The flashcards below were created by user
on FreezingBlue Flashcards.
- Acronym for “authentication, authorization, and accounting.” Protocol for
- authenticating a user based on their verifiable identity, authorizing a user
- based on their user rights, and accounting for a user’s consumption of network
- Mechanisms that limit availability of information or information-processing
- resources only to authorized persons or applications.
- Account data consists of cardholder data plus sensitive authentication data.
- See Cardholder Data and Sensitive Authentication Data
See Primary Account Number (PAN).
- Also referred to as “acquiring bank” or “acquiring financial institution.” Entity
- that initiates and maintains relationships with merchants for the acceptance of
- payment cards.
- Type of malicious software that, when installed, forces a computer to
- automatically display or download advertisements.
- Abbreviation for “Advanced Encryption Standard.” Block cipher used in
- symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS
- PUB 197 (or “FIPS 197”). See Strong Cryptography.
- Acronym for “American National Standards Institute.” Private, non-profit
- organization that administers and coordinates the U.S. voluntary
- standardization and conformity assessment system.
- Program or software capable of detecting, removing, and protecting against
- various forms of malicious software (also called “malware”) including viruses,
- worms, Trojans or Trojan horses, spyware, adware, and rootkits.
- Includes all purchased and custom software programs or groups of programs,
- including both internal and external (for example, web) applications.
- Also referred to as “audit trail.” Chronological record of system activities.
- Provides an independently verifiable trail sufficient to permit reconstruction,
- review, and examination of sequence of environments and activities
- surrounding or leading to operation, procedure, or event in a transaction from
- inception to final results.
See Audit Log
- Acronym for “Approved Scanning Vendor.” Company approved by the PCI
- SSC to conduct external vulnerability scanning services.
- Process of verifying identity of an individual, device, or process.
- Authentication typically occurs through the use of one or more authentication
- factors such as:
- 1- Something you know, such as a password or passphrase
- 2-Something you have, such as a token device or smart card
- 3- Something you are, such as a biometric
- Combination of the user ID or account ID plus the authentication factor(s) used
- to authenticate an individual, device, or process
- Granting of access or other rights to a user, program, or process. For a
- network, authorization defines what an individual or program can do after
- successful authentication.
- For the purposes of a payment card transaction authorization occurs when a
- merchant receives transaction approval after the acquirer validates the
- transaction with the issuer/processor.
- Duplicate copy of data made for archiving purposes or for protecting against
- damage or loss.
- Wireless protocol using short-range communications technology to facilitate
- transmission of data over short distances.
- Non-consumer or consumer customer to whom a payment card is issued to or
- any individual authorized to use the payment card.
- At a minimum, cardholder data consists of the full PAN. Cardholder data may
- also appear in the form of the full PAN plus any of the following: cardholder
- name, expiration date and/or service code
- See Sensitive Authentication Data for additional data elements that may be
- transmitted or processed (but not stored) as part of a payment transaction.
- The people, processes and technology that store, process or transmit
- cardholder data or sensitive authentication data, including any connected
- system components.
Code or Value
- Also known as Card Validation Code or Value, or Card Security Code.
- Refers to either: (1) magnetic-stripe data, or (2) printed security features.
- (1) Data element on a card's magnetic stripe that uses secure cryptographic
- process to protect data integrity on the stripe, and reveals any alteration
- or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on
- payment card brand. The following list provides the terms for each card
- CAV – Card Authentication Value (JCB payment cards)
- CVC – Card Validation Code (MasterCard payment cards)
- CVV – Card Verification Value (Visa and Discover payment cards)
- CSC – Card Security Code (American Express)
- (2) For Discover, JCB, MasterCard, and Visa payment cards, the second
- type of card verification value or code is the rightmost three-digit value
- printed in the signature panel area on the back of the card. For American
- Express payment cards, the code is a four-digit unembossed number
- printed above the PAN on the face of the payment cards. The code is
- uniquely associated with each individual piece of plastic and ties the PAN
- to the plastic. The following list provides the terms for each card brand:
- CID – Card Identification Number (American Express and Discover
- payment cards)
- CAV2 – Card Authentication Value 2 (JCB payment cards)
- CVC2 – Card Validation Code 2 (MasterCard payment cards)
- CVV2 – Card Verification Value 2 (Visa payment cards)
- Acronym for Carnegie Mellon University's “Computer Emergency Response
- Team.” The CERT Program develops and promotes the use of appropriate
- technology and systems management practices to resist attacks on networked
- systems, to limit damage, and to ensure continuity of critical services
- Acronym for “Center for Internet Security.” Non-profit enterprise with mission to
- help organizations reduce the risk of business and e-commerce disruptions
- resulting from inadequate technical security controls.
