It happens to the best of us. We are in a meeting, trying to plan what the next step in the organization’s compliance process should be, when the “tech talk” starts. Whether it’s the networking guy, the lady in charge of the system admins, or even your CampusGuard Security Advisor, you think to yourself, “What did they just say? Should I know what that means?”
To help you understand the lingo, below are some of the most common terms you might hear in reference to PCI and what exactly they are referring to.
Acronym | Meaning | Definition |
---|---|---|
AOC | Attestation of Compliance | Form on which merchants and service providers attest to the results of a PCI DSS assessment. Because it contains only summary-level information, it can be shared outside the organization (e.g. with acquirers or customers). |
ASV | Approved Scanning Vendor | Company approved by the PCI SSC to conduct external vulnerability scanning. Where quarterly external vulnerability scans are required, they must be performed by an ASV to count toward PCI DSS compliance. |
BAU | Business As Usual | The organization's normal daily business operations. PCI DSS expects security controls to be operated and monitored as part of BAU, not only in the run-up to an assessment. |
CDE | Cardholder Data Environment | The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. System components connected to the CDE are also in scope for PCI DSS. |
CHD | Cardholder Data | Payment card data consisting, at a minimum, of the full card number (PAN); it also includes the cardholder name, expiration date, and/or service code when these are stored together with the PAN. |
CISSP | Certified Information Systems Security Professional | Globally recognized certification confirming an individual's knowledge of information security. |
CVV | Card Verification Value (Visa) | Value encoded on the magnetic stripe (or chip) that protects the track data and lets the issuer detect alteration or counterfeiting. MasterCard's equivalent is the CVC. |
CVV2 | Card Verification Value 2 (Visa) | The three- or four-digit value printed on the payment card (CVC2 on MasterCard, CID on American Express and Discover), used to confirm possession of the physical card in card-not-present transactions. It is sensitive authentication data and must never be stored after authorization. |
DLP | Data Loss Prevention | Software that identifies sensitive data (e.g. PANs) and blocks it from leaving the network or from being stored where it should not be. Data can be inspected while in use, in motion, or at rest. |
DMZ | Demilitarized Zone | Physical or logical network segment placed between a public network (e.g. the Internet) and the organization's internal network, so that Internet-facing systems do not sit on the same network as internal ones. |
DNS | Domain Name System | System that maps human-readable domain names to numeric Internet addresses and answers name-resolution queries, so that the website name you type is translated by your computer into the actual IP address. |
DSS | Data Security Standard | Short form of the Payment Card Industry Data Security Standard (PCI DSS). |
E2EE | End-to-End Encryption | Broad category of solutions that encrypt data between two endpoints. P2PE is a PCI SSC-validated subset of this category. |
FIM | File Integrity Monitoring | Technology that baselines normally static files (system binaries, configuration files, application code) and alerts on unexpected changes, in order to detect malicious activity. |
FTP | File Transfer Protocol | Network protocol for transferring files between computers. Standard FTP is insecure because both credentials and file contents are sent unencrypted; SFTP or FTPS should be used instead. |
FW | Firewall | Hardware and/or software that permits or denies network traffic between trusted networks and external systems or networks according to a defined rule set. |
HSM | Hardware Security Module | Tamper-resistant hardware device used to generate, store, and protect cryptographic keys and to perform cryptographic operations without exposing those keys. |
IDS/IPS | Intrusion Detection System / Intrusion Prevention System | Systems that monitor network traffic for signs of attack. An IDS alerts on suspicious activity; an IPS can also block it. |
IP (Address) | Internet Protocol Address | Numeric address that identifies a host on an IP network such as the Internet. |
IRP | Incident Response Plan | Documented procedures that define the steps to take when a security breach is suspected, so that the response is orderly and the impact is limited. |
LAN | Local Area Network | Group of interconnected computers and other devices within a limited physical area. |
LDAP | Lightweight Directory Access Protocol | Protocol for querying and modifying directory services (such as Active Directory) that hold user accounts, groups, and permissions; commonly used to authenticate users and authorize access to internal resources. |
MFA | Multi-Factor Authentication | Authentication method in which at least two different factors are verified: something the user knows (a password), something the user has (a token or phone), or something the user is (a biometric). |
MO/TO | Mail-Order/Telephone-Order | Card-not-present payments taken through the mail or over the phone. |
NTP | Network Time Protocol | Protocol for synchronizing the clocks of computer systems and network devices, which keeps log timestamps consistent across systems. |
OWASP | Open Web Application Security Project | Non-profit organization focused on improving the security of application software. The "OWASP Top 10" is a widely referenced list of the most critical web application security risks. |
