0 Product
Provider (ACS) Pre-Implementation
Guide and Checklist
Version 1.0
14 SEP 2018
Visa Confidential
Important Information on Confidentiality and Copyright
This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or
disclosed, in whole or in part, to merchants, cardholders or any other person without prior written
permission from Visa.
The trademarks, logos, trade names and service marks, whether registered or unregistered (collectively
the “Trademarks”) are Trademarks owned by Visa. All other trademarks not attributed to Visa are the
property of their respective owners.
THIS GUIDE IS PROVIDED ON AN "AS IS,” “WHERE IS,” BASIS, “WITH ALL FAULTS” KNOWN AND
UNKNOWN. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, VISA EXPLICITLY
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, REGARDING THE LICENSED WORK AND TITLES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
AND NON-INFRINGEMENT.
Note: This document is not part of the Visa Rules. In the event of any conflict between any content in
this document, any document referenced herein, any exhibit to this document, or any communications
concerning this document, and any content in the Visa Rules, the Visa Rules shall govern and control.
Contents
Introduction
Overview
Audience
Scope
Document Organization
To Learn More
Contact Information
1 Prerequisites
1.1 Complete EMVCo 3DS Testing
1.2 Sign Visa’s 3DS Program Agreement
1.3 Obtain a Visa Business ID
2 Visa Security Requirements
2.1 PCI 3DS and PCI DSS Compliance
2.2 Visa’s 3DS Security Program
3 Visa 3DS 2.0 Product Testing
3.1 Application Package
3.2 Product Provider Registration
3.3 Test Analyst Review
3.4 Granting Access
3.5 Testing ACS Software
3.6 Approval Process
3.7 Next Steps
4 Digital Certificates
4.1 Overview
4.2 Certificate Request
4.3 Certificate Request Review
4.4 Certificate Issuance
5 Begin Implementation
Introduction
Visa’s 3DS 2.0 Product Provider implementation process involves 4 groups of activities:
Overview
Visa ACS Pre-Implementation activities will vary depending on the ACS implementation type.
ACS Pre-Implementation Activity | Hosting Service Provider | ACS Software Vendor | Issuer Buys | Issuer Builds
Visa 3DS 2.0 Product Testing Required | YES | YES | YES | YES
Definitions
• ACS Hosting Service Provider is a Product Provider that develops and provides ACS hosted
services for End Users.
• ACS Product Provider is a company, entity, or individual that develops and/or operates ACS
software. Examples of an ACS Product Provider can include: an ACS Server Hosting Service
Provider, an ACS Software Vendor, or an Issuer building their own ACS.
• ACS Software Vendor is a Product Provider that develops ACS software to sell to End Users
(e.g., Issuers, or Issuer Processors).
• Issuer Buys is a Visa financial institution that buys their ACS software from an ACS Software
Vendor.
• Issuer Builds is a Visa financial institution that develops ACS software for Issuer’s own use.
1 When buying 3rd Party ACS software, an Issuer must use ACS software that has successfully completed BOTH EMVCo 3DS
Testing and Visa 3DS 2.0 Product Testing. Issuers are reminded to request copies of EMVCo and Visa Approval/Compliance
Letters as proof from the ACS Software Vendors that EMVCo and Visa 3DS 2.0 Product Testing has been completed. 3DS
software that has successfully completed testing is also listed on EMVCo’s Approved 3DS Product List and Visa’s 3DS
Compliant Product List respectively.
Audience
This Pre-Implementation Guide and Checklist is intended for ACS Product Providers, including Hosting
Service Providers and Software Providers, who are developing 3DS 2.0 software to connect with Visa’s 3DS
2.0 Directory Server. A separate Pre-Implementation Guide and Checklist is available for 3DS Server
Product Providers.
Scope
This Access Control Server (ACS) Product Provider Pre-Implementation Guide and Checklist provides
an overview of ACS PRE-IMPLEMENTATION activities that parties creating 3DS 2.0 ACS software need
to satisfy BEFORE a Visa 3DS 2.0 implementation project can begin.
