Build and maintain a secure network.
Acronym for “Secure Hash Algorithm.” A family or set of related cryptographic hash functions including SHA-1 and SHA-2.
This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
Abbreviation for “demilitarized zone.” Physical or logical sub-network that provides an additional layer of security to an organization’s internal private network.
Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.
A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
Cardholder data is any personally identifiable information associated with a person who has a credit or debit card.
that is necessary for the payment application to meet PA-DSS requirements.
Masking is used when there is no business requirement to view the entire PAN.
Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
Acronym for Carnegie Mellon University's “Computer Emergency Response Team.” The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
(4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
Acronym for “PIN verification value.” Discretionary value encoded in magnetic stripe of payment card.
Acronym for “domain name system” or “domain name server.” A system that stores information associated with domain names in a distributed database to provide name-resolution services to users on networks such as the Internet.
Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
Attack technique used to gain unauthorized access to networks or computers.
Vulnerability that is created from insecure coding techniques resulting in improper input validation, which allows attackers to relay malicious code through a web application to the underlying system.
See Strong Cryptography.
See S-FTP.
Method of rendering the full PAN unreadable by permanently removing a segment of PAN data.
The circuits, also referred to as the “chip,” contain payment card data including but not limited to data equivalent to the magnetic-stripe data.
Install and maintain a firewall configuration to protect cardholder data (CHD).
The "Mobile Payment Acceptance Security Guidelines" also provided recommended measures for merchants to secure mobile devices used for payment acceptance, and guidelines for securing the payment acceptance solutions' hardware and software.
Network communications protocols designed to secure the transmission of data.
See FTP.
Computer that contains a program that accepts HTTP requests from web clients and serves the HTTP responses (usually web pages).
Acronym for “Terminal Access Controller Access Control System.” Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network.
Copyright 2009 - 2021, TechTarget
Acronym for “File Transfer Protocol.” Network protocol used to transfer data from one computer to another through a public network such as the Internet.
Process of identifying all system components, people, and processes to be included in a PCI DSS assessment.
Acronym for “personal data assistant” or “personal digital assistant.” Handheld mobile devices with capabilities such as mobile phones, e-mail, or web browser.
An application that is generally accessed via a web browser or through web services.
Update to existing software to add functionality or to correct a defect.
Process of verifying identity of an individual, device, or process.
Security scans that include probing internal and external systems and reporting on services exposed to the network.
Periodic re-keying limits the amount of data encrypted by a single key.
Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.
See also Acquirer.
For example, companies that process over 6 million Visa transactions a year are known as Level 1 merchants.
Anything on a system component that is required for its operation, including but not limited to database tables, stored procedures, application executables and configuration files, system configuration files, static and shared libraries and DLLs, system executables, device drivers and device configuration files, and third-party components.
Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer.
The Payment Card Industry Security Standards Council (PCI SSC) develops and manages the PCI standards and associated education and awareness efforts.
The penalties for not following the credit card data security standards are not widely publicized.
The PCI Security Standards Council is …
This type of data also includes the person's primary account number (PAN), along with additional data such as their name, their card's expiration date and/or the card's service code: a three- or four-digit number on cards that uses a magnetic stripe.
Network established by an organization that uses private IP address space.
See Masking for protection of PAN when displayed on screens, paper receipts, etc.
Critical systems / critical technologies:
Something you know, such as a password or passphrase.
Something you have, such as a token device or smart card.
Goal 6: Maintain an information security policy.
Also called “secure delete,” a method of overwriting data residing on a hard disk drive or other digital media, rendering the data irretrievable.
Abbreviation for “telephone network protocol.” Typically used to provide user-oriented command line login sessions to devices on a network.
Sometimes referred to as “payment gateway” or “payment service provider (PSP)”.
Also called “disk degaussing.” Process or technique that demagnetizes the disk such that all data stored on the disk is permanently destroyed.
Web applications may be available via the Internet or a private, internal network.
An acronym for “business as usual.” BAU is an organization's normal daily business operations.
Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors.
Protect your system with firewalls.
Authentication typically occurs through the use of one or more authentication factors such as:
Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
For further guidance, refer to industry standards, such as current versions of NIST Special Publications 800-107 and 800-106, Federal Information Processing Standard (FIPS) 180-4 Secure Hash Standard (SHS), and FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.
Can be the magnetic-stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe.
Abbreviation for “logical partition.” A system of subdividing, or partitioning, a computer's total resources—processors, memory and storage—into smaller units that can run with their own, distinct copy of the operating system and applications.
The following documents provide recognized guidance on proper key generation:
The set of processes and mechanisms which support cryptographic key establishment and maintenance, including replacing older keys with new keys as necessary.
Software-based PIN Entry on COTS (SPoC) Solutions, Contactless Payments on COTS (CPoC) Solutions.
For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards.
Access to computer networks from a remote location.
Acronym for “Payment Application Qualified Security Assessor.” PA-QSAs are qualified by PCI SSC to assess payment applications against the PA-DSS.
