Document Comparison
pci_dss_glossary.pdf → pci_glossary_v20.pdf
81% similar
Pages: 14 → 17
Words: 6005 → 7414
Content Changes
55 content changes. 27 administrative changes (dates, page numbers) hidden.
Added
p. 2
Account Data Account data consists of cardholder data plus sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.
Account Number See Primary Account Number (PAN).
Audit Trail See Audit Log.
Authentication Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
Authentication Credentials Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process,
Cardholder Data Environment The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
Added
p. 4
Cryptoperiod The time span during which a specific cryptographic key can be used for its defined purpose based on, for example, a defined period of time and/or the amount of cipher-text that has been produced, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).
Entity Term used to represent the corporation, organization or business which is undergoing a PCI DSS review.
Hashing Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. Hashing is a (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a “hash code” or “message digest”). A hash function should have the following properties: (1) It is computationally infeasible to determine the original input given only the hash code, (2) It is computationally infeasible to find two inputs that give the same hash …
Added
p. 16
Virtualization Virtualization refers to the logical abstraction of computing resources from physical constraints. One common abstraction is referred to as virtual machines or VMs, which takes the content of a physical machine and allows it to operate on different physical hardware and/or along with other virtual machines on the same physical hardware. In addition to VMs, virtualization can be performed on many other computing resources, including applications, desktops, networks, and storage.
Virtual Hypervisor See Hypervisor.
Virtual Machine Monitor (VMM) The VMM is included with the hypervisor and is software that implements virtual machine hardware abstraction. It manages the system's processor, memory, and other resources to allocate what each guest operating system requires.
Virtual Machine A self-contained operating environment that behaves like a separate computer. It is also known as the “Guest,” and runs on top of a hypervisor.
Virtual Appliance (VA) A VA takes the concept of a pre-configured device for performing a specific …
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 1.2
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 2.0
Modified
p. 2
Audit Log Also referred to as “audit trail.” Chronological record of system activities. Provides a trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
Audit Log Also referred to as “audit trail.” Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
Modified
p. 2 → 3
Bluetooth Wireless protocol using short-range communications technology to facilitate transmission of data over short distance between two devices.
Bluetooth Wireless protocol using short-range communications technology to facilitate transmission of data over short distances.
Removed
p. 3
Cardholder Data Environment Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI DSS assessment. A cardholder data environment is comprised of system components. See System Components.
Modified
p. 3
Card Verification Code or Value Refers to either: (1) magnetic-stripe data, or (2) printed security features. (1) Data element on a card's magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
Card Verification Code or Value Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features. (1) Data element on a card's magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
• CAV: Card Authentication Value (JCB payment cards)
• CVC: Card Validation Code (MasterCard payment cards)
• CVV: Card Verification Value (Visa and Discover payment cards)
• CSC: Card Security Code (American Express)
(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to …
• Card Identification Number (American Express and Discover payment cards)
• CAV2: Card Authentication Value 2 (JCB payment cards)
• CVC2: Card Validation Code 2 (MasterCard payment cards)
• CVV2
Modified
p. 3 → 4
CIS Acronym for “Center for Internet Security.” Non-profit enterprise with mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
Modified
p. 4
Console Screen and keyboard which permits access and control of the server or mainframe computer in a networked environment.
Console Screen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment.
Modified
p. 4
Default Accounts Login account predefined in a system, application, or device to permit initial access when system is first put into service.
Default Accounts Login account predefined in a system, application, or device to permit initial access when system is first put into service. Additional default accounts may also be generated by the system as part of the installation process.
Modified
p. 4 → 5
Disk Encryption Technique or technology (either software or hardware) for encrypting all stored data on a device (e.g., hard disk, flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.
Disk Encryption Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.
Modified
p. 4 → 5
DMZ Abbreviation for “demilitarized zone.” Physical or logical sub-network or computer host that provides an additional layer of security to an organization’s internal private network. The DMZ adds an additional layer of network security between the Internet and an organization’s internal network so that external parties only have direct access to devices in the DMZ rather than all of the internal network.
DMZ Abbreviation for “demilitarized zone.” Physical or logical sub-network that provides an additional layer of security to an organization’s internal private network. The DMZ adds an additional layer of network security between the Internet and an organization’s internal network so that external parties only have direct connections to devices in the DMZ rather than the entire internal network.
