You are on page 1of 22

2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Contact
ChangeYourLanguage
English
Franais
Espaol

Deutsch
Italiano
Portugus


Trke

Submit

ToggleMenu

PCISecurity

PCISecurity
Overview
WhySecurityMatters
HowtoSecure
MaintainingPaymentSecurity
CompletingSelfAssessment
EducationalResources
StandardsOverview
Glossary
PaymentProtectionResourcesforSmallMerchants
Assessors&Solutions

Assessors&Solutions

AssessorOverview

Assessors

ApprovedScanningVendors
InternalSecurityAssessors
PaymentApplicationAssessors
PointtoPointEncryptionAssessors
https://www.pcisecuritystandards.org/pci_security/glossary 1/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

QualifiedSecurityAssessors

ProductsandSolutions
ApprovedPTSDevices
PaymentApplications
PointtoPointEncryptionSolutions

AdditionalResources

PCIForensicInvestigators
U.S.EMVVARQualificationProgram
PCIProfessionals
QualifiedIntegratorsandResellers
GiveFeedback
DocumentLibrary
Training&Qualification

Training&Qualification
Overview
ApprovedScanningVendor
InternalSecurityAssessor
PaymentApplicationQSA
PCIAcquirerTraining
PCIAwarenessTraining
PCIProfessional
P2PEAssessors
QualifiedIntegratorandReseller
QualifiedSecurityAssessor
Webinars
MeetOurTrainers
TrainingFAQ
ProgramFees
BecomeQualified
CorporateGroupTraining
AboutUs

AboutUs
Overview
Leadership
Newsroom
Events
JobsatPCI
ContactUs
Blog
GetInvolved

GetInvolved
Overview
ParticipatingOrganizations
AffiliateMembers
SpecialInterestGroups
https://www.pcisecuritystandards.org/pci_security/glossary 2/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

ParticipatingOrganizationApplication
StrategicRegionalMembers
CommunityMeetings
AsiaPacificCommunityMeeting2017
LatinAmericaForum2017
NorthAmericaCommunityMeeting2017
EuropeCommunityMeeting2017
PastCommunityMeetings
FAQs

Glossary
PaymentCardIndustry(PCI)DataSecurityStandardGlossary,AbbreviationsandAcronyms

PleaseclickhereforthedownloadableversionofthePCIDSSGlossary.

ABCDEFGHIJKLMNOPQRSTUVWXYZ

A
AAA:
Acronymforauthentication,authorization,andaccounting.Protocolforauthenticatingauserbasedon
theirverifiableidentity,authorizingauserbasedontheiruserrights,andaccountingforausers
https://www.pcisecuritystandards.org/pci_security/glossary 3/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

consumptionofnetworkresources.
Accesscontrol:
Mechanismsthatlimitavailabilityofinformationorinformationprocessingresourcesonlytoauthorized
personsorapplications.
AccountData:
Accountdataconsistsofcardholderdataand/orsensitiveauthenticationdata.SeeCardholderDataand
SensitiveAuthenticationData.
Accountnumber:
SeePrimaryAccountNumber(PAN).
Acquirer:
Alsoreferredtoasmerchantbank,acquiringbank,oracquiringfinancialinstitution.Entity,typicallya
financialinstitution,thatprocessespaymentcardtransactionsformerchantsandisdefinedbyapayment
brandasanacquirer.Acquirersaresubjecttopaymentbrandrulesandproceduresregardingmerchant
compliance.SeealsoPaymentProcessor..
AdministrativeAccess:
Elevatedorincreasedprivilegesgrantedtoanaccountinorderforthataccounttomanagesystems,networks
and/orapplications.Administrativeaccesscanbeassignedtoanindividualsaccountorabuiltinsystem
account.Accountswithadministrativeaccessareoftenreferredtoassuperuser,root,administrator,
admin,sysadminorsupervisorstate,dependingontheparticularoperatingsystemandorganizational
structure.
Adware:
Typeofmalicioussoftwarethat,wheninstalled,forcesacomputertoautomaticallydisplayordownload
advertisements.
AES:
AbbreviationforAdvancedEncryptionStandard.Blockcipherusedinsymmetrickeycryptography
adoptedbyNISTinNovember2001asU.S.FIPSPUB197(orFIPS197).SeeStrongCryptography.
ANSI:
AcronymforAmericanNationalStandardsInstitute.Private,nonprofitorganizationthatadministersand
coordinatestheU.S.voluntarystandardizationandconformityassessmentsystem.
AntiVirus:
Programorsoftwarecapableofdetecting,removing,andprotectingagainstvariousformsofmalicious
software(alsocalledmalware)includingviruses,worms,TrojansorTrojanhorses,spyware,adware,and
rootkits.
AOC:
Acronymforattestationofcompliance.TheAOCisaformformerchantsandserviceproviderstoattestto
theresultsofaPCIDSSassessment,asdocumentedintheSelfAssessmentQuestionnaireorReporton
Compliance.
AOV:
Acronymforattestationofvalidation.TheAOVisaformforPAQSAstoattesttotheresultsofaPADSS
assessment,asdocumentedinthePADSSReportonValidation.
Application:
Includesallpurchasedandcustomsoftwareprogramsorgroupsofprograms,includingbothinternaland
external(forexample,web)applications.
ASV:
AcronymforApprovedScanningVendor.CompanyapprovedbythePCISSCtoconductexternal
vulnerabilityscanningservices.
AuditLog:
Alsoreferredtoasaudittrail.Chronologicalrecordofsystemactivities.Providesanindependently
verifiabletrailsufficienttopermitreconstruction,review,andexaminationofsequenceofenvironmentsand
activitiessurroundingorleadingtooperation,procedure,oreventinatransactionfrominceptiontofinal
results.
AuditTrail:
SeeAuditLog.
Authentication:
Processofverifyingidentityofanindividual,device,orprocess.Authenticationtypicallyoccursthroughthe
useofoneormoreauthenticationfactorssuchas:

Somethingyouknow,suchasapasswordorpassphrase
https://www.pcisecuritystandards.org/pci_security/glossary 4/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Somethingyouhave,suchasatokendeviceorsmartcard
Somethingyouare,suchasabiometric

AuthenticationCredentials:
CombinationoftheuserIDoraccountIDplustheauthenticationfactor(s)usedtoauthenticateanindividual,
device,orprocess,
Authorization:
Inthecontextofaccesscontrol,authorizationisthegrantingofaccessorotherrightstoauser,program,or
process.Authorizationdefineswhatanindividualorprogramcandoaftersuccessfulauthentication.Inthe
contextofapaymentcardtransaction,authorizationoccurswhenamerchantreceivestransactionapproval
aftertheacquirervalidatesthetransactionwiththeissuer/processor.
BacktoTop

B
Backup:
Duplicatecopyofdatamadeforarchivingpurposesorforprotectingagainstdamageorloss.
BAU:
Anacronymforbusinessasusual.BAUisanorganization'snormaldailybusinessoperations.
Bluetooth:
Wirelessprotocolusingshortrangecommunicationstechnologytofacilitatetransmissionofdataovershort
distances.
BufferOverflow:
Vulnerabilitythatiscreatedfrominsecurecodingmethods,whereaprogramoverrunsthebuffer'sboundary
andwritesdatatoadjacentmemoryspace.Bufferoverflowsareusedbyattackerstogainunauthorized
accesstosystemsordata.
BacktoTop

CardSkimmer:
Aphysicaldevice,oftenattachedtoalegitimatecardreadingdevice,designedtoillegitimatelycapture
and/orstoretheinformationfromapaymentcard.
CardVerificationCodeorValue:
AlsoknownasCardValidationCodeorValue,orCardSecurityCode.Referstoeither:(1)magneticstripe
data,or(2)printedsecurityfeatures.