- Technique or technology (either software or hardware) for encrypting contents
- of a specific column in a database versus the full contents of the entire
- database. Alternatively, see Disk Encryption or File-Level Encryption.
- Compensating controls may be considered when an entity cannot meet a
- requirement explicitly as stated, due to legitimate technical or documented
- business constraints, but has sufficiently mitigated the risk associated with the
- requirement through implementation of other controls. Compensating controls
- (1) Meet the intent and rigor of the original PCI DSS requirement;
- (2) Provide a similar level of defense as the original PCI DSS requirement;
- (3) Be “above and beyond” other PCI DSS requirements (not simply in
- compliance with other PCI DSS requirements); and
- (4) Be commensurate with the additional risk imposed by not adhering to the
- PCI DSS requirement.
- See “Compensating Controls” Appendices B and C in PCI DSS Requirements
- and Security Assessment Procedures for guidance on the use of
- compensating controls.
- Also referred to as “data compromise,” or “data breach.” Intrusion into a
- computer system where unauthorized disclosure/theft, modification, or
- destruction of cardholder data is suspected.
- Screen and keyboard which permits access and control of a server, mainframe
- computer or other system type in a networked environment.
Individual purchasing goods, services, or both.
- Discipline of mathematics and computer science concerned with information
- security, particularly encryption and authentication. In applications and network
- security, it is a tool for access control, information confidentiality, and integrity
- The time span during which a specific cryptographic key can be used for its
- defined purpose based on, for example, a defined period of time and/or the
- amount of cipher-text that has been produced, and according to industry best
- practices and guidelines (for example, NIST Special Publication 800-57).
- Structured format for organizing and maintaining easily retrievable information.
- Simple database examples are tables and spreadsheets.
- Also referred to as “DBA.” Individual responsible for managing and
- administering databases
- Login account predefined in a system, application, or device to permit initial
- access when system is first put into service. Additional default accounts may
- also be generated by the system as part of the installation process.
- Password on system administration, user, or service accounts predefined in a
- system, application, or device; usually associated with default account. Default
- accounts and passwords are published and well known, and therefore easily
- Also called “disk degaussing.” Process or technique that demagnetizes the
- disk such that all data stored on the disk is permanently destroyed.
- Technique or technology (either software or hardware) for encrypting all stored
- data on a device (for example, a hard disk or flash drive). Alternatively, File-
- Level Encryption or Column-Level Database Encryption is used to encrypt
- contents of specific files or columns.
- Abbreviation for “demilitarized zone.” Physical or logical sub-network that
- provides an additional layer of security to an organization’s internal private
- network. The DMZ adds an additional layer of network security between the
- Internet and an organization’s internal network so that external parties only
- have direct connections to devices in the DMZ rather than the entire internal
- Acronym for “Domain Name System” or “domain name server.” System that
- stores information associated with domain names in a distributed database on
- networks such as the Internet.
Acronym for “Data Security Standard” and also referred to as “PCI DSS.”
- Process of using two or more separate entities (usually persons) operating in
- concert to protect sensitive functions or information. Both entities are equally
- responsible for the physical protection of materials involved in vulnerable
- transactions. No single person is permitted to access or use the materials (for
- example, the cryptographic key). For manual key generation, conveyance,
- loading, storage, and retrieval, dual control requires dividing knowledge of the
- key among the entities. (See also Split Knowledge.)
See Stateful Inspection.
- Acronym for “Elliptic Curve Cryptography.” Approach to public-key
- cryptography based on elliptic curves over finite fields. See Strong
- Method of filtering outbound network traffic such that only explicitly allowed
- traffic is permitted to leave the network.
- Process of converting information into an unintelligible form except to holders
- of a specific cryptographic key. Use of encryption protects information between
- the encryption process and the decryption process (the inverse of encryption)
- against unauthorized disclosure. See Strong Cryptography.
- Technique or technology under which certain files or logs are monitored to
- detect if they are modified. When critical files or logs are modified, alerts
- should be sent to appropriate security personnel.
