Security Guidance and Best Practices
Before starting development using the 3DS SDK, it is important to consider the security implications, and how to best protect sensitive data. While the SDK takes care of many security functions, as detailed in the EMVCo 3DS SDK specification, there are other considerations that need to be taken into account.
Communication with 3DS Server
Communication with the 3DS Server is outside the scope of the 3DS SDK itself, but the data transmitted, whether generated by the 3DS SDK or otherwise, should be secured according to payment system security standards. Annex D of the EMVCo Protocol and Core Functions Specification provides guidance, summarized below, that is appropriate for communication between the 3DS SDK and the 3DS Server:
TLS 1.2 or higher should be used, with key lengths as follows:
- RSA: 2048 bits or longer.
- ECC: 256 bits or longer.
One of the following cipher suites should be used:
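As an added example, not code from this page or from the 3DS SDK, the following Java class applies the Annex D guidance summarized above to an HttpsURLConnection to the 3DS Server: it limits the handshake to TLS 1.2 and 1.3 (older Android releases do not enable TLS 1.2 by default) and rejects a server certificate whose RSA key is shorter than 2048 bits or whose EC key is shorter than 256 bits. The class name, the factory wrapper and the method names are this example's own, the URL in main is a placeholder, and the Annex D cipher-suite list, which is not reproduced on this page, is not encoded here.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Example transport hardening for 3DS Server calls (illustrative, not SDK code). */
public final class ThreeDSServerTransport {
    // Annex D summary: TLS 1.2 or higher.
    private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");
    private static final int MIN_RSA_BITS = 2048;
    private static final int MIN_EC_BITS = 256;

    /** Wraps the platform factory so every socket it hands out only offers TLS 1.2+. */
    static final class Tls12PlusSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;

        Tls12PlusSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

        private Socket restrict(Socket s) {
            if (s instanceof SSLSocket) {
                SSLSocket ssl = (SSLSocket) s;
                // Intersect with what the platform supports; enabling an unknown
                // protocol name would throw IllegalArgumentException.
                List<String> enable = new ArrayList<>();
                for (String p : ssl.getSupportedProtocols()) {
                    if (ALLOWED_PROTOCOLS.contains(p)) enable.add(p);
                }
                if (enable.isEmpty()) {
                    throw new IllegalStateException("Platform offers no TLS 1.2+ protocol");
                }
                ssl.setEnabledProtocols(enable.toArray(new String[0]));
                // Cipher suites: restrict with ssl.setEnabledCipherSuites(...) to the
                // Annex D list; that list is deliberately not reproduced here.
            }
            return s;
        }

        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return restrict(delegate.createSocket(s, host, port, autoClose));
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return restrict(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
            return restrict(delegate.createSocket(host, port, localHost, localPort));
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return restrict(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
            return restrict(delegate.createSocket(address, port, localAddress, localPort));
        }
    }

    /** Rejects a leaf certificate whose key is weaker than the Annex D minimums. */
    static void checkKeyStrength(Certificate leaf) throws GeneralSecurityException {
        PublicKey key = leaf.getPublicKey();
        if (key instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) key).getModulus().bitLength();
            if (bits < MIN_RSA_BITS) throw new GeneralSecurityException("RSA key too short: " + bits + " bits");
        } else if (key instanceof ECPublicKey) {
            int bits = ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
            if (bits < MIN_EC_BITS) throw new GeneralSecurityException("EC key too short: " + bits + " bits");
        } else {
            throw new GeneralSecurityException("Unexpected server key type: " + key.getAlgorithm());
        }
    }

    /** Opens a TLS 1.2+ connection and verifies the server's key strength before any request is sent. */
    public static HttpsURLConnection open(URL serverUrl) throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) serverUrl.openConnection();
        conn.setSSLSocketFactory(new Tls12PlusSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault()));
        conn.connect(); // handshake happens here; default hostname verification is kept
        Certificate[] chain = conn.getServerCertificates(); // leaf certificate first
        checkKeyStrength(chain[0]);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL: substitute the merchant's 3DS Server endpoint.
        HttpsURLConnection conn = open(new URL("https://3ds-server.example.com/authenticate"));
        System.out.println("Negotiated key check passed; HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The key-strength check runs after the handshake but before any request data is written, which is adequate for rejecting a weak server; a stricter design moves the same check into a custom X509TrustManager so the handshake itself fails. Certificate chain validation and hostname verification are left to the platform defaults and must not be disabled.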
Protection of Sensitive Cardholder Data
Much of the data used for authentication is outside the scope of the 3DS SDK and is transmitted to the 3DS Server outside of any authentication parameters. This sensitive data ranges from the card number itself to cardholder contact details.
Protection covers both transmission, as described above, and storage on the device itself: either avoid saving the data locally at all or, if it must be stored, encrypt it properly.
Clean Up the ThreeDS2Service Instance
Make sure to clean up the SDK after you are finished with 3-D Secure. This is done with the cleanup method, like so:
// ... 3-D Secure processing complete
ThreeDS2Service.INSTANCE.cleanup(applicationContext);
Versioning
The 3DS SDK version is formatted as a.b.c, where a is the major version, b is the minor version, and c is the build number. Using 2.2.8067 as an example, the major version is 2, the minor version is 2, and the build number is 8067. The build number increments every day starting from a base date of January 1st, 2000. The build number can be a 4 or 5 digit value with a maximum value of 99999.
The version can be retrieved at runtime using the ThreeDS2Service object's getSDKVersion method. This version is in our official 3DS SDK versioning format and supersedes any other locations that may provide some or all of the same information in different formats, such as this documentation or our website pages.
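Because the build number encodes a date and updates are never pushed automatically, an application can check at startup that the SDK it is running meets a known minimum build. The following Java class is an added example, not SDK code: it parses the a.b.c format described above, orders versions by major, minor and build, and derives an approximate build date from the base date of January 1st, 2000 (assuming build 0 corresponds to that date). The class name and the minimum version in main are this example's own.

```java
import java.time.LocalDate;

/** Parses and compares 3DS SDK version strings of the form a.b.c (example code, not SDK code). */
public final class SdkVersion implements Comparable<SdkVersion> {
    // Base date of the daily build counter as described in the Versioning section.
    private static final LocalDate BUILD_EPOCH = LocalDate.of(2000, 1, 1);
    private static final int MAX_BUILD = 99999;

    public final int major;
    public final int minor;
    public final int build;

    public SdkVersion(int major, int minor, int build) {
        if (major < 0 || minor < 0 || build < 0 || build > MAX_BUILD) {
            throw new IllegalArgumentException("Version components out of range: " + major + "." + minor + "." + build);
        }
        this.major = major;
        this.minor = minor;
        this.build = build;
    }

    /** Parses "a.b.c"; rejects anything that is not exactly three numeric components. */
    public static SdkVersion parse(String version) {
        String[] parts = version.trim().split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("Expected a.b.c, got: " + version);
        }
        try {
            return new SdkVersion(Integer.parseInt(parts[0]), Integer.parseInt(parts[1]), Integer.parseInt(parts[2]));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Non-numeric version component in: " + version, e);
        }
    }

    /** Approximate build date: assumes build 0 is the base date itself. */
    public LocalDate approximateBuildDate() {
        return BUILD_EPOCH.plusDays(build);
    }

    @Override
    public int compareTo(SdkVersion other) {
        if (major != other.major) return Integer.compare(major, other.major);
        if (minor != other.minor) return Integer.compare(minor, other.minor);
        return Integer.compare(build, other.build);
    }

    public boolean isAtLeast(SdkVersion minimum) {
        return compareTo(minimum) >= 0;
    }

    @Override
    public String toString() {
        return major + "." + minor + "." + build;
    }

    public static void main(String[] args) {
        // Constructed sample; in an app the string comes from ThreeDS2Service.INSTANCE.getSDKVersion().
        SdkVersion running = SdkVersion.parse("2.2.8067");
        // Hypothetical minimum build the application is willing to run with.
        SdkVersion minimum = SdkVersion.parse("2.2.8000");
        System.out.println("Running " + running + " (built around " + running.approximateBuildDate() + ")");
        if (!running.isAtLeast(minimum)) {
            throw new IllegalStateException("3DS SDK " + running + " is older than required minimum " + minimum);
        }
    }
}
```

Comparing numerically rather than as strings matters once the build number crosses from four to five digits; a plain string comparison would order 2.2.9999 after 2.2.10000.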
Issue Reporting
Vulnerabilities and issues can be reported to our support team via email at email@example.com. When contacting us, please do not include sensitive data including, but not limited to, credit card account numbers or private customer data. If necessary, we can provide a link for secure sharing of sensitive information.
When sensitive data is shared it must be encrypted before being provided (for instance using PGP).
Updates
Updates to the 3DS SDK are made available on our website. Builds there are updated periodically, as well as when critical security updates are made. When the builds are updated, an email notification is sent to the email addresses used when ordering, or to addresses manually added to our list here: https://www.nsoftware.com/company/mlist.aspx
No updates are pushed directly to deployed applications. You must instead obtain the latest build and integrate it into the application. When updating, take care to preserve the integrity of transactions already in progress.
Changelogs
When a bug is fixed or a feature is added, an entry is added to a changelog, which is available on our website. Each entry includes the date, build number, and details of what was changed, as well as how it might affect applications developed using our SDKs. The 3DS SDK changelog can be found on our website here: https://www.nsoftware.com/changelogs/in/3dsecure/sdk
This log is also available in RSS format and can be consumed using any RSS reader. The link for this feed is the same as above with rss appended to the URL: https://www.nsoftware.com/changelogs/in/3dsecure/sdk/rss