
3-D Secure

Systems and Compliance Testing


Policies and Procedures Guide

Visa Inc.
January 2014

TABLE OF CONTENTS
1.0 Document Overview
    1.1 Audience
    1.2 Introduction
    1.3 Systems Testing
    1.4 Compliance Testing
    1.5 Contact Information
2.0 Products Tested
    2.1 Access Control Server
    2.2 Merchant Server Plug-in Component
3.0 3-D Secure Systems Testing
    3.1 Enrollment
    3.2 Scheduling
    3.3 Setting up Systems Testing
    3.4 Beginning Systems Testing
4.0 3-D Secure Compliance Testing
    4.1 Enrollment
    4.2 Scheduling
    4.3 Interface with Compliance Test Facility Test Harness
    4.4 Required Compliance Test
    4.5 Completion of Compliance
    4.6 Subsequent Compliance Process
5.0 3-D Secure Testing Fees
    5.1 3-D Secure Systems Testing Fees
    5.2 3-D Secure Compliance Testing Fees
    5.3 Technical Support and Maintenance Availability
    5.4 Payment Methods
6.0 Letter of Compliance Conditions
7.0 Component Renewal Policy


1.0 Document Overview


1.1 Audience
This document is for vendors that develop and implement components according to the
3-D Secure specifications. There are two types of testing addressed in this document,
Systems Testing and Compliance Testing. In this document, "vendor" refers to a Member,
Merchant or Vendor.
Readers should review this policies and procedures document in its entirety before
starting 3-D Secure Systems and Compliance Testing.

Disclaimer
The policies and procedures in this document may be changed at any time. Visa
reserves the right to make changes. Visa will provide enrolled vendors with reasonable
notice of all changes. Current documents are posted on the Visa website at
https://technologypartner.visa.com/Library/.
Successful completion of 3-D Secure Compliance Testing does not guarantee suitability
for a particular purpose, nor does the completion of 3-D Secure Compliance Testing
guarantee complete interoperability with all other products, even if they also have
completed 3-D Secure Compliance Testing.
1.2 Introduction
3-D Secure Payment authentication is the process of verifying cardholder account
ownership during a purchase transaction in an online commerce environment.
Visa has developed the Three-Domain Secure (3-D Secure) protocol to improve
transaction performance online and to accelerate the growth of electronic commerce.
The objective is to benefit all participants by providing Issuers with the ability to
authenticate cardholders during an online purchase, thus reducing the likelihood of
fraudulent usage of Visa cards and improving transaction performance.

1.3 Systems Testing
The 3-D Secure Systems Testing allows vendors to test their 3-D Secure products using
end-to-end component connectivity prior to beginning Compliance Testing. The results
of Systems Testing are available for review during the system test cycle. Systems
Testing serves as a tool to prepare the vendor for 3-D Secure Compliance Testing.
Note: Systems Testing is not a stress test environment. The environment is available to
vendors as a unit and system test environment only. Abuse of the facility will result in
immediate termination of access to the test facility.


Copyright 2004-2014 Visa Inc.


1.4 Compliance Testing
Compliance Testing is completed using Visa's Compliance Test Facility.
To complete Compliance Testing, 3-D Secure vendors must test each of their
components using the compliance test cases supported by the Test Facility. The test
cases exercise a product's functionality to determine its conformity with the 3-D Secure
protocol and messaging specifications.
No product may be represented as 3-D Secure compliant until it has completed the
testing described in this document and has received a 3-D Secure compliance letter
from Visa.

1.5 Contact Information

1.5.1 Visa Inc. 3-D Secure


Information specific to 3-D Secure Systems and Compliance Testing may be obtained
from Visa Inc. as per below. Test scheduling, questions, and required agreements
should be directed to 3dcompliance@visa.com.
Visa website:    https://technologypartner.visa.com/Library/
E-mail:          3dcompliance@visa.com
Mailing address: Visa Inc.
                 3-D Secure Systems and Compliance Testing Office
                 (M4-3B)
                 Post Office Box 8999
                 San Francisco, CA 94128-8999
                 United States
Telephone:       +1-650-432-2441
Facsimile:       +1-650-432-2408

1.5.2 Compliance Test Facility


During testing, any testing inquiries should be directed to the Compliance Test Facility
listed below.

