Document Comparison
PCI-SSF-Glossary-v1_1.pdf
→
PCI-SSF-Glossary-v1_2.pdf
71% similar
Pages: 10 → 10
Words: 3006 → 3106
Content changes: 39
39 content changes. 12 administrative changes (dates, page numbers) hidden.
Added
p. 2
December 2022 1.2 Updates to add or modify terminology to support the introduction of the Secure Software Standard: Web Software Module.
Adversarial testing Methods or techniques used during a software evaluation to force the software to behave in unintended ways or to bypass software security controls.
Assessor company Companies approved by PCI SSC (as defined in the associated program documentation) to perform security assessments against PCI standards, including those standards associated with the Secure Software Framework.
Critical assets Term used to collectively reference all sensitive data, sensitive functions, and sensitive resources. Critical assets are those data, functions, and resources that if exposed, misused, altered, or disabled, could impair the software’s ability to function properly or meet its security objectives.
Data element Term used to represent a single piece of information or datum.
Execution environment The collective hardware, software, and services required by a software application for operation. This includes, but may not be limited to, …
Added
p. 10
Transient data Data that is created and retained (usually in volatile memory) for the purposes of a single application session. At the end of the session, the data is securely deleted or is reset back to its default values and is not stored persistently.
Modified
p. 1
Payment Card Industry (PCI) Software Security Framework Glossary of Terms, Abbreviations, and Acronyms Version 1.1
Payment Card Industry (PCI) Software Security Framework Glossary of Terms, Abbreviations, and Acronyms Version 1.2
Modified
p. 2
February 2021 1.1 Updates to add and modify terminology to support the Secure SLC Program expansion and the introduction of the Secure Software Standard: Terminal Software Module.
February 2021 1.1 Updates to add or modify terminology to support the Secure SLC Program expansion and the introduction of the Secure Software Standard: Terminal Software Module.
Removed
p. 3
Control objective The specific software security controls and outcomes required to satisfy the parent security objective.
Critical assets Collective term to describe any software element that if exposed, misused, altered, or disabled could impair the software’s ability to function properly or meet its security objectives. Sensitive data, sensitive functions, and sensitive resources are also considered critical assets.
Modified
p. 3
Assessor Individuals approved by PCI SSC (as defined in the associated program documentation) to perform security assessments against PCI standards, including those standards associated with the Software Security Framework.
Assessor Individuals approved by PCI SSC (as defined in the associated program documentation) to perform security assessments against PCI standards, including those standards associated with the PCI Software Security Framework.
Modified
p. 3
Authentication credentials A combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
Authentication credentials A combination of the user ID (or account ID) and the authentication factor(s) used to authenticate an individual, device, application, system, or process.
Modified
p. 3
Confidential data A form of sensitive data that explicitly requires protection from unauthorized disclosure. Examples of confidential data include cardholder data (CHD), sensitive authentication data (SAD), and private cryptographic keys. See Sensitive Data.
Confidential data A form of sensitive data that explicitly requires protection from unauthorized disclosure. Examples of confidential data include cardholder data (CHD), sensitive authentication data (SAD), and private cryptographic keys.
Removed
p. 4
Execution environment In the context of the Software Security Framework, a collection of services and components relied on by software during operation. It includes all components and services that are used and relied on by the software to make a complete system, for example, the processors, hardware components, networks, operating systems, databases, and cloud platforms (e.g., PaaS and SaaS).
Modified
p. 4
Default software settings Software settings that are configured or active upon software installation, initialization, or first use, depending upon the software architecture or deployment environment.
Default software settings Software settings that are configured or active upon software installation, initialization, or first use.
Modified
p. 4
Entropy In cryptographic operations, the measure of the unpredictability of a random seed value. Entropy is generally measured in "bits," where a higher number indicates that the particular event is less predictable than an event with a lower number. Entropy is used to measure the security strength of cryptographic keys.
Entropy Term used in cryptographic operations to represent the measure of the unpredictability of a random seed value. Entropy is generally measured in "bits," where a higher number indicates that the particular event is less predictable than an event with a lower number. Entropy is used to measure the security strength of cryptographic keys.
Modified
p. 4
Also commonly referred to as the execution platform or runtime environment.
Modified
p. 4
External communications Any communication method that uses a wireless, local-area network, wide-area network, or a public domain protocol or security protocol to transport data. This includes, but is not limited to, Bluetooth, Wi-Fi, cellular (GPRS, CDMA), or Ethernet, and a serial point-to-point connection that is wireless or through a hub, switch, or other multiport device.