- Technique or technology (either software or hardware) for encrypting the full
- contents of specific files. Alternatively, see Disk Encryption or Column-Level
- Database Encryption.
- Acronym for “Federal Information Processing Standards.” Standards that are
- publicly recognized by the U.S. Federal Government; also for use by nongovernment
- agencies and contractors.
- Hardware and/or software technology that protects network resources from
- unauthorized access. A firewall permits or denies computer traffic between
- networks with different security levels based upon a set of rules and other
- Also referred to as “computer forensics.” As it relates to information security,
- the application of investigative tools and analysis techniques to gather
- evidence from computer resources to determine the cause of data
- Acronym for “File Transfer Protocol.” Network protocol used to transfer data
- from one computer to another through a public network such as the Internet.
- FTP is widely viewed as an insecure protocol because passwords and file
- contents are sent unprotected and in clear text. FTP can be implemented
- securely via SSH or other technology.
- Acronym for “General Packet Radio Service.” Mobile data service available to
- users of GSM mobile phones. Recognized for efficient use of limited
- bandwidth. Particularly suited for sending and receiving small bursts of data,
- such as e-mail and web browsing.
- Acronym for “Global System for Mobile Communications.” Popular standard for
- mobile phones and networks. Ubiquity of GSM standard makes international
- roaming very common between mobile phone operators, enabling subscribers
- to use their phones in many parts of the world.
- Process of rendering cardholder data unreadable by converting data into a
- fixed-length message digest via Strong Cryptography. Hashing is a
- (mathematical) function in which a non-secret algorithm takes any arbitrary
- length message as input and produces a fixed length output (usually called a
- “hash code” or “message digest”). A hash function should have the following
- (1) It is computationally infeasible to determine the original input given only
- the hash code,
- (2) It is computationally infeasible to find two inputs that give the same hash
- In the context of PCI DSS, hashing must be applied to the entire PAN for the
- hash code to be considered rendered unreadable. It is recommended that
- hashed cardholder data includes a salt value as input to the hashing function
- (see Salt).
Main computer hardware on which computer software is resident.
- Offers various services to merchants and other service providers. Services
- range from simple to complex; from shared space on a server to a whole
- range of “shopping cart” options; from payment applications to connections to
- payment gateways and processors; and for hosting dedicated to just one
- customer per server. A hosting provider may be a shared hosting provider,
- who hosts multiple entities on a single server.
- Acronym for “hypertext transfer protocol.” Open internet protocol to transfer or
- convey information on the World Wide Web.
- Acronym for “hypertext transfer protocol over secure socket layer.” Secure
- HTTP that provides authentication and encrypted communication on the World
- Wide Web designed for security-sensitive communication such as web-based
- Software or firmware responsible for hosting and managing virtual machines.
- For the purposes of PCI DSS, the hypervisor system component also includes
- the virtual machine monitor (VMM).
Identifier for a particular user or application.
- Acronym for “intrusion detection system.” Software or hardware used to
- identify and alert on network or system intrusion attempts. Composed of
- sensors that generate security events; a console to monitor events and alerts
- and control the sensors; and a central engine that records events logged by
- the sensors in a database. Uses system of rules to generate alerts in response
- to security events detected.
- Acronym for “Internet Engineering Task Force.” Large, open international
- community of network designers, operators, vendors, and researchers
- concerned with evolution of Internet architecture and smooth operation of
- Internet. The IETF has no formal membership and is open to any interested
- A cryptographic token that replaces the PAN, based on a given index for an
- unpredictable value.
Protection of information to insure confidentiality, integrity, and availability.
- Discrete set of structured data resources organized for collection, processing,
- maintenance, use, sharing, dissemination, or disposition of information.
- Method of filtering inbound network traffic such that only explicitly allowed
- traffic is permitted to enter the network.
- A protocol, service, or port that introduces security concerns due to the lack of
- controls over confidentiality and/or integrity. These security concerns include
- services, protocols, or ports that transmit data and authentication credentials
- (e.g., password/passphrase in clear-text over the Internet), or that easily allow
- for exploitation by default or if misconfigured. Examples of insecure services,
- protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and
- Acronym for “internet protocol.” Network-layer protocol containing address
- information and some control information that enables packets to be routed. IP
- is the primary network-layer protocol in the Internet protocol suite.
