PCI Terminology
Understanding a compliance standard requires understanding all of its terminology and jargon. We've compiled our own glossary of terms for the PCI DSS to provide additional clarity beyond the Official PCI SSC Glossary.
- Acquiring Bank The bank or other financial institution that contracts with a merchant to accept and process its card payments. When a customer pays with a credit or debit card, the acquirer receives the authorization request from the merchant, routes it through the card network to the bank that issued the card (the issuer), and settles the funds back to the merchant. The acquirer is also the party most merchants report their PCI DSS compliance status to. (Visa, MasterCard, American Express, Discover and JCB are the card brands, not acquirers; see Card Brands below.)
- Approved Scanning Vendor (ASV) An organization qualified by the PCI Security Standards Council to perform the external vulnerability scans that PCI DSS Requirement 11 mandates against an entity's Internet-facing systems, and to produce the scan reports used as evidence of compliance. The scans must be run at least quarterly and after any significant change, and the ASV must be independent of the entity being scanned.
- Audit Log A chronological record of system events (logins, use of administrative privilege, access to cardholder data, configuration changes) that provides documented evidence of what happened on a system over a given period. PCI DSS Requirement 10 expects these logs to be centrally collected, protected from alteration, reviewed regularly and retained for at least a year.
- Card Brands The various payment card companies. Visa, MasterCard, American Express, Discover, JCB, et al.
- Cardholder Data (CHD) At a minimum, the full Primary Account Number (PAN). Cardholder data also includes the cardholder name, expiration date and service code when they are stored or transmitted together with the PAN. Contact details such as address, phone number and email are personal data but are not cardholder data under PCI DSS. The card verification code, PIN and full magnetic-stripe or chip contents are classified separately as sensitive authentication data (SAD), which has stricter rules.
- Cardholder Data Environment (CDE) The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, together with any system connected to that environment or able to affect its security. Reducing the size of the CDE, typically through network segmentation, also reduces the scope of a PCI DSS assessment.
- Card Verification Code or Value (CVC, CVV) There are two types. CVV1 is encoded on the magnetic stripe and is verified by the issuer during card-present (swiped) transactions. CVV2, the better-known one, is the three-digit code printed on the back of the card (MasterCard calls it CVC2; American Express prints a four-digit CID on the front) and is used for card-not-present transactions such as Internet or telephone orders. CVV2 is sensitive authentication data: it may be used to authorize a transaction but must never be stored afterwards, not even in encrypted form.
- Compensating Control An alternative control that an entity puts in place when it cannot meet a PCI DSS requirement exactly as written because of a legitimate, documented technical or business constraint. To be accepted, the control must meet the intent and rigor of the original requirement, provide a comparable level of defense, and go beyond what other PCI DSS requirements already demand; the assessor records the justification in a compensating control worksheet. A compensating control is not a way to skip a requirement, and the original constraint is expected to be re-evaluated at each assessment.
- Data Breach The release of secure or sensitive information into an untrusted environment. Also known as a data leak or data spill. The release could be intentional or accidental. In either case, unauthorized people gain access to information they are not supposed to.
- Data Flow Diagram A graphical representation of how cardholder data moves through an organization's systems and networks, from the point it enters (card terminal, web form, call center) through processing and storage to any transmission to third parties. PCI DSS requires a current data flow diagram as an input to scoping, because data that is not on the diagram is data nobody is protecting.
- Default Accounts The accounts that exist on a new computer system, network device or software application as shipped by the vendor. These accounts are designed to provide initial access for set-up and configuration and should be removed, disabled or renamed once the system is configured.
- Default Password The initial password set by the manufacturer when a system is shipped. PCI DSS Requirement 2 requires vendor-supplied defaults to be changed before a system is placed on the network, because default credentials are published in product documentation and are among the first things an attacker tries.
- Demilitarized Zone (DMZ) Also known as a perimeter network, the DMZ is a network segment that isolates a company's public-facing services from both the Internet (or other untrusted networks) and the internal network. PCI DSS requires that systems storing cardholder data, such as databases, sit on an internal segment rather than in the DMZ.
- Data Security Standard (DSS) A set of rules defined to keep valuable data secure from malicious attacks.
- Encryption The act of converting readable data into ciphertext that cannot be interpreted without the corresponding key, and that can later be decrypted by someone holding that key. Encryption is reversible; hashing is not. PCI DSS accepts strong encryption, keyed hashing, truncation and tokenization as ways to render a stored PAN unreadable, provided the keys are managed properly.
- File Integrity Monitoring (FIM) A mechanism that records a trusted baseline (typically a cryptographic hash such as SHA-256, plus ownership and permissions) for critical system files, configuration files and content files, then compares the live files against that baseline on a schedule and alerts when anything is added, removed or modified without authorization. PCI DSS Requirement 11 requires FIM or change-detection on critical files, with comparisons at least weekly and alerts reviewed.
- Firewall A network device or software component that controls traffic between network segments. A firewall permits or denies specific types of traffic in each direction based on a rule set; PCI DSS requires a default-deny stance, so that anything not explicitly allowed is blocked, and requires the rule set to be reviewed at least every six months.
- Forensics The use of structured, documented investigation and analysis techniques to gather and preserve evidence, with the goal of determining what occurred on a computer system, when, and who or what was responsible. Audit logs are a primary source of evidence in this process, which is why PCI DSS insists they be protected and retained.
- Information Security Policy The set of policies an organization establishes to define how its information and systems must be protected, and which every user granted access to the network agrees to follow. PCI DSS Requirement 12 expects the policy to be published, reviewed annually, and backed by procedures that cover all of the other requirements.
- Information System The complete set of hardware, software, network equipment, data and procedures that an organization uses to collect, process, store and communicate information.
- Insecure Protocol/Service/Port A protocol, service or port that raises security concerns because of how it operates, typically because it sends credentials or data in cleartext or lacks integrity protection. Examples include Telnet, FTP, SNMP versions 1 and 2c, and IMAP or POP3 without TLS. PCI DSS requires a documented business justification for any such service that remains enabled, along with additional controls to mitigate the risk.
- Independent Sales Organization (ISO) In the payment industry, a third party that sells merchant accounts, payment processing or point-of-sale equipment on behalf of an acquirer. An ISO is a common source of a small merchant's PCI DSS obligations and questionnaires.
- International Organization for Standardization (ISO) An international standards body composed of representatives from national standards organizations. ISO publishes standards (for example the ISO/IEC 27000 series for information security management) so that when a product or process claims conformance, it is understood which baseline requirements it meets. Not to be confused with the Independent Sales Organization above.
- Intrusion Detection System (IDS) A device or software package that monitors network or host activity against a set of signatures and policies, logs suspected incidents and sends alerts. An IDS is passive: it observes a copy of the traffic and does nothing to stop an attack, so its value depends on someone acting on the alerts.
- Intrusion Prevention System (IPS) Much like an IDS, but placed inline in the traffic path so that it can drop or reset malicious connections itself, and in some deployments reconfigure firewalls or other devices to block the source. PCI DSS Requirement 11 accepts either an IDS or an IPS at the perimeter of the CDE and at critical points inside it, provided signatures are kept current.
- IP Address A number assigned to each host or interface on a network so that devices can be identified and can communicate. An IPv4 address is made up of four octets, each a number from 0 to 255, written with dots (for example 192.168.1.10); IPv6 addresses are 128 bits long and written in hexadecimal groups.
- Merchant For the purposes of PCI DSS, a merchant is any entity that accepts payment cards bearing the logo of one of the card brands as payment for goods and/or services. A merchant that also stores, processes or transmits cardholder data on behalf of other merchants is additionally a service provider.
- Merchant Level A tier assigned to a merchant based on the number of card transactions it processes per year, which determines how it must validate compliance. The thresholds below are those used by Visa and MasterCard; other brands differ slightly. Level 4 is fewer than 20,000 e-commerce transactions (or up to 1,000,000 transactions across all channels), Level 3 is 20,000 to 1,000,000 e-commerce transactions, Level 2 is 1,000,000 to 6,000,000 transactions, and Level 1 is anything above 6,000,000 transactions per year. Level 1 merchants need an annual on-site assessment by a QSA resulting in a Report on Compliance; lower levels generally complete a Self-Assessment Questionnaire. A merchant that suffers a breach can be escalated to Level 1 regardless of volume.
- Network Diagram A graphic representation of the logical side of how a network is organized. Accurate network diagrams are a vital tool in diagnosing, repairing, and maintaining a network.
- Network Segmentation The practice of dividing a network into separate parts with controlled access between them, using firewalls, routers with access control lists, or VLANs combined with filtering. Done properly, segmentation can improve both performance and security, and it is the main tool for keeping the CDE, and therefore the scope of a PCI assessment, small. Segmentation is not a PCI DSS requirement in itself, but if it is relied on to reduce scope it must be verified by penetration testing.
- Payment Application Qualified Security Assessor (PA-QSA) A company approved by the PCI SSC to assess payment applications against the Payment Application Data Security Standard (PA-DSS), as distinct from a QSA, who assesses merchants and service providers against PCI DSS.
- Payment Application Any software sold, distributed or licensed to third parties that stores, processes or transmits cardholder data as part of authorization or settlement, ranging from electronic cash registers and point-of-sale software to website shopping carts. Software that a merchant develops solely for its own use is assessed as part of the merchant's own PCI DSS assessment instead.
- Payment Card Industry (PCI) The amalgamation of credit, debit, prepaid, e-purse, ATM, and POS cards and their respective businesses is known as the payment card industry.
- Payment Card Industry Data Security Standard (PCI DSS) The standard, maintained by the PCI SSC, that applies to every entity that stores, processes or transmits cardholder data. Its twelve requirements are grouped under six objectives: (1) build and maintain a secure network and systems, including firewalls and the removal of vendor defaults; (2) protect cardholder data wherever it is stored and encrypt it when it crosses open, public networks; (3) maintain a vulnerability management program, keeping systems patched and protected against malware; (4) implement strong access control measures, restricting access to cardholder data by business need to know and authenticating every user; (5) regularly monitor and test networks, with logging, vulnerability scans and penetration tests; and (6) maintain an information security policy for all personnel.
- Penetration Test The process of checking a computer system and/or its network for vulnerabilities by simulating a malicious attack on it. The tester analyzes the hardware, software and configuration of the target to determine if there are weaknesses, attempts to exploit the weaknesses found to show their real impact, and then summarizes everything in a report of findings that can be used to strengthen the network and systems. PCI DSS requires internal and external penetration tests at least annually and after any significant change, and, where segmentation is used to reduce scope, tests confirming that the segmentation actually holds.
- Primary Account Number (PAN) Most easily described as the credit or debit card number. It is between 13 and 19 digits long: the leading six digits (the BIN or IIN) identify the card issuer, the following digits identify the cardholder's account, and the final digit is a Luhn check digit. The PAN is the element that defines cardholder data; wherever a PAN is stored, processed or transmitted, PCI DSS applies. When displayed it must be truncated, conventionally to the first six and last four digits at most.
- Private Network A network established by an organization for internal use, commonly referred to as a local area network. Private networks normally use the private IPv4 address ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which are not routable on the public Internet.
- Qualified Security Assessor (QSA) A QSA, such as Aeris Secure, is certified by the PCI SSC to conduct PCI assessments and certify the PCI compliance of organizations.
- Remediation The act of correcting an identified weakness: applying a patch, changing a configuration, removing stored data that should not be there, or fixing a failed control, and then verifying that the fix actually closed the gap. In a PCI context, findings from scans, penetration tests and assessments are expected to be remediated and re-tested before the entity is reported as compliant.
- Remote Access Connecting to a computer system from off site, most commonly over a virtual private network (VPN). PCI DSS requires multi-factor authentication for all remote network access that originates outside the entity's network, and for all non-console administrative access into the CDE.
- Removable Electronic Media Any device that stores digitized information and can easily be moved to another location. Examples include USB flash drives, external hard drives, backup tapes, CDs and DVDs. PCI DSS requires such media to be inventoried, classified, protected and securely destroyed when no longer needed.
- Report on Compliance (ROC) The official report, completed by a QSA or an Internal Security Assessor, that documents the results of an on-site PCI DSS assessment and the company's compliance or non-compliance with each requirement. Level 1 merchants and most service providers submit a ROC; smaller merchants submit a Self-Assessment Questionnaire instead.
- Router A network device that forwards packets between networks. A router receives a packet, consults its routing table and forwards the packet toward its destination. A router operates at the network layer and connects separate networks, whereas a switch operates at the data-link layer and connects devices within one network; a router may filter traffic with access control lists, but it is not a substitute for a firewall.
- Scoping The act of determining which systems, networks, people and processes are in scope for PCI DSS, that is, which ones store, process or transmit cardholder data, are connected to the CDE, or could affect its security. Everything in scope must be assessed; the point of segmentation and data flow analysis is to make the in-scope set as small and well understood as possible.
- Service Provider Under PCI DSS, any entity other than a card brand that stores, processes or transmits cardholder data on behalf of another entity, or that provides services which control or could affect the security of cardholder data, such as hosting, managed firewalls or managed security monitoring. Telecommunications carriers that only provide the communication link, such as Internet or mobile phone service providers, are explicitly excluded, even though they are service providers in the everyday sense.
- System Components In PCI DSS, the network devices, servers, computing devices and applications that make up an environment. For a network this includes routers, switches, firewalls and wireless access points; for hosts it includes physical and virtual servers, workstations, point-of-sale devices and the operating systems and applications running on them, including cloud and virtualization components.
- Two-Factor Authentication Requiring more than one form of authentication before granting access. True two-factor (or, more generally, multi-factor) authentication takes its factors from different categories: something you know (a password or PIN), something you have (a hardware token, smart card or phone) and something you are (a fingerprint or other biometric). A password plus a second password is not two-factor. A common system combines a password as something you know with a one-time code from a token or an issued keycard as something you have. PCI DSS requires multi-factor authentication for remote access into the network and for all non-console administrative access to the CDE.
- Vulnerability A weakness or flaw in a system, policy or procedure that could be exploited, accidentally or intentionally, and result in a security breach or policy violation. Vulnerabilities include software and hardware bugs or defects, which are most easily mitigated by keeping software patched and replacing obsolete hardware, and they can also arise from how otherwise sound hardware and software are configured or implemented.
- Vulnerability Scan The act of checking a network or computer system for known weaknesses, usually with an automated tool that identifies open ports, software versions, device types and missing patches. Scans may be run unauthenticated from the outside (as an ASV does) or authenticated with credentials from the inside, which finds considerably more. PCI DSS requires both internal and external scans at least quarterly and after significant changes, with every high-risk finding remediated and re-scanned.
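The Primary Account Number and Cardholder Data entries above describe what the number is; what a practitioner repeatedly has to do during scoping is find PANs that have leaked into places they should not be (application logs, support tickets, database exports) and display them truncated. The following Python is an added example written for this page; it is not code from the PCI SSC or from Aeris Secure. It assumes the conventional "first six, last four" truncation rule, 13- to 19-digit PANs optionally separated by spaces or dashes, and constructed sample log lines; the Luhn check digit is used to weed out other long numbers such as order references.

```python
import re

# Constructed sample log lines: three well-known test PANs (Visa, MasterCard
# with dashes, and a 15-digit American Express number) plus a 16-digit
# reference number that is not a card number and fails the Luhn check.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z order=1001 card=4111111111111111 amount=19.99
2024-03-01T10:15:09Z order=1002 ref=1234567890123456 amount=5.00
2024-03-01T10:16:44Z order=1003 card=5555-5555-5555-4444 amount=42.10
2024-03-01T10:17:01Z order=1004 card=378282246310005 amount=100.00
"""

# 13 to 19 digits, each optionally followed by a single space or dash,
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN to first six and last four, the classic PCI display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _as_pan(candidate: str):
    """Strip separators and return the digits only if they look like a real PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """List every Luhn-valid PAN found in text, in order of appearance."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _as_pan(m.group(0))
        if digits is not None:
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every PAN in text with its truncated form; leave other numbers alone."""
    def repl(m):
        digits = _as_pan(m.group(0))
        return mask_pan(digits) if digits is not None else m.group(0)
    return CANDIDATE_RE.sub(repl, text)


if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Run over real log directories, `find_pans` is the discovery tool: any hit in a log file means the file, the system writing it and the system storing it are in scope for PCI DSS, and the log pipeline needs to be fixed. The Luhn test removes most false positives but not all, since roughly one in ten random digit strings passes it, so hits still need a human look. Note that `redact` drops separators when it masks, and that masking is a display control only: a truncated PAN in a log is acceptable, but the full PAN must also be removed from wherever it was originally written.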