The activities in Visa’s Pre-Implementation phase are designed to ensure that a Product Provider’s ACS
software
• Complies with EMV 2 3DS 2.0 specification
• Complies with Visa security requirements, and
• Complies with Visa’s 3DS 2.0 Program requirements
Visa’s Pre-Implementation requirements must be satisfied before a Product Provider’s 3DS 2.0 product
can be used to connect to Visa’s 3DS 2.0 Directory Server.
2 EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries.
Document Organization
This ACS Pre-Implementation Guide and Checklist is organized into the following sections, one for
each group of Pre-Implementation activities:
• Prerequisites
• Visa Security Requirements
• Visa 3DS 2.0 Product Testing
• Digital Certificates
• Next Steps
• Appendix with Checklists
To Learn More
More information about 3DS 2.0 can be found on the links below:
• Visit EMVCo’s website for more information on EMVCo’s 3DS specifications or EMVCo’s 3DS
Product Approval Process.
• Visit Visa Technology Partner website for more information on Visa’s 3DS 2.0 program and Visa’s
3DS 2.0 Product Testing.
Contact Information
1 Prerequisites
BEFORE any Visa Pre-Implementation activity can begin, an ACS Product Provider must complete the
following activities:
• Complete EMVCo 3DS Testing
• Sign Visa Agreement
• Obtain a Visa Business ID 3
1.1 Complete EMVCo 3DS Testing
An ACS Product Provider must complete EMVCo 3DS Testing before Visa 3DS 2.0 Product Testing can
begin. When a Product Provider’s ACS software successfully completes EMVCo’s 3DS Testing, the
Product Provider will:
• Receive a Letter of Approval (LOA)
• Receive an EMVCo ACS Reference Number
1.2 Sign Visa’s 3DS Program Agreement
ACS Software Vendors must sign Visa’s 3DS Product Provider Agreement to participate in Visa’s 3DS
Security Program.
ACS Hosting Service Providers must sign Visa’s Approved Program Agreement for 3DS Security
Program to participate in Visa’s 3DS Security Program.
The Visa Approved Program Agreement for 3DS Security Program is noted here to ensure that an ACS
Product Provider not already participating in Visa’s 3DS Security Program begins this activity early. The
application process for Visa’s 3DS Security Program is described in Chapter 2.
ACS Hosting Service Providers who have already signed Visa’s Approved Program Agreement for 3DS
Security Program and who are already participating in Visa’s 3DS Security Program are listed on Visa’s
Global Registry of Service Providers; filter by Validation Type “ACS” and Service Provider Type “ACS
Vendor”.
1.3 Obtain a Visa Business ID
For an ACS Service Provider 4, a Visa BID is assigned as part of Visa’s 3rd Party Agent Registration
process. Visa’s 3rd Party Agent Registration process, which is facilitated by the issuer, is also a step in
Visa’s 3DS Security Program. The Visa Business ID is provided once the ACS Service Provider receives
their PCI Attestation of Compliance (AOC) and sends its confirmation to Visa’s 3rd Party Agent
Registration.
2 Visa Security Requirements
• Must comply with PCI 3DS Core Security Requirements and PCI DSS Security Requirements AND
• Must participate in Visa’s 3DS Security Program (described below).
ACS Service Providers must provide proof that they have completed and are current with Visa Security
Requirements before Visa 3DS 2.0 Product Testing can begin.
PCI Security Requirements can be found on PCI Security Standards Council website
• Use Filter by “3DS” to locate PCI 3DS Core Security Requirements and related files
• Use Filter by “PCI DSS” to locate PCI DSS Security Requirements and related files
ACS Service Providers who are compliant with Visa security requirements will need to have a current
and valid PCI 3DS Core Attestation of Compliance (AOC) showing:
• Part 1 – 3DS Entity and 3DS Assessor Info is completed
• Part 2a – For PCI DSS AOC: Type of service(s) assessed. 3-D Secure Hosting Provider is checked
• Part 2a – For PCI 3DS AOC: 3DS function(s) assessed. Access Control Server (ACS)
• Part 3 – Report on Compliance (ROC) date is current (i.e., not expired)
• Part 3 – Compliant checkbox is “checked”
• Part 3b – 3DS Entity Attestation is signed and dated
• Part 3c – 3DS Assessor Acknowledgement is signed and dated
PCI 3DS Core AOCs that do not satisfy these criteria OR show an expired date in Part 3 are not current
or valid PCI 3DS AOCs, and do not satisfy Visa’s Security Requirements.
