Document Comparison
P2PE_v2_Glossary.pdf
→
P2PE_v3.0_Glossary.pdf
77% similar
Pages: 19 → 19
Words: 6829 → 6557
Content changes: 75
75 content changes. 30 administrative changes (dates, page numbers) hidden.
Added
p. 2
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
Bit strength The effective cryptographic strength measured in bits representing what the equivalent key length would be of a provably secure, hypothetical, symmetric key algorithm. Bit strength is never greater than the actual key length, and as cryptanalytic attacks improve and computational capabilities advance, effective cryptographic strength decreases (i.e., bit strength values will be reassessed periodically to reflect these changes).
See also Registration Authority (RA).
Certification Authority/ Registration Authority (CA/RA) component provider An entity operating CA/RA platforms in connection with remote-key distribution implementations that can support P2PE Solutions.
Clear-text Intelligible data that has meaning and can be read or acted upon without the application of decryption.
• The transformation of clear-text data into cipher-text data,
• The transformation of cipher-text data into clear-text data,
• A digital signature computed from data,
• The verification of a digital …
Added
p. 8
Irreversible transformation A non-secret process that transforms an input value to produce an output value such that knowledge of the process and the output value do not feasibly allow the input value to be determined.
Key Injection facility (KIF) An entity that performs cryptographic key services for POI devices and HSMs (including, but not limited to, key generation, conveyance, and/or key loading).
Key injection facility component provider An entity that manages KIF services that can support a P2PE solution.
Key loading Process by which a key is transferred manually or electronically into an SCD.
Key loading component provider (KLCP) An entity that manages cryptographic key loading for POI devices and HSMs that can support a P2PE solution.
Key management component provider (KMCP) An entity that manages cryptographic key generation and key conveyance for POI devices and HSMs that can support a P2PE solution.
Master File Key (MFK) This is a symmetric key used to encrypt other …
Added
p. 13
POI deployment component provider (PDCP) An entity preparing and deploying POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE solution.
POI management component provider (PMCP) An entity managing the POI devices and any resident P2PE applications and/or P2PE non-payment software once deployed that can support a P2PE solution.
P2PE Acronym for “point-to-point encryption.”
P2PE application All software or other files, with access to clear-text account data, that are intended for use in a P2PE solution and loaded onto a PCI- approved POI device, and that do not meet the PTS definition of “firmware.” PTS firmware is not considered a P2PE payment application and as such is not reassessed during a P2PE assessment.
See also Account data, Firmware, and P2PE non-payment software.
Added
p. 15
• An encryption system,
• A signature system,
• A combined encryption and signature system, or
Public key infrastructure (PKI) A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
Added
p. 16
Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN.
Modified
p. 1
Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms Version 2.0
Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms Version 3.0
Modified
p. 2
See also Payment Processor.
See also Payment processor.
Modified
p. 2
See Strong Cryptography.
See Strong cryptography.
Modified
p. 2
Application Vendor See P2PE Application Vendor.
Application vendor See P2PE application vendor.
Modified
p. 2
Authentication Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
Authentication Process of verifying the identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
Modified
p. 2
• Something you are, such as a biometric
Authentication credentials Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
Removed
p. 3
See also Registration Authority
Certification Authority/ Registration Authority (CA/RA) service A service that can be offered by a third-party P2PE component provider. Such services are offered on behalf of P2PE solution providers, by entities operating CA/RA platforms in connection with remote-key distribution implementations, assessed per Domain 6 and Annex A, part A1 (as applicable) and part A2
See also P2PE component provider.
Modified
p. 3
• Service code
See Sensitive authentication data (SAD) for additional data elements that may be transmitted or processed as part of a payment transaction.
Modified
p. 3
Cardholder data environment (CDE) The people, processes and technology that store, process, or transmit cardholder data and/or sensitive authentication data.
Cardholder data environment (CDE) The people, processes, and technology that store, process, or transmit cardholder data and/or sensitive authentication data.
Modified
p. 3
Certification Authority (CA) May also be called Certificate Authority. Any entity signing public keys, whether in X.509 certificate-based schemes or other designs for use in connection with the remote distribution of symmetric keys using asymmetric techniques.
Certification Authority (CA) Any entity signing public keys, whether in X.509 certificate-based schemes or other designs for use in connection with the remote distribution of symmetric keys using asymmetric techniques.
Removed
p. 4
• The transformation of clear-text data into cipher-text data,
• The transformation of cipher-text data into clear-text data,
• A digital signature computed from data,
• The verification of a digital signature computed from data,
• An authentication code computed from data, or
• An exchange agreement of a shared secret.
Modified
p. 4
Clear-text key An unencrypted cryptographic key, which is used in its current form.
Clear-text key An unencrypted cryptographic key that is used in its current form.
Modified
p. 4
Computationally infeasible The property that a computation is theoretically achievable but is not feasible in terms of the time or resources required to perform it.
Computationally infeasible The property that a computation is theoretically achievable, but is not feasible in terms of the time or resources required to perform it.
Modified
p. 4
Critical security parameters (CSP) Security-related information (for example, cryptographic keys, authentication data such as passwords and PINs) appearing in clear text or otherwise unprotected form and whose disclosure or modification can compromise the security of a SCD or the security of the information protected by the device.
Critical security parameters (CSP) Security-related information (for example, cryptographic keys and authentication data such as passwords and PINs) appearing in clear text or otherwise unprotected form, and whose disclosure or modification can compromise the security of a SCD or the security of the information protected by the device.
Modified
p. 4
Cryptographic key A parameter used in conjunction with a cryptographic algorithm that determines:
Cryptographic key A parameter used with a cryptographic algorithm that determines:
Modified
p. 4 → 5
Data-encryption (encipherment or exchange) key (DEK) A cryptographic key that is used for the encryption or decryption of account data.
Data-encryption (encipherment or exchange) key (DEK) A cryptographic key used to encrypt or decrypt account data.
Removed
p. 5
Decryption-management service A service that can be offered by a third-party P2PE component provider, on behalf of P2PE solution providers. These entities manage the environment that receives and decrypts encrypted account data, as covered in Domains 5 and 6 (and Annex A as applicable).
Modified
p. 5
Decryption A process of transforming cipher text (unreadable) into clear text (readable).
Decryption A process of transforming unreadable cipher text into readable clear text.
Modified
p. 5
Derivation key A cryptographic key, which is used to cryptographically compute another key. A derivation key is normally associated with the DUKPT key-management method.
Derivation key A cryptographic key used to cryptographically compute another key. Normally, a derivation key is associated with the DUKPT key- management method.
Modified
p. 5
Normally, derivation keys are used in a transaction-receiving (e.g., acquirer) SCD in a one-to-many relationship to derive or decrypt the transaction keys (the derived keys) used by a large number of originating SCDs (for example, POIs).
Modified
p. 5
Digital signature The result of an asymmetric cryptographic transformation of data that allows a recipient of the data to validate the origin and integrity of the data and protects the sender against forgery by third parties or the recipient.
Digital signature The result of an asymmetric cryptographic transformation of data that allows a recipient of the data to validate the origin and integrity of the data, and protects the sender against forgery by third parties or the recipient.
Modified
p. 5
Double-length key A cryptographic key having a length of 112 active bits plus 16 parity bits, used in conjunction with the TDES cryptographic algorithm.
Double-length key A cryptographic key having a length of 112 active bits plus 16 parity bits, used with the TDES cryptographic algorithm.
Modified
p. 6
A key-management method that uses a unique key for each transaction and prevents the disclosure of any past key used by the transaction-originating POI. The unique transaction keys are derived from a base derivation key using only non-secret data transmitted as part of each transaction.
Modified
p. 6
Encrypting PIN pad (EPP) A device for secure PIN entry and encryption in an unattended PIN- acceptance device. An EPP may have a built-in display or card reader, or rely upon external displays or card readers installed in the unattended device. An EPP is typically used in an ATM or other unattended device (for example, an unattended kiosk or automated fuel dispenser) for PIN entry and is controlled by a device controller. An EPP has a clearly defined physical and …
Encrypting PIN pad (EPP) A device for secure PIN entry and encryption in an unattended PIN- acceptance device. An EPP may have a built-in display or card reader, or rely on external displays or card readers installed in the unattended device. An EPP typically is used in an ATM or other unattended device (for example, an unattended kiosk or automated fuel dispenser) for PIN entry and is controlled by a device controller. An EPP has a clearly defined physical and …
Modified
p. 6
Encryption The (reversible) transformation of data by a cryptographic algorithm to produce cipher text• i.e., hiding the information content of the data.
Encryption The (reversible) transformation of data by a cryptographic algorithm to produce cipher text (i.e., hiding the information content of the data).
Modified
p. 6
Merchant P2PE encryption environments include those for brick-and- mortar and or mail-order/telephone-order (MOTO) merchants, but do NOT include e-commerce environments.
Merchant P2PE encryption environments include those for brick-and- mortar and/or mail-order/telephone-order (MOTO) merchants, but do NOT include e-commerce environments.
Modified
p. 6
Encryption management component provider (EMCP) An entity deploying and managing POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE solution.
Modified
p. 7
• 1 + 1 = 0
FIPS Acronym for “Federal Information Processing Standard.”
Firmware Any code within the POI device that provides security protections needed to comply with PTS device security requirements or which can impact compliance to these security requirements. Firmware may be further segmented by code necessary to meet PTS Core, OP, or SRED.
Modified
p. 7
Hardware security module (HSM) A physically and logically protected hardware device that provides a secure set of cryptographic services used for cryptographic key- management functions and/or the decryption of account data. For P2PE, these devices must be:
Modified
p. 7
Hash function A (mathematical) function that takes any arbitrary-length message as input and produces a fixed-length output. It must have the property that it is computationally infeasible to discover two different messages that produce the same hash result. It may be used to reduce a potentially long message into a “hash value” or “message digest” that is sufficiently compact to be input into a digital-signature algorithm.
Hash function A mathematical function that takes any arbitrary-length message as input and produces a fixed-length output. It must have the property that it is computationally infeasible to discover two different messages that produce the same hash result. It may be used to reduce a potentially long message into a “hash value” or “message digest” that is sufficiently compact to be input into a digital-signature algorithm.
Removed
p. 8
Hashing must be applied to the entire PAN for the hash code to be considered rendered unreadable. It is recommended that hashed cardholder data include an input variable (for example, a “salt”) to the hashing function to reduce or defeat the effectiveness of pre-computed rainbow table attacks.
Host System For hybrid decryption environments only. A combination of software and hardware components used for the purpose of decrypting account data, may also be used for transaction processing, and which is not considered an SCD.
Irreversible transformation A non-secret process that transforms an input value to produce an output value such that knowledge of the process and the output value does not feasibly allow the input value to be determined.
Modified
p. 8
Input variable Random data string that is concatenated with source data before a one- way hash function is applied. Input variables can help reduce the effectiveness of rainbow table attacks.
Input variable Random data string that is concatenated with source data before a one-way hash function is applied. Input variables can help reduce the effectiveness of rainbow table attacks.
Modified
p. 8
Interface A logical section of an SCD that defines a set of entry or exit points that provide access to the device, including information flow or physical access.
Interface A logical section of an SCD that defines a set of entry or exit points that provides access to the device, including information flow or physical access.
Removed
p. 9
Key-injection facility (KIF) Entities that perform cryptographic key injection.
Key-injection facility service A service that can be offered by a third-party P2PE component provider on behalf of P2PE solution providers. KIF services entities perform cryptographic key injection as a stand-alone service, including for POI devices and HSMs used in P2PE solutions, as covered in Annex B and Annex A (as applicable).
Modified
p. 9 → 8
Key component A parameter used in conjunction with other key components in an approved security function to form a clear-text cryptographic key or perform a cryptographic function.
Key component A parameter used with other key components in an approved security function to form a clear-text cryptographic key or perform a cryptographic function.
Modified
p. 9
Key-encrypting (encipherment or exchange) key (KEK) A cryptographic key that is used for the encryption or decryption of other keys.
Key-encrypting (encipherment or exchange) key (KEK) A cryptographic key used to encrypt or decrypt other keys.
Modified
p. 9
Key instance The occurrence of a key in one of its permissible forms, i.e., clear-text key, key components, encrypted key.
Key instance The occurrence of a key in one of its permissible forms (i.e., clear-text key, key components, encrypted key).
Removed
p. 10
Key storage Holding of the key in one of the permissible forms.
Modified
p. 10
Key replacement Substituting one key for another when the original key is known or suspected to be compromised or the end of its operational life is reached.
Key replacement Substituting one key for another when the original key is known or suspected to be compromised or at the end of its operational life.
Modified
p. 10
Key share Related to a cryptographic key generated such that a specified fraction of the total shares of such parameters can be combined to form the cryptographic key but such that less than a specified fraction does not provide any information about the key. Also referred to as a secret share.
Key share Related to a cryptographic key generated such that a specified fraction of the total shares of such parameters can be combined to form the cryptographic key, but such that less than a specified fraction does not provide any information about the key. Also referred to as a “secret share.”
Key storage Holding the key in one of the permissible forms.
Modified
p. 10
Manual key loading The entry of cryptographic keys into an SCD from a printed form, using devices such as buttons, thumb wheels, or a keyboard.
Manual key loading The entry of cryptographic keys into an SCD from a printed form, using devices such as buttons, thumb wheels, keyboard, or a touchscreen.
Modified
p. 11 → 10
Merchant Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
Merchant Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover Financial Services, JCB International, Mastercard Worldwide, or Visa Inc.) as payment for goods and/or services.
Modified
p. 11
Open Protocols Optional PTS POI module for POI devices using any communication method that uses a wireless, local, wide-area network, or a public domain protocol or security protocol to transport data. This would include but is not limited to: Bluetooth, Wi-Fi, cellular (GPRS, CDMA), or Ethernet, and a serial point-to-point connection that is wireless or through a hub, switch, or other multiport device.
Open Protocols Optional PTS POI module for POI devices implementing any communication method that uses a wireless, local-area network, wide-area network, or a public domain protocol or security protocol to transport data. This would include, but is not limited to, Bluetooth, Wi- Fi, cellular (GPRS, CDMA), or Ethernet, and a serial point-to-point connection that is wireless or through a hub, switch, or other multiport device.
Removed
p. 12
Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.
PIN entry device (PED) A PED is a device for secure PIN entry and processing. The PED typically consists of a keypad for PIN entry, laid out in a prescribed format, a display for user interaction, a processor, and storage for PIN processing sufficiently secure for the key-management scheme used and firmware. A PED has a clearly defined physical and logical boundary and a tamper-resistant or tamper-evident shell.
POI device type Unique instance (combination) of a model name, hardware and firmware number.
Modified
p. 12
PCI payment brand accounts/cards Payment accounts/cards associated with one of the five founding payment card brands of the Payment Card Industry Security Standards Council (PCI SSC). These accounts/cards are issued either by or on behalf of one of the founding payment card brands. The founding payment card brands are: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
PCI payment brand accounts/cards Payment accounts/cards associated with one of the five founding payment card brands of the Payment Card Industry Security Standards Council (PCI SSC). These accounts/cards are issued either by or on behalf of one of the founding payment card brands. The founding payment card brands are American Express, Discover Financial Services, JCB International, Mastercard Worldwide, and Visa Inc.
Modified
p. 12
Physically secure environment An environment that is equipped with access controls or other mechanisms designed to prevent any unauthorized access that would result in the disclosure of all or part of any key or other secret data stored within the environment. Examples include a safe or purpose-built room with continuous access control, physical security protection, and monitoring.
Physically secure environment An environment equipped with access controls or other mechanisms designed to prevent any unauthorized access that would result in the disclosure of all or part of any key or other secret data stored within the environment. Examples include a safe or purpose-built room with continuous access control, physical security protection, and monitoring.
Modified
p. 12
Plaintext See Clear text Point of interaction (POI) The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic- stripe card-based payment transactions." See also Secure cryptographic device and PCI-approved POI device.
Plaintext See Clear text Point of interaction (POI) The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software, and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions." See also Secure cryptographic device and PCI-approved POI device.
Removed
p. 13
See also Account data, Firmware, and P2PE non-payment software
P2PE application vendor A vendor that develops and then sells, distributes, or licenses any P2PE application for use in a P2PE solution. A P2PE solution provider may also be a P2PE application vendor.
The following P2PE component providers can be separately assessed and PCI-listed:
Encryption-management entity
• See Encryption-management service
Decryption-management entity
• See Decryption-management service
Key-injection facilities (KIF)
• See Key-injection facility service
Certification Authorities/Registration Authorities (CA/RA)
• See Certification Authority/Registration Authority service.
Modified
p. 13
P2PE component A P2PE service (such as encryption management, decryption management, or key injection) that is accepted on a standalone basis as part of the P2PE Program and may be incorporated into and/or referenced as part of a P2PE solution.
P2PE component A P2PE service that is accepted on a stand-alone basis as part of the P2PE Program and may be incorporated into and/or referenced as part of a P2PE solution.
Modified
p. 13
A P2PE service is assessed to a specific set of P2PE requirements and results in a PCI P2PE component provider listing. P2PE component providers’ services are performed on behalf of other P2PE solution providers for use in P2PE solutions.
A P2PE service is assessed to a specific set of P2PE requirements and results in a PCI P2PE component provider listing upon approval. P2PE component provider services are performed on behalf of other P2PE solution providers for use in P2PE solutions.
Modified
p. 13
P2PE component provider An entity that provides a service that is assessed to a specific set of P2PE requirements and that results in a P2PE component provider listing on the PCI SSC website. Component providers offer their services on behalf of other P2PE solution providers, intended for use in P2PE solutions.
P2PE component provider An entity providing a service that is assessed to a specific set of P2PE requirements in accordance with the P2PE Program Guide, and that results in a P2PE component provider listing on the PCI SSC website. Component providers offer their services on behalf of other P2PE solution providers or component providers, intended for use in P2PE solutions.
Removed
p. 14
See also Account data and Firmware
P2PE solution A combination of secure devices, applications, and processes that encrypt cardholder data from a PCI-approved point-of-interaction (POI) device through to decryption, assessed in accordance with PCI’s P2PE standard and included on PCI’s list of Validated P2PE Solutions.
Modified
p. 14
Pseudo-random value A value that is statistically random and essentially random and unpredictable although generated by an algorithm.
Pseudo-random function A function that produces a value that is statistically random and essentially random and unpredictable although generated by an algorithm.
Modified
p. 14
Public key A cryptographic key, used with a public-key cryptographic algorithm, uniquely associated with an entity, and that may be made public In the case of an asymmetric signature system, the public key defines the verification transformation. In the case of an asymmetric encryption system, the public key defines the encryption transformation. A key that is “publicly known” is not necessarily globally available. The key may only be available to all members of a pre-specified group.
Public key A cryptographic key, used with a public-key cryptographic algorithm, uniquely associated with an entity, and that may be made public. In the case of an asymmetric signature system, the public key defines the verification transformation. In the case of an asymmetric encryption system, the public key defines the encryption transformation. A key that is “publicly known” is not necessarily globally available. The key may only be available to all members of a pre-specified group.
Modified
p. 15
• A key-agreement system. With asymmetric cryptographic techniques, there are four elementary transformations: sign and verify for signature systems, and encrypt and decrypt for encryption systems. The signature and the decryption transformation are kept private by the owning entity, whereas the corresponding verification and encryption transformations are published.
Modified
p. 15
Rainbow table attack A method of data attack using a pre-computed table of hash strings (fixed-length message digest) to identify the original data source, usually for cracking password or cardholder data hashes. Random The process of generating values with a high level of entropy and which satisfy various qualifications, using cryptographic and hardware-based “noise” mechanisms. This results in a value in a set that has equal probability of being selected from the total population of possibilities, hence unpredictable.
Rainbow table attack A method of data attack using a pre-computed table of hash strings (fixed-length message digest) to identify the original data source, usually for cracking password or cardholder data hashes.
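The definition above is the one place in this glossary where a short worked example helps: the reason cardholder-data hashes are a rainbow-table target is that the PAN keyspace is small once an attacker knows the BIN and the last four digits (both routinely present in clear on receipts and truncated fields), and the Luhn check digit removes one more digit of freedom. The following Python is an added example, not text from the P2PE glossary or any PCI SSC publication. It uses a plain precomputed lookup table rather than the chained, reduction-function form that gives rainbow tables their name, since the lookup principle is the same; the BIN 411111, the last-four 1111, the victim PAN 4111115678901111 and the secret key are all constructed values. The second half shows the standard counter-measure: a keyed hash (HMAC-SHA256) over the same PAN, which the attacker's table cannot match without the key.

```python
import hashlib
import hmac
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample values (not real cardholder data): the attacker is assumed
# to know the first six digits (BIN) and the last four of the target PAN.
KNOWN_BIN = "411111"
KNOWN_LAST4 = "1111"
VICTIM_PAN = "4111115678901111"          # Luhn-valid, shares BIN and last four
SECRET_KEY = b"hypothetical-32-byte-hashing-key"  # assumption: kept in an HSM in practice


def luhn_sum(pan: str) -> int:
    """Luhn (ISO/IEC 7812) weighted digit sum; a valid PAN sums to 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def complete_pan(bin6: str, middle5: str, last4: str) -> str:
    """Fill the 12th digit so the 16-digit PAN passes Luhn.

    That digit sits at position 4 from the right, so it is not doubled and
    contributes itself to the sum; solving for it is a single modular step.
    """
    partial = f"{bin6}{middle5}0{last4}"
    fix = (-luhn_sum(partial)) % 10
    return f"{bin6}{middle5}{fix}{last4}"


def candidate_pans(bin6: str, last4: str) -> Iterator[str]:
    """All Luhn-valid 16-digit PANs with this BIN and last four: only 10**5."""
    for middle in range(10**5):
        yield complete_pan(bin6, f"{middle:05d}", last4)


def build_table(bin6: str, last4: str) -> Dict[str, str]:
    """Precompute SHA-256(PAN) -> PAN for the reduced keyspace."""
    return {hashlib.sha256(p.encode()).hexdigest(): p
            for p in candidate_pans(bin6, last4)}


def recover_pan(table: Dict[str, str], digest: str) -> Optional[str]:
    """The attack itself: one dictionary lookup per stolen hash."""
    return table.get(digest)


def keyed_digest(pan: str, key: bytes) -> str:
    """Counter-measure: HMAC-SHA256 over the PAN with a secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def demo() -> Tuple[Optional[str], Optional[str], int]:
    """Crack an unkeyed SHA-256 of the victim PAN; fail against the keyed one."""
    table = build_table(KNOWN_BIN, KNOWN_LAST4)
    stored_plain = hashlib.sha256(VICTIM_PAN.encode()).hexdigest()
    stored_keyed = keyed_digest(VICTIM_PAN, SECRET_KEY)
    return recover_pan(table, stored_plain), recover_pan(table, stored_keyed), len(table)


if __name__ == "__main__":
    plain_hit, keyed_hit, size = demo()
    print(f"table size: {size} candidate PANs")
    print(f"unkeyed SHA-256 recovered PAN: {plain_hit}")
    print(f"HMAC-SHA256 recovered PAN:     {keyed_hit}")
```

The table has exactly 100,000 entries and is built in about a second, which is why PCI DSS treats a truncated PAN and an unkeyed hash of the same PAN stored side by side as correlatable. A keyed hash is only a defence while the key is kept out of the attacker's reach, which is why P2PE places such key material in an SCD.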
Modified
p. 15
See also Certification Authority and Certification Authority/Registration Authority service.
See also Certification Authority and Certification Authority/Registration Authority component provider.
Removed
p. 16
Secure card reader (SCR) A PCI-approved encrypting card reader that is intended for use with a POI device.
See also Point of interaction (POI).
Modified
p. 16
Secret key A cryptographic key, used with a secret-key cryptographic algorithm that is uniquely associated with one or more entities and should not be made public.
Secret key A cryptographic key, used with a secret-key cryptographic algorithm, that is uniquely associated with one or more entities and should not be made public.
Modified
p. 16
An SCD is used either for the acceptance and encryption of account data at the point of sale, or for cryptographic key-management functions and/or the decryption of account data. SCDs used for acceptance or encryption of account data at the point of sale are also referred to as POIs or PCI-approved POI devices. SCDs used for cryptographic key-management functions and/or the decryption of account data include HSMs (host/hardware security modules). See also Point of interaction, PCI-approved POI device, or Host/hardware …
An SCD is used either for the acceptance and encryption of account data at the point of sale, or for cryptographic key-management functions and/or the decryption of account data. SCDs used for acceptance or encryption of account data at the point of sale are also referred to as POIs or PCI-approved POI devices. SCDs used for cryptographic key-management functions and/or the decryption of account data include HSMs (host/hardware security modules). See also Point of interaction, PCI-approved POI device, or Hardware …
Modified
p. 16
Sensitive authentication data (SAD) Security-related information (including but not limited to card-validation codes/values, full-track data from the magnetic stripe, magnetic-stripe image on the chip or elsewhere, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Sensitive authentication data (SAD) Security-related information (including, but not limited to, card-validation codes/values, full-track data from the magnetic stripe, magnetic-stripe image on the chip or elsewhere, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Removed
p. 17
Single-length key A cryptographic key having a length of 56 active bits plus 8 parity bits used in conjunction with the DES cryptographic algorithm.
Modified
p. 17
Strong cryptography Cryptography based on industry-tested and accepted algorithms, along with industry-tested and accepted key lengths and key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is “not reversible,” or “one way”). See also Hashing. See NIST Special Publication 800-57, Part 1 (http://csrc.nist.gov/publications/) for more guidance on cryptographic key strengths and algorithms. See P2PE Domain 6 Normative Annex C: Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms for …
Strong cryptography Cryptography based on industry-tested and accepted algorithms, along with industry-tested and accepted key lengths and key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is “not reversible,” or “one way”). See also Hashing. See NIST Special Publication 800-57, Part 1 (http://csrc.nist.gov/publications/) for more guidance about cryptographic key strengths and algorithms. See P2PE Domain 5 Normative Annex C: Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms …
Modified
p. 17
Subordinate CA and Superior CA If one CA issues a certificate for another CA, the issuing CA is termed the superior CA, and the certified CA is termed the subordinate CA. Subordinate CAs are typically used to segment risk. Subordinate CAs may issue certificates to KDHs, SCDs. Subordinate CAs may also issue certificates to lower-level CAs and issue certificate status lists regarding certificates the subordinate CA has issued.
Subordinate CA and Superior CA If one CA issues a certificate for another CA, the issuing CA is termed the superior CA, and the certified CA is termed the subordinate CA. Typically, subordinate CAs are used to segment risk. Subordinate CAs may issue certificates to KDHs, SCDs. Subordinate CAs may also issue certificates to lower-level CAs and issue certificate status lists regarding certificates the subordinate CA has issued.
Modified
p. 17
Symmetric key A cryptographic key that is used in symmetric cryptographic algorithms. The same symmetric key that is used for encryption is also used for decryption.
Symmetric key A cryptographic key used in symmetric cryptographic algorithms. The same symmetric key used for encryption is also used for decryption.
Removed
p. 18
Two-factor authentication Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN), or something the user is or does (such as fingerprints, other forms of biometrics, parametrics, etc.).
Unattended acceptance terminal (UAT) See Unattended payment terminal.
Unattended payment terminal (UPT) A cardholder-operated device that reads, captures, and transmits card information in an unattended environment, including, but not limited to, the following:
Modified
p. 18
Unprotected memory Components, devices, and recording media that retain data for some interval of time that reside outside the cryptographic boundary of an SCD.
Modified
p. 19 → 18
Versioning methodology A process of assigning version schemes to uniquely identify a particular state of an application or software. These schemes follow a version-number format, version-number usage, and any wildcard element as defined by the software vendor. Version numbers are generally assigned in increasing order and correspond to a particular change in the software.
Versioning methodology A process of assigning version schemes to uniquely identify a particular state of an application or software. These schemes follow a version-number format, version-number usage, and any wildcard element as defined by the software vendor. Version numbers generally are assigned in increasing order and correspond to a particular change in the software.
Modified
p. 19 → 18
Whitelist A list of approved items used to make processing decisions. For example, a whitelist could be a list and/or range of non-PCI payment brand account/card numbers, approved by the solution provider, that are not required to be encrypted at the POI, or it could be used to make routing decisions that pertain to only a subset of accounts/cards processed. Unless explicitly authorized by the relevant payment brand, PCI payment brand card/account numbers must not be on a whitelist.
Whitelist A list of approved items used to make processing decisions. For example, a whitelist could be a list and/or range of non-PCI payment brand account/card numbers, approved by the solution provider, that are not required to be encrypted at the POI. Unless explicitly authorized by the relevant payment brand, PCI payment brand card/account numbers must not be on a whitelist.
Modified
p. 19 → 18
Working key A key used to cryptographically process the transaction. A working key is sometimes referred to as a data key, communications key, session key, or transaction key.
Working key A key used to cryptographically process the transaction. A working key is sometimes referred to as a “data key,” “communications key,” “session key,” or “transaction key.” XOR See Exclusive-Or.