PCI 3DS Audit

PCI 3DS v1.0: the standard that strengthens the security of the EMV® 3‑D Secure ecosystem.
It protects critical processes, sensitive data, and user authentication with robust controls designed for ACS, DS, and 3DS Server. A foundational requirement to ensure secure and trustworthy digital transactions.

The PCI 3DS v1.0 (2017) standard, published by the PCI SSC, establishes the security requirements and assessment procedures for the main components of the EMV® 3‑D Secure ecosystem: ACS, DS, and 3DS Server. This framework defines both the physical and logical controls needed to protect critical authentication functions, as well as the associated processes and data. The standard is structured into two sections: the baseline security requirements for the 3DS environment and the specific requirements aimed at safeguarding the processes and information managed by participating entities.

Phases of the 3DS Audit

Phase I: Preparation and Kick‑off

Stage I: Audit Preparation

The objective of this phase is to structure and plan all activities associated with the audit and to develop an initial audit plan, which must later be reviewed and approved by the parties involved.

A preliminary audit schedule will be presented below, along with a sample work agenda, which will serve as a reference for organizing and coordinating the planned tasks.

Once this initial audit plan has been defined and validated, a date will be proposed for the kick‑off meeting, during which the start of the process will be formalized and the objectives, expectations, and responsibilities of all participants will be aligned.

Stage II: Kick‑off Meeting

The date on which this meeting is held will be considered the official start of the audit. In addition, three key objectives will be addressed during the session:

  • Confirm the final scope of the audit, ensuring that it aligns with what has been defined and expected by all parties.

  • Present and explain the phases of the audit process to all participants, ensuring a shared understanding of the approach and planned activities.

  • Finalize the audit plan and identify key stakeholders, defining responsibilities and points of contact to ensure the proper execution of the work.

Phase II: Audit

Stage I: Document Review

This stage involves a thorough examination of the regulatory framework applicable to the 3DS environment, including policies, procedures, operational guidelines, reports, and any other relevant documentation.

To ensure the proper execution of this phase, it is essential to have all current regulatory documentation available from the beginning of the audit.

As a result of this stage, any potential non‑conformities related to the PCI 3DS regulatory framework will be identified.

 

Stage II: Procedural Review

In this stage, the main objective is to validate—through data‑gathering meetings—that the procedures described in the documentation developed to meet the applicable 3DS requirements are being executed correctly and in accordance with what has been established.

The outcome of this stage will be the identification of any potential non‑conformities related to the execution of the 3DS‑related procedures within the scope of the audit.

Stage III: Technical Reviews

The objective of this stage is to validate—through technical reviews—that the configurations described in the documentation developed to meet the applicable 3DS requirements, and which apply to the assessed organizations, are correctly implemented.

As in the procedural review stage, the execution of the technical reviews must be carried out in accordance with the established audit plan.

 

Stage IV: Follow‑up and Remediation of Non‑Conformities

At the end of each audit stage, a follow‑up sheet will be sent containing all identified non‑conformities. Once the audit has been completed, and depending on the receipt of remediation evidence, updated versions of the follow‑up sheet will be issued.

Phase III: Development of Compliance Documentation

Stage I: Development of Compliance Documentation

This stage begins once all non‑conformities identified during the audit process have been resolved. Its purpose is to complete all documentation required to formally validate compliance, including:

  • Report on Compliance (RoC)

  • Attestation of Compliance (AoC)

Both documents constitute the final evidence of compliance and will be prepared in accordance with the requirements established for certification.

Etapa II: QA de Documentos de Cumplimiento

Una vez finalizada la elaboración de los documentos relativos a la validación del cumplimiento. Se realizará una revisión independiente para verificar que dichos documentos cumplen los estándares de calidad establecidos.

Fase IV: Entrega de Resultados

All documentation demonstrating compliance with the 3DS requirements within the defined audit scope will be delivered.

