PCI ISA
Card Skimmer
A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
Memory Scraping Attacks
Malware activity that examines and extracts data that resides in memory as it is being processed or which has not been properly flushed or overwritten.
RADIUS
Remote Authentication Dial-In User Service
Backup
A copy of data that is made in case the original data is lost or damaged. The backup can be used to restore the original data.
Index Token
A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
Network access control (NAC)
A method of implementing security at the network layer by restricting the availability of network resources to endpoint devices according to a defined security policy
AES
Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric cryptography adopted by NIST in November 2001
ANSI
Acronym for "American National Standards Institute." Private, non-profit organization that administers and coordinates the US voluntary standardization and conformity assessment system.
ASV
Acronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.
AOC
Acronym for "attestation of compliance". The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance
AOV
Acronym for "attestation of validation". The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
AAA
Acronym for "authentication, authorization, and accounting." Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources
Acquirer
Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution". Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance
Audit Log
Also referred to as audit trail. Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
BAU
An acronym for "business as usual".
Lightweight Directory Access Protocol (LDAP)
Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.
Service Provider
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
Authentication Credentials
Combination of the user ID or account ID plus the authentication factors used to authenticate an individual, device, or process.
PVV (PIN Verification Value)
Discretionary value encoded in magnetic stripe of payment card
Administrative Access
Elevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications.
Payment Processor
Entity engaged by a merchant or other entity to handle payment card transactions on their behalf.
Issuer
Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors.
Authorization
In the context of access controls, authorization is the granting of access or other rights to a user, program, or process. In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
Application
Includes all purchased and custom software programs or groups of programs, including both internal and external applications.
Access Control
Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications
Rainbow Table Attack
Method of data attack using a pre-computed table of hash strings to identify the original data source, usually for cracking password or cardholder data hashes
Ingress Filtering
Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network
Egress Filtering
Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.
Network Security Scan
Process by which the entity's systems are remotely checked for vulnerabilities through use of manual or automated tools.
Re-Keying
Process of changing cryptographic keys.
Authentication
Process of verifying identity of an individual, device, or process.
Anti-Virus
Program or software capable of detecting, removing, and protecting against various forms of malicious software including viruses, worms, Trojans
Network Time Protocol (NTP)
Protocol for synchronizing the clocks of computer systems, network devices and other system components
SSH
Protocol suite providing encryption for network services like remote login or remote file transfer
QIR
Qualified Integrator or Reseller
Non-Console Access
Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component
NMAP
Security scanning software that maps networks and identifies open ports in network resources
File Integrity Monitoring
Technique or technology under which certain files or logs are monitored to detect if they are modified.
Secure Coding
The process of creating and implementing applications that are resistant to tampering and/or compromise
Buffer Overflow
This attack occurs when an attacker leverages a vulnerability in an application, causing data to be written to a memory area (that is, a buffer) that's being used by a different application.
SAQ P2PE
This new SAQ type has been introduced for merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution.
Adware
Type of malicious software that, when installed, forces a computer to automatically display or download advertisements
MAC Address
Unique identifying value assigned by manufacturers to network adapters and network interface cards.
Injection Flaws
Vulnerability that is created from insecure coding techniques resulting in improper input validation, which allows attackers to relay malicious code through a web application to the underlying system.
Cross-Site Scripting (XSS)
Vulnerability that is created from insecure coding techniques, resulting in improper input validation.
Bluetooth
_____ is a wireless protocol designed for transmitting data over short distances, replacing cables.
PIN Block
a block of data used to encapsulate a PIN during processing. Defines the content of the PIN block and how it is processed to retrieve the PIN
Risk Ranking
a defined criterion of measurement based upon the risk assessment
Masking
a method of concealing a segment of data when displayed or printed
OWASP (Open Web Application Security Project)
a non-profit organization focused on improving the security of application software
PTS (PIN Transaction Security)
a set of modular evaluation requirements managed by PCI SSC for PIN acceptance POI terminals
Message Authentication Code (MAC)
a small piece of information used to authenticate a message
Payment Application
a software application that stores, processes, or transmits cardholder data as part of the authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
a suite of tools, techniques and methods for risk based information security strategic assessment and planning
Network Sniffing
a technique that passively monitors or collects network communications, decodes protocols, and examines contents for information of interest.
POI (Point of Interaction)
also POS: an electronic transaction-accepting product.
Network Address Translation (NAT)
also known as masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network, allowing an organization to have internal addresses that are visible internally, and external addresses that are only visible externally
Pad
an encryption algorithm in which text is combined with a random key or "pad" that is as long as the plain text and used only once
Payment Cards
any card that bears the logo of a founding member of PCI SSC
SAQ D
applies to any merchants who do not meet the criteria for other SAQs, as well as all service providers.
SAQ A
applies to card not present merchants who have completely outsourced all cardholder data processing functions
SAQ A-EP
applies to e-commerce merchants who partially outsource their payment processing to PCI DSS compliant service providers
SAQ C
applies to merchants with a payment application connected to the Internet and no electronic storage of cardholder data. It normally applies to small merchants who have deployed out-of-the box software to a standalone machine for taking individual payments.
SAQ B
applies to merchants with no electronic cardholder data storage and who process payments either by standalone terminals or imprint-only machines.
Account Data
consists of cardholder data and/or sensitive authentication data
Merchant
defined as any entity that accepts payment cards bearing the logos of any of the five members of PCISSC as payment for goods or services.
SAQ C-VT
developed for a specific environment and contains some subtle differences to SAQ C. The VT stands for virtual terminals and applies to externally hosted web payment solutions for merchants with no electronic cardholder data storage.
Network Segmentation
isolates system components that store, process, or transmit cardholder data from systems that do not.
Compensating Controls
may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
Issuing Services
may include but are not limited to authorization and card personalization.
Truncation
method of rendering the full PAN unreadable by permanently removing a segment of PAN data
Organizational Independence
organizational structure that ensures there is no conflict of interest between the person or department performing the activity and the person or department assessing the activity
SDLC
phases of the development of software or computer system that includes planning, analysis, design, testing, and implementation
Risk Analysis/Risk Assessment
process that identifies valuable system resources and threats; quantifies loss exposures based on estimated frequencies and costs of occurrence; and recommends how to allocate resources to countermeasures so as to minimize total exposure
National Vulnerability Database (NVD)
the US government repository of standards based vulnerability management data
RFC 1918
the standard identified by the Internet Engineering Task Force that defines the usage and appropriate address ranges for private networks
PAN (Primary Account Number)
unique payment card number that identifies the issuer and the particular cardholder account
SAQ B-IP
used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor.