Document Comparison: PCI_DSS_Glossary_v3.pdf → PCI_DSS_Glossary_v3-1.pdf
83% similar
Pages: 22 → 23
Words: 9156 → 9426
Content Changes: 13
13 content changes. 30 administrative changes (dates, page numbers) hidden.
Added
p. 10
ISO In the context of industry standards and best practices, ISO, better known as “International Organization for Standardization” is a non-governmental organization consisting of a network of the national standards institutes.
Added
p. 14
Payment Processor Sometimes referred to as “payment gateway” or “payment service provider (PSP)”.
Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand. See also Acquirer.
Added
p. 18
Session Token In the context of web session management, a session token (also referred to as a “session identifier” or “session ID”), is a unique identifier (such as a “cookie”) used to track a particular session between a web browser and a webserver.
Note: The above examples are appropriate for persistent storage of cardholder data. The minimum cryptography requirements for transaction-based operations, as defined in PCI PIN and PTS, are more flexible as there are additional controls in place to reduce the level of exposure. For example, double length TDES keys used in unique key per transaction implementations as defined in ISO 11568 for key derivation or transformation (e.g., DUKPT) are considered to provide an equivalent level of strong cryptography because a single unique key is generated for each transaction.
It is recommended that all new implementations use a minimum of 128-bits of effective key strength.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.0
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.1
Modified
p. 2
Acquirer Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Acquirer Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution”. Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.
Modified
p. 5
(1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the
(1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Removed
p. 10
ISO Better known as “International Organization for Standardization.” Non-governmental organization consisting of a network of the national standards institutes.
Modified
p. 15
Private Network Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers.
Private Network Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers. See also Public Network.
Modified
p. 15
Public Network Network established and operated by a telecommunications provider, for specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks in scope of the PCI DSS include, but are not limited to, the Internet, wireless, and mobile technologies.
Public Network Network established and operated by a third party telecommunications provider for specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies. See also Private Network.
Modified
p. 16
Remote Access Access to computer networks from a remote location. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN.
Remote Access Access to computer networks from a location outside of that network. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN.
Modified
p. 19
SSL Acronym for “Secure Sockets Layer.” Established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel. See TLS.
SSL Acronym for “Secure Sockets Layer.” Industry standard that encrypts the channel between a web browser and web server. Now superseded by TLS. See TLS.
Modified
p. 20 → 21
Token In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN.
Token In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN. See also Session Token.
Modified
p. 20 → 21
Two-Factor Authentication Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as hardware or software token), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints or other forms of biometrics).
Two-Factor Authentication Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, parametrics, etc.).