1.Dataelementonacard'smagneticstripethatusessecurecryptographicprocessestoprotectdata
integrityonthestripe,andrevealsanyalterationorcounterfeiting.ReferredtoasCAV,CVC,CVV,or
CSCdependingonpaymentcardbrand.Thefollowinglistprovidesthetermsforeachcardbrand:
CAVCardAuthenticationValue(JCBpaymentcards)
PANCVCCardValidationCode(MasterCardpaymentcards)
CVVCardVerificationValue(VisaandDiscoverpaymentcards)
CSCCardSecurityCode(AmericanExpress)

2.ForDiscover,JCB,MasterCard,andVisapaymentcards,thesecondtypeofcardverificationvalueor
codeistherightmostthreedigitvalueprintedinthesignaturepanelareaonthebackofthecard.For
AmericanExpresspaymentcards,thecodeisafourdigitunembossednumberprintedabovethePAN
onthefaceofthepaymentcards.Thecodeisuniquelyassociatedwitheachindividualpieceofplastic
andtiesthePANtotheplastic.Thefollowinglistprovidesthetermsforeachcardbrand:
CIDCardIdentificationNumber(AmericanExpressandDiscoverpaymentcards)
CAV2CardAuthenticationValue2(JCBpaymentcards)
PANCVC2CardValidationCode2(MasterCardpaymentcards)
CVV2CardVerificationValue2(Visapaymentcards)

Cardholder:
Nonconsumerorconsumercustomertowhomapaymentcardisissuedtooranyindividualauthorizedto
usethepaymentcard.
https://www.pcisecuritystandards.org/pci_security/glossary 5/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

CardholderData:
Ataminimum,cardholderdataconsistsofthefullPAN.Cardholderdatamayalsoappearintheformofthe
fullPANplusanyofthefollowing:cardholdername,expirationdateand/orservicecodeSeeSensitive
AuthenticationDataforadditionaldataelementsthatmaybetransmittedorprocessed(butnotstored)aspart
ofapaymenttransaction.
CDE:
Acronymforcardholderdataenvironment.Thepeople,processesandtechnologythatstore,process,or
transmitcardholderdataorsensitiveauthenticationdata.
CellularTechnologies:
Mobilecommunicationsthroughwirelesstelephonenetworks,includingbutnotlimitedtoGlobalSystemfor
Mobilecommunications(GSM),codedivisionmultipleaccess(CDMA),andGeneralPacketRadioService
(GPRS).
CERT:
AcronymforCarnegieMellonUniversity'sComputerEmergencyResponseTeam.TheCERTProgram
developsandpromotestheuseofappropriatetechnologyandsystemsmanagementpracticestoresistattacks
onnetworkedsystems,tolimitdamage,andtoensurecontinuityofcriticalservices.
ChangeControl:
Processesandprocedurestoreview,test,andapprovechangestosystemsandsoftwareforimpactbefore
implementation.
CIS:
AcronymforCenterforInternetSecurity.Nonprofitenterprisewithmissiontohelporganizationsreduce
theriskofbusinessandecommercedisruptionsresultingfrominadequatetechnicalsecuritycontrols.
ColumnLevelDatabaseEncryption:
Techniqueortechnology(eithersoftwareorhardware)forencryptingcontentsofaspecificcolumnina
databaseversusthefullcontentsoftheentiredatabase.Alternatively,seeDiskEncryptionorFileLevel
Encryption.
CompensatingControls:
Compensatingcontrolsmaybeconsideredwhenanentitycannotmeetarequirementexplicitlyasstated,due
tolegitimatetechnicalordocumentedbusinessconstraints,buthassufficientlymitigatedtheriskassociated
withtherequirementthroughimplementationofothercontrols.Compensatingcontrolsmust:(1)Meetthe
intentandrigoroftheoriginalPCIDSSrequirement(2)Provideasimilarlevelofdefenseastheoriginal
PCIDSSrequirement(3)BeaboveandbeyondotherPCIDSSrequirements(notsimplyincompliance
withotherPCIDSSrequirements)and(4)Becommensuratewiththeadditionalriskimposedbynot
adheringtothePCIDSSrequirement.SeeCompensatingControlsAppendicesBandCinPCIDSS
RequirementsandSecurityAssessmentProceduresforguidanceontheuseofcompensatingcontrols.
Compromise:
Alsoreferredtoasdatacompromise,ordatabreach.Intrusionintoacomputersystemwhere
unauthorizeddisclosure/theft,modification,ordestructionofcardholderdataissuspected.
Console:
Screenandkeyboardwhichpermitsaccessandcontrolofaserver,mainframecomputerorothersystemtype
inanetworkedenvironment.
Consumer:
Individualpurchasinggoods,services,orboth.
Criticalsystems/criticaltechnologies:
Asystemortechnologythatisdeemedbytheentitytobeofparticularimportance.Forexample,acritical
systemmaybeessentialfortheperformanceofabusinessoperationorforasecurityfunctiontobe
maintained.Examplesofcriticalsystemsoftenincludesecuritysystems,publicfacingdevicesandsystems,
databases,andsystemsthatstore,process,ortransmitcardholderdata.Considerationsfordeterminingwhich
specificsystemsandtechnologiesarecriticalwilldependonanorganizationsenvironmentandrisk
assessmentstrategy.
CrossSiteRequestForgery(CSRF):
Vulnerabilitythatiscreatedfrominsecurecodingmethodsthatallowsfortheexecutionofunwantedactions
throughanauthenticatedsession.OftenusedinconjunctionwithXSSand/orSQLinjection.
CrossSiteScripting(XSS):
Vulnerabilitythatiscreatedfrominsecurecodingtechniques,resultinginimproperinputvalidation.Often
usedinconjunctionwithCSRFand/orSQLinjection.
CryptographicKey:

https://www.pcisecuritystandards.org/pci_security/glossary 6/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Avaluethatdeterminestheoutputofanencryptionalgorithmwhentransformingplaintexttociphertext.
Thelengthofthekeygenerallydetermineshowdifficultitwillbetodecrypttheciphertextinagiven
message.SeeStrongCryptography.
CryptographicKeyGeneration:
Keygenerationisoneofthefunctionswithinkeymanagement.Thefollowingdocumentsprovide
recognizedguidanceonproperkeygeneration:

NISTSpecialPublication800133:RecommendationforCryptographicKeyGeneration
ISO115682FinancialservicesKeymanagement(retail)Part2:Symmetricciphers,theirkey
managementandlifecycle
4.3Keygeneration
ISO115684FinancialservicesKeymanagement(retail)Part4:Asymmetriccryptosystems
Keymanagementandlifecycle
6.2KeylifecyclestagesGeneration
EuropeanPaymentsCouncilEPC34208GuidelinesonAlgorithmsUsageandKeyManagement
6.1.1Keygeneration[forsymmetricalgorithms]
6.2.1Keygeneration[forasymmetricalgorithms]

CryptographicKeyManagement:
Thesetofprocessesandmechanismswhichsupportcryptographickeyestablishmentandmaintenance,
includingreplacingolderkeyswithnewkeysasnecessary.
Cryptography:
Disciplineofmathematicsandcomputerscienceconcernedwithinformationsecurity,particularlyencryption
andauthentication.Inapplicationsandnetworksecurity,itisatoolforaccesscontrol,information
confidentiality,andintegrity.
Cryptoperiod:
Thetimespanduringwhichaspecificcryptographickeycanbeusedforitsdefinedpurposebasedon,for
example,adefinedperiodoftimeand/ortheamountofciphertextthathasbeenproduced,andaccordingto
industrybestpracticesandguidelines(forexample,NISTSpecialPublication80057).
CVSS:
AcronymforCommonVulnerabilityScoringSystem.Avendoragnostic,industryopenstandarddesigned
toconveytheseverityofcomputersystemsecurityvulnerabilitiesandhelpdetermineurgencyandpriorityof
response.RefertoASVProgramGuideformoreinformation.
BacktoTop

D
DataFlowDiagram:
Adiagramshowinghowdataflowsthroughanapplication,system,ornetwork.
Database:
Structuredformatfororganizingandmaintainingeasilyretrievableinformation.Simpledatabaseexamples
aretablesandspreadsheets.
DataBaseAdministrator:
AlsoreferredtoasDBA.Individualresponsibleformanagingandadministeringdatabases.
DefaultAccounts:
Loginaccountpredefinedinasystem,application,ordevicetopermitinitialaccesswhensystemisfirstput
intoservice.Additionaldefaultaccountsmayalsobegeneratedbythesystemaspartoftheinstallation
process.
DefaultPassword:
Passwordonsystemadministration,user,orserviceaccountspredefinedinasystem,application,ordevice
usuallyassociatedwithdefaultaccount.Defaultaccountsandpasswordsarepublishedandwellknown,and
thereforeeasilyguessed.
Degaussing:
Alsocalleddiskdegaussing.Processortechniquethatdemagnetizesthedisksuchthatalldatastoredon
thediskispermanentlydestroyed.
Dependency:
InthecontextofPADSS,adependencyisaspecificsoftwareorhardwarecomponent(suchasahardware
terminal,database,operatingsystem,API,codelibrary,etc.)thatisnecessaryforthepaymentapplicationto
https://www.pcisecuritystandards.org/pci_security/glossary 7/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

