Document Comparison
pci_glossary_v20.pdf
→
PCI_DSS_Glossary_v3.pdf
75% similar
Pages: 17 → 22
Words: 7414 → 9156
Content changes: 55

Content Changes
55 content changes. 34 administrative changes (dates, page numbers) hidden.
Added
p. 2
AOC Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
AOV Acronym for “attestation of validation.” The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
Added
p. 3
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
Authentication Credentials Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
Authorization In the context of access control, authorization is the granting of access or other rights to a user, program, or process. Authorization defines what an individual or program can do after successful authentication.
In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
BAU An acronym for “business as usual.” BAU is an organization’s normal daily business operations.
Buffer Overflow Vulnerability that is created from insecure coding methods, where a program overruns the buffer’s boundary and writes data to adjacent memory space. Buffer overflows are …
Added
p. 4
(1) Data element on a card's magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
• CAV: Card Authentication Value (JCB payment cards)
• CVC: Card Validation Code (MasterCard payment cards)
• CVV: Card Verification Value (Visa and Discover payment cards)
• CSC: Card Security Code (American Express)
(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic …
Added
p. 13
OCTAVE® Acronym for “Operationally Critical Threat, Asset, and Vulnerability Evaluation.” A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
Organizational Independence An organizational structure that ensures there is no conflict of interest between the person or department performing the activity and the person or department assessing the activity. For example, individuals performing assessments are organizationally separate from the management of the environment being assessed.
PA-DSS Acronym for “Payment Application Data Security Standard.”
PA-QSA Acronym for “Payment Application Qualified Security Assessor.” PA-QSAs are qualified by PCI SSC to assess payment applications against the PA-DSS. Refer to the PA-DSS Program Guide and PA-QSA Qualification Requirements for details about requirements for PA-QSA Companies and Employees.
Added
p. 14
PED PIN entry device.
Penetration Test Penetration tests attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment.
Personal Firewall Software A software firewall product installed on a single computer.
Personally Identifiable Information Information that can be utilized to identify or trace an individual’s identity including but not limited to name, address, social security number, biometric data, date of birth, etc.
Added
p. 15
Port Logical (virtual) connection points associated with a particular communication protocol to facilitate communications across networks.
Privileged User Any user account with greater than basic access privileges. Typically, these accounts have elevated or increased privileges with more rights than a standard user account. However, the extent of privileges across different privileged accounts can vary greatly depending on the organization, job function or role, and the technology in use.
Proxy Server A server that acts as an intermediary between an internal network and the Internet. For example, one function of a proxy server is to terminate or negotiate connections between internal and external connections such that each only communicates with the proxy server.
QIR Acronym for “Qualified Integrator or Reseller.” Refer to the QIR Program Guide on the PCI SSC website for more information.
QSA Acronym for “Qualified Security Assessor.” QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments. Refer to the …
Added
p. 19
Stateful Inspection Also called “dynamic packet filtering.” Firewall capability that provides enhanced security by keeping track of the state of network connections. Programmed to distinguish legitimate packets for various connections, only packets matching an established connection will be permitted by the firewall; all others will be rejected.
Strong Cryptography Cryptography based on industry-tested and accepted algorithms, along with strong key lengths (minimum 112-bits of effective key strength) and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). At the time of publication, examples of industry-tested and accepted standards and algorithms for minimum encryption strength include AES (128 bits and higher), TDES (minimum triple-length keys), RSA (2048 bits and higher), ECC (160 bits and higher), and ElGamal (2048 bits and higher).
See NIST Special Publication 800-57 Part 1 (http://csrc.nist.gov/publications/) for more guidance on cryptographic key …
Added
p. 21
Virtual Payment Terminal A virtual payment terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Wildcard A character that may be substituted for a defined subset of possible characters in an application version scheme. In the context of PA-DSS, wildcards can optionally be used to represent a non-security impacting change. A wildcard is the only variable element of the vendor’s version scheme, and is used to indicate there are only minor, non-security-impacting changes between each version represented by the wildcard element.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 2.0
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.0
Removed
p. 2
Authentication Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
Authentication Credentials Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
Modified
p. 2
Account Data Account data consists of cardholder data plus sensitive authentication data. See Cardholder Data and Sensitive Authentication Data Account Number See Primary Account Number (PAN).
Account Data Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.
Modified
p. 2
Acquirer Also referred to as “acquiring bank” or “acquiring financial institution.” Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Acquirer Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Removed
p. 3
Card Verification Code or Value Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features. (1) Data element on a card's magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
• CAV: Card Authentication Value (JCB payment cards)
• CVC: Card Validation Code (MasterCard payment cards)
• CVV: Card Verification Value (Visa and Discover payment cards)
• CSC: Card Security Code (American Express)
(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, …
Modified
p. 3 → 4
CDE Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
Modified
p. 4 → 5
Compensating Controls Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in …
Compensating Controls Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
Modified
p. 5 → 6
DNS Acronym for “Domain Name System” or “domain name server.” System that stores information associated with domain names in a distributed database on networks such as the Internet.
DNS Acronym for “domain name system” or “domain name server.” A system that stores information associated with domain names in a distributed database to provide name-resolution services to users on networks such as the Internet.
Modified
p. 5 → 7
Encryption Algorithm A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.
Encryption Algorithm Also called “cryptographic algorithm.” A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.
Modified
p. 6 → 8
Hashing Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. Hashing is a (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a “hash code” or “message digest”). A hash function should have the following properties: (1) It is computationally infeasible to determine the original input given only the hash code, (2) It is computationally infeasible to find two …
Hashing Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. Hashing is a one-way (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a “hash code” or “message digest”). A hash function should have the following properties:
Modified
p. 7 → 9
IDS Acronym for “intrusion detection system.” Software or hardware used to identify and alert on network or system intrusion attempts. Composed of sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses system of rules to generate alerts in response to security events detected.
IDS Acronym for “intrusion-detection system.” Software or hardware used to identify and alert on network or system anomalies or intrusion attempts. Composed of: sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses system of rules to generate alerts in response to detected security events. See IPS.
IETF Acronym for “Internet Engineering Task Force.” Large, open international community of …
Modified
p. 7 → 9
Information Security Protection of information to insure confidentiality, integrity, and availability.
Information Security Protection of information to ensure confidentiality, integrity, and availability.
Modified
p. 7 → 9
Insecure Protocol/Service/Port A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity. These security concerns include services, protocols, or ports that transmit data and authentication credentials (e.g., password/passphrase in clear-text over the Internet), or that easily allow for exploitation by default or if misconfigured. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
Insecure Protocol/Service/Port A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity. These security concerns include services, protocols, or ports that transmit data or authentication credentials (for example, password/passphrase) in clear-text over the Internet, or that easily allow for exploitation by default or if misconfigured. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
Modified
p. 7 → 10
IP Address Also referred to as “internet protocol address.” Numeric code that uniquely identifies a particular computer on the Internet.
IP Address Also referred to as “internet protocol address.” Numeric code that uniquely identifies a particular computer (host) on the Internet.
Modified
p. 7 → 10
IP Address Spoofing Attack technique used by a malicious individual to gain unauthorized access to computers. The malicious individual sends deceptive messages to a computer with an IP address indicating that the message is coming from a trusted host.
IP Address Spoofing Attack technique used to gain unauthorized access to networks or computers. The malicious individual sends deceptive messages to a computer with an IP address indicating that the message is coming from a trusted host.
Removed
p. 8
Key In cryptography, a key is a value that determines the output of an encryption algorithm when transforming plain text to ciphertext. The length of the key generally determines how difficult it will be to decrypt the ciphertext in a given message. See Strong Cryptography.
Key Management In cryptography, it is the set of processes and mechanisms which support key establishment and maintenance, including replacing older keys with new keys as necessary.
Magnetic-Stripe Data Also referred to as “track data.” Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe.
Modified
p. 8 → 10
ISO Better known as “International Organization for Standardization.” Non-governmental organization consisting of a network of the national standards institutes of over 150 countries, with one member per country and a central secretariat in Geneva, Switzerland, that coordinates the system.
ISO Better known as “International Organization for Standardization.” Non-governmental organization consisting of a network of the national standards institutes.
Modified
p. 8 → 10
MAC Acronym for “message authentication code.” In cryptography, it is a small piece of information used to authenticate a message. See Strong Cryptography.
MAC In cryptography, an acronym for “message authentication code.” A small piece of information used to authenticate a message. See Strong Cryptography.
Modified
p. 9 → 11
Monitoring Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.
MO/TO Acronym for “Mail-Order/Telephone-Order.”
Monitoring Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.
Modified
p. 9 → 11
MPLS Acronym for “multi protocol label switching.” Network or telecommunications mechanism designed for connecting a group of packet-switched networks.
MPLS Acronym for “multi-protocol label switching.” Network or telecommunications mechanism designed for connecting a group of packet-switched networks.
Modified
p. 9 → 12
Network Segmentation Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement. See System Components.
Network Segmentation Also referred to as “segmentation” or “isolation.” Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement.
Removed
p. 10
PA-QSA Acronym for “Payment Application Qualified Security Assessor,” company approved by the PCI SSC to conduct assessments on payment applications against the PA-DSS.
Pad In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plain-text and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
Parameterized Queries A means of structuring SQL queries to limit escaping and thus prevent injection attacks.
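The Parameterized Queries entry above says what the technique achieves but not how it differs in practice from escaping. The following is an added example, not text or code from either glossary: a string-built lookup beside a parameterized one, run against a constructed in-memory SQLite table (the `merchant_users` table, its rows, and the function names are assumptions for the demonstration). It shows the tautology injection succeeding only against the string-built query, and a legitimate apostrophe in a username breaking the string-built query while the parameterized one needs no escaping at all.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data set for the example; the table exists only in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchant_users (username TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO merchant_users VALUES (?, ?)",
        [("alice", "1111"), ("bob", "4242"), ("o'brien", "9876")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """String-built query: the caller's text becomes part of the SQL grammar."""
    sql = f"SELECT username, pan_last4 FROM merchant_users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterized query: the SQL text is fixed and the value is bound by the
    driver, so nothing in the value is ever parsed as SQL and no escaping is needed."""
    sql = "SELECT username, pan_last4 FROM merchant_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """A legitimate apostrophe is an unterminated string to the string-built query.
    Escaping would have to be applied everywhere; binding removes the need."""
    try:
        lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    conn = make_db()
    payload = "x' OR '1'='1"   # classic tautology: makes the WHERE clause always true
    return {
        "vulnerable_injected": lookup_vulnerable(conn, payload),
        "parameterized_injected": lookup_parameterized(conn, payload),
        "parameterized_apostrophe": lookup_parameterized(conn, "o'brien"),
        "vulnerable_apostrophe_errors": vulnerable_breaks_on_apostrophe(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The injected payload returns every row from the string-built query and nothing from the bound one, because the parameter is compared as the literal 11-character string `x' OR '1'='1`.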
Modified
p. 10 → 13
PAN Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
Pad In cryptography, the one-time pad is an encryption algorithm with text combined with a random key or "pad" that is as long as the plain-text and used only once. Additionally, if the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
PAN Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
Modified
p. 10 → 14
Payment Cards For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
Removed
p. 11
PED PIN entry device.
Penetration Test Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the network trying to come in (external testing) and from inside the network.
Personally Identifiable Information Information that can be utilized to identify an individual including but not limited to name, address, social security number, phone number, etc.
Modified
p. 11 → 15
POS Acronym for “point of sale.” Hardware and/or software used to process payment card transactions at merchant locations.
Removed
p. 12
QSA Acronym for “Qualified Security Assessor,” company approved by the PCI SSC to conduct PCI DSS on-site assessments.
RBAC Acronym for “role-based access control.” Control used to restrict access by specific authorized users based on their job responsibilities.
Report on Compliance Also referred to as “ROC.” Report containing details documenting an entity’s compliance status with the PCI DSS.
Report on Validation Also referred to as “ROV.” Report containing details documenting a payment application’s compliance with the PCI PA-DSS.
Modified
p. 12 → 16
Remote Access Access to computer networks from a remote location, typically originating from outside the network. An example of technology for remote access is VPN.
Remote Access Access to computer networks from a remote location. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN.
Removed
p. 13
Salt Random string that is concatenated with other data prior to being operated on by a hash function. See also Hash.
SAQ Acronym for “Self-Assessment Questionnaire.” Tool used by any entity to validate its own compliance with the PCI DSS.
Sensitive Area Any data center, server room or any area that houses systems that stores, processes, or transmits cardholder data. This excludes the areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
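The Hashing entry (page 8, both versions) lists the properties a hash function should have, and the removed Salt entry above describes a salt as a random string concatenated before hashing. Neither says why the salt matters for cardholder data. This added example, which is not code from either glossary, shows it: a PAN has so few possible values that an unsalted SHA-256 of it is reversed by enumeration when the attacker knows the first six digits (BIN) and last four, even though the hash function itself is one-way. A keyed hash (HMAC with a key kept apart from the hashes) defeats the same enumeration. The PAN is the constructed Visa test number, and `recover_pan`, `keyed_hash` and the 6+4 known-digit split are assumptions of the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed input: the well-known Visa test PAN, not a live card.
TEST_PAN = "4111111111111111"

_DOUBLED = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)   # Luhn: 2*d with the digits of the result summed


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    digits = [int(c) for c in pan]
    plain = digits[-1::-2]        # rightmost digit and every second one leftwards
    doubled = digits[-2::-2]      # the digits in between are doubled
    return (sum(plain) + sum(_DOUBLED[d] for d in doubled)) % 10 == 0


def unsalted_hash(pan: str) -> str:
    """SHA-256 of the PAN alone: one-way as a function, but the input space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 with a secret key stored apart from the hashes. The key plays
    the salt's role, but being secret it stops an attacker from rebuilding candidates."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, bin6: str, last4: str, digest=unsalted_hash):
    """Attacker view: knows the first six digits (BIN) and the last four, and tries
    every middle value. For a 16-digit PAN that is 10**6 candidates, about 10**5
    after the Luhn filter. Returns the PAN on a match, else None."""
    unknown = 16 - len(bin6) - len(last4)
    for middle in range(10 ** unknown):
        candidate = f"{bin6}{middle:0{unknown}d}{last4}"
        if luhn_valid(candidate) and digest(candidate) == target:
            return candidate
    return None


def demo():
    """Returns (PAN recovered from the unsalted hash, result against the keyed hash)."""
    leaked = unsalted_hash(TEST_PAN)
    found = recover_pan(leaked, TEST_PAN[:6], TEST_PAN[-4:])

    key = secrets.token_bytes(32)   # generated at runtime; never stored beside the hashes
    keyed = keyed_hash(TEST_PAN, key)
    # Without the key the attacker can only compute unkeyed digests; none will match.
    not_found = recover_pan(keyed, TEST_PAN[:6], TEST_PAN[-4:])
    return found, not_found


if __name__ == "__main__":
    print(demo())
```

The second search walks the whole candidate space and finds nothing, which is the practical meaning of the glossary's preimage property: it only protects inputs an attacker cannot enumerate. A plain random salt stored next to the hash also blocks precomputed tables, but not this per-record enumeration, which is why the key here is secret.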
Modified
p. 13 → 17
SANS Acronym for “SysAdmin, Audit, Networking and Security,” an institute that provides computer security training and professional certification. (See www.sans.org.)
Scoping Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.
SANS Acronym for “SysAdmin, Audit, Networking and Security,” an institute that provides computer security training and professional certification. (See www.sans.org.)
SAQ Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
Modified
p. 13 → 17
SDLC Acronym for “system development life cycle.” Phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.
SDLC Acronym for “system development life cycle” or “software development lifecycle.” Phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.
Modified
p. 13 → 17
Secure Wipe Also called “secure delete,” a program utility used to delete specific files permanently from a computer system.
Secure Wipe Also called “secure delete,” a method of overwriting data residing on a hard disk drive or other digital media, rendering the data irretrievable.
Modified
p. 13 → 17
Security Officer Primary responsible person for an entity’s security-related affairs.
Security Officer Primary person responsible for an entity’s security-related matters.
Modified
p. 13 → 17
Security Policy Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Security Protocols Network communications protocols designed to secure the transmission of data. Examples of security protocols include, but are not limited to SSL/TLS, IPSEC, SSH, etc.
Security Policy Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Security Protocols Network communications protocols designed to secure the transmission of data. Examples of security protocols include, but are not limited to SSL/TLS, IPSEC, SSH, HTTPS, etc.
Modified
p. 13 → 18
Sensitive Authentication Data Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Sensitive Authentication Data Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Removed
p. 14
Stateful Inspection Also called “dynamic packet filtering,” it is a firewall capability that provides enhanced security by keeping track of communications packets. Only incoming packets with a proper response (“established connections”) are allowed through the firewall.
Modified
p. 14 → 18
Service Provider Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are …
Service Provider Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access
•such as …
•such as …
Modified
p. 14 → 18
Split Knowledge Condition in which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.
Split Knowledge A method by which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.
Modified
p. 14 → 19
SSL Acronym for “Secure Sockets Layer.” Established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel.
SSL Acronym for “Secure Sockets Layer.” Established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel. See TLS.
Modified
p. 15 → 19
System Components Any network component, server, or application included in or connected to the cardholder data environment.
System Components Any network devices, servers, computing devices, or applications included in or connected to the cardholder data environment.
Modified
p. 15 → 19
System-level object Anything on a system component that is required for its operation, including but not limited to application executable and configuration files, system configuration files, static and shared libraries & DLL's, system executables, device drivers and device configuration files, and added third-party components.
System-level object Anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components.
Modified
p. 15 → 19
TCP Acronym for “Transmission Control Protocol.” Basic communication language or protocol of the Internet.
TCP Acronym for “Transmission Control Protocol.” One of the core transport-layer protocols of the Internet Protocol (IP) suite, and the basic communication language or protocol of the Internet. See IP.
Modified
p. 15 → 20
Token A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN.
Token In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN.
Removed
p. 16
Virtual Terminal A virtual terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Modified
p. 17 → 22
Vulnerability Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system..
Vulnerability Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
Modified
p. 17 → 22
WAN Acronym for “wide area network.” Computer network covering a large area, often a regional or company wide computer system.
WAN Acronym for “wide area network.” Computer network covering a large area, often a regional or company-wide computer system.
Modified
p. 17 → 22
WPA/WPA2 Acronym for “WiFi Protected Access.” Security protocol created to secure wireless networks. WPA is the successor to WEP.. WPA2 was also released as the next generation of WPA.
WPA/WPA2 Acronym for “WiFi Protected Access.” Security protocol created to secure wireless networks. WPA is the successor to WEP. WPA2 was also released as the next generation of WPA.