Frequently Asked Question
Can a PCI 3DS Assessment result in a finding of “Compliant” if some requirements are not tested?
Version 1.0 of the PCI 3DS ROC and AOC does not include an option to report requirements as “not tested”. Because the assessor has not determined whether such requirements could be applicable or whether they have been met, any PCI 3DS requirements that have not been tested must be marked as “Not in Place” and the overall compliance status marked as “Not Compliant”.
Support for “not tested” responses is planned for inclusion in a future update to the PCI 3DS ROC and AOC. Requirements identified as “not tested” would also result in a finding of “Not Compliant”.