meetPADSSrequirements.
DiskEncryption:
Techniqueortechnology(eithersoftwareorhardware)forencryptingallstoreddataonadevice(for
example,aharddiskorflashdrive).Alternatively,FileLevelEncryptionorColumnLevelDatabase
Encryptionisusedtoencryptcontentsofspecificfilesorcolumns.
DMZ:
Abbreviationfordemilitarizedzone.Physicalorlogicalsubnetworkthatprovidesanadditionallayerof
securitytoanorganizationsinternalprivatenetwork.TheDMZaddsanadditionallayerofnetworksecurity
betweentheInternetandanorganizationsinternalnetworksothatexternalpartiesonlyhavedirect
connectionstodevicesintheDMZratherthantheentireinternalnetwork.
DNS:
Acronymfordomainnamesystemordomainnameserver.Asystemthatstoresinformationassociated
withdomainnamesinadistributeddatabasetoprovidenameresolutionservicestousersonnetworkssuch
astheInternet.
DSS:
AcronymforDataSecurityStandard.SeePADSSandPCIDSS.
DualControl:
Processofusingtwoormoreseparateentities(usuallypersons)operatinginconcerttoprotectsensitive
functionsorinformation.Bothentitiesareequallyresponsibleforthephysicalprotectionofmaterials
involvedinvulnerabletransactions.Nosinglepersonispermittedtoaccessorusethematerials(for
example,thecryptographickey).Formanualkeygeneration,conveyance,loading,storage,andretrieval,
dualcontrolrequiresdividingknowledgeofthekeyamongtheentities.(SeealsoSplitKnowledge).
DynamicPacketFiltering:
SeeStatefulInspection.
BacktoTop

E
ECC:
AcronymforEllipticCurveCryptography.Approachtopublickeycryptographybasedonellipticcurves
overfinitefields.SeeStrongCryptography.
EgressFiltering:
Methodoffilteringoutboundnetworktrafficsuchthatonlyexplicitlyallowedtrafficispermittedtoleavethe
network.
Encryption:
Processofconvertinginformationintoanunintelligibleformexcepttoholdersofaspecificcryptographic
key.Useofencryptionprotectsinformationbetweentheencryptionprocessandthedecryptionprocess(the
inverseofencryption)againstunauthorizeddisclosure.SeeStrongCryptography.
EncryptionAlgorithm:
Alsocalledcryptographicalgorithm.Asequenceofmathematicalinstructionsusedfortransforming
unencryptedtextordatatoencryptedtextordata,andbackagain.SeeStrongCryptography.
Entity:
Termusedtorepresentthecorporation,organizationorbusinesswhichisundergoingaPCIDSSreview.
BacktoTop

FileIntegrityMonitoring:
Techniqueortechnologyunderwhichcertainfilesorlogsaremonitoredtodetectiftheyaremodified.When
criticalfilesorlogsaremodified,alertsshouldbesenttoappropriatesecuritypersonnel.
FileLevelEncryption:
Techniqueortechnology(eithersoftwareorhardware)forencryptingthefullcontentsofspecificfiles.
Alternatively,seeDiskEncryptionorColumnLevelDatabaseEncryption.
FIPS:
AcronymforFederalInformationProcessingStandards.StandardsthatarepubliclyrecognizedbytheU.S.
FederalGovernmentalsoforusebynongovernmentagenciesandcontractors.
Firewall:
https://www.pcisecuritystandards.org/pci_security/glossary 8/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Hardwareand/orsoftwaretechnologythatprotectsnetworkresourcesfromunauthorizedaccess.Afirewall
permitsordeniescomputertrafficbetweennetworkswithdifferentsecuritylevelsbaseduponasetofrules
andothercriteria.
Forensics:
Alsoreferredtoascomputerforensics.Asitrelatestoinformationsecurity,theapplicationofinvestigative
toolsandanalysistechniquestogatherevidencefromcomputerresourcestodeterminethecauseofdata
compromises.
FTP:
AcronymforFileTransferProtocol.Networkprotocolusedtotransferdatafromonecomputertoanother
throughapublicnetworksuchastheInternet.FTPiswidelyviewedasaninsecureprotocolbecause
passwordsandfilecontentsaresentunprotectedandincleartext.FTPcanbeimplementedsecurelyviaSSH
orothertechnology.SeeSFTP.
BacktoTop

G
GPRS:
AcronymforGeneralPacketRadioService.MobiledataserviceavailabletousersofGSMmobilephones.
Recognizedforefficientuseoflimitedbandwidth.Particularlysuitedforsendingandreceivingsmallbursts
ofdata,suchasemailandwebbrowsing.
GSM:
AcronymforGlobalSystemforMobileCommunications.Popularstandardformobilephonesand
networks.UbiquityofGSMstandardmakesinternationalroamingverycommonbetweenmobilephone
operators,enablingsubscriberstousetheirphonesinmanypartsoftheworld.
BacktoTop

Hashing:
Processofrenderingcardholderdataunreadablebyconvertingdataintoafixedlengthmessagedigest.
Hashingisaoneway(mathematical)functioninwhichanonsecretalgorithmtakesanyarbitrarylength
messageasinputandproducesafixedlengthoutput(usuallycalledahashcodeormessagedigest).A
hashfunctionshouldhavethefollowingproperties:(1)Itiscomputationallyinfeasibletodeterminethe
originalinputgivenonlythehashcode,(2)Itiscomputationallyinfeasibletofindtwoinputsthatgivethe
samehashcode.InthecontextofPCIDSS,hashingmustbeappliedtotheentirePANforthehashcodeto
beconsideredrenderedunreadable.Itisrecommendedthathashedcardholderdataincludeaninputvariable
(forexample,asalt)tothehashingfunctiontoreduceordefeattheeffectivenessofprecomputedrainbow
tableattacks(seeInputVariable).Forfurtherguidance,refertoindustrystandards,suchascurrentversions
ofNISTSpecialPublications800107and800106,FederalInformationProcessingStandard(FIPS)1804
SecureHashStandard(SHS),andFIPS202SHA3Standard:PermutationBasedHashandExtendable
OutputFunctions.
Host:
Maincomputerhardwareonwhichcomputersoftwareisresident.
HostingProvider:
Offersvariousservicestomerchantsandotherserviceproviders.Servicesrangefromsimpletocomplex
fromsharedspaceonaservertoawholerangeofshoppingcartoptionsfrompaymentapplicationsto
connectionstopaymentgatewaysandprocessorsandforhostingdedicatedtojustonecustomerperserver.
Ahostingprovidermaybeasharedhostingprovider,whohostsmultipleentitiesonasingleserver.
HSM:
Acronymforhardwaresecuritymoduleorhostsecuritymodule.Aphysicallyandlogicallyprotected
hardwaredevicethatprovidesasecuresetofcryptographicservices,usedforcryptographickey
managementfunctionsand/orthedecryptionofaccountdata.
HTTP:
Acronymforhypertexttransferprotocol.Openinternetprotocoltotransferorconveyinformationonthe
WorldWideWeb.
HTTPS:

https://www.pcisecuritystandards.org/pci_security/glossary 9/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Acronymforhypertexttransferprotocoloversecuresocketlayer.SecureHTTPthatprovides
authenticationandencryptedcommunicationontheWorldWideWebdesignedforsecuritysensitive
communicationsuchaswebbasedlogins.
Hypervisor:
Softwareorfirmwareresponsibleforhostingandmanagingvirtualmachines.ForthepurposesofPCIDSS,
thehypervisorsystemcomponentalsoincludesthevirtualmachinemonitor(VMM).
BacktoTop