Compliance Test Facility contact: http://www.3dsecuretestfacility.com
E-mail:                           cthsupport@visa.com


2.0 Products Tested


The following 3-D Secure components are part of 3-D Secure Systems and Compliance
Testing:
o Access Control Server
o Merchant Server Plug-in
All 3-D Secure vendors must test each of their components in the Testing Facility.
Compliance Testing is required to ensure that the product is in compliance with Visa 3-D
Secure Protocol Specification, Core Functions and Functional requirements documents.
2.1 Access Control Server

The Access Control Server (ACS) is run by or on behalf of an Issuer. The ACS has two
functions: to verify whether a given card number is enrolled in 3-D Secure and whether
authentication is available, and to authenticate the cardholder for a specific transaction.
The ACS interacts with:
o The Merchant Server Plug-in (via the cardholder browser)
o The Visa Directory
o The Authentication History Server

2.2 Merchant Server Plug-in Component

The Merchant Server Plug-in (MPI) is run by or on behalf of an on-line merchant. The
MPI creates and processes payment authentication messages, then returns control to
the merchant software. As part of processing the authentication response message from
the Issuer, the MPI may validate the digital signature in the message; alternatively, this
function may be performed by a separate Acquirer domain server, or by the Acquirer or
a third party.
The MPI interacts with:
o The Visa Directory
o The Access Control Server (via the cardholder browser)
o The Validation Server (if run separately)
Compliance Testing is performed on each 3-D Secure component independently, even
though a vendor may offer multiple components as a bundle.

3.0 3-D Secure Systems Testing


The 3-D Secure Systems Testing provides an environment where a vendor can test their
products against the 3-D Secure test harness. The test harness simulates the
functionality of all 3-D Secure baseline components. This gives the vendor the
opportunity to perform development testing of their component prior to Compliance
Testing. Therefore, Systems Testing gives you the advantage of assessing your
product's readiness prior to entering Compliance Testing.
3.1 Enrollment
To enroll in 3-D Secure Systems Testing, a vendor must:
o Review and sign the Visa Inc. 3-D Secure Systems and Compliance Testing
  Agreement,
o Complete the Visa Inc. 3-D Secure Systems and Compliance Testing Exhibit A:
  Request For Testing Services Form,
o Complete, sign and email both documents in PDF format to Visa Inc.
  (3dcompliance@visa.com) along with wiring the Systems Testing fees to Visa
  Inc. as described below.

3.1.1 Visa Inc. 3-D Secure Systems and Compliance Testing Agreement

The Visa Inc. 3-D Secure Systems and Compliance Testing Agreement must be
reviewed and signed by the vendor, and submitted together with the Exhibit A: Request
For Testing Services Form and the Systems Testing fees. The Visa Inc. 3-D Secure
Systems and Compliance Testing Agreement can be downloaded from
https://technologypartner.visa.com/Library/. The Agreement is only required once as long as the
most current agreement is on file.

3.1.2 Exhibit A: Request For Testing Services Form


Exhibit A: Request For Testing Services Form can be obtained from
https://technologypartner.visa.com/Library/. The Request for Testing Services Form includes
vendor contact information as well as details of the components to be tested. It must be
completed and submitted together with the Visa Inc. 3-D Secure Systems and
Compliance Testing Agreement and the Systems Testing fees. The Request For Testing
Services Form is required with each component submitted for testing.