What Our Clients Say


At Grupo AR, we highly value the brand protection service provided by Internet Security Auditors for its comprehensive and proactive approach. Their highly qualified team enables us to identify and mitigate risks that could affect the AR Construcciones brand and its different companies. Many thanks for your support!
Nestor Ivan Melo Ballen
Director of Cybersecurity
Grupo AR
As CEO of Beruby, we worked with Internet Security Auditors when we urgently needed to complete a PCI DSS Attestation of Compliance. The entire process was extremely fast, efficient, and professional. Their team provided us with excellent support, demonstrating strong technical expertise and a high level of commitment. Without a doubt, we recommend their services to any company in need of cybersecurity solutions.
Miguel Acosta
Global CEO
Beruby
At Grupo Arbulu, we have worked closely with Internet Security Auditors on the implementation of advanced cybersecurity measures. Thanks to their expertise, we have significantly strengthened our ability to detect and mitigate cyber risks. Their thorough audits and tailored solutions have reinforced our security infrastructure, ensuring the protection of our data and the continuity of our operations.
Marcos Montes de Oca
CIO
Grupo Arbulu
As CISO at Intaremit S.A., the importance we place on logical security is extremely high. Not only because the PCI‑CPP standard requires us to perform four internal and external vulnerability scans and an annual internal and external penetration test, but also because of the security and peace of mind our company aims to provide to each and every one of our customers.We have been working and collaborating with IsecAuditors for more than 10 years thanks to their experience, commitment, and close support, and I therefore recommend them without hesitation.
Sergio Sainz de la Maza
CISO
Intaremit S.A.
As CFO of Fleurop – Interflora Spain, we have been working with Internet Security Auditors for years in the areas of consulting and GDPR compliance. As Interflora is a company fully oriented toward online commerce, the professional services provided by ISEC Auditors give us the support, security, and peace of mind that all our activities remain aligned with GDPR requirements.
Francisco Tébar Prada
CFO Southern Europe (Spain, Italy, Portugal and Romania)
Fleurop - Interflora España
As CFO of Saint Louis University – Madrid Campus, I have had the opportunity to work with Internet Security Auditors, S.L. They have been an indispensable partner in implementing the requirements established by GDPR: preparing the record of processing activities, developing privacy policies, drafting the necessary data‑protection agreements with our service providers, and complementing all of this with thorough training for our staff—an essential element to ensure full compliance with the law. I would like to highlight their availability to address questions and their ability to translate the legal framework into concrete and understandable actions. Their periodic internal audits are efficient and allow us to stay up to date, correcting any deviations in a timely manner.I highly recommend Internet Security Auditors, S.L. to anyone seeking a successful implementation and ongoing oversight of personal data protection within their organization. 
Victoria Villarreal Palazón
Vice-Rector & Associate Vice President Chief Financial Officer
Saint Louis University, Spain
Working with Internet Security Auditors has been a positive experience in every respect. Their team combines strong technical expertise with a great willingness to collaborate, which has strengthened our security posture and regulatory compliance.
Andres Mejia
Head of GRC
PAYVÁLIDA
On behalf of Outsourcing SAS BIC, we would like to express our sincere appreciation for the commitment, professionalism, and dedication demonstrated throughout the implementation of the PCI DSS compliance project in our call center. Thanks to your expertise and guidance at every stage of the process, we were able to establish a secure environment that meets the industry’s most demanding payment‑security requirements, significantly strengthening our security controls and data‑protection practices. We especially value your team’s willingness to provide clear solutions, effective training, and smooth communication, all of which were key to achieving our objectives on time and with full confidence.
Yulian Colmenares
Information Security Officer
OUTSOURCNG SAS BIC
Working with Internet Security Auditors has been a highly satisfactory experience. Their support throughout our migration to the ISO/IEC 27001:2022 standard, the execution of internal audits, and the PCI DSS certification process has been essential in strengthening our information security management system. We especially value the professionalism and interpersonal skills of their team, which have made this collaboration a relationship of trust and great value for Neurona.
Ricardo Andrés Cárdenas Galvis
Information Security and Continuity Officer
Neurona
The strategic support provided by Internet Security Auditors as our CISOaaS has been essential in strengthening our internal team. Their expertise perfectly complements the work of our CISO and has enabled us to accelerate the maturity of our cybersecurity program.
CISO
RACC

Do not hesitate to contact us if you need more information

Send us your questions and we will get in touch with you as soon as possible.

CAPTCHA