I
ID:
Identifierforaparticularuserorapplication.
IDS:
Acronymforintrusiondetectionsystem.Softwareorhardwareusedtoidentifyandalertonnetworkor
systemanomaliesorintrusionattempts.Composedof:sensorsthatgeneratesecurityeventsaconsoleto
monitoreventsandalertsandcontrolthesensorsandacentralenginethatrecordseventsloggedbythe
sensorsinadatabase.Usessystemofrulestogeneratealertsinresponsetodetectedsecurityevents.SeeIPS
IETF:
AcronymforInternetEngineeringTaskForce.Large,openinternationalcommunityofnetworkdesigners,
operators,vendors,andresearchersconcernedwithevolutionofInternetarchitectureandsmoothoperation
ofInternet.TheIETFhasnoformalmembershipandisopentoanyinterestedindividual.
IMAP:
AcronymforInternetMessageAccessProtocol.AnapplicationlayerInternetprotocolthatallowsane
mailclienttoaccessemailonaremotemailserver.
IndexToken:
AcryptographictokenthatreplacesthePAN,basedonagivenindexforanunpredictablevalue.
InformationSecurity:
Protectionofinformationtoinsureconfidentiality,integrity,andavailability.
InformationSystem:
Discretesetofstructureddataresourcesorganizedforcollection,processing,maintenance,use,sharing,
dissemination,ordispositionofinformation.
IngressFiltering:
Methodoffilteringinboundnetworktrafficsuchthatonlyexplicitlyallowedtrafficispermittedtoenterthe
network.
InjectionFlaws:
Vulnerabilitythatiscreatedfrominsecurecodingtechniquesresultinginimproperinputvalidation,which
allowsattackerstorelaymaliciouscodethroughawebapplicationtotheunderlyingsystem.Thisclassof
vulnerabilitiesincludesSQLinjection,LDAPinjection,andXPathinjection.
InputVariable:
Randomdatastringthatisconcatenatedwithsourcedatabeforeaonewayhashfunctionisapplied.Input
variablescanhelpreducetheeffectivenessofrainbowtableattacks.SeealsoHashingandRainbowTables.
InsecureProtocol/Service/Port:
Aprotocol,service,orportthatintroducessecurityconcernsduetothelackofcontrolsoverconfidentiality
and/orintegrity.Thesesecurityconcernsincludeservices,protocols,orportsthattransmitdataor
authenticationcredentials(forexample,password/passphrase)incleartextovertheInternet,orthateasily
allowforexploitationbydefaultorifmisconfigured.Examplesofinsecureservices,protocols,orports
includebutarenotlimitedtoFTP,Telnet,POP3,IMAP,andSNMPv1andv2.
IP:
Acronymforinternetprotocol.Networklayerprotocolcontainingaddressinformationandsomecontrol
informationthatenablespacketstoberoutedanddeliveredfromthesourcehosttothedestinationhost.IPis
theprimarynetworklayerprotocolintheInternetprotocolsuite.SeeTCP.
IPAddress:
Alsoreferredtoasinternetprotocoladdress.Numericcodethatuniquelyidentifiesaparticularcomputer
(host)ontheInternet.
IPAddressSpoofing:
Attacktechniqueusedtogainunauthorizedaccesstonetworksorcomputers.Themaliciousindividualsends
deceptivemessagestoacomputerwithanIPaddressindicatingthatthemessageiscomingfromatrusted

https://www.pcisecuritystandards.org/pci_security/glossary 10/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

host.
IPS:
Acronymforintrusionpreventionsystem.BeyondanIDS,anIPStakestheadditionalstepofblockingthe
attemptedintrusion.
IPSEC:
AbbreviationforInternetProtocolSecurity.StandardforsecuringIPcommunicationsatthenetworklayer
byencryptingand/orauthenticatingallIPpacketsinacommunicationsession.
ISO:
BetterknownasInternationalOrganizationforStandardization.Nongovernmentalorganizationconsisting
ofanetworkofthenationalstandardsinstitutes.
Issuer:
Entitythatissuespaymentcardsorperforms,facilitates,orsupportsissuingservicesincludingbutnot
limitedtoissuingbanksandissuingprocessors.Alsoreferredtoasissuingbankorissuingfinancial
institution.
IssuingServices:
Examplesofissuingservicesmayincludebutarenotlimitedtoauthorizationandcardpersonalization.
BacktoTop

L
LAN:
Acronymforlocalareanetwork.Agroupofcomputersand/orotherdevicesthatshareacommon
communicationsline,ofteninabuildingorgroupofbuildings.
LDAP:
AcronymforLightweightDirectoryAccessProtocol.Authenticationandauthorizationdatarepository
utilizedforqueryingandmodifyinguserpermissionsandgrantingaccesstoprotectedinternalresources.
LeastPrivilege:
Havingtheminimumaccessand/orprivilegesnecessarytoperformtherolesandresponsibilitiesofthejob
function.
Log:
SeeAuditLog.
LPAR:
Abbreviationforlogicalpartition.Asystemofsubdividing,orpartitioning,acomputer'stotalresources
processors,memoryandstorageintosmallerunitsthatcanrunwiththeirown,distinctcopyofthe
operatingsystemandapplications.Logicalpartitioningistypicallyusedtoallowtheuseofdifferent
operatingsystemsandapplicationsonasingledevice.Thepartitionsmayormaynotbeconfiguredto
communicatewitheachotherorsharesomeresourcesoftheserver,suchasnetworkinterfaces.
BacktoTop

MAC:
Incryptography,anacronymformessageauthenticationcode.Asmallpieceofinformationusedto
authenticateamessage.SeeStrongCryptography.
MACAddress:
Abbreviationformediaaccesscontroladdress.Uniqueidentifyingvalueassignedbymanufacturersto
networkadaptersandnetworkinterfacecards.
MagneticStripeData:
SeeTrackData.
Mainframe:
Computersthataredesignedtohandleverylargevolumesofdatainputandoutputandemphasize
throughputcomputing.Mainframesarecapableofrunningmultipleoperatingsystems,makingitappearlike
itisoperatingasmultiplecomputers.Manylegacysystemshaveamainframedesign.
MaliciousSoftware/Malware:
Softwareorfirmwaredesignedtoinfiltrateordamageacomputersystemwithouttheowner'sknowledgeor
consent,withtheintentofcompromisingtheconfidentiality,integrity,oravailabilityoftheownersdata,
applications,oroperatingsystem.Suchsoftwaretypicallyentersanetworkduringmanybusinessapproved
https://www.pcisecuritystandards.org/pci_security/glossary 11/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

activities,whichresultsintheexploitationofsystemvulnerabilities.Examplesincludeviruses,worms,
Trojans(orTrojanhorses),spyware,adware,androotkits.
Masking:
InthecontextofPCIDSS,itisamethodofconcealingasegmentofdatawhendisplayedorprinted.
MaskingisusedwhenthereisnobusinessrequirementtoviewtheentirePAN.Maskingrelatestoprotection
ofPANwhendisplayedorprinted.SeeTruncationforprotectionofPANwhenstoredinfiles,databases,etc.
MemoryScrapingAttacks:
Malwareactivitythatexaminesandextractsdatathatresidesinmemoryasitisbeingprocessedorwhichhas
notbeenproperlyflushedoroverwritten.
Merchant:
ForthepurposesofthePCIDSS,amerchantisdefinedasanyentitythatacceptspaymentcardsbearingthe
logosofanyofthefivemembersofPCISSC(AmericanExpress,Discover,JCB,MasterCardorVisa)as
paymentforgoodsand/orservices.Notethatamerchantthatacceptspaymentcardsaspaymentforgoods
and/orservicescanalsobeaserviceprovider,iftheservicessoldresultinstoring,processing,ortransmitting
cardholderdataonbehalfofothermerchantsorserviceproviders.Forexample,anISPisamerchantthat
acceptspaymentcardsformonthlybilling,butalsoisaserviceproviderifithostsmerchantsascustomers.
MO/TO:
AcronymforMailOrder/TelephoneOrder.
Monitoring:
Useofsystemsorprocessesthatconstantlyoverseecomputerornetworkresourcesforthepurposeof
alertingpersonnelincaseofoutages,alarms,orotherpredefinedevents.
MultiFactorAuthentication:
Methodofauthenticatingauserwherebyatleasttwofactorsareverified.Thesefactorsincludesomething
theuserhas(suchasasmartcardordongle),somethingtheuserknows(suchasapassword,passphrase,or
PIN)orsomethingtheuserisordoes(suchasfingerprints,otherformsofbiometrics,etc.).
BacktoTop