Modified
p. 5
ECC Acronym for “elliptic curve cryptography.” Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.
ECC Acronym for “Elliptic Curve Cryptography.” Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.
Modified
p. 5
Egress Filtering Method of filtering traffic exiting an internal network via a router such that unauthorized traffic never leaves the internal network.
Egress Filtering Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.
Modified
p. 5
Encryption Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
Encryption Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure. See Strong Cryptography.
Modified
p. 5
Encryption Algorithm A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again.
Encryption Algorithm A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.
Modified
p. 5 → 6
FTP Acronym for “file transfer protocol.” Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. FTP can be implemented securely via SSH or other technology.
FTP Acronym for “File Transfer Protocol.” Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. FTP can be implemented securely via SSH or other technology.
Modified
p. 6 → 7
Ingress Filtering Method of filtering traffic entering an internal network via a router such that incoming packets are verified that they are actually coming from the networks they claim to be from.
Ingress Filtering Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network.
Removed
p. 7
Issuer Also referred to as “issuing bank” or “issuing financial institution.” Entity that issues payment cards directly to consumers and non-consumers.
Modified
p. 7 → 8
Key In cryptography, a key is a value that determines the output of an encryption algorithm when transforming plain text to encrypted text. The length of the key generally determines how difficult it will be to decrypt the text in a given message. See Strong Cryptography.
Key In cryptography, a key is a value that determines the output of an encryption algorithm when transforming plain text to ciphertext. The length of the key generally determines how difficult it will be to decrypt the ciphertext in a given message. See Strong Cryptography.
Modified
p. 7 → 8
LAN Acronym for “local area network.” Computer network covering a small area, often a building or group of buildings.
LAN Acronym for “local area network.” A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.
Modified
p. 7 → 8
LDAP Acronym for “lightweight direct access protocol.” Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.
LDAP Acronym for “Lightweight Directory Access Protocol.” Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.
Removed
p. 8
Masking Method of concealing a segment of data when displayed. Masking is used when there is no business requirement to view the entire PAN.
Network Segmentation Means of reducing the scope of a PCI DSS assessment by reducing the size of the cardholder data environment. To achieve this, systems that do not store, process, or transmit cardholder data should be isolated from those systems that store, process, and transmit cardholder data via network controls. See Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation.
Network Segmentation Means of reducing the scope of a PCI DSS assessment by reducing the size of the cardholder data environment. To achieve this, systems that do not store, process, or transmit cardholder data should be isolated from those systems that store, process, and transmit cardholder data via network controls. See Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation.
Modified
p. 8 → 9
Network Two or more computers connected together to share resources.
Network Two or more computers connected together via physical or wireless means.
Modified
p. 9 → 10
NTP Acronym for “network time protocol.” Protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks.
NTP Acronym for “Network Time Protocol.” Protocol for synchronizing the clocks of computer systems, network devices and other system components.
Modified
p. 9 → 10
Operating System/OS Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples of operating systems include Microsoft Windows, Mac OS, Linux and Unix.
Operating System / OS Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples of operating systems include Microsoft Windows, Mac OS, Linux and Unix.
Modified
p. 9 → 10
OWASP Acronym for “Open Web Application Security Project.” A non-profit organization established in 2004 focused on improving the security of application software. OWASP released the OWASP Top Ten, which lists the most critical vulnerabilities for web applications. (See http://www.owasp.org).
OWASP Acronym for “Open Web Application Security Project.” A non-profit organization focused on improving the security of application software. OWASP maintains a list of critical vulnerabilities for web applications. (See http://www.owasp.org).
Modified
p. 9 → 10
Password / Passphrase A string of characters that serves as an authenticator of the user.
Modified
p. 9 → 10
Pad In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plain-text and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
PAT Acronym for “port address translation” and also referred to as “network address port translation.” Type of NAT that also translates the port numbers.
Pad In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plain-text and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
Parameterized Queries A means of structuring SQL queries to limit escaping and thus prevent injection attacks.
Modified
p. 9 → 10
Payment Cards For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
Payment Application Any application that stores, processes, or transmits cardholder data as part of authorization or settlement.
Payment Cards For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
Modified
p. 9 → 10
PCI Payment Card Industry.
