PCI-Glossary
Cards (266)
- Payment Card Industry (PCI) standards
- Data Security Standard (DSS)
- Payment Application Data Security Standard (PA-DSS)
- AAAAcronym for "authentication, authorization, and accounting." Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user's consumption of network resources.
- Access ControlMechanisms that limit availability of information or information-processing resources only to authorized persons or applications.
- Account DataAccount data consists of cardholder data and/or sensitive authentication data.
- Account NumberSee Primary Account Number (PAN).
- AcquirerAlso referred to as "merchant bank," "acquiring bank," or "acquiring financial institution". Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.
- Administrative AccessElevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications.
- AdwareType of malicious software that, when installed, forces a computer to automatically display or download advertisements.
- AESAbbreviation for "Advanced Encryption Standard." Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or "FIPS 197").
- ANSIAcronym for "American National Standards Institute." Private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.
- Anti-VirusProgram or software capable of detecting, removing, and protecting against various forms of malicious software (also called "malware") including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.
- AOCAcronym for "attestation of compliance." The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
- AOVAcronym for "attestation of validation." The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
- ApplicationIncludes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.
- ASVAcronym for "Approved Scanning Vendor." Company approved by the PCI SSC to conduct external vulnerability scanning services.
- Audit LogAlso referred to as "audit trail." Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
- Audit TrailSee Audit Log.
- AuthenticationProcess of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as: Something you know, such as a password or passphrase; Something you have, such as a token device or smart card; Something you are, such as a biometric.
- Authentication CredentialsCombination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
- AuthorizationIn the context of access control, authorization is the granting of access or other rights to a user, program, or process. Authorization defines what an individual or program can do after successful authentication.
- BackupDuplicate copy of data made for archiving purposes or for protecting against damage or loss.
- BAUAn acronym for "business as usual." BAU is an organization's normal daily business operations.
- BluetoothWireless protocol using short-range communications technology to facilitate transmission of data over short distances.
- Buffer OverflowVulnerability that is created from insecure coding methods, where a program overruns the buffer's boundary and writes data to adjacent memory space. Buffer overflows are used by attackers to gain unauthorized access to systems or data.
- Card SkimmerA physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
- Card Verification Code or ValueAlso known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features.
- CardholderNon-consumer or consumer customer to whom a payment card is issued to or any individual authorized to use the payment card.
- Cardholder DataAt a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
- CDEAcronym for "cardholder data environment." The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
- Cellular TechnologiesMobile communications through wireless telephone networks, including but not limited to Global System for Mobile communications (GSM), code division multiple access (CDMA), and General Packet Radio Service (GPRS).
- CERTAcronym for Carnegie Mellon University's "Computer Emergency Response Team." The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
- Change ControlProcesses and procedures to review, test, and approve changes to systems and software for impact before implementation.
- CISAcronym for "Center for Internet Security." Non-profit enterprise with mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
- Column-Level Database EncryptionTechnique or technology (either software or hardware) for encrypting contents of a specific column in a database versus the full contents of the entire database.
- Compensating ControlsCompensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
- CompromiseAlso referred to as "data compromise," or "data breach." Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
- ConsoleScreen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment.
- ConsumerIndividual purchasing goods, services, or both.
- Critical systems / critical technologiesA system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained.
- Cross-Site Request Forgery (CSRF)Vulnerability that is created from insecure coding methods that allows for the execution of unwanted actions through an authenticated session. Often used in conjunction with XSS and/or SQL injection.