A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
Having the minimum access and/or privileges necessary to perform the roles and responsibilities of the job function.
A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity.
Acronym for “authentication, authorization, and accounting.” Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user’s consumption of network resources.
A virtual switch or router is a logical entity that presents network infrastructure level data routing and switching functionality.
A self-contained operating environment that behaves like a separate computer.
Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and external/portable hard drives.
See Strong Cryptography.
PCI compliance is the strict adherence to the guidelines of the Payment Card Industry Data Security Standard (PCI DSS), required for all businesses that accept credit card payments.
If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
Assessors that validate PCI DSS compliance are responsible to ensure that the PCI scope definition was properly applied and implemented for any software product or business.
Technique or technology (either software or hardware) for encrypting contents of a specific column in a database versus the full contents of the entire database.
See IPS.
Malware activity that examines and extracts data that resides in memory as it is being processed or which has not been properly flushed or overwritten.
Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities.
Acronym for “American National Standards Institute.” Private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.
What else is in the cards?
Abbreviation for “Advanced Encryption Standard.” Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or “FIPS 197”).
Procedure is the “how to” for a policy and describes how the policy is to be implemented.
A block of data used to encapsulate a PIN during processing.
Functions as sorter and interpreter by looking at addresses and passing bits of information to proper destinations.
Acronym for “Lightweight Directory Access Protocol.” Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected internal resources.
A Qualified Security Assessor (QSA) is a data security firm that has been trained and is certified by the PCI SSC to perform on-site security assessments to verify PCI DSS compliance.
Virtualization refers to the logical abstraction of computing resources from physical constraints.
Acronym for “local area network.” A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.
Acronym for “wireless local area network.” Local area network that links two or more computers or devices without wires.
Screen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment.
For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard, or Visa, Inc.
A server that acts as an intermediary between an internal network and the Internet.
Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.
Random data string that is concatenated with source data before a one-way hash function is applied.
Many legacy systems have a mainframe design.
Logical (virtual) connection points associated with a particular communication protocol to facilitate communications across networks.
Abbreviation for “Remote Authentication Dial-In User Service.” Authentication and accounting system.
A character that may be substituted for a defined subset of possible characters in an application version scheme.
One common abstraction is referred to as virtual machines or VMs, which takes the content of a physical machine and allows it to operate on different physical hardware and/or along with other virtual machines on the same physical hardware.
The PCI Security Standards Council (PCI SSC) is the governing organization that has published and enforced the PCI Data Security Standards (PCI-DSS) since 2006.
Process of converting information into an unintelligible form except to holders of a specific cryptographic key.
Individual purchasing goods, services, or both.
WPA2 was also released as the next generation of WPA.
The six groups are:
PCI DSS Designated Entities Supplemental Validation for PCI DSS 3.1 (DESV) - A new set of …
Masking relates to protection of PAN when displayed or printed.
Type of malicious software that, when installed without authorization, is able to conceal its presence and gain administrative control of a computer system.
The end points of the virtual network are said to be tunneled through the larger network when this is the case.
Acronym for “PIN Transaction Security,” PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals.
Refer to the QSA Qualification Requirements for details about requirements for QSA Companies and Employees.
Input variables can help reduce the effectiveness of rainbow table attacks.
Also referred to as “audit trail.” Chronological record of system activities.
Acronym for “Report on Compliance.” Report documenting detailed results from an entity’s PCI DSS assessment.
As part of this process, network segmentation should be subjected to a penetration test on an annual basis.
Logical partitioning is typically used to allow the use of different operating systems and applications on a single device.
PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications.
A virtual payment terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser.
The time span during which a specific cryptographic key can be used for its defined purpose based on, for example, a defined period of time and/or the amount of cipher-text that has been produced, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).
Acronym for “intrusion-detection system.” Software or hardware used to identify and alert on network or system anomalies or intrusion attempts.
Acquirers are subject to payment brand rules and procedures regarding merchant compliance.
A hash function should have the following properties:
Description of products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.
Card Verification Code or Value: Also known as Card Validation Code or Value, or Card Security Code.
The first requirement of the PCI DSS is to protect your system …
Acronym for “network access control” or “network admission control.” A method of implementing security at the network layer by restricting the availability of network resources to endpoint devices according to a defined security policy.
In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.
The consequences of not being PCI compliant reportedly range from $5,000 to $500,000, and are levied by banks and credit card institutions.
Network segmentation is not a PCI DSS requirement.
Better known as “International Organization for Standardization.” Non-governmental organization consisting of a network of the national standards institutes.
Algorithm for public-key encryption described in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at Massachusetts Institute of Technology (MIT); letters RSA are the initials of their surnames.
Uses system of rules to generate alerts in response to detected security events.
Process by which an entity’s systems are remotely checked for vulnerabilities through use of manual or automated tools.
The following list provides the terms for each card brand:
For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card.