Upload
buidat
View
219
Download
0
Embed Size (px)
Citation preview
| 3-D Secure 2.0 Workshop 2
3-D Secure 2.0 SDK Overview The SDK specifications were published by EMVCo in January 2017 to enable 3DS authentication in mobile-based apps
SDK Specification – Jan 2017
SDK Device Information – Jan 2017
Describes the device identification parameters
collected by the SDK
Provides framework for creation of testable SDK the handles all of the functionality of 3DS within apps
Provides insight on the implementation of the SDK
SDK Technical Guide – March 2017
A B C
| 3-D Secure 2.0 Workshop 3
What is the 3DS SDK Design Specification? An SDK, or Software Development Kit, is a programming package that allows a developer to provide specific functionality within an app
Security requirements &
guidelines
Definition of consistent &
testable interfaces
UI mapping framework &
best practices
Data & error handling
requirements & guidelines
The 3DS SDK specification provides the framework for creation of a testable
SDK that handles all of the functionality of 3DS within apps
P
P
P
P
3DS SDK Spec is not:
• Distributable software
package
• Detail of how to develop 3-D
Secure SDK interfaces
• Detail on how to implement
/ develop requirements
• Detail on how to code UI
X
A
| 3-D Secure 2.0 Workshop 4
SDK Component Architecture
Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017
| 3-D Secure 2.0 Workshop 5
SDK Transaction Lifecycle
Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017
Phase Description
Initialization
The initialization phase shall take place either
during Merchant App startup as a background
task or when a transaction is initiated. In this
phase, the SDK shall collect device information
and perform security checks.
This phase shall take place only once during a
single 3-D Secure Requestor App session.
Obtain Authentication Request Parameters
The 3-D Secure SDK shall encrypt the device
information that it collects during initialization
and return this information along with the SDK
information to the 3-D Secure Requestor App.
Cardholder Authentication If a challenge is required, the 3-D Secure SDK shall
perform cardholder authentication.
Cleanup
The cleanup phase shall be called only once
during a single 3-D Secure Requestor App session
to free up resources that are used by the 3-D
Secure SDK and purge ephemeral keys that were
in use.
| 3-D Secure 2.0 Workshop 6
Frictionless Flow
Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017
| 3-D Secure 2.0 Workshop 7
Challenge Flow
Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017
| 3-D Secure 2.0 Workshop 8
What is 3-D Secure SDK Device Information? Device Information shall be used to identify mobile devices in the 3-D Secure ecosystem
Example Common Parameters
The 3-D Secure SDK Device Information document describes the device identification parameters
that shall be collected by the 3-D Secure SDK
Example Device-specific Parameters
Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017
B
| 3-D Secure 2.0 Workshop 9
What is 3-D Secure SDK Device Information? Device Information also includes environmental information
Security Warnings
The 3DS SDK shall check the condition of the device during initialization. The SDK shall make the
result of the checks available as a list of warnings to the Merchant App and include them in the
Device Information JSON data
Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017
B
Security
Warning ID
Description Severity Level
SW01 The device is jailbroken. HIGH
SW02 The integrity of the SDK has been tampered. HIGH
SW03 An emulator is being used to run the App. HIGH
SW04 A debugger is attached to the App. MEDIUM
SW05 The OS or the OS version is not supported. HIGH
| 3-D Secure 2.0 Workshop 10
What is 3-D Secure SDK Device Information? Additional examples of common device information
Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017
B
| 3-D Secure 2.0 Workshop 11
What is 3-D Secure SDK Device Information? Additional examples of common device information (continued)
Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017
B
| 3-D Secure 2.0 Workshop 12
What is the 3-D Secure SDK Technical Guide? Provides insight on the implementation of the SDK. Examples and code samples are contained in the technical guide to give guidance on how a certain functionality can be implemented
Content Description
Overview and Scope • Covers the iOS, Android and Windows Phone platforms
• EMVCo does not intend to maintain the SDK Technical Guide
Implementation of Transaction Flows • SDK initiation
• Frictionless flow, challenge flow
Security & Cryptography
• Device data encryption
• Diffie-Hellman process, JWS signature checking
• Encryption of CReq / decryption of CRes
• Implementation of security requirements
User Interface Implementation • Navigation, examples, UI Customization, accessibility
Merchant Implementation Considerations
• Including 3DS 2.0 SDK in 3DS Requestor App implementation
• SDK initiation, transaction initiation
• Implementing the AReq / ARes-phase
• Deciding to proceed to challenge flow
• Returning to 3DS Requestor App from SDK
Source: EMVCo - EMV® 3-D Secure – SDK Technical Guide – DRAFT – Dec 2016
C