Visa 3-D Secure (3DS) 2.0 Product Provider (ACS) Pre-Implementation Guide and Checklist - V 1.0

Visa 3-D Secure (3DS) 2.
0 Product
Provider (ACS) Pre-Implementation
Guide and Checklist
Version 1.0
14 SEP 2018
Visa Confidential
Important Information on Confidentiality and Copyright
© 2018. All Rights Reserved.
This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or
disclosed, in whole or in part, to merchants, cardholders or any other person without prior written
permission from Visa.
The trademarks, logos, trade names and service marks, whether registered or unregistered (collectively
the “Trademarks”) are Trademarks owned by Visa. All other trademarks not attributed to Visa are the
property of their respective owners.
THIS GUIDE IS PROVIDED ON AN "AS IS,” “WHERE IS,” BASIS, “WITH ALL FAULTS” KNOWN AND
UNKNOWN. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, VISA EXPLICITLY
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, REGARDING THE LICENSED WORK AND TITLES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
AND NON-INFRINGEMENT.
THE INFORMATION CONTAINED HEREIN IS PROPRIETARY AND CONFIDENTIAL AND MUST BE

MAINTAINED IN CONFIDENCE IN ACCORDANCE WITH THE TERMS AND CONDITIONS OF THE
LICENSE OR OTHER APPLICABLE AGREEMENT BETWEEN YOU AND VISA INC., VISA INTERNATIONAL
SERVICE ASSOCIATION, AND/OR VISA EUROPE LIMITED.
Note: This document is not part of the Visa Rules. In the event of any conflict between any content in
this document, any document referenced herein, any exhibit to this document, or any communications
concerning this document, and any content in the Visa Rules, the Visa Rules shall govern and control.
14 SEP 2018 Visa Confidential ii

Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use exclusively in managing their Visa programs. It must
not be duplicated, published, distributed or disclosed, in whole or in part, to merchants, cardholders or any other person without prior written permission from Visa.
© 2018 Visa. All Rights Reserved.
Contents
Visa 3-D Secure (3DS) 2.0 Product Provider (ACS) Pre-Implementation Guide and Checklist
Contents
Introduction ................................................................................................................................................................... 5
Overview ....................................................................................................................................................................................... 5
Audience....................................................................................................................................................................................... 6
Scope ............................................................................................................................................................................................. 6
Document Organization ......................................................................................................................................................... 7
To Learn More ............................................................................................................................................................................ 7
Contact Information ................................................................................................................................................................. 7
1 Prerequisites .......................................................................................................................................................... 8
1.1 Complete EMVCo 3DS Testing .................................................................................................................................. 8
1.2 Sign Visa’s 3DS Program Agreement ...................................................................................................................... 8
1.3 Obtain a Visa Business ID ............................................................................................................................................ 9
2 Visa Security Requirements .............................................................................................................................. 10
2.1 PCI 3DS and PCI DSS Compliance .......................................................................................................................... 10
2.2 Visa’s 3DS Security Program .................................................................................................................................... 11
3 Visa 3DS 2.0 Product Testing ........................................................................................................................... 12
3.1 Application Package .................................................................................................................................................... 12
3.2 Product Provider Registration.................................................................................................................................. 12
3.3 Test Analyst Review ..................................................................................................................................................... 13
3.4 Granting Access ............................................................................................................................................................. 13
3.5 Testing ACS Software .................................................................................................................................................. 13
3.6 Approval Process .......................................................................................................................................................... 14
3.7 Next Steps ....................................................................................................................................................................... 14
4 Digital Certificates ............................................................................................................................................... 15
4.1 Overview .......................................................................................................................................................................... 15
4.2 Certificate Request ....................................................................................................................................................... 15
4.3 Certificate Request Review........................................................................................................................................ 16
4.4 Certificate Issuance ...................................................................................................................................................... 16
5 Begin Implementation........................................................................................................................................ 17
14 SEP 2018 Visa Confidential iii

