PCI ISA


Card Skimmer

A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.

Memory Scraping Attacks

Malware activity that examines and extracts data that resides in memory as it is being processed or which has not been properly flushed or overwritten.

RADIUS

Remote Authentication Dial-In User Service.

Backup

A copy of data that is made in case the original data is lost or damaged. The backup can be used to restore the original data.

Index Token

A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.

Network access control (NAC)

A method of implementing security at the network layer by restricting the availability of network resources to endpoint devices according to a defined security policy.

AES

Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric cryptography, adopted by NIST in November 2001.

ANSI

Acronym for "American National Standards Institute." Private, non-profit organization that administers and coordinates the US voluntary standardization and conformity assessment system.

ASV

Acronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.

AOC

Acronym for "Attestation of Compliance." The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

AOV

Acronym for "Attestation of Validation." The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.

AAA

Acronym for "authentication, authorization, and accounting." Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.

Acquirer

Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution." Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.

Audit Log

Also referred to as an audit trail. Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.

BAU

An acronym for "business as usual".

Lightweight Directory Access Protocol (LDAP)

Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.

Service Provider

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.

Authentication Credentials

Combination of the user ID or account ID plus the authentication factors used to authenticate an individual, device, or process.

PVV (PIN Verification Value)

Discretionary value encoded in the magnetic stripe of a payment card.

Administrative Access

Elevated or increased privileges granted to an account in order for that account to manage systems, networks, and/or applications.

Payment Processor

Entity engaged by a merchant or other entity to handle payment card transactions on their behalf.

Issuer

Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors.

Authorization

In the context of access controls, authorization is the granting of access or other rights to a user, program, or process. In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.

Application

Includes all purchased and custom software programs or groups of programs, including both internal and external applications.

Access Control

Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.

Rainbow Table Attack

Method of data attack using a pre-computed table of hash strings to identify the original data source, usually for cracking password or cardholder data hashes.

Ingress Filtering

Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network.

Egress Filtering

Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.

Network Security Scan

Process by which the entity's systems are remotely checked for vulnerabilities through use of manual or automated tools.

Re-Keying

Process of changing cryptographic keys.

Authentication

Process of verifying identity of an individual, device, or process.

Anti-Virus

Program or software capable of detecting, removing, and protecting against various forms of malicious software, including viruses, worms, and Trojans.

Network Time Protocol (NTP)

Protocol for synchronizing the clocks of computer systems, network devices, and other system components.

SSH

Protocol suite providing encryption for network services like remote login or remote file transfer.

QIR

Acronym for "Qualified Integrator or Reseller."

Non-Console Access

Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.

NMAP

Security scanning software that maps networks and identifies open ports in network resources.

File Integrity Monitoring

Technique or technology under which certain files or logs are monitored to detect if they are modified.

Secure Coding

The process of creating and implementing applications that are resistant to tampering and/or compromise.

Buffer Overflow

This attack occurs when an attacker leverages a vulnerability in an application, causing data to be written to a memory area (that is, a buffer) that's being used by a different application.

SAQ P2PE

This new SAQ type has been introduced for merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution.

Adware

Type of malicious software that, when installed, forces a computer to automatically display or download advertisements.

MAC Address

Unique identifying value assigned by manufacturers to network adapters and network interface cards.

Injection Flaws

Vulnerability that is created from insecure coding techniques resulting in improper input validation, which allows attackers to relay malicious code through a web application to the underlying system.

Cross-Site Scripting (XSS)

Vulnerability that is created from insecure coding techniques, resulting in improper input validation.

Bluetooth

_____ is a wireless protocol designed for transmitting data over short distances, replacing cables.

PIN Block

A block of data used to encapsulate a PIN during processing. The PIN block format defines the content of the PIN block and how it is processed to retrieve the PIN.

Risk Ranking

A defined criterion of measurement based upon the risk assessment.

Masking

A method of concealing a segment of data when displayed or printed.

OWASP (Open Web Application Security Project)

A non-profit organization focused on improving the security of application software.

PTS (PIN Transaction Security)

A set of modular evaluation requirements managed by PCI SSC for PIN-acceptance POI terminals.

Message Authentication Code (MAC)

A small piece of information used to authenticate a message.

Payment Application

A software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.

Network Sniffing

A technique that passively monitors or collects network communications, decodes protocols, and examines contents for information of interest.

POI (Point of Interaction)

Also POS; an electronic transaction-acceptance product.

Network Address Translation (NAT)

Also known as masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network, allowing an organization to have internal addresses that are visible internally and external addresses that are only visible externally.

Pad

An encryption algorithm in which text is combined with a random key or "pad" that is as long as the plaintext and used only once.

Payment Cards

Any card that bears the logo of a founding member of PCI SSC.

SAQ D

Applies to any merchants who do not meet the criteria for other SAQs, as well as all service providers.

SAQ A

Applies to card-not-present merchants who have completely outsourced all cardholder data processing functions.

SAQ A-EP

Applies to e-commerce merchants who partially outsource all payment processing to PCI DSS compliant service providers.

SAQ C

Applies to merchants with a payment application connected to the Internet and no electronic storage of cardholder data. It normally applies to small merchants who have deployed out-of-the-box software to a standalone machine for taking individual payments.

SAQ B

Applies to merchants with no electronic cardholder data storage and who process payments either by standalone terminals or imprint-only machines.

Account Data

Consists of cardholder data and/or sensitive authentication data.

Merchant

Defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC as payment for goods or services.

SAQ C-VT

Developed for a specific environment and contains some subtle differences to SAQ C. The VT stands for virtual terminals and applies to externally hosted web payment solutions for merchants with no electronic cardholder data storage.

Network Segmentation

Isolates system components that store, process, or transmit cardholder data from systems that do not.

Compensating Controls

May be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.

Issuing Services

May include, but are not limited to, authorization and card personalization.

Truncation

Method of rendering the full PAN unreadable by permanently removing a segment of PAN data.

Organizational Independence

Organizational structure that ensures there is no conflict of interest between the person or department performing the activity and the person or department assessing the activity.

SDLC

Phases of the development of software or a computer system that include planning, analysis, design, testing, and implementation.

Risk Analysis/Risk Assessment

Process that identifies valuable system resources and threats; quantifies loss exposures based on estimated frequencies and costs of occurrence; and recommends how to allocate resources to countermeasures so as to minimize total exposure.

National Vulnerability Database (NVD)

The US government repository of standards-based vulnerability management data.

RFC 1918

The standard identified by the Internet Engineering Task Force that defines the usage and appropriate address ranges for private networks.

PAN (Primary Account Number)

Unique payment card number that identifies the issuer and the particular cardholder account.

SAQ B-IP

Used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor.