- Also referred to as “internet protocol address.” Numeric code that uniquely
- identifies a particular computer on the Internet.
IP Address Spoofing
- Attack technique used by a malicious individual to gain unauthorized access to
- computers. The malicious individual sends deceptive messages to a computer
- with an IP address indicating that the message is coming from a trusted host.
- Acronym for “intrusion prevention system.” Beyond an IDS, an IPS takes the
- additional step of blocking the attempted intrusion.
- Abbreviation for “Internet Protocol Security.” Standard for securing IP
- communications by encrypting and/or authenticating all IP packets. IPSEC
- provides security at the network layer.
- Better known as “International Organization for Standardization.” Nongovernmental
- organization consisting of a network of the national standards
- institutes of over 150 countries, with one member per country and a central
- secretariat in Geneva, Switzerland, that coordinates the system.
- Entity that issues payment cards or performs, facilitates, or supports issuing
- services including but not limited to issuing banks and issuing processors.
- Also referred to as “issuing bank” or “issuing financial institution.”
- Examples of issuing services may include but are not limited to authorization
- and card personalization.
- In cryptography, a key is a value that determines the output of an encryption
- algorithm when transforming plain text to ciphertext. The length of the key
- generally determines how difficult it will be to decrypt the ciphertext in a given
- message. See Strong Cryptography.
- In cryptography, it is the set of processes and mechanisms which support key
- establishment and maintenance, including replacing older keys with new keys
- as necessary.
- Acronym for “local area network.” A group of computers and/or other devices
- that share a common communications line, often in a building or group of
- Acronym for “Lightweight Directory Access Protocol.” Authentication and
- authorization data repository utilized for querying and modifying user
- permissions and granting access to protected resources.
- Abbreviation for “logical partition.” A system of subdividing, or partitioning, a
- computer's total resources—processors, memory and storage—into smaller
- units that can run with their own, distinct copy of the operating system and
- applications. Logical partitioning is typically used to allow the use of different
- operating systems and applications on a single device. The partitions may or
- may not be configured to communicate with each other or share some
- resources of the server, such as network interfaces.
- Acronym for “message authentication code.” In cryptography, it is a small
- piece of information used to authenticate a message. See Strong
- Abbreviation for “media access control address.” Unique identifying value
- assigned by manufacturers to network adapters and network interface cards.
- Also referred to as “track data.” Data encoded in the magnetic stripe or chip
- used for authentication and/or authorization during payment transactions. Can
- be the magnetic stripe image on a chip or the data on the track 1 and/or track
- 2 portion of the magnetic stripe.
- Computers that are designed to handle very large volumes of data input and
- output and emphasize throughput computing. Mainframes are capable of
- running multiple operating systems, making it appear like it is operating as
- multiple computers. Many legacy systems have a mainframe design.
Malicious Software /
- Software designed to infiltrate or damage a computer system without the
- owner's knowledge or consent. Such software typically enters a network during
- many business-approved activities, which results in the exploitation of system
- vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses),
- spyware, adware, and rootkits.
- In the context of PCI DSS, it is a method of concealing a segment of data
- when displayed or printed. Masking is used when there is no business
- requirement to view the entire PAN. Masking relates to protection of PAN
- when displayed or printed. See Truncation for protection of PAN when stored
- in files, databases, etc.
- For the purposes of the PCI DSS, a merchant is defined as any entity that
- accepts payment cards bearing the logos of any of the five members of PCI
- SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for
- goods and/or services. Note that a merchant that accepts payment cards as
- payment for goods and/or services can also be a service provider, if the
- services sold result in storing, processing, or transmitting cardholder data on
- behalf of other merchants or service providers. For example, an ISP is a
- merchant that accepts payment cards for monthly billing, but also is a service
- provider if it hosts merchants as customers.
- Use of systems or processes that constantly oversee computer or network
- resources for the purpose of alerting personnel in case of outages, alarms, or
- other predefined events.
- Acronym for “multi protocol label switching.” Network or telecommunications
- mechanism designed for connecting a group of packet-switched networks.
- Acronym for “network address translation.” Known as network masquerading
- or IP masquerading. Change of an IP address used within one network to a
- different IP address known within another network.
Two or more computers connected together via physical or wireless means.
- Personnel responsible for managing the network within an entity.
- Responsibilities typically include but are not limited to network security,
- installations, upgrades, maintenance and activity monitoring.