Contents
Appendix – Pre-Implementation Checklists .......................................................................................................... 18

A.1 Hosting Service Provider............................................................................................................................................ 19
A.2 ACS Software Vendor .................................................................................................................................................. 20
A.3 Issuer Buys ....................................................................................................................................................................... 21
A.4 Issuer Builds .................................................................................................................................................................... 22
14 SEP 2018 Visa Confidential iv

Prerequisites
Introduction
Visa’s 3DS 2.0 Product Provider implementation process involves 4 groups of activities:
Overview
Visa ACS Pre-Implementation activities will vary depending on the ACS implementation type.
ACS Implementation Type
Hosting ACS
Service Software Issuer Issuer
ACS Pre-Implementation Activity Provider Vendor Buys Builds
EMVCo Testing Required YES YES NO 1 YES
PCI DSS & PCI 3DS Assessment Required YES NO NO NO
Visa 3DS Security Program Participation YES NO NO NO
Obtain Visa Business ID YES NO NA NA
Visa 3DS 2.0 Product Testing Required YES YES YES YES
Definitions
• ACS Hosting Service Provider is a Product Provider that develops and provides ACS hosted
services for End Users.
• ACS Product Provider is a company, entity, or individual that develops and/or operates ACS
software. Examples of an ACS Product Provider can include: an ACS Server Hosting Service
Provider, an ACS Software Vendor, or an Issuer building their own ACS.
1When buying 3rd Party ACS software, an Issuer must use ACS software that has successfully completed BOTH EMVCo 3DS
Testing and Visa 3DS 2.0 Product Testing. Issuers are reminded to request copies of EMVCo and Visa Approval/Compliance
Letters as proof from the ACS Software Vendors that EMVCo and Visa 3DS 2.0 Product Testing has been completed. 3DS
software that has successfully completed testing is also listed on EMVCo’s Approved 3DS Product List and Visa’s 3DS
Compliant Product List respectively.
14 SEP 2018 Visa Confidential 5

Prerequisites
• ACS Software Vendor is a Product Provider that develops ACS software to sell to End Users
(e.g., Issuers, or Issuer Processors).
• Issuer Buys is a Visa financial institution that buys their ACS software from an ACS Software
Vendor.
• Issuer Builds is a Visa financial institution that develops ACS software for Issuer’s own use.
Audience
This Pre-Implementation Guide and Checklist is intended for ACS Product Providers including Hosting
Service Providers, Software Providers who are developing 3DS 2.0 software to connect with Visa’s 3DS
2.0 Directory Server. A separate Pre-Implementation Guide and Checklist is available for 3DS Server
Product Providers.
Scope
This Access Control Server (ACS) Product Provider Pre-Implementation Guide and Checklist provides
an overview of ACS PRE-IMPLEMENTATION activities that parties creating 3DS 2.0 ACS software need
to satisfy BEFORE a Visa 3DS 2.0 implementation project can begin.
The activities in Visa’s Pre-Implementation phase are designed to ensure that a Product Provider’s ACS
software
• Complies with EMV 2 3DS 2.0 specification
• Complies with Visa security requirements, and
• Complies with Visa’s 3DS 2.0 Program requirements
Visa’s Pre-Implementation requirements must be satisfied before a Product Provider’s 3DS 2.0 product
can be used to connect to Visa’s 3Ds 2.0 Directory Server.
2 EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries.

Prerequisites
Document Organization
This ACS Pre-Implementation Guide and Checklist is organized into the following sections, one for
each group of Pre-Implementation activities:
• Prerequisites
• Visa Security Requirements
• Visa 3DS 2.0 Product Testing
• Digital Certificates
• Next Steps
• Appendix with Checklists
To Learn More
More information about 3DS 2.0 can be found on the links below:
• Visit EMVCo’s website for more information on EMVCo’s 3DS specifications or EMVCo’s 3DS
Product Approval Process.
• Visit Visa Technology Partner website for more information on Visa’s 3DS 2.0 program and Visa’s
3DS 2.0 Product Testing.
Contact Information
Email questions about ACS Pre-Implementation activities to gctv3dsts@visa.com.