External communications Any communication method that uses a wireless, local-area network, wide-area network, or a public domain protocol or security protocol to transport data. This includes, but is not limited to, Bluetooth, Wi-Fi, cellular, or Ethernet, and a serial point-to-point connection that is wireless or through a hub, switch, or other multiport device.
Modified
p. 5
Functional testing Evaluation of software against functional requirements to verify the software has met those requirements.
Functional testing The evaluation of software against functional requirements to verify the software has met those requirements.
Modified
p. 5
Install base The number of units of a product or service that are currently implemented and in use.
Install base The number of units of a software application that are currently implemented and in use. The install base is generally regarded as the size or amount of code comprising all software functionality and is typically measured in “bytes”.
Removed
p. 6
One-time pad In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plaintext and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
Payment data Data exchanged for purposes of conducting a transaction which may include account or tokenized data.
Payment software In the context of the Software Security Framework, software involved in or directly supporting or facilitating payment transactions.
Modified
p. 6
Open Web Application Security Project (OWASP) A non-profit organization focused on improving the security of application software. OWASP maintains a list of critical vulnerabilities for web applications. (See http://www.owasp.org).
Open Web Application Security Project (OWASP) A non-profit organization focused on improving the security of web application software. OWASP maintains a list of critical vulnerabilities for web applications. (See http://www.owasp.org).
Modified
p. 6
Payment environment Term used to holistically describe all manual and automated processes and systems involved in performing payment transactions.
Payment environment Term used to holistically describe all manual and automated processes and systems involved in the execution of payment transactions.
Modified
p. 6 → 7
Persistent sensitive data Sensitive data that is retained in non-volatile storage and persists even if power to the device is shut off.
Persistent data Data that is retained in non-volatile storage and persists even if power to the device is shut off.
Removed
p. 7
Rainbow table attack A method of data attack using a pre-computed table of hash strings (fixed-length message digest) to identify the original data source, usually for cracking passwords or cardholder data hashes.
Secure SLC Qualified Vendor A software vendor who has had its software lifecycle management practices assessed and qualified to the Payment Card Industry SSC Secure SLC Requirements and meets all PCI program requirements associated with Secure SLC vendor qualification.
Secure Software Lifecycle (Secure SLC) The evolution process of a software application from inception through design, development, deployment, maintenance, and finally decommission. A Secure SLC ensures that security is integrated at all stages of the software lifecycle.
Modified
p. 7
Regression testing Evaluation to confirm that updates to address specific software issues (such as faulty functionality or security problems) sufficiently address those issues, do not introduce other software issues, and remain compatible to existing code.
Regression testing A software evaluation technique used to confirm that updates to address specific software issues (such as faulty functionality or security problems) sufficiently address those issues, do not introduce other software issues, and remain compatible to existing code.
Modified
p. 7
Resiliency The extent to which software can maintain normal operations amid adverse conditions, including the ability of software to recover from a fault or an attack.
Resiliency The extent to which software can maintain normal operations amid adverse conditions, including the ability to recover from a fault or an attack.
Modified
p. 7
Sampling The process of selecting a cross-section of a group that is representative of the entire group. Please refer to the Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations, and Acronyms for more information.
Sampling The process of selecting a subset of a group of objects or subjects that is representative of the entire group.
Modified
p. 7
Secure deletion A method of removing or overwriting data residing on a hard disk drive or other digital media (including memory), rendering the data irretrievable. Additional guidance on methods for secure deletion are provided in ISO 27038:2014 Security techniques: Specification for digital redaction or NIST Special Publication 800-88, Guidelines for Media Sanitization.
Secure deletion The process of removing or overwriting data residing on a hard disk drive or other digital media (including memory), rendering the data irretrievable.
Removed
p. 8
Sensitive resources External resources upon which software relies to provide security features or process sensitive data. Sensitive resources are often provided by or shared with the underlying platform, operating environment, or other applications that coexist within or outside the software’s operating environment. Examples of sensitive resources include shared files, registry keys, environmental settings, communication channels, cache, shared libraries, system interfaces, web services, etc. In many cases, sensitive resources may also constitute “sensitive data” and may require protection from unauthorized disclosure or modification.
Modified
p. 8
Security testing Security testing is a process of identifying flaws related to elements of confidentiality, integrity, authentication, availability, authorization, and non-repudiation in the assessed system component(s) and security mechanisms. The process usually includes, but is not limited to, activities such as threat modeling, code reviews, vulnerability assessment, penetration testing, fuzz testing, etc.
Security testing The process of identifying flaws related to elements of confidentiality, integrity, authentication, availability, authorization, and non-repudiation in the assessed system component(s) and security mechanisms. This process usually includes, but is not limited to, activities such as threat modeling, code reviews, vulnerability assessment, penetration testing, fuzz testing, etc.
