1

3-D Secure SDK Specification

| 3-D Secure 2.0 Workshop 2

3-D Secure 2.0 SDK Overview The SDK specifications were published by EMVCo in January 2017 to enable 3DS authentication in mobile-based apps

SDK Specification – Jan 2017

SDK Device Information – Jan 2017

Describes the device identification parameters

collected by the SDK

Provides framework for creation of testable SDK the handles all of the functionality of 3DS within apps

Provides insight on the implementation of the SDK

SDK Technical Guide – March 2017

A B C

| 3-D Secure 2.0 Workshop 3

What is the 3DS SDK Design Specification? An SDK, or Software Development Kit, is a programming package that allows a developer to provide specific functionality within an app

Security requirements &

guidelines

Definition of consistent &

testable interfaces

UI mapping framework &

best practices

Data & error handling

requirements & guidelines

The 3DS SDK specification provides the framework for creation of a testable

SDK that handles all of the functionality of 3DS within apps

P

P

P

P

3DS SDK Spec is not:

• Distributable software

package

• Detail of how to develop 3-D

Secure SDK interfaces

• Detail on how to implement

/ develop requirements

• Detail on how to code UI

X

A

| 3-D Secure 2.0 Workshop 4

SDK Component Architecture

Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017

| 3-D Secure 2.0 Workshop 5

SDK Transaction Lifecycle

Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017

Phase Description

Initialization

The initialization phase shall take place either

during Merchant App startup as a background

task or when a transaction is initiated. In this

phase, the SDK shall collect device information

and perform security checks.

This phase shall take place only once during a

single 3-D Secure Requestor App session.

Obtain Authentication Request Parameters

The 3-D Secure SDK shall encrypt the device

information that it collects during initialization

and return this information along with the SDK

information to the 3-D Secure Requestor App.

Cardholder Authentication If a challenge is required, the 3-D Secure SDK shall

perform cardholder authentication.

Cleanup

The cleanup phase shall be called only once

during a single 3-D Secure Requestor App session

to free up resources that are used by the 3-D

Secure SDK and purge ephemeral keys that were

in use.

| 3-D Secure 2.0 Workshop 6

Frictionless Flow

Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017

| 3-D Secure 2.0 Workshop 7

Challenge Flow

Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017

| 3-D Secure 2.0 Workshop 8

What is 3-D Secure SDK Device Information? Device Information shall be used to identify mobile devices in the 3-D Secure ecosystem

Example Common Parameters

The 3-D Secure SDK Device Information document describes the device identification parameters

that shall be collected by the 3-D Secure SDK

Example Device-specific Parameters

Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017

B

| 3-D Secure 2.0 Workshop 9

What is 3-D Secure SDK Device Information? Device Information also includes environmental information

Security Warnings

The 3DS SDK shall check the condition of the device during initialization. The SDK shall make the

result of the checks available as a list of warnings to the Merchant App and include them in the

Device Information JSON data

Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017

B

Security

Warning ID

Description Severity Level

SW01 The device is jailbroken. HIGH

SW02 The integrity of the SDK has been tampered. HIGH

SW03 An emulator is being used to run the App. HIGH

SW04 A debugger is attached to the App. MEDIUM

SW05 The OS or the OS version is not supported. HIGH

| 3-D Secure 2.0 Workshop 10

What is 3-D Secure SDK Device Information? Additional examples of common device information

Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017

B

| 3-D Secure 2.0 Workshop 11

What is 3-D Secure SDK Device Information? Additional examples of common device information (continued)

Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017

B

| 3-D Secure 2.0 Workshop 12

What is the 3-D Secure SDK Technical Guide? Provides insight on the implementation of the SDK. Examples and code samples are contained in the technical guide to give guidance on how a certain functionality can be implemented

Content Description

Overview and Scope • Covers the iOS, Android and Windows Phone platforms

• EMVCo does not intend to maintain the SDK Technical Guide

Implementation of Transaction Flows • SDK initiation

• Frictionless flow, challenge flow

Security & Cryptography

• Device data encryption

• Diffie-Hellman process, JWS signature checking

• Encryption of CReq / decryption of CRes

• Implementation of security requirements

User Interface Implementation • Navigation, examples, UI Customization, accessibility

Merchant Implementation Considerations

• Including 3DS 2.0 SDK in 3DS Requestor App implementation

• SDK initiation, transaction initiation

• Implementing the AReq / ARes-phase

• Deciding to proceed to challenge flow

• Returning to 3DS Requestor App from SDK

Source: EMVCo - EMV® 3-D Secure – SDK Technical Guide – DRAFT – Dec 2016

C