Prerequisites
1 Prerequisites
BEFORE any Visa Pre-Implementation activity can begin, an ACS Product Provider must complete the
following activities:
 Complete EMVCo 3DS Testing
 Sign Visa Agreement
 Obtain a Visa Business ID 3
1.1 Complete EMVCo 3DS Testing
An ACS Product Provider must complete EMVCo 3DS Testing before Visa 3DS 2.0 Product Testing can
begin. When a Product Provider’s ACS software successfully completes EMVCo’s 3DS Testing, they
will:
 Receive a Letter of Approval (LOA)
 Receive an EMVCo ACS Reference Number
EMVCo approved 3DS Products are listed on EMVCo’s website
1.2 Sign Visa’s 3DS Program Agreement
ACS Software Vendors
ACS Software Vendors must sign Visa’s 3DS Product Provider Agreement to participate in Visa’s 3DS
Security Program.
ACS Hosting Service Providers
ACS Hosting Service Providers must sign Visa’s Approved Program Agreement for 3DS Security
Program to participate in Visa’s 3DS Security Program.
The Visa Approved Program Agreement for 3DS Security Program is noted here to ensure that an ACS
Product Provider not already participating in Visa’s 3DS Security Program, begin this activity early. The
application process for Visa’s 3DS Security Program is described in Chapter 2.
3 Software Vendors are not required to have a Visa BID.

Prerequisites
ACS Hosting Service Providers who have already signed Visa’s Approved Program Agreement for 3DS
Security Program and who are already participating in Visa’s 3DS Security Program are listed on Visa’s
Global Registry of Service Providers, filter by Validation Type “ACS” and Service Provider Type “ACS
Vendor”.
1.3 Obtain a Visa Business ID
For an ACS Service Provider 4, a Visa BID is assigned as part of Visa’s 3rd Party Agent Registration
process. Visa’s 3rd Party Agent Registration process which is facilitated by the issuer, is also a step in
Visa 3DS Security Program. The Visa Business ID is provided once the ACS Service Provider receives
their PCI Attestation of Compliance (AOC) and sends its confirmation to Visa’s 3rd Party Agent
Registration.
4 Software Vendors are not required to have a Visa BID.

Visa Security Requirements
2 Visa Security Requirements

ACS Service Providers 5 6
 Must comply with PCI 3DS Core Security Requirements and PCI DSS Security Requirements AND
 Must participate in Visa’s 3DS Security Program (described below).
ACS Service Providers must provide proof that they have completed and are current with Visa Security
Requirements before Visa 3DS 2.0 Product Testing can begin.
2.1 PCI 3DS and PCI DSS Compliance
PCI Security Requirements can be found on PCI Security Standards Council website
• Use Filter by “3DS” to locate PCI 3DS Core Security Requirements and related files
• Use Filter by “PCI DSS” to locate PCI DSS Security Requirements and related files
2.1.1 Complete PCI Assessments
ACS Service Providers who are compliant with Visa security requirements will need to have a current
and valid PCI 3DS Core Attestation of Compliance (AOC) showing:
 Part 1 – 3DS Entity and 3DS Assessor Info is completed
 Part 2a – For PCI DSS AOC: Type of service(s) assessed. 3-D Secure Hosting Provider is checked
 Part 2a – For PCI 3DS AOC: 3DS function(s) assessed. Access Control Server (ACS)
 Part 3 – Report on Compliance (ROC) date is current (i.e., not expired)
 Part 3 – Compliant checkbox is “checked”
 Part 3b – 3DS Entity Attestation is signed and dated
 Part 3c – 3DS Assessor Acknowledgement is signed and dated
PCI 3DS Core AOCs that do not satisfy these criteria OR show an expired date in Part 3 are not current
or valid PCI 3DS AOCs, and do not satisfy Visa’s Security Requirements.
5 For Issuers using a Hosted ACS Service Provider, the Hosted ACS Service Provider is responsible for PCI assessments and
certification.
6 For Issuers developing their Own ACS Software Solution or using an Integrated ACS Approach for authentication are
responsible for their own PCI compliance - a PCI assessment is not required prior to Visa 3DS 2.0 Product Testing.