- Include, but are not limited to firewalls, switches, routers, wireless access
- points, network appliances, and other security appliances.
- Process by which an entity’s systems are remotely checked for vulnerabilities
- through use of manual or automated tools. Security scans that include probing
- internal and external systems and reporting on services exposed to the
- network. Scans may identify vulnerabilities in operating systems, services, and
- devices that could be used by malicious individuals.
- Network segmentation isolates system components that store, process, or
- transmit cardholder data from systems that do not. Adequate network
- segmentation may reduce the scope of the cardholder data environment and
- thus reduce the scope of the PCI DSS assessment. See the Network
- Segmentation section in the PCI DSS Requirements and Security Assessment
- Procedures for guidance on using network segmentation. Network
- segmentation is not a PCI DSS requirement. See System Components.
- Acronym for “National Institute of Standards and Technology.” Non-regulatory
- federal agency within U.S. Commerce Department's Technology
- Administration. Their mission is to promote U.S. innovation and industrial
- competitiveness by advancing measurement science, standards, and
- technology to enhance economic security and improve quality of life.
- Security-scanning software that maps networks and identifies open ports in
- network resources.
- Individuals, excluding cardholders, who access system components, including
- but not limited to employees, administrators, and third parties.
- Acronym for “Network Time Protocol.” Protocol for synchronizing the clocks of
- computer systems, network devices and other system components
- Description of products that are stock items not specifically customized or
- designed for a specific customer or user and are readily available for use.
Operating System /
- Software of a computer system that is responsible for the management and
- coordination of all activities and the sharing of computer resources. Examples
- of operating systems include Microsoft Windows, Mac OS, Linux and Unix.
- Acronym for “Open Web Application Security Project.” A non-profit
- organization focused on improving the security of application software.
- OWASP maintains a list of critical vulnerabilities for web applications. (See
- Acronym for “Payment Application Qualified Security Assessor,” company
- approved by the PCI SSC to conduct assessments on payment applications
- against the PA-DSS.
- Acronym for “primary account number” and also referred to as “account
- number.” Unique payment card number (typically for credit or debit cards) that
- identifies the issuer and the particular cardholder account.
A string of characters that serve as an authenticator of the user.
- In cryptography, the one-time pad is an encryption algorithm with text
- combined with a random key or "pad" that is as long as the plain-text and used
- only once. Additionally, if key is truly random, never reused, and, kept secret,
- the one-time pad is unbreakable
- A means of structuring SQL queries to limit escaping and thus prevent
- injection attacks.
- Acronym for “port address translation” and also referred to as “network
- address port translation.” Type of NAT that also translates the port numbers.
Update to existing software to add functionality or to correct a defect.
- Any application that stores, processes, or transmits cardholder data as part of
- authorization or settlement
- For purposes of PCI DSS, any payment card/device that bears the logo of the
- founding members of PCI SSC, which are American Express, Discover
- Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
Acronym for “Payment Card Industry.”
Acronym for “personal data assistant” or “personal digital assistant.” Handheldmobile devices with capabilities such as mobile phones, e-mail, or webbrowser.
Penetration tests attempt to exploit vulnerabilities to determine whetherunauthorized access or other malicious activity is possible. Penetration testingincludes network and application testing as well as controls and processesaround the networks and applications, and occurs from both outside thenetwork trying to come in (external testing) and from inside the network.
Full-time and part-time employees, temporary employees, contractors, andconsultants who are “resident” on the entity’s site or otherwise have access tothe cardholder data environment.
Information that can be utilized to identify an individual including but not limitedto name, address, social security number, phone number, etc.
Acronym for “personal identification number.” Secret numeric password knownonly to the user and a system to authenticate the user to the system. The useris only granted access if the PIN the user provided matches the PIN in thesystem. Typical PINs are used for automated teller machines for cash advancetransactions. Another type of PIN is one used in EMV chip cards where thePIN replaces the cardholder’s signature.
Acronym for “Point of Interaction,” the initial point where data is read from acard. An electronic transaction-acceptance product, a POI consists ofhardware and software and is hosted in acceptance equipment to enable acardholder to perform a card transaction. The POI may be attended orunattended. POI transactions are typically integrated circuit (chip) and/ormagnetic-stripe card-based payment transactions.
Organization-wide rules governing acceptable use of computing resources,security practices, and guiding development of operational procedures
Acronym for “point of sale.” Hardware and/or software used to processpayment card transactions at merchant locations.
