Document Comparison

P2PE_Glossary_v1.2.pdf P2PE_v2_Glossary.pdf
62% similar
14 → 19 Pages
4943 → 6829 Words
54 Content Changes

Content Changes

54 content changes. 30 administrative changes (dates, page numbers) hidden.

Added p. 2
Account data Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.

Acquirer Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.

See also Payment Processor.

Advanced Encryption Standard (AES) A block cipher used in symmetric-key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or “FIPS 197”).

See Strong Cryptography.

Authentication Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:

- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric

Authentication credentials Combination …
Added p. 3
Cardholder data environment (CDE) The people, processes and technology that store, process, or transmit cardholder data and/or sensitive authentication data.

Certification Authority (CA) May also be called Certificate Authority. Any entity signing public keys, whether in X.509 certificate-based schemes or other designs for use in connection with the remote distribution of symmetric keys using asymmetric techniques.

See also Registration Authority.

Certification Authority/Registration Authority (CA/RA) service A service that can be offered by a third-party P2PE component provider. Such services are offered on behalf of P2PE solution providers, by entities operating CA/RA platforms in connection with remote-key distribution implementations, assessed per Domain 6 and Annex A, part A1 (as applicable) and part A2. See also P2PE component provider.
Added p. 5
See Data Encryption Algorithm.

Decryption environment The P2PE solution provider’s or component provider’s environment that contains the HSMs (or HSMs and Host System(s) for hybrid decryption solutions) used to decrypt the incoming encrypted account data originating from merchant encryption environments.

For purposes of merchant-managed solutions, the merchant decryption environment is a restricted zone within the merchant's CDE that contains the HSMs used to decrypt the incoming encrypted account data originating from the merchant's encryption environment.

Decryption-management service A service that can be offered by a third-party P2PE component provider, on behalf of P2PE solution providers. These entities manage the environment that receives and decrypts encrypted account data, as covered in Domains 5 and 6 (and Annex A as applicable).
Added p. 6
Encryption environment A merchant’s physical location(s) containing the PCI-approved POI devices used for account-data acceptance and subsequent encryption.

Merchant P2PE encryption environments include those for brick-and-mortar and or mail-order/telephone-order (MOTO) merchants, but do NOT include e-commerce environments.

Encryption-management service A service that can be offered by a third-party P2PE component provider on behalf of P2PE solution providers. These entities manage and deploy POI devices and any resident P2PE applications and/or P2PE non-payment software, as covered in Domains 1 and 6 (and Annex A as applicable).
Added p. 7
 0 + 0 = 0  0 + 1 = 1  1 + 0 = 1  1 + 1 = 0 FIPS Acronym for “Federal Information Processing Standard.” Firmware Firmware is considered to be any code within the POI device that provides security protections needed to comply with PTS device security requirements or can impact compliance to these security requirements. Firmware may be further segmented by code necessary to meet PTS Core, OP, or SRED.

Other code that exists within the device that does not provide security, and cannot impact security, is not considered firmware. P2PE applications and P2PE non-payment software are also not considered firmware.
Added p. 8
(1) It is computationally infeasible to determine the original input given only the hash code, (2) It is computationally infeasible to find two inputs that give the same hash code.

Hashing must be applied to the entire PAN for the hash code to be considered rendered unreadable. It is recommended that hashed cardholder data include an input variable (for example, a “salt”) to the hashing function to reduce or defeat the effectiveness of pre-computed rainbow table attacks.

See also Input variable.

Host System For hybrid decryption environments only. A combination of software and hardware components used for the purpose of decrypting account data, may also be used for transaction processing, and which is not considered an SCD.

Input variable Random data string that is concatenated with source data before a one-way hash function is applied. Input variables can help reduce the effectiveness of rainbow table attacks.

See also Hashing and Rainbow table attack.
Added p. 9
Also referred to as “issuing bank” or “issuing financial institution.”

Key See Cryptographic key.

Key-injection facility (KIF) Entities that perform cryptographic key injection.

Key-injection facility service A service that can be offered by a third-party P2PE component provider on behalf of P2PE solution providers. KIF services entities perform cryptographic key injection as a stand-alone service, including for POI devices and HSMs used in P2PE solutions, as covered in Annex B and Annex A (as applicable).
Added p. 10
Key-loading device (KLD) An SCD that may be used to perform cryptographic key injection/loading or code signing.
Added p. 11
Merchant Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

Merchant decryption environment See Decryption environment.