Visa Security Requirements
2.2 Visa’s 3DS Security Program
 ACS Service Providers must participate in Visa’s 3DS Security Program.
2.2.1 Application Process
ACS Service Providers not already participating in Visa’s 3DS Security Program can apply by sending a
letter to their regional Visa Risk Representative expressing their intent to participate in the Visa 3DS
Security Program.
• Canada/LAC/U.S.: AVPAmericas@visa.com
• AP/CEMEA: ACS@visa.com
• Europe: Europe3DS@visa.com
Process Overview
• In response to the email, the regional Visa Risk Representative will send a 3DS application
package.
The ACS Service Provider must complete application package and return the completed
application to Visa for review.
• The Visa Risk Representative reviews the submitted documents to confirm the ACS Service
Provider meet Visa’s 3DS Security Program requirements to proceed with application process
and responds to applicant.
• If the application package is approved, the ACS Service Provider will schedule an On-site
Security Assessment. An On-site Security Assessment is performed by a Qualified Security
Assessor (QSA).
A list of PCI approved 3-D Secure Security assessors (PCI 3DS QSA) can be found on
https://www.pcisecuritystandards.org/
• Once the 3DS security assessment is completed and Visa has received the PCI 3DS Report of
Compliance (ROC) and Attestation of Compliance (AOC), Visa will provide Visa’s Approved
Program Agreement for 3DS Security Program for signing.
• Upon execution of the Approved Program Agreement for 3DS Security Program, Visa provides a
Letter of Approval and will add the ACS Service Provider to the list of Global Registry of Service
Providers at the next monthly update.

Visa 3DS 2.0 Product Testing
3 Visa 3DS 2.0 Product Testing

 A Product Provider’s ACS software must successfully complete Visa 3DS 2.0 Product Testing
before it can be used to connect to Visa’s 3Ds 2.0 Directory Server.
3.1 Application Package
The Product Provider must prepare a Visa 3DS 2.0 Product Testing application package to initiate Visa
3DS 2.0 Product Testing.
3.1.1 Contents
Visa 3DS 2.0 Product Testing application package for an ACS must include:
 COPY OF EMVCo Letter of Approval (LOA) with the corresponding EMVCo Reference Number
for the Product Provider’s ACS that will be tested.
 COPY OF PCI 3DS AOC AND/OR PCI DSS AOC (if software will be connecting to Visa’s DS)
 SIGNED COPY OF Visa 3DS Product Provider Agreement (ACS Software Vendors ONLY)
 COPY OF Visa’s 3DS Annual Letter of Approval 7 from Visa’s 3DS Security Program.
 INCLUDE Visa Business ID in the application package email.
3.1.2 Email Address
Completed 3DS 2.0 application packages can be emailed to gctv3dsts@visa.com.
3.2 Product Provider Registration
Use the Visa 3DS Test Suite to register the Product Provider and the ACS software with Visa.
• Click on the ‘Click here to enroll’ link on the Login page to access the Enrollment page
• The following information is needed to complete registration:
- Visa Business ID and
- EMVCo Reference Number
• When done select the Submit button to send the completed registration to Visa
7 Reference Section 2.2.1, last bullet.

3.3 Test Analyst Review
A Visa Test Analyst will review

• Completeness of Visa 3DS 2.0 Product Testing application package
• Completeness of the Registration
- Visa Business ID and Product Provider info match
- All fields are completed
Incomplete application packages or incomplete registrations will delay the process or will not be
processed.
3.4 Granting Access
Once registration is verified, the Visa Test Analyst

• Enables Product Provider’s login access to the Visa 3DS Test Suite
• Notifies Product Provider that registration is complete by email
Product Provider can

• Create certificates to connect their ACS or 3DS Server software to the Visa 3DS Test Suite.
Details can be found in the Visa 3DS Test Suite User Guide 8.
• Run tests
Questions can be emailed to gctv3dsts@visa.com
3.5 Testing ACS Software
The Visa 3DS Test Suite is a self-test testing service.