3.2 Scheduling
To participate in Systems Testing, the vendor must first complete the Visa Inc. 3-D
Secure Systems and Compliance Testing Agreement. The Exhibit A: Request For
Testing Services Form must be completed for each component. This can be obtained
from https://technologypartner.visa.com/Library/. Each product that is enrolled in Systems
Testing will be assigned a position in the testing queue, on a first come, first served
basis. Vendors are assigned dates upon receipt of the completed Exhibit A: Request For
Testing Services Form, Authentication Services Testing Agreement, and the Systems
Testing fee.


Visa Inc. will allocate a consecutive twenty-one calendar day period to the vendor for
Systems Testing, during which the vendor will be able to test their product and receive
technical support during normal business workdays, India Standard Time. There is
limited technical assistance available during the Systems Test period. Each vendor is
allowed five hours of technical support. The Systems Test Facility is available for testing
twenty-four hours a day, seven days a week.
The output results from the Systems Test runs are available for review by the vendor by
downloading them from the Compliance Testing Facility.
If a vendor is not ready to test their product during the twenty-one consecutive calendar
day period allocated by Visa Inc., the vendor will be re-assigned to the end of the testing
queue.
Visa reserves the right to re-allocate time slots as warranted if it is deemed that a vendor
is abusing the queuing system.
3.3 Setting up Systems Testing


Upon receipt of the Visa Inc. 3-D Secure Systems and Compliance Testing Agreement,
Exhibit A: Request For Testing Services Form and the Systems Testing fees, Visa Inc.
will provide the vendor the 3-D Secure Systems Test Facility website in order for the
vendor to schedule their Systems Test. The Systems Test Facility will contact the
vendor's technical point of contact specified on the Exhibit A: Request For Testing
Services Form.
The systems test cases will be made available on the 3-D Secure Systems Test Facility
website for secure download.

3.4 Beginning Systems Testing


Prior to the start of testing, the vendor must contact the Systems Test Facility for
certificates and connectivity information. Certificates are supplied by the Systems Test
Facility and are valid only during the test period.
Note: The Systems Test Facility is not a stress test environment. The environment is
available to vendors as a unit and system test environment only. Abuse of the facility will
result in immediate termination of access to the Systems Test Facility.

4.0 3-D Secure Compliance Testing


The 3-D Secure Compliance Tests check a component for compliance with the
3-D Secure specifications.

4.1 Enrollment
To enroll in 3-D Secure Compliance Testing, a vendor must:
o Review and sign the Visa Inc. 3-D Secure Systems and Compliance Testing
  Agreement,
o Complete the Visa Inc. 3-D Secure Systems and Compliance Testing Exhibit A:
  Request For Testing Services Form,
o Complete the Visa Inc. 3-D Secure Systems and Compliance Testing
  Questionnaire, and
o Complete, sign where appropriate and email all three documents in PDF format
  to Visa Inc. (3dcompliance@visa.com) along with wiring the Compliance Testing
  fees to Visa Inc. as described below.

3.1.3 Visa Inc. 3-D Secure Systems and Compliance Testing Agreement

The Visa Inc. 3-D Secure Systems and Compliance Testing Agreement must be
reviewed and signed by the vendor, and submitted together with Exhibit A: Request For
Testing Services Form and the Compliance Testing fees. Visa Inc. 3-D Secure Systems
and Compliance Testing Agreement can be downloaded from
https://technologypartner.visa.com/Library/.

4.1.1 Exhibit A: Request For Testing Services Form


Exhibit A: Request For Testing Services Form can be obtained from
https://technologypartner.visa.com/Library/. The Request for Testing Services Form includes
vendor contact information as well as details of the components to be tested. It must be
completed and submitted together with the Visa Inc. 3-D Secure Systems and
Compliance Testing Agreement and the Compliance Testing fees.
To change the technical contact or other product information, the vendor should submit
an updated Exhibit A: Request For Testing Services Form to Visa Inc.

4.1.2 Compliance Testing Questionnaire


The Compliance Testing Questionnaire can be obtained from
https://technologypartner.visa.com/Library/ and returned to Visa Inc. prior to the authorization of
any testing. The questionnaire includes information that will help to avoid any delays.
This information is necessary to better assist you through Visa's 3-D Secure Compliance
testing process.

