Security Guidance and Best Practices

Before starting development using the 3DS SDK, it is important to consider the security implications, and how to best protect sensitive data. While the SDK takes care of many security functions, as detailed in the EMVCo 3DS SDK specification, there are other considerations that need to be taken into account.

Communication with 3DS Server

While communication with the 3DS Server is outside the scope of the 3DS SDK itself, the data transmitted, both generated from the 3DS SDK and otherwise, should be properly secured according to payment system security standards. Annex D of the EMVCo Protocol and Core Functions Specification provides guidance that has been summarized below. These standards would be appropriate for communication between the 3DS SDK and 3DS Server:

TLS 1.2 or higher should be used, with key lengths as follows:

RSA: 2048 bits or longer.
ECC: 256 bits or longer.

One of the following cipher suites should be used:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Curve P-256 shall be used and indicated in the cipher suite extension.

Protection of Sensitive Cardholder Data

Much of the data used for authentication is outside the scope of the 3DS SDK, and is transmitted to the 3DS Server outside of any authentication parameters. This sensitive data includes anything from the card number itself to cardholder contact details.

Protection includes the above secure transmission, as well as protection on the device itself. This may include either not saving the data locally, or encrypting it properly if stored.

Cleanup the ThreeDS2Service Instance

Make sure to cleanup the SDK after you are finished with 3-D Secure. This can be done using the cleanup method like so:

	// ...
    ThreeDS2Service.INSTANCE.cleanup(applicationContext);

Versioning

The 3DS SDK version is formatted as a.b.c, where a is the major version, b is the minor version, and c is the build number. Using 2.2.8067 as an example, the major version is 2, the minor version is 2, and the build number is 8067. The build number increments every day starting from a base date of January 1st, 2000. The build number can be a 4 or 5 digit value with a maximum value of 99999.

The version can be retrieved at runtime using the ThreeDS2Service object's getSDKVersion method. This version is in our official 3DS SDK versioning format, and supercedes any other locations that may provide some or all of the same information in different formats, such as this documentation or our website pages.

Issue Reporting

Vulnerabilities and issues can be reported to our support team via email at support@nsoftware.com. When contacting us, please do not include sensitive data including, but not limited to, credit card account numbers or private customer data. If necessary, we can provide a link for secure sharing of sensitive information.

When sensitive data is shared it must be encrypted before being provided (for instance using PGP).

Updates

Updates to the 3DS SDK are made available on our website. Builds there are updated periodically, as well as when critical security updates are made. When the builds are updated, an email notification will be sent out to email addresses used when ordering, or addresses manually added to our list here: https://www.nsoftware.com/company/mlist.aspx

No updates are pushed directly to deployed applications. It would instead be required to obtain the latest builds and integrate it them into the application. When updating, care should be taken to ensure the integrity of transactions already in progress.

Changelogs

When a bug is resolved, entries for the fixes and new features are added to a changelog, which is available on our website. Each entry includes the date, build number, and details on what was changed, as well as how it might affect applications developed using our SDKs. The 3DS SDK changelog can be found on our website here: https://www.nsoftware.com/changelogs/in/3dsecure/sdk

This log is also available in RSS format, and can be consumed using any RSS reader. The links for this feed is the same as above, but with rss appended to the URL: https://www.nsoftware.com/changelogs/in/3dsecure/sdk/rss

Security Checks

The Security Checks section contains details on the security checks performed during initialization of the SDK, as well as checks made periodically at runtime. The guidance in that section should be followed to make sure your application knows about these issues, and responds accordingly.

Application Security

While the 3DS SDK performs a variety of security checks, there are cases that cannot be detected by the 3DS SDK. As with any application, measures should be taken by the developer to guard against security concerns such as side loading. For example, developer options should be disabled on the device.

/n software 3-D Secure V2 Android Edition Website Download Support Questions / Feedback?
	Security Guidance and Best Practices Before starting development using the 3DS SDK, it is important to consider the security implications, and how to best protect sensitive data. While the SDK takes care of many security functions, as detailed in the EMVCo 3DS SDK specification, there are other considerations that need to be taken into account. Communication with 3DS Server While communication with the 3DS Server is outside the scope of the 3DS SDK itself, the data transmitted, both generated from the 3DS SDK and otherwise, should be properly secured according to payment system security standards. Annex D of the EMVCo `Protocol and Core Functions Specification` provides guidance that has been summarized below. These standards would be appropriate for communication between the 3DS SDK and 3DS Server: TLS 1.2 or higher should be used, with key lengths as follows: RSA: 2048 bits or longer. ECC: 256 bits or longer. One of the following cipher suites should be used: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Curve P-256 shall be used and indicated in the cipher suite extension. Protection of Sensitive Cardholder Data Much of the data used for authentication is outside the scope of the 3DS SDK, and is transmitted to the 3DS Server outside of any authentication parameters. This sensitive data includes anything from the card number itself to cardholder contact details. Protection includes the above secure transmission, as well as protection on the device itself. This may include either not saving the data locally, or encrypting it properly if stored. Cleanup the ThreeDS2Service Instance Make sure to cleanup the SDK after you are finished with 3-D Secure. This can be done using the `cleanup` method like so: // ... ThreeDS2Service.INSTANCE.cleanup(applicationContext); Versioning The 3DS SDK version is formatted as a.b.c, where a is the major version, b is the minor version, and c is the build number. Using `2.2.8067` as an example, the major version is 2, the minor version is 2, and the build number is 8067. The build number increments every day starting from a base date of January 1st, 2000. The build number can be a 4 or 5 digit value with a maximum value of 99999. The version can be retrieved at runtime using the `ThreeDS2Service` object's `getSDKVersion` method. This version is in our official 3DS SDK versioning format, and supercedes any other locations that may provide some or all of the same information in different formats, such as this documentation or our website pages. Issue Reporting Vulnerabilities and issues can be reported to our support team via email at support@nsoftware.com. When contacting us, please do not include sensitive data including, but not limited to, credit card account numbers or private customer data. If necessary, we can provide a link for secure sharing of sensitive information. When sensitive data is shared it must be encrypted before being provided (for instance using PGP). Updates Updates to the 3DS SDK are made available on our website. Builds there are updated periodically, as well as when critical security updates are made. When the builds are updated, an email notification will be sent out to email addresses used when ordering, or addresses manually added to our list here: https://www.nsoftware.com/company/mlist.aspx No updates are pushed directly to deployed applications. It would instead be required to obtain the latest builds and integrate it them into the application. When updating, care should be taken to ensure the integrity of transactions already in progress. Changelogs When a bug is resolved, entries for the fixes and new features are added to a changelog, which is available on our website. Each entry includes the date, build number, and details on what was changed, as well as how it might affect applications developed using our SDKs. The 3DS SDK changelog can be found on our website here: https://www.nsoftware.com/changelogs/in/3dsecure/sdk This log is also available in RSS format, and can be consumed using any RSS reader. The links for this feed is the same as above, but with rss appended to the URL: https://www.nsoftware.com/changelogs/in/3dsecure/sdk/rss Security Checks The Security Checks section contains details on the security checks performed during initialization of the SDK, as well as checks made periodically at runtime. The guidance in that section should be followed to make sure your application knows about these issues, and responds accordingly. Application Security While the 3DS SDK performs a variety of security checks, there are cases that cannot be detected by the 3DS SDK. As with any application, measures should be taken by the developer to guard against security concerns such as side loading. For example, developer options should be disabled on the device.
Copyright (c) 2023 /n software inc. - All rights reserved. /n software 3-D Secure V2 Android Edition - Version 2.2 [Build 8522]

/n software 3-D Secure V2 Android Edition