• Test results (i.e., pass or fail) are available immediately
• CAVV Testing is required for ACSs. CAVVs are created using Visa test CAVV keys
• A User Guide is available
8 The Visa 3DS Test Suite User Guide is located on the left-navigation bar of the Visa 3DS Test Suite after login.

3.6 Approval Process
• When ready, Product Provider submits Test Results to a Visa Test Analyst for evaluation.
• The Visa Test Analyst confirms that the tests were successfully performed.
• The Visa Test Analyst prepares an Approval Letter for the Product Provider whose 3DS Product
successfully completes testing. This Approval Letter will include an Approval ID.
• The Product Provider’s 3DS Product is added to Visa’s 3DS 2.0 Compliant Vendor Software List
which is located on the Visa Technology Partner Website.
3.7 Next Steps
For Software Vendors who only plan to license their 3DS 2.0 ACS software to issuers or other 3rd
parties to operate, use, and connect to Visa’s 3DS 2.0 Directory Server, this is the last Pre-
Implementation step.
For Product Providers, Service Providers, Issuers, or Issuer Processors who are developing 3DS 2.0
Access Control Server (ACS) software and who plan to connect the 3DS 2.0 software to Visa’s 3DS 2.0
Directory Server should continue to the next section DIGITAL CERTIFICATES.

Digital Certificates
4 Digital Certificates
 Product Providers, Service Providers, or Issuers, who are developing 3DS 2.0 ACS software and
who plan to connect the 3DS 2.0 software to Visa’s 3DS 2.0 Directory Server, will need to request
Visa digital certificates.
4.1 Overview
Digital certificates are used to connect Visa’s 3DS 2.0 Directory Server. 3DS 1.0.2 certificates cannot be
used to connect to the Visa 3DS 2.0 Directory Server.
For 3DS 2.0, ACSs will need 2 certificates:

• One connectivity certificate 9 and
• One signing certificate
4.2 Certificate Request
4.2.1 Forms
The below 3 forms need to be completed to request Visa certificates for a 3DS 2.0 ACS:
• One Certificate Request Form for an ACS connectivity certificate
• One Certificate Request Form for an ACS signing certificate
• One Authorized Contact Registration Form to establish authorized certificate Requestors and
Receivers.
Turnaround is 7 to 10 business days. Incomplete forms or forms with contacts that are not listed on
the Authorized Contact Registration Form will delay the review process and certificate issuance.
4.2.2 Email Address
Email completed Digital Certificate Request Forms or questions to: certificates@visa.com
9 Visa’s connectivity certificate includes both client and server functions.

Digital Certificates
4.3 Certificate Request Review
Visa reviews the submitted Digital Certificate Request Forms to confirm that:
• Certificate Requestor’s product is listed on Visa’s 3DS 2.0 Approved Products List located on the
Visa Technology Partner page
• Certificate Request forms are complete.
• Domain ownership and any Certificate Authority Authorization (CAA) restrictions are verified
• Certificate requestors and receivers are listed as authorized contacts with Visa.
4.4 Certificate Issuance
Once the review has successfully completed, certificate(s) are created and emailed to the designated
certificate receiver.
4.4.1 Last Pre-Implementation Step
Visa 3DS 2.0 Certificates are received. This is the last Pre-Implementation step.

Begin Implementation
5 Begin Implementation
Once Pre-Implementation is complete, IMPLEMENTATION activities which include connecting to Visa’s
3DS 2.0 Directory Server can begin. Visa’s 3DS 2.0 Implementation Guides provide more details.
IMPLEMENTATION steps will vary depending on the type of entity:

• ACS Product Providers can license their software to Issuers or Issuer Processors to operate and
use.
• Host Service Providers can begin connecting their ACS software to Visa’s 3DS 2.0 Directory
Server and onboarding clients.
• Issuers or issuer processors can work with their Visa representatives and Visa support teams to
initiate implementation projects, as appropriate.
If there are questions or issues, please contact gctv3dsts@visa.com.