5 For Issuers using a Hosted ACS Service Provider, the Hosted ACS Service Provider is responsible for PCI assessments and
certification.
6 Issuers developing their Own ACS Software Solution or using an Integrated ACS Approach for authentication are
responsible for their own PCI compliance; a PCI assessment is not required prior to Visa 3DS 2.0 Product Testing.
2.2 Visa’s 3DS Security Program
ACS Service Providers not already participating in Visa’s 3DS Security Program can apply by sending a
letter to their regional Visa Risk Representative expressing their intent to participate in the Visa 3DS
Security Program.
• Canada/LAC/U.S.: AVPAmericas@visa.com
• AP/CEMEA: ACS@visa.com
• Europe: Europe3DS@visa.com
Process Overview
• In response to the email, the regional Visa Risk Representative will send a 3DS application
package.
• The ACS Service Provider must complete the application package and return the completed
application to Visa for review.
• The Visa Risk Representative reviews the submitted documents to confirm that the ACS Service
Provider meets Visa’s 3DS Security Program requirements to proceed with the application process,
and responds to the applicant.
• If the application package is approved, the ACS Service Provider will schedule an On-site
Security Assessment. An On-site Security Assessment is performed by a Qualified Security
Assessor (QSA).
A list of PCI approved 3-D Secure Security assessors (PCI 3DS QSA) can be found on
https://www.pcisecuritystandards.org/
• Once the 3DS security assessment is completed and Visa has received the PCI 3DS Report of
Compliance (ROC) and Attestation of Compliance (AOC), Visa will provide Visa’s Approved
Program Agreement for 3DS Security Program for signing.
• Upon execution of the Approved Program Agreement for 3DS Security Program, Visa provides a
Letter of Approval and will add the ACS Service Provider to the Global Registry of Service
Providers at the next monthly update.
3 Visa 3DS 2.0 Product Testing
3.1 Application Package
The Product Provider must prepare a Visa 3DS 2.0 Product Testing application package to initiate Visa
3DS 2.0 Product Testing.
3.1.1 Contents
The Visa 3DS 2.0 Product Testing application package for an ACS must include:
• COPY OF EMVCo Letter of Approval (LOA) with the corresponding EMVCo Reference Number
for the Product Provider’s ACS that will be tested.
• COPY OF PCI 3DS AOC AND/OR PCI DSS AOC (if software will be connecting to Visa’s DS)
• SIGNED COPY OF Visa 3DS Product Provider Agreement (ACS Software Vendors ONLY)
• COPY OF Visa’s 3DS Annual Letter of Approval 7 from Visa’s 3DS Security Program.
• INCLUDE Visa Business ID in the application package email.
3.2 Product Provider Registration
Use the Visa 3DS Test Suite to register the Product Provider and the ACS software with Visa.
• Click on the ‘Click here to enroll’ link on the Login page to access the Enrollment page.
• The following information is needed to complete registration:
- Visa Business ID and
- EMVCo Reference Number
• When done, select the Submit button to send the completed registration to Visa.
Incomplete application packages or incomplete registrations will delay the process or will not be
processed.
8 The Visa 3DS Test Suite User Guide is located on the left-navigation bar of the Visa 3DS Test Suite after login.
• When ready, the Product Provider submits Test Results to a Visa Test Analyst for evaluation.
• The Visa Test Analyst confirms that the tests were successfully performed.
• The Visa Test Analyst prepares an Approval Letter for the Product Provider whose 3DS Product
successfully completes testing. This Approval Letter will include an Approval ID.
• The Product Provider’s 3DS Product is added to Visa’s 3DS 2.0 Compliant Vendor Software List
which is located on the Visa Technology Partner Website.
3.7 Next Steps
For Software Vendors who only plan to license their 3DS 2.0 ACS software to issuers or other 3rd
parties to operate, use, and connect to Visa’s 3DS 2.0 Directory Server, this is the last
Pre-Implementation step.
