environments to meet PCI 3DS requirements — including scope definition, methodology alignment, and findings remediation support.

Governance & Policy

Development and review of security policies, incident response plans, vendor management frameworks, and security awareness programmes required under PCI 3DS governance obligations.

Services

3DS Compliance Services from Cianaa

From initial readiness through to final ROC delivery and year-round advisory support, our 3DS experts cover every stage of your compliance journey.

PCI 3DS Certification Assessment

Full formal assessment of your ACS, 3DSS, or DS environment against the PCI 3DS Standard, culminating in a Report on Compliance (ROC) and Attestation of Compliance (AOC) issued by a Qualified 3DS Assessor.

Learn about 3DS Certification

3DS Readiness & Gap Assessment

A pre-assessment review of your 3DS environment against PCI 3DS requirements, identifying gaps and producing a prioritised remediation roadmap before the formal certification assessment begins.

Enquire about readiness review

PCI 3DS Risk Management

Design and execution of your mandatory PCI 3DS risk assessment programme — including asset identification, threat analysis, risk register development, treatment planning, and management sign-off support.

Learn about 3DS Risk Management

Remediation Advisory

Hands-on technical advisory support to help your engineering and security teams remediate gaps identified during readiness reviews or formal assessments — reducing time to certification.

Enquire about remediation support

Ongoing Compliance Retainer

Year-round advisory support to maintain your 3DS compliance posture — monitoring regulatory changes, providing guidance on environment changes, and preparing documentation for annual reassessment.

Enquire about retainer options

Combined PCI DSS + 3DS Assessments

Integrated assessments covering both PCI DSS and PCI 3DS obligations in a single coordinated engagement — reducing duplication, cost, and disruption for organisations subject to both standards.

Learn about PCI DSS Assessments
Who we work with

Organisations We Work With

Our PCI 3DS compliance experts work with a wide range of organisations operating 3DS components — from global card issuers to fintech vendors building 3DS technology products.

Card-Issuing Banks

Banks operating Access Control Servers for cardholder authentication must certify their ACS annually. We guide issuers through the full certification and ongoing compliance cycle.

Payment Processors

Processors operating 3DS Server environments for merchants require PCI 3DS certification. We assess 3DSS environments and support processors in meeting card brand mandates.

Directory Server Operators

Organisations running Directory Servers for routing 3DS authentication messages require a separate DS certification. Our experts assess DS environments against PCI 3DS DS requirements.

Fintech & Technology Vendors

Technology companies building 3DS Server or ACS products for commercial sale work with us to certify their platforms — a critical step in gaining enterprise client adoption.

Payment Service Providers

PSPs offering 3DS-enabled payment services to merchants need to certify the 3DS components in their hosted environments. We scope and assess PSP 3DS environments efficiently.

Asia-Pacific Organisations

Based in Australia and New Zealand, we serve organisations across the Asia-Pacific region navigating both PCI 3DS requirements and regional regulatory overlays like APRA and RBNZ obligations.

How we engage

How We Engage

From first contact to final ROC delivery, our process is structured to minimise disruption to your operations and deliver certification efficiently.

Step 1

Initial Discovery Call

We discuss your environment, component types in scope, timelines, and any known gaps to scope the right engagement for your situation.

Step 2

Readiness Review

Optional but recommended — a gap analysis against PCI 3DS requirements to identify issues before the formal assessment begins, reducing rework and delay.

Step 3

Formal Assessment

Documentation review, technical testing, and interviews conducted by Qualified 3DS Assessors against the full PCI 3DS Standard for each in-scope component.

Step 4

Remediation Support

We support your team in addressing findings before conclusions are finalised — providing technical guidance and reviewing evidence of remediation.

Step 5

ROC & AOC Delivery

Final Report on Compliance and Attestation of Compliance issued and submitted to the relevant card brands, acquirers, or payment networks.

What sets us apart

What Sets Our 3DS Experts Apart

3DS QSA-Qualified, PCI SSC Listed

Our assessors are formally qualified by the PCI SSC and Cianaa is listed as an approved 3DS Assessor company — a non-negotiable requirement for valid ROC issuance.

Technical Depth, Not Just Process

We assess cryptographic controls, protocol implementations, and network architecture at a technical level — not just documentation compliance.

