PCI Resources
A structured approach to the PCI standards

PCI DSS Glossary

In this site or on the book volumes, I use specific vocabulary which I shall define here. This glossary is also included with each book volume.

Term Description Source

AAA

Acronym for "authentication, authorization, and accounting". Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.

PCI

Access Control List

An access control list is a list of permissions attached to an object. In networking, an access control list is a set of permissions allowing or denying network traffic between a source and destination connected to the network.

Author

ACL

Acronym for "Access Control List".

Author

Acquirer

The entity that takes on the financial risk of the merchant transaction (sometimes the acquirer is also a payment processor and the roles are mingled - the volumes distinguish between these functions).

Author

AoC

Acronym for "Attestation of Compliance". The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

PCI

APT

Acronym for "Advanced Persistent Threat". An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity. APTs usually target organizations and/or nations for business or political motives.

Wikipedia

ASV

Acronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.

PCI

ATM

Acronym for "Automated Teller Machine".

Author

Authorization

In the context of access control, authorization is the granting of access or other rights to a user, program, or process. Authorization defines what an individual or program can do after successful authentication.
In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.

PCI

Automated Teller Machine

An ATM, also known as an Automated Banking Machine (ABM), is an electronic machine that allows a bank cardholder to withdraw cash without the assistance of a teller.

Author

Bank Identification Number

The first six digits of a payment card's PAN, which identify the institution that issued the card. The Bank Identification Number (BIN) is also called the Issuer Identification Number (IIN), the term used by ISO/IEC 7812.

Author

BAU

Acronym for "business as usual." BAU is an organization's normal daily business operations.

PCI

BIN

Acronym for "Bank Identification Number".

Author

Card brands

The five founding members of the PCI SSC (American Express, Discover, JCB, MasterCard and Visa), which enforce the PCI DSS within the payment card industry and operate the networks over which payment and settlement take place.

Author

Card Production

Card Production is a standard developed and maintained by the PCI SSC that covers the requirements that payment card producers (which can be issuers) must implement.

Author

Card Verification Code or Value

Also known as Card Validation Code or Value, or Card Security Code. Refers
to either: (1) magnetic-stripe data, or (2) printed security features.

(1) Data element on a card's magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:

  • CAV - Card Authentication Value (JCB payment cards)
  • CVC - Card Validation Code (MasterCard payment cards)
  • CVV - Card Verification Value (Visa and Discover payment cards)
  • CSC - Card Security Code (American Express)


(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following list provides the terms for each card brand:

  • CID - Card Identification Number (American Express and Discover payment cards)
  • CAV2 - Card Authentication Value 2 (JCB payment cards)
  • CVC2 - Card Validation Code 2 (MasterCard payment cards)
  • CVV2 - Card Verification Value 2 (Visa payment cards)

PCI

Card-not-present payment

Card-not-present refers to transactions where the cardholder (the payer) is not physically in the presence of the merchant (in the store). It includes mail (or even fax) order catalog purchases, phone-based transactions such as airline ticket reservations and, very often, online store purchases.

Author

Card-present payment

Card-present refers to transactions where the cardholder (the payer) is physically in the presence of the merchant (in the store) and uses their payment card to pay.

Author

Cardholder Data

The main data covered by PCI DSS. Consists of the PAN, cardholder name, card expiration date, and sometimes service code.
See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

PCI

Cardholder Data Environment

The people, processes and technologies we are trying to protect. It starts with the systems that SPT CHD or SAD, but is not limited to these: systems connected to them, or that could affect their security, are part of it as well.

Author

Cardholder

The individual to whom a payment card is issued and who pays for products or services using that card.

Author

CDE

Acronym for "Cardholder Data Environment".

Author

CHD

Acronym for "Cardholder Data".

PCI

CISP

Acronym for "Cardholder Information Security Program". A program created by Visa in 1999 that served as the foundation for the PCI DSS.

Author

Clearing

Clearing is the process of matching (called reconciliation in accounting terms) merchant bank (which is generally the acquirer) and issuer transactions.

Author

Controlled Access

In the context of network segmentation for PCI DSS, the configuration that allows only limited (restricted) communications possible between systems.

Author

Critical Security Controls

The 20 recommended security controls originally published by SANS as the "SANS Top 20", now maintained by the Center for Internet Security (CIS) as the CIS Controls.

Author

CSC

Acronym for "Critical Security Controls".

Author

CVE

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities and exposures. See Zero-day vulnerabilities for the case of vulnerabilities that are not yet publicly known.

Wikipedia

CVV, CVV2

See "Card Verification Code or Value" for more detail.

PCI

DDOS

Acronym for "Distributed Denial of Service" attack. A DDOS attack is a DOS attack where the attack traffic comes from more than one, and often thousands of, unique IP addresses.

Wikipedia

DESV

PCI DSS Designated Entities Supplemental Validation for PCI DSS 3.1 (DESV) - A new set of requirements to increase assurance that an organization maintains compliance with PCI DSS over time, and that non-compliance is detected by a continuous (if not automated) audit process; this set of requirements applies to entities designated by the card brands or acquirers that are at a high risk level for the industry.

Author

DLP

Acronym for "Data Loss Prevention". A data loss prevention (DLP) solution is a system designed to detect potential data breach / data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic) and at rest (data storage).

Wikipedia

DMZ

Abbreviation for "demilitarized zone." Physical or logical sub-network that provides an additional layer of security to an organization's internal private network. The DMZ adds an additional layer of network security between the Internet and an organization's internal network so that external parties only have direct connections to devices in the DMZ rather than the entire internal network.

PCI

DOS

Acronym for "Denial of Service" attack. A DOS attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Wikipedia

DR/BC

Acronym for "Disaster Recovery/Business Continuity". Disaster recovery (DR) involves a set of policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the IT or technology systems supporting critical business functions, as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events. Disaster recovery is therefore a subset of business continuity.

Wikipedia

DSS

Acronym for "Data Security Standard". See PCI DSS.

Author

EMV

Acronym for "Europay MasterCard Visa". EMV-equipped payment cards use a small chip that holds cardholder data and performs cryptographic authentication of the card, which is far harder to copy than the static data on a magnetic track. EMV is a technical standard for smart payment cards and for the payment terminals and automated teller machines that accept them.

Wikipedia

Exfiltration

Used by some computer security practitioners in place of "data theft", to mean an unauthorized release of data from within a computer system or network (data or files extracted from the borders of a computer operations center [Source: OPM Director Katherine Archuleta Testimony]).

Wikipedia

FTP

Acronym for "File Transfer Protocol." Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. File transfers can be secured by running them over SSH (SFTP) or over TLS (FTPS). See S-FTP.

PCI

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes requirement for the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

Wikipedia

Host

For virtualization, the system (hardware or software) on which the hypervisor runs.

Author

HTTP

Acronym for "hypertext transfer protocol." Open internet protocol to transfer or convey information on the World Wide Web.

PCI

HTTPS

Acronym for "hypertext transfer protocol over secure socket layer" (today, over TLS). Secure HTTP that provides authentication and encrypted communication on the World Wide Web, designed for security-sensitive communication such as web-based logins.

PCI

Hypervisor

For virtualization, the software (or firmware) layer that creates, runs and isolates the virtual machines on a host.

Author

IDS

Acronym for "intrusion-detection system." Software or hardware used to identify and alert on network or system anomalies or intrusion attempts. Composed of: sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses a system of rules to generate alerts in response to detected security events. See IPS.

PCI

IIN

Acronym for "Issuer Identification Number".

Author

Issuer Identification Number

The first six digits of a payment card's PAN, which identify the issuer, as defined in the ISO/IEC 7812 standard. See BIN.

Author

IPS

Acronym for "intrusion prevention system." Beyond an IDS, an IPS takes the additional step of blocking the attempted intrusion.

PCI

ISA

Acronym for "Internal Security Assessor." ISAs are qualified by PCI SSC. ISAs are employees of organizations that help their organizations build their internal PCI Security Standards expertise and strengthen their approach to payment data security, as well as increasing their efficiency in compliance with data security standards.

PCI

ISO

In the context of industry standards and best practices, ISO, better known as "International Organization for Standardization" is a non-governmental organization consisting of a network of the national standards institutes.

PCI

Isolation

In the context of network segmentation for PCI DSS, the configuration that allows no possible access between systems.

Author

Issuer

The entity that issues the card to the cardholder, often (but not limited to) your bank.

Author

IT

Acronym for "Information Technology". Information technology (IT) is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise.

Wikipedia

Malware / Malicious Software

Software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner's data, applications, or operating system. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.

PCI

Merchant

The entity that receives payments from cardholders for products or services.

Author

MOTO or MO/TO

Acronym for "Mail-Order/Telephone-Order."

PCI

NAT

Acronym for "network address translation." Also known as network masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network, allowing an organization to have internal addresses that are visible internally, and external addresses that are only visible externally.

PCI

NERC

Acronym for "North American Electric Reliability Corporation". The organization that manages the cyber security standards for electrical energy companies in North America; its main standard is known as NERC CIP (Critical Infrastructure Protection), and "NERC" is often used as shorthand for it.

Author

NFC

Acronym for "Near field communication". In the payment context, NFC allows payments to be performed simply by placing a payment card equipped with an NFC chip close to the payment reader (no need to swipe the magnetic track or insert the chip).

Author

NIST

Acronym for "National Institute of Standards and Technology." Non-regulatory federal agency within U.S. Commerce Department's Technology Administration.

PCI

Organization

In the context of the PCI Resources book volumes, any entity subject to the PCI DSS, which may include businesses and not-for-profits.

Author

OSI Network Model

The Open Systems Interconnection (OSI) network model is a conceptual model that consists of 7 layers built on top of each other.

Author

P2PE

Point-to-Point Encryption (P2PE) is a standard developed and maintained by the PCI SSC that allows scope reduction by encrypting card data inside the payment terminal, so that it travels encrypted to the decryption environment and the merchant has no means of decrypting it.

Author

PA-DSS

Acronym for "Payment Application Data Security Standard." A standard maintained by the PCI SSC that provides controls over an application used in the environment of an organization that stores, processes or transmits cardholder data or sensitive authentication data.

Author

PAN

Acronym for "primary account number" and also referred to as "account number." Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

PCI

Payment processor

The entity that receives payment information from the merchant, authorizes, settles and clears the transaction (can be a bank, but can also be a service provider).

Author

PCI

Acronym for "Payment Card Industry."

PCI

PCI DSS

Acronym for "Payment Card Industry Data Security Standard." A standard maintained by the PCI SSC that provides controls over the environment of an organization that stores, processes or transmits cardholder data or sensitive authentication data.

Author

PCI SSC

Acronym for "Payment Card Industry Security Standards Council." The PCI SSC was formed by the card brands, and manages information security standards to help protect cardholder data.

Author

PFI

Acronym for "PCI Forensic Investigator". PFIs are qualified by the PCI SSC to perform forensic investigations in case of cardholder data breaches.

Author

PIN

Acronym for "personal identification number." Secret numeric password known only to the user and a system to authenticate the user to the system. The user is only granted access if the PIN the user provided matches the PIN in the system. Typical PINs are used for automated teller machines for cash advance transactions. Another type of PIN is one used in EMV chip cards where the PIN replaces the cardholder's signature.

PCI

PTS

Acronym for "PIN Transaction Security." PTS is a set of modular evaluation requirements managed by the PCI Security Standards Council for PIN acceptance POI (point of interaction) terminals. Please refer to www.pcisecuritystandards.org.

PCI

Ping sweeps

In computing, a ping sweep is a method that can establish a range of IP addresses which map to live hosts.

Wikipedia

POS

Acronym for "point of sale." Hardware and/or software used to process payment card transactions at merchant locations.

PCI

Primary Account Number

The card number printed or embossed on the front of the card, which identifies the issuer and the cardholder account. See PAN.

Author

PWN

Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership.

Wikipedia

QSA

Acronym for "Qualified Security Assessor." QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments. Refer to the QSA Qualification Requirements for details about requirements for QSA Companies and Employees.

PCI

QSAC

Acronym for "Qualified Security Assessor Company." A QSA company is a firm qualified by PCI SSC to perform PCI DSS on-site assessments. See QSA for more information.

Author

RAM-scraper

A type of malware that reads payment card data (such as track data or the PAN) out of a device's memory while it is being processed in clear text, typically on a POS system, before the data is encrypted or discarded.

Author

Regular Expressions

A regular expression (abbreviated regex or regexp and sometimes called a rational expression) is a sequence of characters that define a search pattern, mainly for use in pattern matching with strings, or string matching, i.e. "find and replace"-like operations.

Wikipedia

Report on Compliance

Report documenting detailed results from an entity's PCI DSS assessment.

PCI

RoC

Acronym for "Report on Compliance".

PCI

S-FTP

Acronym for Secure-FTP. S-FTP has the ability to encrypt authentication information and data files in transit. See FTP.

PCI

SAD

Acronym for "Sensitive Authentication Data".

PCI

SANS

Acronym for "SysAdmin, Audit, Networking and Security," an institute that provides computer security training and professional certification. (See www.sans.org.)

PCI

SAQ

Acronym for "Self-Assessment Questionnaire." Reporting tool used to document self-assessment results from an entity's PCI DSS assessment.

PCI

Sarbanes Oxley

The Sarbanes-Oxley Act of 2002, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms.

Wikipedia

Sensitive Authentication Data

Includes the full track data (from the magnetic stripe or the chip equivalent), the PIN or PIN block, and the card-not-present verification code, which we will refer to as CVV2 but which can take any of the following names: CAV2/CVC2/CVV2/CID. SAD may be processed during authorization but must never be stored after authorization, even if encrypted.

Author

Service provider

An entity that performs functions related to the payment process and/or provides services that may affect the security of cardholder data.

Author

Settlement

Payment of the outstanding balance owed by the issuer to the acquirer, and later the merchant.

Author

SIEM

Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM).

Wikipedia

SIN

A social insurance number (SIN) is a number issued in Canada to administer various government programs, including in the administration of the Canada Pension Plan and Canada's varied employment insurance programs, and for tax reporting purposes.

Wikipedia

SOX

Acronym for "Sarbanes Oxley".

Author

SPT

An Acronym for "Store, Process, or Transmit", meaning that a system or process comes into contact with CHD and/or SAD and is therefore automatically in scope for PCI DSS.

Author

SQL Injection

Form of attack on database-driven web site. A malicious individual executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database.

PCI
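
As an added example (not from the original glossary, and not tied to any product the page mentions), the insecure code this entry describes beside its fixed form. The table, the accounts and the passwords are constructed for the example and stored in an in-memory SQLite database; a real application would store password hashes, not passwords, but that is a separate control from the injection flaw shown here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "clerk")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """BAD: untrusted input is spliced into the SQL text, so quotes in the input
    change the structure of the query instead of being treated as data."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """GOOD: parameter placeholders; the driver sends the values separately from
    the SQL, so input containing quotes or comment markers stays a literal value."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Password field becomes "' OR '1'='1": the WHERE clause is now always true.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # both users returned
    # Username field becomes "alice' --": the rest of the WHERE clause is commented out.
    print(login_vulnerable(db, "alice' --", "anything"))  # alice returned, no password checked
    print(login_safe(db, "alice", "' OR '1'='1"))         # []
    print(login_safe(db, "alice' --", "anything"))        # []
```

The two payloads show the two usual shapes of the attack: breaking out of the string literal to append an always-true condition, and closing the literal then commenting out whatever follows. The parameterized version returns nothing for both because the payloads are compared against the stored password as plain text.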

SSL

Acronym for "Secure Sockets Layer." Industry standard that encrypts the channel between a web browser and web server. Now superseded by TLS. See TLS.

PCI

SSN

In the United States, a Social Security number (SSN) is a nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents.

Wikipedia

Third-Party Service Providers

In the context of the PCI Resources book volumes, an external entity engaged by an organization to perform functions related to the payment process or that may otherwise affect the security of its cardholder data (for example, by storing, processing or transmitting CHD on its behalf, or by having access to its CDE). See Service provider.

Author

TLS

Acronym for "Transport Layer Security." Designed with goal of providing data secrecy and data integrity between two communicating applications. TLS is successor of SSL.

PCI

TPSP

Acronym for "Third-Party Service Providers".

Author

Virtual machine

The individual "abstract" system that runs on a hypervisor.

Author

VM

Acronym for "virtual machine". A VM is an emulation of a particular computer system.

Wikipedia

Zero-day vulnerabilities

A zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed and uncorrected computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers or a network. It is known as a "zero-day" because once a flaw becomes known, the programmer or developer has zero days to fix it.

Wikipedia

The column "source" identifies the origin of the terms in this glossary.

  • "Author" refers to terms defined by the author.
  • "PCI" refers to definitions adapted from the PCI SSC documents, mainly the PCI DSS Glossary (https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-1.pdf).
  • "Wikipedia" refers to definitions adapted from the Wikipedia website.