Product Providers, Service Providers, Issuers, or Issuer Processors who are developing 3DS 2.0
Access Control Server (ACS) software and who plan to connect the 3DS 2.0 software to Visa’s 3DS 2.0
Directory Server should continue to the next section, DIGITAL CERTIFICATES.
4 Digital Certificates
Product Providers, Service Providers, or Issuers, who are developing 3DS 2.0 ACS software and
who plan to connect the 3DS 2.0 software to Visa’s 3DS 2.0 Directory Server, will need to request
Visa digital certificates.
4.1 Overview
Digital certificates are used to connect to Visa’s 3DS 2.0 Directory Server. 3DS 1.0.2 certificates cannot be
used to connect to the Visa 3DS 2.0 Directory Server.
4.2 Certificate Request
4.2.1 Forms
The 3 forms below need to be completed to request Visa certificates for a 3DS 2.0 ACS:
• One Certificate Request Form for an ACS connectivity certificate
• One Certificate Request Form for an ACS signing certificate
• One Authorized Contact Registration Form to establish authorized certificate Requestors and
Receivers.
Turnaround is 7 to 10 business days. Incomplete forms or forms with contacts that are not listed on
the Authorized Contact Registration Form will delay the review process and certificate issuance.
4.3 Certificate Request Review
Visa reviews the submitted Digital Certificate Request Forms to confirm that:
• Certificate Requestor’s product is listed on Visa’s 3DS 2.0 Approved Products List located on the
Visa Technology Partner page.
• Certificate Request forms are complete.
• Domain ownership and any Certification Authority Authorization (CAA) restrictions are verified.
• Certificate requestors and receivers are listed as authorized contacts with Visa.
4.4 Certificate Issuance
Once the review has been successfully completed, certificate(s) are created and emailed to the designated
certificate receiver.
Visa 3DS 2.0 Certificates are received. This is the last Pre-Implementation step.
5 Begin Implementation
Once Pre-Implementation is complete, IMPLEMENTATION activities, which include connecting to Visa’s
3DS 2.0 Directory Server, can begin. Visa’s 3DS 2.0 Implementation Guides provide more details.
Provides a turnkey 3DS solution including implementation and operations management for the Visa
Client. The Hosting Service Provider’s 3DS solution connects to the Visa Directory Server.
# Activity Name Hosting Service Provider ISSUER Visa
1 Prerequisites
1a Complete EMVCo 3DS Testing Responsible
Receive a Letter of Approval (LOA)
Receive an EMVCo ACS Reference No.
3b Registration Responsible
3f Approval Responsible
4 Digital Certificates
4a Request Responsible
4b Review Responsible
4c Issuance Responsible
Software Vendor Provides only the 3DS solution component (e.g., white label solution) to the Visa
Client. The Visa Client is responsible for implementation, operations management, and connecting to
the Visa Directory Server. See Issuer Buys for full details.
1 Prerequisites
1a Complete EMVCo 3DS Testing Responsible
Receive a Letter of Approval (LOA)
Receive an EMVCo ACS Reference Number
3b Registration Responsible
3f Approval Responsible
4 Digital Certificates
4a Request N/A
4b Review N/A
4c Issuance N/A
Software Vendor Provides only the 3DS solution component (e.g., white label solution) to the Visa
Client. The Visa Client is responsible for implementation, operations management, and connecting to
the Visa Directory Server.
1 Prerequisites
1a Complete EMVCo 3DS Testing Responsible
Receive a Letter of Approval (LOA)
Receive an EMVCo ACS Reference Number
3f Approval Responsible
4 Digital Certificates
4a Request N/A Responsible
Issuer Builds – The Visa Client develops ACS software for their own use. The Visa Client is responsible
for implementation, operations management, and connecting to the Visa Directory Server.
1 Prerequisites
1a Complete EMVCo 3DS Testing Responsible
Receive a Letter of Approval (LOA)
Receive an EMVCo ACS Reference Number
3b Registration Responsible
3f Approval Responsible
4 Digital Certificates
4a Request Responsible
4b Review Responsible
4c Issuance Responsible