Merchant as a solution provider A merchant who is acting as its own P2PE solution provider, responsible for role of solution provider in meeting, either directly or through use of outsourced P2PE components, all P2PE Domain requirements.

Merchant-managed solution (MMS) A P2PE solution managed by a merchant rather than by a third-party solution provider. These merchant solutions are typically for large retail organizations who centrally manage the solution on behalf of their own encryption environments.

In a merchant-managed solution, part of the merchant business plays the role of a P2PE solution provider (managing POIs, decryption environment, etc.) and part of the business plays the role of a “merchant” that has no access to clear-text account data, …
Added p. 12
Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.

POI device type Unique instance (combination) of a model name, hardware and firmware number.
Added p. 13
PTS firmware is not considered a P2PE payment application and as such is not reassessed during a P2PE assessment.

See also Account data, Firmware, and P2PE non-payment software.

P2PE application vendor A vendor that develops and then sells, distributes, or licenses any P2PE application for use in a P2PE solution. A P2PE solution provider may also be a P2PE application vendor.

P2PE component A P2PE service (such as encryption management, decryption management, or key injection) that is accepted on a standalone basis as part of the P2PE Program and may be incorporated into and/or referenced as part of a P2PE solution.

A P2PE service is assessed to a specific set of P2PE requirements and results in a PCI P2PE component provider listing. P2PE component providers’ services are performed on behalf of other P2PE solution providers for use in P2PE solutions.

P2PE component provider An entity that provides a service that is assessed to a …
Added p. 14
PTS firmware is not considered P2PE non-payment software and as such is not reassessed during a P2PE assessment.

See also Account data and Firmware.

P2PE solution A combination of secure devices, applications, and processes that encrypt cardholder data from a PCI-approved point-of-interaction (POI) device through to decryption, assessed in accordance with PCI’s P2PE standard and included on PCI’s list of Validated P2PE Solutions.

P2PE solution provider An entity that:

A P2PE solution provider may be a third-party entity such as a processor, acquirer, or payment gateway. A merchant can also be a solution provider (see also Merchant as a solution provider and Merchant-managed solution).

Registration Authority (RA) An entity that performs registration services on behalf of a certification authority (CA). Registration authorities (RAs) work with a particular certification authority (CA) to vet requests for certificates that will then be issued by the certification authority.

See also Certification Authority and Certification Authority/Registration Authority service.

Secure Reading and …
Added p. 18
Terminal master key (TMK) A symmetric key used to encrypt other cryptographic keys at the point of interaction.

Test platform In the context of Domain 2, special test functionality that is separate or absent from production-level code. This platform is expected to be provided by the application vendor to the P2PE assessor, as needed to provide a framework that allows for testing of the application’s functionality outside of a production-deployment environment.

Two-factor authentication Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN), or something the user is or does (such as fingerprints, other forms of biometrics, parametrics, etc.)

Unattended acceptance terminal (UAT) See Unattended payment terminal.

Versioning methodology A process of assigning version schemes to uniquely identify a particular state of an application or software. …
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Glossary of Terms, Abbreviations, and Acronyms Version 1.2
Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms Version 2.0
Removed p. 2
Account data At a minimum, account data contains the full PAN and (if present) any elements of sensitive authentication data. The following are also considered to be account data if sent in conjunction with the PAN: cardholder name, expiration date, or service code.

ATM An unattended terminal that has electronic capability, accepts PINs, and disburses currency or checks.

Authentication The process for establishing unambiguously the identity of an entity, organization, or person at a specific point in time.

Authorization The right granted to a user to access an object, resource, or function.

Authorize To permit or give authority to a user to communicate with or make use of an object, resource, or function.

Cardholder An individual to whom a card is issued or who is authorized to use the card.
Modified p. 2
ANSI American National Standards Institute. A U.S. standards accreditation organization.
American National Standards Institute (ANSI) A U.S. standards accreditation organization.
Modified p. 2 → 3
- Cardholder name
- Expiration date
- Service Code

See Sensitive authentication data (SAD) for additional data elements that may be transmitted or processed as part of a payment transaction.

