Document Comparison

Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms_July2016.pdf → Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms.pdf
78% similar
10 → 10 Pages
3553 → 3727 Words
39 Content Changes

Content Changes

39 content changes. 8 administrative changes (dates, page numbers) hidden.

Added p. 3
Authentication * Method for verifying the identity of a person, device, or process attempting to access a computer. To confirm the identity/user is valid, one or more of the following is provided:

• A password or passphrase (something the user knows)

• A token, smart card, or digital certificate unique to the user (something the user has)

Cryptography Cryptography is the method of securing data by making it unintelligible to a human or computer. Cryptography is only useful when the intended recipient can reassemble the data into a readable form using a method known only to the sender and receiver. See also Encryption.

Data Security Essentials (DSE) Data Security Essentials for Small Merchants is a set of educational resources and an evaluation tool to help merchants simplify their security and reduce risk. DSE is intended as an alternative approach to the PCI DSS Self-Assessment Questionnaires (SAQs) for those merchants designated as eligible by the …
Added p. 8
QIR * Acronym for “Qualified Integrator or Reseller.” QIRs are integrators and resellers specially trained by the PCI Security Standards Council to address critical security controls when installing merchant payment systems. See details at www.pcisecuritystandards.org.

TERM DEFINITION Self-Assessment Questionnaire (SAQ) * A questionnaire covering a set of PCI DSS requirements that is completed by the organization itself to confirm it is meeting those requirements.

Skimming Device A physical device, often attached to a card-reading device, designed to illegally capture and/or store the information from a payment card. Also called a “card skimmer.” Small Merchant A small merchant is typically an independently owned and operated business with a single location or a few locations, and with limited or no IT budget and often with no IT personnel.

Whether a small merchant is required to validate PCI compliance is determined by the payment brand or acquirer (merchant bank).

Virtual Private Network (VPN) * Software that creates …
Modified p. 2
Note: The latest version of the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS): Glossary of Terms, Abbreviations, and Acronyms is considered the authoritative source, and must be referred to for the current and complete PCI DSS and PA-DSS definitions.
Definitions for terms marked with an asterisk (*) are based on or derived from definitions in the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS): Glossary of Terms, Abbreviations, and Acronyms. The latest version of this glossary is considered the authoritative source, and must be referred to for the current and complete PCI DSS and PA-DSS definitions.
Modified p. 2
This Glossary of Payment and Information Security Terms is a supplement to the Guide to Safe Payments, part of the Payment Protection Resources for Small Merchants. Its intent is to explain relevant Payment Card Industry (PCI) and information security terms in easy-to-understand language.
Introduction This Glossary of Payment and Information Security Terms is a supplement to the Guide to Safe Payments, part of the Data Security Essentials for Small Merchants. Its intent is to explain relevant Payment Card Industry (PCI) and information security terms in easy-to-understand language.
Modified p. 2
Please refer to the Guide to Safe Payments and the other Payment Protection Resources for Small Merchants at the following:
Please refer to the Data Security Essentials for Small Merchants at the following:
Removed p. 3
ASV * Acronym for “Approved Scanning Vendor.” Authentication * Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:

• Something you know, such as a password or passphrase

• Something you have, such as a token device or smart car
Modified p. 3
Approved Scanning Vendor (ASV) * Company approved by the PCI Security Standards Council to conduct scanning services to identify common weaknesses in system configuration. See also ASV.
Approved Scanning Vendor (ASV) * Company approved by the PCI Security Standards Council to conduct external vulnerability scanning services to identify common weaknesses in system configuration.
Modified p. 3
Something you are, such as a biometric Authorization * In a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
A biometric identifier, such as a fingerprint (something the user is or does) Authorization * In a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
Modified p. 3
Card Data / Customer Card Data * At a minimum, card data includes the primary account number (PAN), and may also include cardholder name and expiration date. The PAN is visible on the front of the card and encoded into the card’s magnetic stripe and/ or the embedded chip. Also referred to as cardholder data. See also Sensitive Authentication Data for additional data elements which may be part of a payment transaction but which must not be stored after the …
Card Data / Customer Card Data * At a minimum, card data includes the primary account number (PAN), and may also include cardholder name and expiration date. The PAN is visible on the front of the card and encoded into the card’s magnetic stripe and/or the embedded chip. Also referred to as cardholder data. See also Sensitive Authentication Data for additional data elements which may be part of a payment transaction but which must not be stored after the transaction …
Modified p. 4 → 3
TERM DEFINITION Chip and PIN A verification process where a consumer enters their PIN in an EMV Chip-enabled payment terminal when they purchase goods or services.
Chip and PIN A verification process where a consumer enters their PIN in an EMV Chip-enabled payment terminal when they purchase goods or services.
Modified p. 4
Chip and Signature A verification process where a consumer uses their signature with an EMV Chip-enabled payment terminal when they purchase goods or services.
TERM DEFINITION Chip and Signature A verification process where a consumer uses their signature with an EMV Chip-enabled payment terminal when they purchase goods or services.
Modified p. 4
Credential Information used to identify and authenticate a user for access to a system. For example, credentials are often the user name and password. Credentials may include a fingerprint, retina scan, or a one-time number generated by a portable “token-generator.” Security is stronger when access requires multiple credentials.
Credential Information used to identify and authenticate a user for access to a system. For example, credentials are often the username and password. Credentials may include a fingerprint, retina scan, or a one-time number generated by a portable “token-generator.” Security is stronger when access requires multiple credentials.
Modified p. 4
Cyber-Attack Any type of offensive maneuver to break into a computer or system. Cyber-attacks can range from installing spyware on a PC, breaking into a payment system to steal card data, or attempting to break critical infrastructure such as an electric power grid.
Cyber-Attack Any offensive action to break into a computer or system. Cyber-attacks can range from installing spyware on a PC, breaking into a payment system to steal card data, or attempting to break critical infrastructure such as an electric power grid.
Modified p. 4 → 5
Forensic Investigator PCI Forensic Investigators (PFIs) are companies approved by the PCI Council to help determine when and how a card data breach occurred. They perform investigations within the financial industry using proven investigative methodologies and tools. They also work with law enforcement to support stakeholders with any resulting criminal investigations.
TERM DEFINITION Forensic Investigator PCI Forensic Investigators (PFIs) are companies approved by the PCI Council to help determine when and how a card data breach occurred. They perform investigations within the financial industry using proven investigative methodologies and tools. They also work with law enforcement to support stakeholders with any resulting criminal investigations.
Modified p. 5
TERM DEFINITION Hacker A person or organization that attempts to circumvent security measures of computer systems to gain control and access. Usually this is done in an effort to steal card data.
Hacker A person or organization that attempts to circumvent security measures of computer systems to gain control and access. Usually this is done in an effort to steal card data.
Modified p. 5
Integrator/Reseller An integrator/reseller is a company that implements, configures, and/or supports payment terminals, payment systems, and/or payment applications for merchants. These companies may also sell the payment devices or applications as part of their service. See also Qualified Integrator Reseller (QIR).
Integrator/Reseller An integrator/reseller is a company that merchants work with to help set up their payment system. This may include installation, configuration, and support. These companies may also sell the payment devices or applications as part of their service. See also Qualified Integrator Reseller (QIR).
Modified p. 5
Mobile Device General term for a class of consumer electronic devices such as smart phones and tablets that are small, portable, and can connect to computer networks wirelessly.
Mobile Device Devices such as smart phones and tablets that are small, portable, and can connect to computer networks wirelessly.
Modified p. 5 → 6
Multi-factor Authentication * Method of authenticating a user when two or more factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).
TERM DEFINITION Multi-factor Authentication * Method of authenticating a user when two or more factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).
Modified p. 5 → 6
Network * Two or more computers connected together via physical or wireless means.
Network * Two or more computers connected via physical or wireless means.
Removed p. 6
TERM DEFINITION Operating System * Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples include Microsoft Windows, Apple OSX, iOS, Android, Linux, and UNIX.