PCI Acronym for “Payment Card Industry.”
Modified
p. 9 → 11
Penetration Test Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the network trying to come in (external testing) and from inside the network.
PED PIN entry device.
Penetration Test Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the network trying to come in (external testing) and from inside the network.
Modified
p. 10 → 12
RADIUS Abbreviation for “remote authentication and dial-in user service.” Authentication and accounting system. Checks if information such as username and password that is passed to the RADIUS server is correct, and then authorizes access to the system.
RADIUS Abbreviation for “Remote Authentication Dial-In User Service.” Authentication and accounting system. Checks if information such as username and password that is passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
Modified
p. 10 → 12
Re-keying Process of changing cryptographic keys to limit amount of data to be encrypted with the same key.
Re-keying Process of changing cryptographic keys. Periodic re-keying limits the amount of data encrypted by a single key.
Removed
p. 11
Sanitization Process for deleting sensitive data from a file, device, or system; or for modifying data so that it is useless if accessed in an attack.
Modified
p. 11 → 13
SDLC Acronym for “system development life cycle.” Phases of the development of a software or computer system that include planning, analysis, design, testing, and implementation.
Modified
p. 11 → 13
Security Officer Primary responsible person for security related affairs of an organization.
Security Officer Primary responsible person for an entity’s security-related affairs.
Modified
p. 11 → 13
Security Policy Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
SAQ Acronym for “Self-Assessment Questionnaire.” Tool used by any entity to validate its own compliance with the PCI DSS.
Security Policy Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Security Protocols Network communications protocols designed to secure the transmission of data. Examples of security protocols include, but are not limited to SSL/TLS, IPSEC, SSH, etc.
Modified
p. 11 → 13
Sensitive Authentication Data Security-related information (card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form.
Sensitive Authentication Data Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Modified
p. 12 → 14
Smart Card Also referred to as “chip card” or “IC card (integrated circuit card).” A type of payment card that has integrated circuits embedded within. The circuits, also referred to as the “chip,” contain payment card data including, but not limited to, data equivalent to the magnetic-stripe data.
Smart Card Also referred to as “chip card” or “IC card (integrated circuit card).” A type of payment card that has integrated circuits embedded within. The circuits, also referred to as the “chip,” contain payment card data including but not limited to data equivalent to the magnetic-stripe data.
Modified
p. 12 → 14
SSH Abbreviation for “secure shell.” Protocol suite providing encryption for network services like remote login or remote file transfer.
SSH Abbreviation for “Secure Shell.” Protocol suite providing encryption for network services like remote login or remote file transfer.
Modified
p. 12 → 14
SSL Acronym for “secure sockets layer.” Established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel.
SSL Acronym for “Secure Sockets Layer.” Established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel.
Modified
p. 13 → 15
TACACS Acronym for “terminal access controller access control system.” Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network.
TACACS Acronym for “Terminal Access Controller Access Control System.” Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
Modified
p. 13 → 15
Threat Condition or activity that may cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
TLS Acronym for “transport layer security.” Designed with goal of providing data secrecy and data integrity between two communicating applications. TLS is successor of SSL.
Threat Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
TLS Acronym for “Transport Layer Security.” Designed with goal of providing data secrecy and data integrity between two communicating applications. TLS is successor of SSL.
Modified
p. 13 → 15
Token Hardware or software that performs dynamic or two-factor authentication.
Token A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN.
Modified
p. 14 → 17
WEP Acronym for “wired equivalent privacy.” Weak algorithm used to encrypt wireless networks. Several serious weaknesses have been identified by industry experts such that a WEP connection can be cracked with readily available software within minutes. See WPA.
WEP Acronym for “Wired Equivalent Privacy.” Weak algorithm used to encrypt wireless networks. Several serious weaknesses have been identified by industry experts such that a WEP connection can be cracked with readily available software within minutes. See WPA.
Modified
p. 14 → 17
WPA/WPA2 Acronym for “WiFi Protected Access.” Security protocol created to secure wireless networks. WPA is the successor to WEP and is deemed to provide better security than WEP. WPA2 was also released as the next generation of WPA.
WPA/WPA2 Acronym for “WiFi Protected Access.” Security protocol created to secure wireless networks. WPA is the successor to WEP. WPA2 was also released as the next generation of WPA.