PCI-Glossary

Cards (266)

  • Payment Card Industry (PCI) standards
    • Data Security Standard (DSS)
    • Payment Application Data Security Standard (PA-DSS)
  • AAA
    Acronym for "authentication, authorization, and accounting." Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.
  • Access Control
    Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.
  • Account Data
    Account data consists of cardholder data and/or sensitive authentication data.
  • Account Number
    See Primary Account Number (PAN).
  • Acquirer
    Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution". Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.
  • Administrative Access
    Elevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications.
  • Adware
    Type of malicious software that, when installed, forces a computer to automatically display or download advertisements.
  • AES
    Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or "FIPS 197").
  • ANSI
    Acronym for "American National Standards Institute." Private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.
  • Anti-Virus
    Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called "malware") including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.
  • AOC
    Acronym for "attestation of compliance." The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
  • AOV
    Acronym for "attestation of validation." The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
  • Application
    Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.
  • ASV
    Acronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.
  • Audit Log
    Also referred to as "audit trail." Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
  • Audit Trail
    See Audit Log.
  • Authentication
    Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as: Something you know, such as a password or passphrase; Something you have, such as a token device or smart card; Something you are, such as a biometric.
  • Authentication Credentials
    Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
  • Authorization
    In the context of access control, authorization is the granting of access or other rights to a user, program, or process. Authorization defines what an individual or program can do after successful authentication.
  • Backup
    Duplicate copy of data made for archiving purposes or for protecting against damage or loss.
  • BAU
    An acronym for "business as usual." BAU is an organization's normal daily business operations.
  • Bluetooth
    Wireless protocol using short-range communications technology to facilitate transmission of data over short distances.
  • Buffer Overflow
    Vulnerability that is created from insecure coding methods, where a program overruns the buffer's boundary and writes data to adjacent memory space. Buffer overflows are used by attackers to gain unauthorized access to systems or data.
  • Card Skimmer
    A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
  • Card Verification Code or Value
    Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features.
  • Cardholder
    Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card.
  • Cardholder Data
    At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
  • CDE
    Acronym for "cardholder data environment." The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
  • Cellular Technologies
    Mobile communications through wireless telephone networks, including but not limited to Global System for Mobile communications (GSM), code division multiple access (CDMA), and General Packet Radio Service (GPRS).
  • CERT
    Acronym for Carnegie Mellon University's "Computer Emergency Response Team." The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
  • Change Control
    Processes and procedures to review, test, and approve changes to systems and software for impact before implementation.
  • CIS
    Acronym for "Center for Internet Security." Non-profit enterprise with mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
  • Column-Level Database Encryption
    Technique or technology (either software or hardware) for encrypting contents of a specific column in a database versus the full contents of the entire database.
  • Compensating Controls
    Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
  • Compromise
    Also referred to as "data compromise," or "data breach." Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
  • Console
    Screen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment.
  • Consumer
    Individual purchasing goods, services, or both.
  • Critical systems / critical technologies
    A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained.
  • Cross-Site Request Forgery (CSRF)
    Vulnerability that is created from insecure coding methods that allows for the execution of unwanted actions through an authenticated session. Often used in conjunction with XSS and/or SQL injection.