Appendix – Pre-Implementation Checklists

Depending on the ACS implementation type, the required Pre-Implementation steps will vary.
Examples of these variations are shown below for the following 3 Product Provider types:
• Hosting Service Provider – Provides a turnkey 3DS solution including implementation and
operations management for the Visa Client. The Hosting Service Provider’s 3DS solution
connects to the Visa Directory Server.
• ACS Software Vendor – Provides only the 3DS solution component to the Visa Client. The Visa
Client is responsible for implementation, operations management, and connecting to the Visa
Directory Server. See Issuer Buys for full details.
• Issuer Buys – The Visa Client buys their ACS software from an ACS Software Vendor. The Visa
Client is responsible for implementation, operations management, and connecting to the Visa
Directory Server.
• Issuer Builds – The Visa Client develops ACS software for their own use. The Visa Client is
responsible for implementation, operations management, and connecting to the Visa Directory
Server.

A.1 Hosting Service Provider
Provides a turnkey 3DS solution including implementation and operations management for the Visa
Client. The Hosting Service Provider’s 3DS solution connects to the Visa Directory Server.
Hosting
# Activity Name Service Provider ISSUER Visa
1 Prerequisites
1a  Complete EMVCo 3DS Testing Responsible
 Receive an EMVCo ACS Reference No.
1b  Sign Visa Approved Program Agreement Responsible

for 3DS Security Program
1c  Obtain a Visa Business ID. Responsible

2a  Comply with PCI 3DS Core Security Responsible
Requirements and PCI DSS Security
Requirements
2b  Participate in Visa’s 3DS Security Responsible

Program

3a  Application Package Responsible
3b  Registration Responsible
3c  Review Package, Registration Responsible
3d  Granting Access Responsible
3e  Testing ACS Software Responsible
3f  Approval Responsible
4a  Request Responsible
4b  Review Responsible
4c  Issuance Responsible
5 Start Implementation Project Responsible

A.2 ACS Software Vendor
Software Vendor Provides only the 3DS solution component (e..g. white label solution) to the Visa
Client. The Visa Client is responsible for implementation, operations management, and connecting to
the Visa Directory Server. See Issuer Buys for full details.
# Activity Name Software Vendor ISSUER Visa
1 Prerequisites
 Receive an EMVCo ACS Reference
Number
1b  Sign Visa 3DS Product Provider Responsible

Agreement
1c  Obtain a Visa Business ID. N/A

2a  Comply with PCI 3DS Core Security N/A
Requirements and PCI DSS Security
Requirements
2b  Participate in Visa’s 3DS Security N/A

Program

4a  Request N/A
4b  Review N/A
4c  Issuance N/A
5 Start Implementation Project N/A

A.3 Issuer Buys
Software Vendor Provides only the 3DS solution component (e..g. white label solution) to the Visa
Client. The Visa Client is responsible for implementation, operations management, and connecting to
the Visa Directory Server.
# Activity Name Software Vendor ISSUER Visa
1 Prerequisites
Number
1b  Sign Visa 3DS Product Provider Responsible N/A

Agreement
1c  Obtain a Visa Business ID. N/A

2a  Comply with PCI 3DS Core Security N/A Responsible for
Requirements and PCI DSS Security Self-Compliance
Requirements
2b  Participate in Visa’s 3DS Security N/A N/A

Program

3a  Application Package Responsible Responsible
3b  Registration Responsible Responsible
3e  Testing ACS Software Responsible Responsible
4a  Request N/A Responsible
4b  Review N/A Responsible
4c  Issuance N/A Responsible
5 Start Implementation Project N/A Responsible