4.2 Scheduling Compliance Testing


To participate in Compliance Testing, the vendor must have first completed the Visa Inc.
3-D Secure Systems and Compliance Testing Agreement. The Exhibit A: Request For
Testing Services Form, and Questionnaire must be completed for each submission of
each component. These forms can be obtained from https://technologypartner.visa.com/Library/.
Each product that is enrolled in Compliance Testing will be assigned a position in the
testing queue, on a first come, first served basis. Vendors are assigned dates upon
receipt of the completed Exhibit A: Request For Testing Services Form, the Compliance
Testing fee, and the completed questionnaire.
Visa Inc. will allocate a consecutive ten calendar day period to the vendor for
Compliance Testing, during which the vendor will be able to test their product and
receive technical support. There is limited technical assistance available during the
Compliance Test period.
If the vendor's component is not available or ready to test their product during the time
slot allocated by Visa Inc., the vendor will be re-assigned to the end of the testing queue.
Visa reserves the right to re-allocate time slots as warranted if it is deemed that a vendor
is abusing the queuing system.

4.3 Interface with Compliance Test Facility Test Harness


Vendors may need to modify the interface between their 3-D-Secure component
infrastructure and the Compliance Test harness hosted at the Compliance Test Facility.
Vendors must provide all hardware, personnel, and other resources required for
Compliance Testing. The Compliance Test Facility will execute all tests required for
compliance with 3-D Secure and the vendor's enrolled component must process each
test correctly.

4.4 Required Compliance Test


The Compliance Test Facility will administer all tests applicable to the component under
test. For example, for the Compliance of a Merchant Server Plug-in, all Merchant Server
Plug-in tests will be run. No tests from any other component will be used.
The vendor must notify the Compliance Test Facility of all configuration options
supported by the component. These options are such that different configurations yield
different results. That is, if one setting of the configuration option would permit users to
process one group of 3-D Secure messages and another setting would permit use of a
different group of messages, the results for both will be evaluated. The objective is to
ensure that the end user cannot run any code that has not satisfactorily completed
Compliance Testing and validation. Final Compliance Test results will be presented to
Visa for final evaluation and confirmation of completion.

4.5 Completion of Compliance
Once a product successfully completes 3-D Secure Compliance Testing, a letter will be
provided by Visa Inc. acknowledging 3-D Secure compliance. This entitles the product:
o To be represented as 3-D Secure compliant, and
o To be listed on https://technologypartner.visa.com/Library/ as 3-D Secure compliant.
Visa Inc. has the exclusive right to grant a vendor an acknowledgement of 3-D Secure
compliance for a specific product.

Visa Inc. determines whether to grant an acknowledgement of 3-D Secure compliance
based on the test results of Compliance Testing. Visa Inc. reviews the test results and
determines if the product is in compliance with the 3-D Secure protocol and issues the letter of
acknowledgement to the vendor. The vendor must receive a Letter of Compliance for their
product to be considered compliant. If any changes are made to the component after the
vendor has received a Letter of Compliance, that changed component is not in
compliance, and the product developed should not imply otherwise. Please refer to
chapter 6 regarding compliance conditions.
Vendors must undergo Compliance Testing and validation by Visa Inc. each time they
modify a 3-D Secure product to incorporate enhancements or to accommodate revisions
to the 3-D Secure protocol.
4.6 Subsequent Compliance Process

If changes are made to the 3-D Secure protocol, vendors with product(s)
previously acknowledged by Visa Inc. as compliant must repeat compliance.