All Three Component Types

Experience assessing ACS, 3DSS, and DS environments means we can handle combined assessments and understand inter-component dependencies.

Remediation-Oriented Approach

We work with your team to fix issues — not just report them. This partnership approach gets clients to certification faster with less friction.

Integrated PCI DSS + 3DS Capability

Holding both QSA and 3DS QSA qualifications, we can run combined assessments that satisfy both PCI DSS and PCI 3DS requirements in a single coordinated engagement.

Local Knowledge, Global Standards

Asia-Pacific based with deep understanding of how global PCI standards interact with APRA, RBNZ, and regional card scheme requirements for local clients.

Complimentary · No Obligation

Talk to a Qualified 3DS Assessor

30 minutes with a 3DS QSA who’ll review your environment, identify the right service path (certification / readiness / risk / remediation), and map out a realistic engagement — no commitment, no sales pitch.

Component scope identification
Right service path recommendation
Combined PCI DSS + 3DS option
Indicative cost & timeline
Book Your Free Discovery Call
3DS QSA-led call 30-min commitment 1 business-day response
FAQ

Frequently Asked Questions

What is a Qualified 3DS Assessor (3DS QSA) and why does it matter?
A Qualified 3DS Assessor (3DS QSA) is an individual certified by the PCI Security Standards Council (PCI SSC) to conduct formal PCI 3DS assessments and issue Reports on Compliance. Unlike PCI DSS, PCI 3DS does not permit self-assessment — organisations must engage a 3DS QSA from a PCI SSC-approved company to produce a valid ROC. Cianaa’s assessors hold active 3DS QSA qualifications, maintained through annual training and renewal.
Can you assess all three 3DS component types — ACS, 3DSS, and DS?
Yes. Cianaa has experience assessing all three PCI 3DS component types: the Access Control Server (ACS), the 3DS Server (3DSS), and the Directory Server (DS). Each component type has distinct requirements under the PCI 3DS Standard, and our assessors have hands-on experience with each. For organisations operating multiple component types, we can scope a combined assessment covering all in-scope components efficiently.
How do you approach combined PCI DSS and PCI 3DS assessments?
Many organisations subject to PCI 3DS are also within scope for PCI DSS — particularly issuers, processors, and PSPs. Our team holds both QSA and 3DS QSA qualifications, enabling integrated assessments that address both standards in a single coordinated engagement. We identify overlapping requirements and shared evidence, reducing duplication and the overall time your team spends on compliance activities.
How long does a PCI 3DS assessment typically take?
Assessment duration depends on the number of components in scope, environment complexity, and the level of readiness at engagement start. A single-component assessment typically takes 4–8 weeks from kick-off to final ROC. Multi-component assessments or environments with significant gaps may take 10–16 weeks. We recommend starting with a readiness review to identify gaps early and set accurate timeline expectations.
Do you offer support between annual assessments?
Yes. Maintaining compliance throughout the year — not just at assessment time — is critical for PCI 3DS. We offer ongoing advisory retainers that include guidance on environment changes, triggered risk reassessments, policy and procedure reviews, and preparation of documentation for the next annual cycle. Many clients find ongoing support reduces the effort and cost of each annual assessment by maintaining a continuously audit-ready state.
Are you able to work with organisations outside Australia and New Zealand?
Yes. While Cianaa is headquartered in Australia and New Zealand and has deep knowledge of Asia-Pacific regulatory requirements, we work with organisations across the region and internationally. PCI 3DS is a global standard, and our assessors are qualified to conduct assessments for any organisation subject to PCI SSC standards regardless of geography. Please contact us to discuss your location and engagement requirements.
Start the conversation

Talk to a PCI 3DS Compliance Expert Today

Whether you’re starting your first 3DS certification or looking for ongoing compliance support, our Qualified 3DS Assessors are ready to help.

3DS QSA + QSA qualified · APAC focus · 1 business-day response

Explore our PCI 3DS services

All 3DS services →
Certification

3DS Certification

Achieve formal PCI 3DS certification for your ACS, 3DSS, or Directory Server environment.

View service
Risk

PCI 3DS Risk Management

Build and maintain a defensible risk management programme that satisfies PCI 3DS requirements.

View service
PCI DSS

PCI Compliance Assistance

QSA-led, end-to-end PCI DSS compliance assistance — from gap assessment to certified AOC.

View service