- Cardholder name
- Expiration date
- Service code

See Sensitive authentication data (SAD) for additional data elements that may be transmitted or processed as part of a payment transaction.
Removed p. 3
Compromise In cryptography, the breaching of secrecy and/or security.

Credentials Identification data for an entity, incorporating at a minimum the entity's distinguished name and public key.
Modified p. 3 → 4
A violation of the security of a system such that an unauthorized disclosure of sensitive information may have occurred. This includes the unauthorized disclosure, modification, substitution, or use of sensitive data (including clear-text cryptographic keys and other keying material).
Compromise A violation of the security of a system such that an unauthorized disclosure of sensitive information may have occurred. This includes the unauthorized disclosure, modification, substitution, or use of sensitive data (including clear-text cryptographic keys and other keying material).
Removed p. 4
Decipher See Decrypt.

Dual control A process of using two or more separate entities (usually persons), operating in concert, to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials or functions being protected. Each party is responsible for the protection of mechanisms used to enact dual control (for example, passwords, keys, etc.). No single person must be able to access or use the materials (for example, the password or keys) of the other party.
Modified p. 4 → 5
Decrypt A process of transforming cipher text (unreadable) into clear text (readable).
Decryption A process of transforming cipher text (unreadable) into clear text (readable).
Modified p. 4 → 5
Derivation key A cryptographic key, which is used to cryptographically compute another key. A derivation key is normally associated with the DUKPT key- management method.
Derivation key A cryptographic key, which is used to cryptographically compute another key. A derivation key is normally associated with the DUKPT key-management method.
Modified p. 4 → 5
Derivation keys are normally used in a transaction-receiving (for example, acquirer) SCD in a one-to-many relationship to derive or decrypt the transaction keys (the derived keys) used by a large number of originating SCDs (for example, POIs).
Derivation keys are normally used in a transaction-receiving (e.g., acquirer) SCD in a one-to-many relationship to derive or decrypt the transaction keys (the derived keys) used by a large number of originating SCDs (for example, POIs).
Modified p. 4 → 6
For manual key generation, conveyance, loading, storage, and retrieval, dual control requires split knowledge of the key among the entities. Also see Split knowledge.
For manual key generation, conveyance, loading, storage, and retrieval, dual control requires split knowledge of the key among the entities. No single person can gain control of a protected item or process.
Removed p. 5
EEPROM Electronically erasable programmable read-only memory.

Electronic key entry The entry of cryptographic keys into a SCD in electronic form using a key-loading device. The user entering the key may have no knowledge of the value of the key being entered.

EPROM Erasable programmable read-only memory.

Exclusive-OR Binary addition without carry, also known as “modulo 2 addition,” symbolized as “XOR,” and defined as:

 0 + 0 = 0  0 + 1 = 1  1 + 0 = 1  1 + 1 = 0 Fail closed A state where the PCI-approved POI device discontinues operations for PCI payment brand accounts/cards.

FIPS Federal Information Processing Standard.

Firmware The programs and data (i.e., software) permanently stored in hardware (for example, in ROM, PROM, or EPROM) such that the programs and data cannot be dynamically written or modified during execution. Programs and data stored in EEPROM are considered as software.

b) Approved to the PCI HSM standard.
Modified p. 5 → 6
Encipher See Encrypt.
Encipher See Encryption.
Modified p. 5 → 6
Encrypt The (reversible) transformation of data by a cryptographic algorithm to produce cipher text, i.e., to hide the information content of the data.
Encryption The (reversible) transformation of data by a cryptographic algorithm to produce cipher text, i.e., hiding the information content of the data.
Modified p. 5 → 6
Encrypting PIN pad (EPP) A device for secure PIN entry and encryption in an unattended PIN-acceptance device. An EPP may have a built-in display or card reader, or rely upon external displays or card readers installed in the unattended device. An EPP is typically used in an ATM or other unattended device (for example, an unattended kiosk or automated fuel dispenser) for PIN entry and is controlled by a device controller. An EPP has a clearly defined physical and …
Encrypting PIN pad (EPP) A device for secure PIN entry and encryption in an unattended PIN-acceptance device. An EPP may have a built-in display or card reader, or rely upon external displays or card readers installed in the unattended device. An EPP is typically used in an ATM or other unattended device (for example, an unattended kiosk or automated fuel dispenser) for PIN entry and is controlled by a device controller. An EPP has a clearly defined physical and …
Modified p. 5 → 7
a) Approved and configured to FIPS140-2 (level 3 or higher), or
1) Approved and configured to FIPS140-2 (level 3 or higher), or 2) Approved to the PCI HSM standard.
Removed p. 6
Issuer The institution holding the account identified by the primary account number (PAN).