N
NAC:
Acronymfornetworkaccesscontrolornetworkadmissioncontrol.Amethodofimplementingsecurity
atthenetworklayerbyrestrictingtheavailabilityofnetworkresourcestoendpointdevicesaccordingtoa
definedsecuritypolicy.
NAT:
Acronymfornetworkaddresstranslation.AlsoknownasnetworkmasqueradingorIPmasquerading.
ChangeofanIPaddressusedwithinonenetworktoadifferentIPaddressknownwithinanothernetwork,
allowinganorganizationtohaveinternaladdressesthatarevisibleinternally,andexternaladdressesthatare
onlyvisibleexternally.
Network:
Twoormorecomputersconnectedtogetherviaphysicalorwirelessmeans.
NetworkAdministrator:
Personnelresponsibleformanagingthenetworkwithinanentity.Responsibilitiestypicallyincludebutare
notlimitedtonetworksecurity,installations,upgrades,maintenanceandactivitymonitoring.
NetworkComponents:
Include,butarenotlimitedtofirewalls,switches,routers,wirelessaccesspoints,networkappliances,and
othersecurityappliances.
NetworkDiagram:
Adiagramshowingsystemcomponentsandconnectionswithinanetworkedenvironment.
NetworkSecurityScan:
Processbywhichanentityssystemsareremotelycheckedforvulnerabilitiesthroughuseofmanualor
automatedtools.Securityscansthatincludeprobinginternalandexternalsystemsandreportingonservices
exposedtothenetwork.Scansmayidentifyvulnerabilitiesinoperatingsystems,services,anddevicesthat
couldbeusedbymaliciousindividuals.
NetworkSegmentation:
Alsoreferredtoassegmentationorisolation.Networksegmentationisolatessystemcomponentsthat
store,process,ortransmitcardholderdatafromsystemsthatdonot.Adequatenetworksegmentationmay
reducethescopeofthecardholderdataenvironmentandthusreducethescopeofthePCIDSSassessment.

https://www.pcisecuritystandards.org/pci_security/glossary 12/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

SeetheNetworkSegmentationsectioninthePCIDSSRequirementsandSecurityAssessmentProcedures
forguidanceonusingnetworksegmentation.NetworksegmentationisnotaPCIDSSrequirement.
NetworkSniffing:
Alsoreferredtoaspacketsniffingorsniffing.Atechniquethatpassivelymonitorsorcollectsnetwork
communications,decodesprotocols,andexaminescontentsforinformationofinterest.
NIST:
AcronymforNationalInstituteofStandardsandTechnology.NonregulatoryfederalagencywithinU.S.
CommerceDepartment'sTechnologyAdministration.
NMAP:
Securityscanningsoftwarethatmapsnetworksandidentifiesopenportsinnetworkresources.
NonConsoleAccess:
Referstologicalaccesstoasystemcomponentthatoccursoveranetworkinterfaceratherthanviaadirect,
physicalconnectiontothesystemcomponent.Nonconsoleaccessincludesaccessfromwithinlocal/internal
networksaswellasaccessfromexternal,orremote,networks.
NonConsumerUsers:
Individuals,excludingcardholders,whoaccesssystemcomponents,includingbutnotlimitedtoemployees,
administrators,andthirdparties.
NTP:
AcronymforNetworkTimeProtocol.Protocolforsynchronizingtheclocksofcomputersystems,network
devicesandothersystemcomponents.
NVD:
AcronymforNationalVulnerabilityDatabase.TheU.S.governmentrepositoryofstandardsbased
vulnerabilitymanagementdata.NVDincludesdatabasesofsecuritychecklists,securityrelatedsoftware
flaws,misconfigurations,productnames,andimpactmetrics.
BacktoTop

O
OCTAVE:
AcronymforOperationallyCriticalThreat,Asset,andVulnerabilityEvaluation.Asuiteoftools,
techniques,andmethodsforriskbasedinformationsecuritystrategicassessmentandplanning.
OfftheShelf:
Descriptionofproductsthatarestockitemsnotspecificallycustomizedordesignedforaspecificcustomer
oruserandarereadilyavailableforuse.
OperatingSystem/OS:
Softwareofacomputersystemthatisresponsibleforthemanagementandcoordinationofallactivitiesand
thesharingofcomputerresources.ExamplesofoperatingsystemsincludeMicrosoftWindows,MacOS,
LinuxandUnix.
OrganizationalIndependence:
Anorganizationalstructurethatensuresthereisnoconflictofinterestbetweenthepersonordepartment
performingtheactivityandthepersonordepartmentassessingtheactivity.Forexample,individuals
performingassessmentsareorganizationallyseparatefromthemanagementoftheenvironmentbeing
assessed.
OWASP:
AcronymforOpenWebApplicationSecurityProject.Anonprofitorganizationfocusedonimprovingthe
securityofapplicationsoftware.OWASPmaintainsalistofcriticalvulnerabilitiesforwebapplications.(See
http://www.owasp.org).
BacktoTop

PADSS:
AcronymforPaymentApplicationDataSecurityStandard.
PAQSA:
AcronymforPaymentApplicationQualifiedSecurityAssessor.PAQSAsarequalifiedbyPCISSCto
assesspaymentapplicationsagainstthePADSS.RefertothePADSSProgramGuideandPAQSA
QualificationRequirementsfordetailsaboutrequirementsforPAQSACompaniesandEmployees.
https://www.pcisecuritystandards.org/pci_security/glossary 13/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Pad:
Incryptography,theonetimepadisanencryptionalgorithmwithtextcombinedwitharandomkeyor"pad"
thatisaslongastheplaintextandusedonlyonce.Additionally,ifkeyistrulyrandom,neverreused,and,
keptsecret,theonetimepadisunbreakable
PAN:
Acronymforprimaryaccountnumberandalsoreferredtoasaccountnumber.Uniquepaymentcard
number(typicallyforcreditordebitcards)thatidentifiestheissuerandtheparticularcardholderaccount.
ParameterizedQueries:
AmeansofstructuringSQLqueriestolimitescapingandthuspreventinjectionattacks.
Password/Passphrase:
Astringofcharactersthatserveasanauthenticatoroftheuser.
PAT:
Acronymforportaddresstranslationandalsoreferredtoasnetworkaddressporttranslation.Typeof
NATthatalsotranslatestheportnumbers.
Patch:
Updatetoexistingsoftwaretoaddfunctionalityortocorrectadefect.
PaymentApplication:
InthecontextofPADSS,asoftwareapplicationthatstores,processes,ortransmitscardholderdataaspart
ofauthorizationorsettlement,wherethepaymentapplicationissold,distributed,orlicensedtothirdparties.
RefertoPADSSProgramGuidefordetails.
PaymentCards:
ForpurposesofPCIDSS,anypaymentcard/devicethatbearsthelogoofthefoundingmembersofPCISSC,
whichareAmericanExpress,DiscoverFinancialServices,JCBInternational,MasterCard,orVisa,Inc.
PaymentProcessor:
Sometimesreferredtoaspaymentgatewayorpaymentserviceprovider(PSP).Entityengagedbya
merchantorotherentitytohandlepaymentcardtransactionsontheirbehalf.Whilepaymentprocessors
typicallyprovideacquiringservices,paymentprocessorsarenotconsideredacquirersunlessdefinedassuch
byapaymentcardbrand.SeealsoAcquirer.
PCI:
AcronymforPaymentCardIndustry.
PCIDSS:
AcronymforPaymentCardIndustryDataSecurityStandard.
PDA:
Acronymforpersonaldataassistantorpersonaldigitalassistant.Handheldmobiledeviceswith
capabilitiessuchasmobilephones,email,orwebbrowser.
PED:
PINentrydevice
PenetrationTest:
Penetrationtestsattempttoidentifywaystoexploitvulnerabilitiestocircumventordefeatthesecurity
featuresofsystemcomponents.Penetrationtestingincludesnetworkandapplicationtestingaswellas
controlsandprocessesaroundthenetworksandapplications,andoccursfrombothoutsidetheenvironment
(externaltesting)andfrominsidetheenvironment.
PersonalFirewallSoftware:
Asoftwarefirewallproductinstalledonasinglecomputer.
PersonallyIdentifiableInformation:
Informationthatcanbeutilizedtoidentifyanindividualincludingbutnotlimitedtoname,address,social
securitynumber,phonenumber,etc.
Personnel:
Fulltimeandparttimeemployees,temporaryemployees,contractors,andconsultantswhoareresidenton
theentityssiteorotherwisehaveaccesstothecardholderdataenvironment.
PIN:
Acronymforpersonalidentificationnumber.Secretnumericpasswordknownonlytotheuseranda
systemtoauthenticatetheusertothesystem.TheuserisonlygrantedaccessifthePINtheuserprovided
matchesthePINinthesystem.TypicalPINsareusedforautomatedtellermachinesforcashadvance
transactions.AnothertypeofPINisoneusedinEMVchipcardswherethePINreplacesthecardholders
signature.
PINBlock:

https://www.pcisecuritystandards.org/pci_security/glossary 14/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