Network established by an organization that uses private IP address space.Private networks are commonly designed as local area networks. Privatenetwork access from public networks should be properly protected with theuse of firewalls and routers.
Descriptive narrative for a policy. Procedure is the “how to” for a policy anddescribes how the policy is to be implemented.
Agreed-upon method of communication used within networks. Specificationdescribing rules and procedures that computer products should follow toperform activities on a network.
Acronym for “PIN Transaction Security,” PTS is a set of modular evaluationrequirements managed by PCI Security Standards Council, for PINacceptance POI terminals. Please refer to www.pcisecuritystandards.org.
Network established and operated by a telecommunications provider, forspecific purpose of providing data transmission services for the public. Dataover public networks can be intercepted, modified, and/or diverted while intransit. Examples of public networks in scope of the PCI DSS include, but arenot limited to, the Internet, wireless, and mobile technologies.
Acronym for “PIN verification value.” Discretionary value encoded in magneticstripe of payment card.
Acronym for “Qualified Security Assessor,” company approved by the PCISSC to conduct PCI DSS on-site assessments.
Abbreviation for “Remote Authentication Dial-In User Service.” Authenticationand accounting system. Checks if information such as username andpassword that is passed to the RADIUS server is correct, and then authorizesaccess to the system. This authentication method may be used with a token,smart card, etc., to provide two-factor authentication.
Acronym for “role-based access control.” Control used to restrict access byspecific authorized users based on their job responsibilities.
Access to computer networks from a remote location, typically originating fromoutside the network. An example of technology for remote access is VPN.
Media that store digitized data and which can be easily removed and/ortransported from one computer system to another. Examples of removableelectronic media include CD-ROM, DVD-ROM, USB flash drives andremovable hard drives.
Report on Compliance
Also referred to as “ROC.” Report containing details documenting an entity’scompliance status with the PCI DSS.
Report on Validation
Also referred to as “ROV.” Report containing details documenting a paymentapplication’s compliance with the PCI PA-DSS.
Process of changing cryptographic keys. Periodic re-keying limits the amountof data encrypted by a single key.
A lab that is not maintained by the PA-QSA.
Reseller / Integrator
An entity that sells and/or integrates payment applications but does notdevelop them.
The standard identified by the Internet Engineering Task Force (IETF) thatdefines the usage and appropriate address ranges for private (non-internetroutable) networks.
Risk Analysis / RiskAssessment
Process that identifies valuable system resources and threats; quantifies lossexposures (that is, loss potential) based on estimated frequencies and costs ofoccurrence; and (optionally) recommends how to allocate resources tocountermeasures so as to minimize total exposure.
Type of malicious software that when installed without authorization, is able toconceal its presence and gain administrative control of a computer system.
Hardware or software that connects two or more networks. Functions as sorterand interpreter by looking at addresses and passing bits of information toproper destinations. Software routers are sometimes referred to as gateways.
Algorithm for public-key encryption described in 1977 by Ron Rivest, AdiShamir, and Len Adleman at Massachusetts Institute of Technology (MIT);letters RSA are the initials of their surnames.
Random string that is concatenated with other data prior to being operated onby a hash function. See also Hash.
The process of selecting a cross-section of a group that is representative ofthe entire group. Sampling may be used by assessors to reduce overall testingefforts, when it is validated that an entity has standard, centralized PCI DSSsecurity and operational processes and controls in place. Sampling is not aPCI DSS requirement.
Acronym for “SysAdmin, Audit, Networking and Security,” an institute thatprovides computer security training and professional certification. (Seewww.sans.org.)
Process of identifying all system components, people, and processes to beincluded in a PCI DSS assessment. The first step of a PCI DSS assessment isto accurately determine the scope of the review.
Acronym for “system development life cycle.” Phases of the development of asoftware or computer system that includes planning, analysis, design, testing,and implementation.
The process of creating and implementing applications that are resistant totampering and/or compromise.
Also called “secure delete,” a program utility used to delete specific filespermanently from a computer system.
Primary responsible person for an entity’s security-related affairs.
Set of laws, rules, and practices that regulate how an organization manages,protects, and distributes sensitive information
Network communications protocols designed to secure the transmission ofdata. Examples of security protocols include, but are not limited to SSL/TLS,IPSEC, SSH, etc.
