Frequently Asked Question
What types of 3DS components are in scope for Requirement P2-7 in the PCI 3DS Core Security Standard?
Requirements P2-7.1 and P2-7.2, which relate to data center and CCTV security, apply to 3DS Directory Server (DS) and 3DS Access Control Server (ACS) systems.
As noted in the Overview section of Requirement P2-7, the DS and ACS systems are critical components of the 3DS infrastructure that require a secure facility with elevated physical security controls to restrict, manage, and monitor all physical access.
The requirements in P2-7 are recommended, but not required, for locations where only a 3DS Server (3DSS) is present. Refer to the PCI 3DS Core Security Standard for information about the different 3DS components.
As noted in the Overview section of Requirement P2-7, the DS and ACS systems are critical components of the 3DS infrastructure that require a secure facility with elevated physical security controls to restrict, manage, and monitor all physical access.
The requirements in P2-7 are recommended, but not required, for locations where only a 3DS Server (3DSS) is present. Refer to the PCI 3DS Core Security Standard for information about the different 3DS components.
Originally published: December 2020
Article Number: 1488
Related
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Most Recently Updated
-
How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
-
Does PCI SSC provide a list of PCI DSS-compliant third-party service providers?
-
How does encrypted cardholder data impact PCI DSS scope?
-
What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?
-
Are Mobile Payments on COTS (MPoC)™ solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?