Key bundle The three cryptographic keys (K1, K2, K3) used with a TDEA mode. The keys are used in three operations, such that they form the logical equivalent of one key. Keys used in conjunction with a key bundle must never be used separately for any other purpose.
Modified p. 6 → 7
Hash value The value returned by a hash function. Different hash values may be used for different purposes, and are sometimes referred to as hashes, hash codes, checksums, message digests and fingerprints.
Hash value The value returned by a hash function. Different hash values may be used for different purposes and are sometimes referred to as hashes, hash codes, checksums, message digests, and fingerprints.
Modified p. 6 → 8
ISO International Organization for Standardization. An international standards accreditation organization.
International Organization for Standardization (ISO) An international standards accreditation organization.
Removed p. 7
Key-loading device A self-contained unit that is capable of storing at least one clear-text or encrypted cryptographic key or key component that can be transferred, upon request, into a cryptographic module (such as a POI or HSM).
Modified p. 7 → 9
Key-encryption (encipherment or exchange) key (KEK) A cryptographic key that is used for the encryption or decryption of other keys.
Key-encrypting (encipherment or exchange) key (KEK) A cryptographic key that is used for the encryption or decryption of other keys.
Removed p. 8
OCSP See Online Certificate Status Protocol.

Online Certificate Status Protocol The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

Out-of-band notification Notification using a communication means independent of the primary communications means.

PAN Primary account number. See also Cardholder data.
Modified p. 8 → 11
Password A string of characters used to authenticate an identity or to verify access authorization.
Password/passphrase A string of characters that serves as an authenticator of the user.
Modified p. 8 → 12
PCI-approved POI device Point of interaction (POI) device evaluated and approved via the PCI PTS program, with SRED (secure reading and exchange of data) listed as a “function provided,” and with the SRED capabilities enabled and active.
PCI-approved POI device Point-of-interaction (POI) device evaluated and approved via the PCI PTS program, with SRED (secure reading and exchange of data) listed as a “function provided,” and with the SRED capabilities enabled and active.
Removed p. 9
Plaintext See Clear text.

P2PE Point-to-point encryption.

P2PE Application A software application that is included in a P2PE Solution, required to be assessed per P2PE Domain 2 Requirements, and is intended for use on a PCI-approved point-of-interaction (POI) device or otherwise by a merchant.

P2PE Application Vendor A software vendor that develops and then sells, distributes, or licenses any third party any P2PE Application.

P2PE Components Any application or device that stores, processes, or transmits account data as part of payment authorization or settlement, or that performs cryptographic key management functions, and is incorporated into or a part of any P2PE Solution.

P2PE Solution A point-to-point encryption solution consists of point-to-point encryption and decryption environments, the configuration and design thereof, and the P2PE Components that are incorporated into, a part of, or interact with such environment.
Modified p. 9 → 12
Point of interaction (POI) The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions." See also Secure cryptographic device.

Plaintext See Clear text.

Point of interaction (POI) The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions." See also Secure cryptographic device and PCI-approved POI device.
Removed p. 10
PROM Programmable read-only memory.
Modified p. 10 → 14
a) Designs, implements, and manages a P2PE Solution for merchants (the P2PE Solution Provider may outsource certain aspects of the P2PE Solution, for example, key injection facility, certification authority); and
a) Designs, implements, and manages a P2PE solution for merchants (the P2PE solution provider may include outsourced P2PE components that cover certain aspects of the P2PE solution, for example, key injection facility, certification authority); and
Modified p. 10 → 14
Pseudo-random A value that is statistically random and essentially random and unpredictable although generated by an algorithm.
Pseudo-random value A value that is statistically random and essentially random and unpredictable although generated by an algorithm.
Removed p. 11
ROM Read-only memory.
Modified p. 11 → 15
- An encryption system,
- A signature system,
- A combined encryption and signature system, or
- A key-agreement system.