Modified
p. 8
Seed data (for random number generators) A starting value used to initialize a pseudorandom number generator.
Seed data A starting value used in the process of generating random numbers to initialize a pseudorandom number generator.
Modified
p. 8
Sensitive data In the context of the Software Security Framework, any data that requires protection from unauthorized disclosure (confidentiality) or modification (integrity). Sensitive data includes, but is not limited to, cardholder data (CHD), sensitive authentication data (SAD), tokens, cryptographic key material, and authentication credentials, internal system information, and other data defined by the software vendor as requiring protection. Sensitive data may also be present in software design characteristics, session data, status information, and error messages.
Sensitive data Any data that requires protection from unauthorized disclosure (confidentiality) or modification (integrity). Sensitive data includes, but is not limited to, cardholder data (CHD), sensitive authentication data (SAD), tokens, cryptographic key material, and authentication credentials, internal system information, and other data defined by a software vendor as requiring protection. Sensitive data may also be present in software design characteristics, session data, token data, status information, and error messages.
Modified
p. 8
Sensitive functions Any software functionality that alters other software functionality or configuration, processes sensitive data, provides security features, or interacts with sensitive resources. Examples of sensitive functions include authentication functions, cryptographic functions, communication protocols, processing daemons, etc.
Sensitive functions Any software function that facilitates access to or the modification of sensitive data. Examples of sensitive functions may include authentication functions, cryptographic functions, communication protocols, processing daemons, etc.
Modified
p. 8
Sensitive production data Sensitive data that is owned and/or generated by an entity other than a software vendor. Sensitive production data is typically obtained from software that has been deployed into a production environment owned and/or managed by another entity, such as a software vendor’s customers, partners, or other stakeholders.
Sensitive production data Sensitive data that is owned and/or generated by an entity other than a software vendor. Sensitive production data is typically obtained from software that has been deployed into a production environment owned and/or managed by another entity, such as customers, partners, or other stakeholders.
Removed
p. 9
Software Security Framework A collection of software security standards that leverage a common validation and certification model.
Stakeholder Entity affected by the security of the software at any stage during the software’s lifecycle. Stakeholders include entities that use, install, or integrate the software. Stakeholders may also include software vendor personnel, business partners, and other third parties as defined by the software vendor.
Modified
p. 9
Software-development personnel The staff or personnel who are involved with the development of software including the design, creation, and maintenance of applications, frameworks, or other software components. Depending on the activities being performed it may include individuals who specify, design, develop, document, test, and fix bugs in software.
Software-development personnel The staff or personnel who are responsible for or involved in the design, creation, and maintenance of software. Depending on the activities being performed it may include individuals who specify, design, develop, document, test, and fix bugs in software.
Modified
p. 9
Software security assurance processes A method for determining a level of confidence that the security functions of software work as intended and are free of vulnerabilities that may have been included in the software.
Software security assurance processes A method for determining a level of confidence that the security-related functions of software work as intended and are free of vulnerabilities that may have been included in the software.
Modified
p. 9
Software security controls Security features and functionality built into software or the software’s operating environment to protect against software threats and attacks.
Software security controls Security-related features and functionality built into or relied upon by software to protect against software threats and attacks.
Modified
p. 9
Software vendor In the context of the Software Security Framework, an entity that produces software and/or software components for commercial purposes.
Software vendor A software provider, supplier, developer, or other entity that produces or otherwise distributes software and/or software components for commercial purposes.
Modified
p. 9 → 10
Terminal software Any software that is intended for deployment and execution on a payment terminal, and is not “firmware” as defined in the PCI PTS POI Standard.
Terminal software Software that is intended for deployment and execution on a PCI-approved POI device that does not meet the definition of firmware as defined in the PCI PTS POI Standard.
Removed
p. 10
Transient sensitive data Sensitive data that is created within an application session. At the end of the session, it is intended to be securely deleted or reset back to its default values or settings and not stored. See also Persistent Sensitive Data.
Modified
p. 10
Transaction types In the context of the Software Security Framework, may include: authorization (goods and services), cash (ATM), debit adjustment, refund, available funds inquiry, balance inquiry, payment from account, payment to account, etc. See ISO 8583:2003
Transaction types Payment transaction functions that include, but may not be limited to the following: authorization (goods and services), cash (ATM), debit adjustment, refund, available funds inquiry, balance inquiry, payment from account, payment to account, etc. See ISO 8583:2003
Modified
p. 10
Financial Financial transaction card originated messages
Financial transaction card originated messages