Payment Application Vendor An entity that sells, distributes, or licenses a payment application to POS integrators/resellers for integration into merchant payment systems, or directly to merchants for their own installation and use.
Modified p. 6
P2PE Acronym for the PCI Council’s Point-to-Point-Encryption standard. See details at www.pcisecuritystandards.org.
P2PE Acronym for the PCI Security Standards Council’s Point-to-Point-Encryption standard. See details at www.pcisecuritystandards.org.
Modified p. 6
PA-DSS * Acronym for the PCI Council's “Payment Application Data Security Standard.” See details at www.pcisecuritystandards.org.
PA-DSS * Acronym for the PCI Security Standards Council's Payment Application Data Security Standard. See details at www.pcisecuritystandards.org.
Modified p. 6
Password * A word, phrase, or string of characters used to authenticate a user. When combined with the user name, the password is intended to prove the identity of the user for access to computer resources.
Password * A word, phrase, or string of characters used to authenticate a user. When combined with the username, the password is intended to prove the identity of the user for access to computer resources.
Modified p. 6 → 7
Payment System Vendor A vendor who sells, licenses, or distributes a complete payment solution to a merchant. The solution encompasses the hardware and software needed to handle payments within the store and provides a method to connect to a payment processor.
TERM DEFINITION Payment System Vendor A vendor who sells, licenses, or distributes a complete payment solution to a merchant. The solution encompasses the hardware and software needed to handle payments within the store and provides a method to connect to a payment processor.
Removed p. 7
QIR * Acronym for “Qualified Integrator or Reseller.” See details at www.pcisecuritystandards.org.
Modified p. 7
PCI DSS Compliant Meeting all applicable requirements of the current PCI DSS, on a continuous basis via a business-as-usual approach. Compliance is assessed and validated at a single point in time; however, it is up to each merchant to continuously follow the requirements in order to ensure robust security. Merchant banks and/or the payment brands may have requirements for formal annual validation of PCI DSS compliance.
PCI DSS Compliant Meeting all applicable requirements of the current PCI DSS, on a continuous basis via a business-as-usual approach. Compliance is assessed and validated at a single point in time; however, it is up to each merchant to continuously follow the requirements in order to provide strong security. Merchant banks and/or the payment brands may have requirements for formal annual validation of PCI DSS compliance.
Modified p. 7
PCI DSS Validated Providing proof that all applicable PCI DSS requirements are met at a single point in time. Depending on specific merchant bank and/or payment brand requirements, validation can be achieved though the applicable PCI DSS Self-Assessment Questionnaire or by a Report on Compliance resulting from an onsite assessment.
PCI DSS Validated Providing proof that all applicable PCI DSS requirements are met at a single point in time. Depending on specific merchant bank and/or payment brand requirements, validation can be achieved through the applicable PCI DSS Self-Assessment Questionnaire or by a Report on Compliance resulting from an onsite assessment.
Modified p. 7 → 8
Privilege Abuse Using computer system access privileges in an abusive manner. Examples include a system administrator accessing card data for malicious purposes, or someone stealing and using an administrator’s elevated access privileges for malicious purposes.
TERM DEFINITION Privilege Abuse Using computer system access privileges in an abusive manner. Examples include a system administrator accessing card data for malicious purposes, or someone stealing and using an administrator’s elevated access privileges for malicious purposes.
Removed p. 8
PCI DSS validation tool used to document self-assessment results from an entity’s PCI DSS assessment.
Modified p. 8
TERM DEFINITION Qualified Security Assessor (QSA) * A company approved by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS requirements.
Qualified Security Assessor (QSA) * A company approved by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS requirements.
Modified p. 8 → 9
Service Provider * A business entity that provides various services to merchants. Typically, these entities store, process, or transmit card data on behalf of another entity (such as a merchant) OR are managed service providers that provide managed firewalls, intrusion detection, hosting, and other IT-related services. Also called a “vendor.” Skimming Stealing card data directly from the consumer’s payment card or from the payment infrastructure at a merchant location such as with a rogue hand-held card reader or via modifications …