5.0 3-D Secure Testing Fees


5.1 3-D Secure Systems Testing Fees


Effective March 1, 2004, the Systems Testing fee is for a consecutive twenty-one
calendar day period. If testing requires more than a consecutive twenty-one calendar
day period, an additional Systems Testing fee must be paid.
Fees for Systems Testing using the 3-D Secure Systems Test Facility are as follows:
Systems Testing Fee: USD $5,000
o Covers a single, consecutive 21 calendar day period
o Per Access Control Server (ACS), Merchant Plug-in (MPI)
o Remote access to the Systems Test Facility via the Internet

5.2 3-D Secure Compliance Testing Fees


Effective March 1, 2004, the Compliance Testing fee is for a consecutive ten calendar
day period. If the testing requires more than a consecutive ten calendar day period, an
additional Compliance Testing fee must be paid.
Fees for Compliance Testing using the 3-D Secure Compliance Test Facility are as
follows:
Compliance Testing Fee: USD $10,000
o Covers a single, consecutive 10 calendar day period
o Per Access Control Server (ACS), Merchant Plug-in (MPI)
o Remote testing from the Compliance Test Facility via the Internet

5.3 Technical Support and Maintenance Availability


Technical support is available to vendors that enroll in the 3-D Secure Systems and
Compliance Testing. For technical support, please use the email address in Section
1.5.2 for the Compliance Test Facility.

5.4 Payment Methods
Systems and Compliance Testing fees are due upon enrollment and are to be made
payable to Visa Inc. in US dollars. Payment is to be made electronically via bank wire.
Vendors are responsible for payment of any wire transfer fee levied by the initiating
bank.
Vendors sending wire payments through their bank to Visa's bank account should notify
Visa Inc. to expect such payment via e-mail to: 3dcompliance@visa.com. When sending
testing fee payments electronically, vendors should include a description line formatted
as follows: vendorname3Dsecure71112.
Electronic bank wire payments should be sent to:
Bank of America
555 California Street
San Francisco, CA 94137
United States
Account: 14990-02709
ABA #: 121000358
Vendorname3Dsecure71112
SWIFT code: BOFAUS3N

6.0 Letter of Compliance Conditions


Purpose
This chapter discusses the legal conditions and restrictions that are associated with Visa
Inc.'s Letter of Compliance.
Visa Inc. performs limited testing to ascertain a Product's compliance with any required
specifications. Visa Inc.'s limited testing program is not designed to establish the
functionality of a compliant Product in all potential conditions in which it may be used.
This letter of compliance does not in any circumstances include or imply any guarantees,
assurances or warranties that the Product will operate in all possible settings or in
connection with any other compliant product.
This compliance notice applies only to products that are identical to the Product
submitted for compliance testing. A product should not be considered to be in
compliance, nor promoted as compliant, if any aspect of the product is different from that
which was submitted for compliance testing, even if the product conforms to the basic
Product description contained in this letter.
All products submitted for compliance testing are required to be submitted pursuant to
Visa Inc.'s 3-D Secure Compliance Testing Policies and Procedures. The compliance
letter is subject in all respects to the terms and conditions of the policies and procedures
document.
Even though this Product was submitted for compliance testing, as described in this
letter, the manufacturer of each product shall be responsible for compliance with all
applicable specifications and for all liabilities resulting from the use or distribution of the
product. Vendors may communicate to Visa Inc. customer banks, financial institutions,
merchants and service providers that the Product has received a letter of compliance,
provided, however, that all written communications referring to Visa's letter of
compliance shall contain the following legend:
When granted, Visa Inc.'s letter of compliance is provided by Visa Inc. to ensure
certain operational characteristics important to Visa Inc.'s systems as a whole,
but Visa Inc.'s letter of compliance does not under any circumstances include
any endorsement or warranty regarding the functionality, quality, security or
performance of any particular product or service. Visa Inc. does not warrant any
products or services provided by third parties. This letter of compliance does not
under any circumstances include or imply any product warranties from Visa Inc.,
including, without limitation, any implied warranties of merchantability, fitness for
purpose, or non-infringement, all of which are expressly disclaimed by Visa Inc.
All rights and remedies regarding products and services, which have received a
letter of compliance by Visa Inc., shall be provided by the party providing such
products or services, and not by Visa Inc.
All products submitted for testing are required to be submitted pursuant to an
Authentication Services Testing Agreement supplied by Visa Inc. (the
Agreement). The letter of compliance shall be void and of no effect if you have
not submitted to Visa Inc. an executed Agreement. The approval granted in this
letter is subject in all respects to the terms and conditions of the Agreement.
This letter of compliance does not supersede additional regional program
requirements and/or testing requirements as may be imposed by national testing
bodies, financial institutions, network services providers, or other customers.
Manufacturer is encouraged to ensure that testing requirements from all relevant
parties have been met and approvals granted prior to sale or installation of the
product.