Acronym for “Self-Assessment Questionnaire.” Tool used by any entity tovalidate its own compliance with the PCI DSS.
Any data center, server room or any area that houses systems that stores,processes, or transmits cardholder data. This excludes the areas where onlypoint-of-sale terminals are present such as the cashier areas in a retail store.
Security-related information (including but not limited to card validationcodes/values, full magnetic-stripe data, PINs, and PIN blocks) used toauthenticate cardholders and/or authorize payment card transactions.
Separation of Duties
Practice of dividing steps in a function among different individuals, so as tokeep a single individual from being able to subvert the process.
Computer that provides a service to other computers, such as processingcommunications, file storage, or accessing a printing facility. Servers include,but are not limited to web, database, application, authentication, DNS, mail,proxy, and NTP.
Three-digit or four-digit value in the magnetic-stripe that follows the expirationdate of the payment card on the track data. It is used for various things suchas defining service attributes, differentiating between international and nationalinterchange, or identifying usage restrictions.
Business entity that is not a payment brand, directly involved in theprocessing, storage, or transmission of cardholder data. This also includescompanies that provide services that control or could impact the security ofcardholder data. Examples include managed service providers that providemanaged firewalls, IDS and other services as well as hosting providers andother entities. Entities such as telecommunications companies that onlyprovide communication links without access to the application layer of thecommunication link are excluded.
Acronym for “Secure Hash Algorithm.” A family or set of related cryptographichash functions including SHA-1 and SHA-2. See Strong Cryptography.
Also referred to as “chip card” or “IC card (integrated circuit card).” A type ofpayment card that has integrated circuits embedded within. The circuits, alsoreferred to as the “chip,” contain payment card data including but not limited todata equivalent to the magnetic-stripe data.
Acronym for “Simple Network Management Protocol.” Supports monitoring ofnetwork attached devices for any conditions that warrant administrativeattention.
Condition in which two or more entities separately have key components thatindividually convey no knowledge of the resultant cryptographic key.
Type of malicious software that when installed, intercepts or takes partialcontrol of the user’s computer without the user’s consent.
Acronym for “Structured Query Language.” Computer language used tocreate, modify, and retrieve data from relational database managementsystems.
Form of attack on database-driven web site. A malicious individual executesunauthorized SQL commands by taking advantage of insecure code on asystem connected to the Internet. SQL injection attacks are used to stealinformation from a database from which the data would normally not beavailable and/or to gain access to an organization’s host computers throughthe computer that is hosting the database.
Abbreviation for “Secure Shell.” Protocol suite providing encryption for networkservices like remote login or remote file transfer.
Also called “dynamic packet filtering,” it is a firewall capability that providesenhanced security by keeping track of communications packets. Onlyincoming packets with a proper response (“established connections”) areallowed through the firewall.
Cryptography based on industry-tested and accepted algorithms, along withstrong key lengths and proper key-management practices. Cryptography is amethod to protect data and includes both encryption (which is reversible) andhashing (which is not reversible, or “one way”). Examples of industry-testedand accepted standards and algorithms for encryption include AES (128 bitsand higher), TDES (minimum double-length keys), RSA (1024 bits and higher),ECC (160 bits and higher), and ElGamal (1024 bits and higher).See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) formore information.
Abbreviation for “system administrator.” Individual with elevated privileges whois responsible for managing a computer system or network.
Any network component, server, or application included in or connected to thecardholder data environment.
Anything on a system component that is required for its operation, includingbut not limited to application executable and configuration files, systemconfiguration files, static and shared libraries & DLL's, system executables,device drivers and device configuration files, and added third-partycomponents.
Acronym for “Terminal Access Controller Access Control System.” Remoteauthentication protocol commonly used in networks that communicatesbetween a remote access server and an authentication server to determineuser access rights to the network. This authentication method may be usedwith a token, smart card, etc., to provide two-factor authentication.
Acronym for “Transmission Control Protocol.” Basic communication languageor protocol of the Internet.
Acronym for “Triple Data Encryption Standard” and also known as “3DES” or“Triple DES.” Block cipher formed from the DES cipher by using it three times.See Strong Cryptography.
Abbreviation for “telephone network protocol.” Typically used to provide userorientedcommand line login sessions to devices on a network. Usercredentials are transmitted in clear text.