AblockofdatausedtoencapsulateaPINduringprocessing.ThePINblockformatdefinesthecontentof
thePINblockandhowitisprocessedtoretrievethePIN.ThePINblockiscomposedofthePIN,thePIN
length,andmaycontainsubsetofthePAN.
POI:
AcronymforPointofInteraction,theinitialpointwheredataisreadfromacard.Anelectronic
transactionacceptanceproduct,aPOIconsistsofhardwareandsoftwareandishostedinacceptance
equipmenttoenableacardholdertoperformacardtransaction.ThePOImaybeattendedorunattended.POI
transactionsaretypicallyintegratedcircuit(chip)and/ormagneticstripecardbasedpaymenttransactions.
Policy:
Organizationwiderulesgoverningacceptableuseofcomputingresources,securitypractices,andguiding
developmentofoperationalprocedures
POP3:
AcronymforPostOfficeProtocolv3.Applicationlayerprotocolusedbyemailclientstoretrieveemail
fromaremoteserveroveraTCP/IPconnection.
Port:
Logical(virtual)connectionpointsassociatedwithaparticularcommunicationprotocoltofacilitate
communicationsacrossnetworks.
POS:
Acronymforpointofsale.Hardwareand/orsoftwareusedtoprocesspaymentcardtransactionsat
merchantlocations.
PrivateNetwork:
NetworkestablishedbyanorganizationthatusesprivateIPaddressspace.Privatenetworksarecommonly
designedaslocalareanetworks.Privatenetworkaccessfrompublicnetworksshouldbeproperlyprotected
withtheuseoffirewallsandrouters.
PrivilegedUser:
Anyuseraccountwithgreaterthanbasicaccessprivileges.Typically,theseaccountshaveelevatedor
increasedprivilegeswithmorerightsthanastandarduseraccount.However,theextentofprivilegesacross
differentprivilegedaccountscanvarygreatlydependingontheorganization,jobfunctionorrole,andthe
technologyinuse.
Procedure:
Descriptivenarrativeforapolicy.Procedureisthehowtoforapolicyanddescribeshowthepolicyisto
beimplemented.
Protocol:
Agreeduponmethodofcommunicationusedwithinnetworks.Specificationdescribingrulesandprocedures
thatcomputerproductsshouldfollowtoperformactivitiesonanetwork.
ProxyServer:
AserverthatactsasanintermediarybetweenaninternalnetworkandtheInternet.Forexample,onefunction
ofaproxyserveristoterminateornegotiateconnectionsbetweeninternalandexternalconnectionssuchthat
eachonlycommunicateswiththeproxyserver.
PTS:
AcronymforPINTransactionSecurity,PTSisasetofmodularevaluationrequirementsmanagedbyPCI
SecurityStandardsCouncil,forPINacceptancePOIterminals.Pleaserefertowww.pcisecuritystandards.org.
PublicNetwork:
Networkestablishedandoperatedbyathirdpartytelecommunicationsproviderforspecificpurposeof
providingdatatransmissionservicesforthepublic.Dataoverpublicnetworkscanbeintercepted,modified,
and/ordivertedwhileintransit.Examplesofpublicnetworksinclude,butarenotlimitedto,theInternet,
wireless,andmobiletechnologies.SeealsoPrivateNetwork.
PVV:
AcronymforPINverificationvalue.Discretionaryvalueencodedinmagneticstripeofpaymentcard.
BacktoTop

Q
QIR:
AcronymforQualifiedIntegratororReseller.RefertotheQIRProgramGuideonthePCISSCwebsitefor
moreinformation.
QSA:

https://www.pcisecuritystandards.org/pci_security/glossary 15/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

AcronymforQualifiedSecurityAssessor.QSAsarequalifiedbyPCISSCtoperformPCIDSSonsite
assessments.RefertotheQSAQualificationRequirementsfordetailsaboutrequirementsforQSA
CompaniesandEmployees.
BacktoTop

R
RADIUS:
AbbreviationforRemoteAuthenticationDialInUserService.Authenticationandaccountingsystem.
ChecksifinformationsuchasusernameandpasswordthatispassedtotheRADIUSserveriscorrect,and
thenauthorizesaccesstothesystem.Thisauthenticationmethodmaybeusedwithatoken,smartcard,etc.,
toprovidetwofactorauthentication.
RainbowTableAttack:
Amethodofdataattackusingaprecomputedtableofhashstrings(fixedlengthmessagedigest)toidentify
theoriginaldatasource,usuallyforcrackingpasswordorcardholderdatahashes.
Rekeying:
Processofchangingcryptographickeys.Periodicrekeyinglimitstheamountofdataencryptedbyasingle
key.
RemoteAccess:
Accesstocomputernetworksfromaremotelocation.Remoteaccessconnectionscanoriginateeitherfrom
insidethecompanysownnetworkorfromaremotelocationoutsidethecompanysnetwork.Anexampleof
technologyforremoteaccessisVPN.
RemoteLabEnvironment:
AlabthatisnotmaintainedbythePAQSA.
RemovableElectronicMedia:
Mediathatstoredigitizeddataandwhichcanbeeasilyremovedand/ortransportedfromonecomputer
systemtoanother.ExamplesofremovableelectronicmediaincludeCDROM,DVDROM,USBflash
drivesandexternal/portableharddrives.
Reseller/Integrator:
Anentitythatsellsand/orintegratespaymentapplicationsbutdoesnotdevelopthem.
RFC1918:
ThestandardidentifiedbytheInternetEngineeringTaskForce(IETF)thatdefinestheusageandappropriate
addressrangesforprivate(noninternetroutable)networks.
RiskAnalysis/RiskAssessment:
Processthatidentifiesvaluablesystemresourcesandthreatsquantifieslossexposures(thatis,losspotential)
basedonestimatedfrequenciesandcostsofoccurrenceand(optionally)recommendshowtoallocate
resourcestocountermeasuressoastominimizetotalexposure.
RiskRanking:
Adefinedcriterionofmeasurementbasedupontheriskassessmentandriskanalysisperformedonagiven
entity.
ROC:
AcronymforReportonCompliance.ReportdocumentingdetailedresultsfromanentitysPCIDSS
assessment.
Rootkit:
Typeofmalicioussoftwarethatwheninstalledwithoutauthorization,isabletoconcealitspresenceandgain
administrativecontrolofacomputersystem.
Router:
Hardwareorsoftwarethatconnectstwoormorenetworks.Functionsassorterandinterpreterbylookingat
addressesandpassingbitsofinformationtoproperdestinations.Softwareroutersaresometimesreferredto
asgateways.
ROV:
AcronymforReportonValidation.ReportdocumentingdetailedresultsfromaPADSSassessmentfor
purposesofthePADSSprogram.
RSA:
Algorithmforpublickeyencryptiondescribedin1977byRonRivest,AdiShamir,andLenAdlemanat
MassachusettsInstituteofTechnology(MIT)lettersRSAaretheinitialsoftheirsurnames.
BacktoTop

https://www.pcisecuritystandards.org/pci_security/glossary 16/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

SFTP:
AcronymforSecureFTP.SFTPhastheabilitytoencryptauthenticationinformationanddatafilesin
transit.SeeFTP.
Sampling:
Theprocessofselectingacrosssectionofagroupthatisrepresentativeoftheentiregroup.Samplingmay
beusedbyassessorstoreduceoveralltestingefforts,whenitisvalidatedthatanentityhasstandard,
centralizedPCIDSSsecurityandoperationalprocessesandcontrolsinplace.SamplingisnotaPCIDSS
requirement.
SANS:
AcronymforSysAdmin,Audit,NetworkingandSecurity,aninstitutethatprovidescomputersecurity
trainingandprofessionalcertification.(Seewww.sans.org.)
SAQ:
AcronymforSelfAssessmentQuestionnaire.Reportingtoolusedtodocumentselfassessmentresults
fromanentitysPCIDSSassessment.
Schema:
Formaldescriptionofhowadatabaseisconstructedincludingtheorganizationofdataelements.
Scoping:
Processofidentifyingallsystemcomponents,people,andprocessestobeincludedinaPCIDSSassessment.
ThefirststepofaPCIDSSassessmentistoaccuratelydeterminethescopeofthereview.
SDLC:
Acronymforsystemdevelopmentlifecycle.Phasesofthedevelopmentofasoftwareorcomputersystem
thatincludesplanning,analysis,design,testing,andimplementation.
SecureCoding:
Theprocessofcreatingandimplementingapplicationsthatareresistanttotamperingand/orcompromise.
SecureCryptographicDevice:
Asetofhardware,softwareandfirmwarethatimplementscryptographicprocesses(includingcryptographic
algorithmsandkeygeneration)andiscontainedwithinadefinedcryptographicboundary.Examplesof
securecryptographicdevicesincludehost/hardwaresecuritymodules(HSMs)andpointofinteraction
devices(POIs)thathavebeenvalidatedtoPCIPTS.
SecureWipe:
Alsocalledsecuredelete,amethodofoverwritingdataresidingonaharddiskdriveorotherdigitalmedia,
renderingthedatairretrievable.
SecurityEvent:
Anoccurrenceconsideredbyanorganizationtohavepotentialsecurityimplicationstoasystemorits
environment.InthecontextofPCIDSS,securityeventsidentifysuspiciousoranomalousactivity.
SecurityOfficer:
Primaryresponsiblepersonforanentityssecurityrelatedaffairs.
SecurityPolicy:
Setoflaws,rules,andpracticesthatregulatehowanorganizationmanages,protects,anddistributessensitive
information.
SecurityProtocols:
Networkcommunicationsprotocolsdesignedtosecurethetransmissionofdata.Examplesofsecurity
protocolsinclude,butarenotlimitedtoSSL/TLS,IPSEC,SSH,HTTPS,etc.
SensitiveArea:
Anydatacenter,serverroomoranyareathathousessystemsthatstores,processes,ortransmitscardholder
data.Thisexcludestheareaswhereonlypointofsaleterminalsarepresentsuchasthecashierareasina
retailstore.
SensitiveAuthenticationData:
Securityrelatedinformation(includingbutnotlimitedtocardvalidationcodes/values,fulltrackdata(from
themagneticstripeorequivalentonachip),PINs,andPINblocks)usedtoauthenticatecardholdersand/or
authorizepaymentcardtransactions.
SeparationofDuties:
Practiceofdividingstepsinafunctionamongdifferentindividuals,soastokeepasingleindividualfrom
beingabletosubverttheprocess.
Server:

https://www.pcisecuritystandards.org/pci_security/glossary 17/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Computerthatprovidesaservicetoothercomputers,suchasprocessingcommunications,filestorage,or
accessingaprintingfacility.Serversinclude,butarenotlimitedtoweb,database,application,authentication,
DNS,mail,proxy,andNTP.
ServiceCode:
Threedigitorfourdigitvalueinthemagneticstripethatfollowstheexpirationdateofthepaymentcardon
thetrackdata.Itisusedforvariousthingssuchasdefiningserviceattributes,differentiatingbetween
internationalandnationalinterchange,oridentifyingusagerestrictions.
ServiceProvider:
Businessentitythatisnotapaymentbrand,directlyinvolvedintheprocessing,storage,ortransmissionof
cardholderdataonbehalfofanotherentity.Thisalsoincludescompaniesthatprovideservicesthatcontrolor
couldimpactthesecurityofcardholderdata.Examplesincludemanagedserviceprovidersthatprovide
managedfirewalls,IDSandotherservicesaswellashostingprovidersandotherentities.Ifanentity
providesaservicethatinvolvesonlytheprovisionofpublicnetworkaccesssuchasatelecommunications
companyprovidingjustthecommunicationlinktheentitywouldnotbeconsideredaserviceproviderfor
thatservice(althoughtheymaybeconsideredaserviceproviderforotherservices).
SessionToken:
Inthecontextofwebsessionmanagement,asessiontoken(alsoreferredtoasasessionidentifieror
sessionID),isauniqueidentifier(suchasacookie)usedtotrackaparticularsessionbetweenaweb
browserandawebserver.
SHA1/SHA2:
AcronymforSecureHashAlgorithm.Afamilyorsetofrelatedcryptographichashfunctionsincluding
SHA1andSHA2.SeeStrongCryptography.
SmartCard:
AlsoreferredtoaschipcardorICcard(integratedcircuitcard).Atypeofpaymentcardthathas
integratedcircuitsembeddedwithin.Thecircuits,alsoreferredtoasthechip,containpaymentcarddata
includingbutnotlimitedtodataequivalenttothemagneticstripedata.
SNMP:
AcronymforSimpleNetworkManagementProtocol.Supportsmonitoringofnetworkattacheddevicesfor
anyconditionsthatwarrantadministrativeattention.
Splitknowledge:
Amethodbywhichtwoormoreentitiesseparatelyhavekeycomponentsthatindividuallyconveyno
knowledgeoftheresultantcryptographickey.
Spyware:
Typeofmalicioussoftwarethatwheninstalled,interceptsortakespartialcontroloftheuserscomputer
withouttheusersconsent.
SQL:
AcronymforStructuredQueryLanguage.Computerlanguageusedtocreate,modify,andretrievedata
fromrelationaldatabasemanagementsystems.
SQLInjection:
Formofattackondatabasedrivenwebsite.AmaliciousindividualexecutesunauthorizedSQLcommands
bytakingadvantageofinsecurecodeonasystemconnectedtotheInternet.SQLinjectionattacksareusedto
stealinformationfromadatabasefromwhichthedatawouldnormallynotbeavailableand/ortogainaccess
toanorganizationshostcomputersthroughthecomputerthatishostingthedatabase.
SSH:
AbbreviationforSecureShell.Protocolsuiteprovidingencryptionfornetworkserviceslikeremotelogin
orremotefiletransfer.
SSL:
AcronymforSecureSocketsLayer.Industrystandardthatencryptsthechannelbetweenawebbrowser
andwebserver.NowsupersededbyTLS.SeeTLS.
StatefulInspection:
Alsocalleddynamicpacketfiltering.Firewallcapabilitythatprovidesenhancedsecuritybykeepingtrack
ofthestateofnetworkconnections.Programmedtodistinguishlegitimatepacketsforvariousconnections,
onlypacketsmatchinganestablishedconnectionwillbepermittedbythefirewallallotherswillberejected.
StrongCryptography:
Cryptographybasedonindustrytestedandacceptedalgorithms,alongwithkeylengthsthatprovidea
minimumof112bitsofeffectivekeystrengthandproperkeymanagementpractices.Cryptographyisa
methodtoprotectdataandincludesbothencryption(whichisreversible)andhashing(whichisoneway
thatis,notreversible).SeeHashing.
https://www.pcisecuritystandards.org/pci_security/glossary 18/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Atthetimeofpublication,examplesofindustrytestedandacceptedstandardsandalgorithmsincludeAES
(128bitsandhigher),TDES/TDEA(triplelengthkeys),RSA(2048bitsandhigher),ECC(224bitsand
higher),andDSA/DH(2048/224bitsandhigher).SeethecurrentversionofNISTSpecialPublication800
57Part1(http://csrc.nist.gov/publications/)formoreguidanceoncryptographickeystrengthsand
algorithms.

Note:Theaboveexamplesareappropriateforpersistentstorageofcardholderdata.Theminimum
cryptographyrequirementsfortransactionbasedoperations,asdefinedinPCIPINandPTS,aremore
flexibleasthereareadditionalcontrolsinplacetoreducethelevelofexposure.Itisrecommendedthatall
newimplementationsuseaminimumof128bitsofeffectivekeystrength.
SysAdmin:
Abbreviationforsystemadministrator.Individualwithelevatedprivilegeswhoisresponsiblefor
managingacomputersystemornetwork.
SystemComponents:
Anynetworkcomponent,server,orapplicationincludedinorconnectedtothecardholderdataenvironment.
Systemlevelobject:
Anythingonasystemcomponentthatisrequiredforitsoperation,includingbutnotlimitedtodatabase
tables,storedprocedures,applicationexecutablesandconfigurationfiles,systemconfigurationfiles,static
andsharedlibrariesandDLLs,systemexecutables,devicedriversanddeviceconfigurationfiles,andthird
partycomponents.
BacktoTop