- An encryption system,
- A signature system,
- A combined encryption and signature system, or
- A key-agreement system.

With asymmetric cryptographic techniques, there are four elementary transformations: sign and verify for signature systems, and encrypt and decrypt for encryption systems. The signature and the decryption transformation are kept private by the owning entity, whereas the corresponding verification and encryption transformations are published.
Modified p. 11 → 15
Random The process of generating values with a high level of entropy and which satisfy various qualifications, using cryptographic and hardware-based “noise” mechanisms. This results in a value in a set that has equal probability of being selected from the total population of possibilities, hence unpredictable.
Rainbow table attack A method of data attack using a pre-computed table of hash strings (fixed-length message digest) to identify the original data source, usually for cracking password or cardholder data hashes.

Random The process of generating values with a high level of entropy and which satisfy various qualifications, using cryptographic and hardware-based “noise” mechanisms. This results in a value in a set that has equal probability of being selected from the total population of possibilities, hence unpredictable.
Modified p. 11 → 16
See also Point of Interaction (POI).
See also Point of interaction (POI).
Removed p. 12
Software The programs and associated data that can be dynamically written and modified.
Modified p. 12 → 16
An SCD is used either for the acceptance and encryption of account data at the point of sale, or for cryptographic key-management functions and/or the decryption of account data. SCDs used for acceptance or encryption of account data at the point of sale are also referred to at POIs or PCI-approved POI devices. SCDs used for cryptographic key- management functions and/or the decryption of account data include HSMs (host/hardware security modules). See also Point of Interaction, PCI-approved POI device, or …
An SCD is used either for the acceptance and encryption of account data at the point of sale, or for cryptographic key-management functions and/or the decryption of account data. SCDs used for acceptance or encryption of account data at the point of sale are also referred to at POIs or PCI-approved POI devices. SCDs used for cryptographic key-management functions and/or the decryption of account data include HSMs (host/hardware security modules). See also Point of interaction, PCI-approved POI device, or Host/hardware …
Modified p. 12 → 17
Solution Provider See P2PE Solution Provider.
Solution provider See P2PE solution provider.
Modified p. 12 → 17
Split knowledge A condition under which two or more entities separately have key components, which individually convey no knowledge of the resultant cryptographic key.
Split knowledge A condition under which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.
Removed p. 13
System software The special software (for example, operating system, compilers or utility programs) designed for a specific computer system or family of computer systems to facilitate the operation and maintenance of the computer system, programs, and data.

TDEA See Triple Data Encryption Algorithm.

Trustworthy system Computer hardware and software which:

- Are reasonably secure from intrusion and misuse;
- Provide a reasonable level of availability, reliability, and correct operation; and
- Are reasonably suited to performing their intended functions.
Modified p. 13 → 18
Tampering The penetration or modification of internal operations and/or insertion of active or passive tapping mechanisms to determine or record secret data.
The penetration or modification of internal operations and/or insertion of active or passive tapping mechanisms to determine or record secret data.
Modified p. 13 → 18
- Automated fuel dispenser
- Ticketing machine
- Vending machine

- Automated fuel dispenser
- Ticketing machine
- Vending machine

Unprotected memory Components, devices, and recording media that retain data for some interval of time that reside outside the cryptographic boundary of an SCD.
Modified p. 14 → 19
Whitelist A list used by a POI function or application to make processing decisions. For example, a whitelist could be a list and/or range of non-PCI payment brand account/card numbers, approved by the solution provider, that are not required to be encrypted at the POI, or it could be used to make routing decisions that pertain to only a subset of accounts/cards processed. Unless explicitly authorized by the relevant payment brand, PCI payment brand card/account numbers must not be …
Whitelist A list of approved items used to make processing decisions. For example, a whitelist could be a list and/or range of non-PCI payment brand account/card numbers, approved by the solution provider, that are not required to be encrypted at the POI, or it could be used to make routing decisions that pertain to only a subset of accounts/cards processed. Unless explicitly authorized by the relevant payment brand, PCI payment brand card/account numbers must not be on a whitelist.