A.4 Issuer Builds
Issuer Builds – The Visa Client develops ACS software for their own use. The Visa Client is responsible
for implementation, operations management, and connecting to the Visa Directory Server.
# Activity Name Software Vendor Issuer Visa
1 Prerequisites
Number
1b  Sign Visa 3DS Product Provider N/A N/A

Agreement
1c  Obtain a Visa Business ID. Responsible

2a  Comply with PCI 3DS Core Security Responsible for
Requirements and PCI DSS Security Self-Compliance
Requirements
2b  Participate in Visa’s 3DS Security N/A N/A

Program

4a  Request Responsible
4b  Review Responsible
4c  Issuance Responsible
5 Start Implementation Project Responsible


Visa 3-D Secure (3DS) 2.0 Product Provider (ACS) Pre-Implementation Guide and Checklist - V 1.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Visa 3-D Secure (3DS) 2.0 Product Provider (ACS) Pre-Implementation Guide and Checklist - V 1.0

Uploaded by

Copyright:

Available Formats

Visa 3-D Secure (3DS) 2.

© 2018. All Rights Reserved.

THE INFORMATION CONTAINED HEREIN IS PROPRIETARY AND CONFIDENTIAL AND MUST BE

14 SEP 2018 Visa Confidential ii

14 SEP 2018 Visa Confidential iii

Appendix – Pre-Implementation Checklists .......................................................................................................... 18

14 SEP 2018 Visa Confidential iv

ACS Implementation Type

EMVCo Testing Required YES YES NO 1 YES

PCI DSS & PCI 3DS Assessment Required YES NO NO NO

Visa 3DS Security Program Participation YES NO NO NO

Obtain Visa Business ID YES NO NA NA

14 SEP 2018 Visa Confidential 5

14 SEP 2018 Visa Confidential 6

Email questions about ACS Pre-Implementation activities to gctv3dsts@visa.com.

14 SEP 2018 Visa Confidential 7

1.1 Complete EMVCo 3DS Testing

EMVCo approved 3DS Products are listed on EMVCo’s website

1.2 Sign Visa’s 3DS Program Agreement

ACS Software Vendors

ACS Hosting Service Providers

3 Software Vendors are not required to have a Visa BID.

14 SEP 2018 Visa Confidential 8

1.3 Obtain a Visa Business ID

4 Software Vendors are not required to have a Visa BID.

14 SEP 2018 Visa Confidential 9

2 Visa Security Requirements

2.1 PCI 3DS and PCI DSS Compliance

2.1.1 Complete PCI Assessments

14 SEP 2018 Visa Confidential 10

2.2 Visa’s 3DS Security Program

 ACS Service Providers must participate in Visa’s 3DS Security Program.

2.2.1 Application Process

14 SEP 2018 Visa Confidential 11

3 Visa 3DS 2.0 Product Testing

3.1 Application Package

3.1.2 Email Address

Completed 3DS 2.0 application packages can be emailed to gctv3dsts@visa.com.

3.2 Product Provider Registration

7 Reference Section 2.2.1, last bullet.

14 SEP 2018 Visa Confidential 12

3.3 Test Analyst Review

A Visa Test Analyst will review

3.4 Granting Access

Once registration is verified, the Visa Test Analyst

Product Provider can

Questions can be emailed to gctv3dsts@visa.com

3.5 Testing ACS Software

The Visa 3DS Test Suite is a self-test testing service.

14 SEP 2018 Visa Confidential 13

3.6 Approval Process

3.7 Next Steps

14 SEP 2018 Visa Confidential 14

For 3DS 2.0, ACSs will need 2 certificates:

4.2 Certificate Request

4.2.2 Email Address

Email completed Digital Certificate Request Forms or questions to: certificates@visa.com

9 Visa’s connectivity certificate includes both client and server functions.

14 SEP 2018 Visa Confidential 15

4.3 Certificate Request Review

4.4 Certificate Issuance

4.4.1 Last Pre-Implementation Step

14 SEP 2018 Visa Confidential 16