T
TACACS:
AcronymforTerminalAccessControllerAccessControlSystem.Remoteauthenticationprotocol
commonlyusedinnetworksthatcommunicatesbetweenaremoteaccessserverandanauthenticationserver
todetermineuseraccessrightstothenetwork.Thisauthenticationmethodmaybeusedwithatoken,smart
card,etc.,toprovidetwofactorauthentication.
TCP:
AcronymforTransmissionControlProtocol.OneofthecoretransportlayerprotocolsoftheInternet
Protocol(IP)suite,andthebasiccommunicationlanguageorprotocoloftheInternet.SeeIP.
TDES:
AcronymforTripleDataEncryptionStandardandalsoknownas3DESorTripleDES.Blockcipher
formedfromtheDEScipherbyusingitthreetimes.SeeStrongCryptography.
TELNET:
Abbreviationfortelephonenetworkprotocol.Typicallyusedtoprovideuserorientedcommandlinelogin
sessionstodevicesonanetwork.Usercredentialsaretransmittedincleartext.
Threat:
Conditionoractivitythathasthepotentialtocauseinformationorinformationprocessingresourcestobe
intentionallyoraccidentallylost,modified,exposed,madeinaccessible,orotherwiseaffectedtothe
detrimentoftheorganization.
TLS:
AcronymforTransportLayerSecurity.Designedwithgoalofprovidingdatasecrecyanddataintegrity
betweentwocommunicatingapplications.TLSissuccessorofSSL.
Token:
Inthecontextofauthenticationandaccesscontrol,atokenisavalueprovidedbyhardwareorsoftwarethat
workswithanauthenticationserverorVPNtoperformdynamicortwofactorauthentication.SeeRADIUS,
TACACS,andVPN.
TrackData:
Alsoreferredtoasfulltrackdataormagneticstripedata.Dataencodedinthemagneticstripeorchip
usedforauthenticationand/orauthorizationduringpaymenttransactions.Canbethemagneticstripeimage
onachiporthedataonthetrack1and/ortrack2portionofthemagneticstripe.
TransactionData:
Datarelatedtoelectronicpaymentcardtransaction.
Trojan:

https://www.pcisecuritystandards.org/pci_security/glossary 19/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

AlsoreferredtoasTrojanhorse.Atypeofmalicioussoftwarethatwheninstalled,allowsausertoperform
anormalfunctionwhiletheTrojanperformsmaliciousfunctionstothecomputersystemwithouttheusers
knowledge.
Truncation:
MethodofrenderingthefullPANunreadablebypermanentlyremovingasegmentofPANdata.Truncation
relatestoprotectionofPANwhenstoredinfiles,databases,etc.SeeMaskingforprotectionofPANwhen
displayedonscreens,paperreceipts,etc.
TrustedNetwork:
Networkofanorganizationthatiswithintheorganizationsabilitytocontrolormanage.
BacktoTop

U
UntrustedNetwork:
Networkthatisexternaltothenetworksbelongingtoanorganizationandwhichisoutoftheorganizations
abilitytocontrolormanage.
URL:
AcronymforUniformResourceLocator.AformattedtextstringusedbyWebbrowsers,emailclients,and
othersoftwaretoidentifyanetworkresourceontheInternet.
BacktoTop

VersioningMethodology:
Aprocessofassigningversionschemestouniquelyidentifyaparticularstateofanapplicationorsoftware.
Theseschemesfollowaversionnumberformat,versionnumberusage,andanywildcardelementasdefined
bythesoftwarevendor.Versionnumbersaregenerallyassignedinincreasingorderandcorrespondtoa
particularchangeinthesoftware.
VirtualAppliance(VA):
AVAtakestheconceptofapreconfigureddeviceforperformingaspecificsetoffunctionsandrunthis
deviceasaworkload.Often,anexistingnetworkdeviceisvirtualizedtorunasavirtualappliance,suchasa
router,switch,orfirewall.
VirtualHypervisor:
SeeHypervisor.
VirtualMachine:
Aselfcontainedoperatingenvironmentthatbehaveslikeaseparatecomputer.Itisalsoknownasthe
Guest,andrunsontopofahypervisor.
VirtualMachineMonitor(VMM):
TheVMMisincludedwiththehypervisorandissoftwarethatimplementsvirtualmachinehardware
abstraction.Itmanagesthesystemsprocessor,memory,andotherresourcestoallocatewhateachguest
operatingsystemrequires.
VirtualPaymentTerminal:
Avirtualpaymentterminaliswebbrowserbasedaccesstoanacquirer,processororthirdpartyservice
providerwebsitetoauthorizepaymentcardtransactions,wherethemerchantmanuallyenterspaymentcard
dataviaasecurelyconnectedwebbrowser.Unlikephysicalterminals,virtualpaymentterminalsdonotread
datadirectlyfromapaymentcard.Becausepaymentcardtransactionsareenteredmanually,virtualpayment
terminalsaretypicallyusedinsteadofphysicalterminalsinmerchantenvironmentswithlowtransaction
volumes.
VirtualSwitchorRouter:
Avirtualswitchorrouterisalogicalentitythatpresentsnetworkinfrastructureleveldataroutingand
switchingfunctionality.Avirtualswitchisanintegralpartofavirtualizedserverplatformsuchasa
hypervisordriver,module,orplugin.
Virtualization:
Virtualizationreferstothelogicalabstractionofcomputingresourcesfromphysicalconstraints.One
commonabstractionisreferredtoasvirtualmachinesorVMs,whichtakesthecontentofaphysicalmachine
andallowsittooperateondifferentphysicalhardwareand/oralongwithothervirtualmachinesonthesame

https://www.pcisecuritystandards.org/pci_security/glossary 20/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

physicalhardware.InadditiontoVMs,virtualizationcanbeperformedonmanyothercomputingresources,
includingapplications,desktops,networks,andstorage.
VLAN:
AbbreviationforvirtualLANorvirtuallocalareanetwork.Logicallocalareanetworkthatextends
beyondasingletraditionalphysicallocalareanetwork.
VPN:
Acronymforvirtualprivatenetwork.Acomputernetworkinwhichsomeofconnectionsarevirtual
circuitswithinsomelargernetwork,suchastheInternet,insteadofdirectconnectionsbyphysicalwires.The
endpointsofthevirtualnetworkaresaidtobetunneledthroughthelargernetworkwhenthisisthecase.
WhileacommonapplicationconsistsofsecurecommunicationsthroughthepublicInternet,aVPNmayor
maynothavestrongsecurityfeaturessuchasauthenticationorcontentencryption.AVPNmaybeusedwith
atoken,smartcard,etc.,toprovidetwofactorauthentication.
Vulnerability:
Flaworweaknesswhich,ifexploited,mayresultinanintentionalorunintentionalcompromiseofasystem.
BacktoTop

W
WAN:
Acronymforwideareanetwork.Computernetworkcoveringalargearea,oftenaregionalorcompany
widecomputersystem.
WebApplication:
Anapplicationthatisgenerallyaccessedviaawebbrowserorthroughwebservices.Webapplicationsmay
beavailableviatheInternetoraprivate,internalnetwork.
WebServer:
ComputerthatcontainsaprogramthatacceptsHTTPrequestsfromwebclientsandservestheHTTP
responses(usuallywebpages).
WEP:
AcronymforWiredEquivalentPrivacy.Weakalgorithmusedtoencryptwirelessnetworks.Several
seriousweaknesseshavebeenidentifiedbyindustryexpertssuchthataWEPconnectioncanbecrackedwith
readilyavailablesoftwarewithinminutes.SeeWPA.
Wildcard:
Acharacterthatmaybesubstitutedforadefinedsubsetofpossiblecharactersinanapplicationversion
scheme.InthecontextofPADSS,wildcardscanoptionallybeusedtorepresentanonsecurityimpacting
change.Awildcardistheonlyvariableelementofthevendorsversionscheme,andisusedtoindicatethere
areonlyminor,nonsecurityimpactingchangesbetweeneachversionrepresentedbythewildcardelement.
WirelessAccessPoint:
AlsoreferredtoasAP.Devicethatallowswirelesscommunicationdevicestoconnecttoawireless
network.Usuallyconnectedtoawirednetwork,itcanrelaydatabetweenwirelessdevicesandwireddevices
onthenetwork.
WirelessNetworks:
Networkthatconnectscomputerswithoutaphysicalconnectiontowires.
WLAN:
Acronymforwirelesslocalareanetwork.Localareanetworkthatlinkstwoormorecomputersordevices
withoutwires.
WPA/WPA2:
AcronymforWiFiProtectedAccess.Securityprotocolcreatedtosecurewirelessnetworks.WPAisthe
successortoWEP.WPA2wasalsoreleasedasthenextgenerationofWPA.
BacktoTop

AboutUs
Leadership
News
Jobs
Blog

https://www.pcisecuritystandards.org/pci_security/glossary 21/22
2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Training
Webinars
Qualification
Documents

GettingStarted
ParticipatingOrganizations
AffiliateMembers
Awareness

Contact&Info
AboutUs
Careers
ContactUs

Media
NewsRoom
PressContacts
Events

Copyright20062017PCISecurityStandardsCouncil,LLC.Allrightsreserved.LegalTerms&
Conditions.SitemapAssociationManagementservicesprovidedbyVirtual,Inc.PrivacyPolicy

EnglishFranaisEspaolDeutschItalianoPortugus
Trke

https://www.pcisecuritystandards.org/pci_security/glossary 22/22