Service Provider * A business entity that provides various services to merchants. Typically, these entities store, process, or transmit card data on behalf of another entity (such as a merchant) OR are managed service providers that provide managed firewalls, intrusion detection, hosting, and other IT-related services. Also called a “vendor.” Skimming Stealing card data directly from the consumer’s payment card or from the payment infrastructure at a merchant location such as with an unauthorized hand-held card reader or via modifications …
Removed p. 9
TERM DEFINITION Skimming Device A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card. Also called a “card skimmer.” Small Merchant A business that typically has a single location or possibly a few locations, with limited to no IT budget and usually with no IT personnel on staff.
Modified p. 9
SRED An acronym for secure reading and exchange of data. A set of PCI PTS requirements designed to protect and encrypt card data in payment terminals. A PCI Council-listed Point-to-Point Encryption (P2PE) solution must use a PTS-approved and listed payment terminal with SRED enabled and actively performing card data encryption.
SRED An acronym for “Secure Reading and Exchange of Data.” A set of PCI PTS requirements designed to protect and encrypt card data in payment terminals. A PCI Council-listed Point-to-Point Encryption (P2PE) solution must use a PTS-approved and listed payment terminal with SRED enabled and actively performing card data encryption.
Modified p. 9
Strong Authentication Used to verify the identity of a user or device to ensure the security of the system it protects. The term strong authentication is often synonymous with multifactor authentication (MFA).
Strong Authentication Used to verify the identity of a user or device to ensure the security of the system it protects. The term strong authentication often means with multifactor authentication (MFA).
Modified p. 9 → 10
Tokenization A process by which the primary account number (PAN) is replaced with a surrogate value called a token. Tokens can be used in place of the original PAN to perform functions when the card is absent like voids, refunds, or recurring billing. Tokens also provide more security if stolen because they are unusable and thus have no value to a criminal.
TERM DEFINITION Tokenization A process by which the primary account number (PAN) is replaced with an alternative value called a token. Tokens can be used in place of the original PAN to perform functions when the card is absent like voids, refunds, or recurring billing. Tokens also provide more security if stolen because they are unusable and thus have no value to a criminal.
Modified p. 9 → 10
Unencrypted Data Any data that is readable without the need to decrypt it first. Also called “plaintext” and “clear text” data.
Unencrypted Data Any data that is readable without the need to decrypt it first. Also called “plaintext” and “clear-text” data.
Removed p. 10
Virtual Private Network (VPN) * The VPN consists of virtual circuits within a larger network, such as the Internet, instead of direct connections by physical wires. The end points of the VPN “tunnel” through the larger network, which is done to create a private, secure connection.
Modified p. 10
Virus Malware that replicates copies of itself into other software or data files on an “infected” computer. Upon replication, the virus may execute a malicious payload, such as deleting all data on the computer. A virus may lie dormant and execute its payload later, or it may never trigger a malicious action. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is called a “worm.” Vulnerability * Flaw or weakness …
Virus Malware that replicates copies of itself into other software or data files on an “infected” computer. Upon replication, the virus may execute a malicious payload, such as deleting all data on the computer. A virus may lie dormant and execute its payload later, or it may never trigger a malicious action. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is called a “worm.” Vulnerability * Flaw or weakness …
Modified p. 10
Vulnerability Scan A software tool that detects and classifies potential weak points (vulnerabilities) on a computer or network. A scan may be performed by an organization’s IT department or a security service provider (such as an Approved Scanning Vendor). See also Approved Scanning Vendor (ASV).
Vulnerability Scan A software tool that detects and classifies potential weak points (vulnerabilities) on a computer or network. A quarterly external vulnerability scan per PCI DSS Requirement 11.2.2 must be performed by an Approved Scanning Vendor. Other vulnerability scans (such as internal scans and those performed after network changes) can be conducted by qualified staff in an organization’s IT department or by a security service provider (such as an Approved Scanning Vendor). See also Approved Scanning Vendor (ASV).