Visa Inc.'s letter of compliance is granted solely in connection with the product tested
and to the submitting vendor. Such letter of compliance may not be assigned,
transferred or sublicensed, either directly or indirectly, by operation of law or otherwise.
Only those 3-D Secure product manufacturers receiving a Visa Inc. letter of compliance
for a product may claim that they have the letter of compliance.


Visa Inc. compliance may be revoked at any time. Because this compliance may be
revoked at any time, no third party should rely on this letter at any time without first
confirming the continued effectiveness of the compliant product with Visa Inc. Visa
Inc. reserves the right to modify the terms or duration of this compliance at its sole
discretion.

7.0 Component Renewal Policy


When a component is recognized as meeting the necessary requirements of 3-D Secure
Compliance Testing, Visa Inc. issues a letter of compliance to the vendor and assigns a
renewal date to the compliant product. The renewal date is communicated to the vendor
in the letter of compliance and appears on the Visa Inc. 3-D Secure Compliant Vendor
Software list. The renewal date is usually 2 year(s) after the date of compliance. The
date allows Visa to review a product as it is approaching its renewal date to ensure that
it meets Visa Inc.'s current policies and that it continues to support the version of the 3-D
Secure Protocol that the component was tested against. Visa Inc.'s current policies are
identified below.
When the product is approaching its renewal date, and if it is eligible for renewal, the
vendor can submit a request for renewal form. In completing and signing the form, the
vendor is stating that no changes have been made to the compliant product and the
vendor continues to support the identified compliant product. Once the 3-D Secure
vendor confirms that no changes have been made to the product, and it meets Visa
Inc.'s current policies, the product is eligible for renewal and will continue to be listed on
the Visa Compliant Vendor Software List.
If a product is not eligible for renewal, the vendor will be advised. The product will be
removed from the Visa Compliant Vendor Software list the month following the renewal
date.
Renewals are linked to the conditions contained in the letter of compliance sent to the
vendor when the product is verified as being compliant. If problems are identified with
the product after it has been recognized as being compliant, or extension of a renewal
was granted, Visa Inc. reserves the right to revoke the verification of compliance and
extension of renewal at any time.
Vendors seeking an extension of the renewal date in their compliance letter for a product
that no longer meets Visa Inc.'s current policies due to a Visa client seeking to use their
product will be asked to identify the client to Visa Inc. Visa Inc. will then contact the Visa
regional office where the client is located and seek confirmation that the client wishes to
use a product that no longer meets Visa Inc.'s current policies. The Visa region will then
be asked to provide a recommendation back to Visa Inc. whether the extension sought
by the vendor should be granted.
Vendors are encouraged to be aware of the renewal date assigned to their compliant
product.
Visa Inc.'s current policies for renewals include:
o 3-D Secure product must meet a version of the protocol that is currently supported by
  Visa Inc. Products that are compliant with versions of the protocol that are no longer
  supported by Visa Inc. are not eligible for renewal.
o 3-D Secure product must be in compliance with any necessary enhancements published by
  Visa Inc. to the protocol version supported.
The above policies are subject to change by Visa Inc. at any time without notice to any
party.
For questions on Visa Inc.'s 3-D Secure Compliance Renewal Policy, please contact
3dcompliance@visa.com.