Condition or activity that has the potential to cause information or informationprocessing resources to be intentionally or accidentally lost, modified,exposed, made inaccessible, or otherwise affected to the detriment of theorganization
Acronym for “Transport Layer Security.” Designed with goal of providing datasecrecy and data integrity between two communicating applications. TLS issuccessor of SSL.
A value provided by hardware or software that usually works with anauthentication server or VPN to perform dynamic or two-factor authentication.See RADIUS, TACACS, and VPN.
Also referred to as “Trojan horse.” A type of malicious software that wheninstalled, allows a user to perform a normal function while the Trojan performsmalicious functions to the computer system without the user’s knowledge.
Method of rendering the full PAN unreadable by permanently removing asegment of PAN data. Truncation relates to protection of PAN when stored infiles, databases, etc. See Masking for protection of PAN when displayed onscreens, paper receipts, etc.
Network of an organization that is within the organization’s ability to control ormanage.
Method of authenticating a user whereby two or more factors are verified.These factors include something the user has (such as hardware or softwaretoken), something the user knows (such as a password, passphrase, or PIN)or something the user is or does (such as fingerprints or other forms ofbiometrics).
Network that is external to the networks belonging to an organization andwhich is out of the organization’s ability to control or manage.
Virtualization refers to the logical abstraction of computing resources fromphysical constraints. One common abstraction is referred to as virtualmachines or VMs, which takes the content of a physical machine and allows itto operate on different physical hardware and/or along with other virtualmachines on the same physical hardware. In addition to VMs, virtualizationcan be performed on many other computing resources, including applications,desktops, networks, and storage.
Virtual MachineMonitor (VMM)
The VMM is included with the hypervisor and is software that implementsvirtual machine hardware abstraction. It manages the system's processor,memory, and other resources to allocate what each guest operating systemrequires.
A self-contained operating environment that behaves like a separatecomputer. It is also known as the “Guest,” and runs on top of a hypervisor.
Virtual Appliance (VA)
A VA takes the concept of a pre-configured device for performing a specific setof functions and run this device as a workload. Often, an existing networkdevice is virtualized to run as a virtual appliance, such as a router, switch, orfirewall.
Virtual Switch orRouter
A virtual switch or router is a logical entity that presents network infrastructurelevel data routing and switching functionality. A virtual switch is an integral partof a virtualized server platform such as a hypervisor driver, module, or plug-in.
A virtual terminal is web-browser-based access to an acquirer, processor orthird party service provider website to authorize payment card transactions,where the merchant manually enters payment card data via a securelyconnected web browser. Unlike physical terminals, virtual terminals do notread data directly from a payment card. Because payment card transactionsare entered manually, virtual terminals are typically used instead of physicalterminals in merchant environments with low transaction volumes.
Abbreviation for “virtual LAN” or “virtual local area network.” Logical local areanetwork that extends beyond a single traditional physical local area network.
Acronym for “virtual private network.” A computer network in which some ofconnections are virtual circuits within some larger network, such as theInternet, instead of direct connections by physical wires. The end points of thevirtual network are said to be tunneled through the larger network when this isthe case. While a common application consists of secure communicationsthrough the public Internet, a VPN may or may not have strong securityfeatures such as authentication or content encryption.A VPN may be used with a token, smart card, etc., to provide two-factorauthentication.
Flaw or weakness which, if exploited, may result in an intentional orunintentional compromise of a system..
Acronym for “wide area network.” Computer network covering a large area,often a regional or company wide computer system.
An application that is generally accessed via a web browser or through webservices. Web applications may be available via the Internet or a private,internal network.
Computer that contains a program that accepts HTTP requests from webclients and serves the HTTP responses (usually web pages).
Acronym for “Wired Equivalent Privacy.” Weak algorithm used to encryptwireless networks. Several serious weaknesses have been identified byindustry experts such that a WEP connection can be cracked with readilyavailable software within minutes. See WPA.
Wireless Access Point
Also referred to as “AP.” Device that allows wireless communication devices toconnect to a wireless network. Usually connected to a wired network, it canrelay data between wireless devices and wired devices on the network.
Network that connects computers without a physical connection to wires.
Acronym for “wireless local area network.” Local area network that links two ormore computers or devices without wires.
Acronym for “WiFi Protected Access.” Security protocol created to securewireless networks. WPA is the successor to WEP.. WPA2 was also releasedas the next generation of WPA.