PAN | Primary Account Number | Unique payment card number that identifies the issuer and the cardholder account. PCI DSS requires the PAN to be masked when displayed (at most the first six and last four digits shown) and rendered unreadable wherever it is stored. |
PA-DSS | Payment Application Data Security Standard | Validation standard for payment software that stores, processes, or transmits cardholder data. The PCI SSC has since retired PA-DSS in favour of the PCI Software Security Framework. |
QSA | Qualified Security Assessor | Individual or company qualified by the PCI SSC to perform PCI DSS assessments and produce the Report on Compliance. |
PCI SSC | Payment Card Industry Security Standards Council | Global organization formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. Founding members: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. |
PED | PIN Entry Device | Device used by the consumer to enter their PIN during a face-to-face payment transaction. |
PIM | P2PE Instruction Manual | Document that a P2PE solution provider delivers to merchants covering chain of custody, shipping and receiving of devices, secure storage, implementation, periodic device inspections, etc. The merchant must follow it to receive the full scope-reduction benefit of the P2PE solution. |
PIN | Personal Identification Number | Secret numeric password known only to the cardholder and the issuing system, used to authenticate the cardholder. |
POI | Point of Interaction | The initial point where data is read from a payment card. A POI device consists of hardware and software and enables a cardholder to perform a transaction, typically chip- or magnetic-stripe-based. |
POS | Point of Sale | Hardware and/or software used to process payment card transactions. |
P2PE | Point-to-Point Encryption | PCI SSC-validated solutions that encrypt cardholder data at the point of interaction and keep it encrypted until it reaches the solution provider's decryption environment, so the merchant never handles clear-text cardholder data and the PCI DSS scope for that payment channel is reduced. |
PTS | PIN Transaction Security | Set of modular evaluation requirements, managed by the PCI SSC, for POI terminals that accept PIN entry and for HSMs. |
QIR | Qualified Integrator or Reseller | Third-party vendor qualified by the PCI SSC to implement, configure, and/or support validated payment applications on behalf of merchants and service providers. |
ROC | Report on Compliance | Report documenting the results of a QSA-led onsite PCI DSS assessment. |
SAD | Sensitive Authentication Data | Security-related data used to authenticate cardholders and authorize transactions: full track data, card verification codes (CVV2/CVC2/CID), PINs, and PIN blocks. SAD must not be stored after authorization, even if encrypted. |
SAQ | Self-Assessment Questionnaire | Reporting tool used by eligible entities to document their own PCI DSS assessment results. Several SAQ types exist, each matched to a particular payment channel. |
SDLC | System Development Life Cycle or Software Development Life Cycle | The phases of developing a software or computer system: planning, analysis, design, development, testing, implementation, and maintenance. Security requirements should be built into each phase. |
SHA-1 / SHA-2 | Secure Hash Algorithm | Family of cryptographic hash functions used to verify the integrity of data. SHA-1 is deprecated because practical collision attacks exist; SHA-2 (e.g. SHA-256) should be used instead. |
SFTP | SSH File Transfer Protocol | File transfer carried over an SSH connection, so both credentials and file contents are encrypted in transit. Not the same as FTPS (FTP over TLS). |
SNMP | Simple Network Management Protocol | Protocol for monitoring and managing network devices such as routers, switches, servers, and workstations. SNMPv1 and v2c authenticate with plaintext community strings; SNMPv3 adds authentication and encryption and should be used where available. |
SQL | Structured Query Language | Language used to create, modify, and retrieve data in relational database systems. |
SSH | Secure Shell | Protocol providing encrypted remote login, command execution, and file transfer. |
SSL | Secure Sockets Layer | Internet security standard, since superseded by TLS, for encrypting the link between a website and a browser to enable the transmission of sensitive |
TLS | Transport Layer Security | Successor to SSL, designed to provide confidentiality and integrity between two communicating applications. SSL and early TLS are no longer considered strong cryptography under PCI DSS; TLS 1.2 or later should be used. |
URL | Uniform Resource Locator | Formatted text string used by web browsers to identify a network resource on the Internet (a web address). |
VDI | Virtual Desktop Infrastructure | The software, hardware, and other resources needed to virtualize a standard desktop, so that users access a desktop running on a remote server rather than on their local machine. |
VLAN | Virtual Local Area Network | Logical segmentation of a switched network: devices assigned to the same VLAN communicate as if on one LAN even when they sit on different physical switches, and traffic between VLANs must pass through a router or firewall. Commonly used to segment the CDE from the rest of the network. |
VPN | Virtual Private Network | Encrypted tunnel that lets remote computers send and receive data over the Internet as if they were directly connected to the organization's private network. |
WEP | Wired Equivalent Privacy | Weak, broken encryption scheme for wireless networks. PCI DSS prohibits its use; it has been replaced by WPA2 and WPA3. |
WPA / WPA2 | Wi-Fi Protected Access | Security protocols for wireless networks that replaced WEP. WPA2 (AES-CCMP) or the newer WPA3 should be used; original WPA with TKIP is also deprecated. |
XSS | Cross-Site Scripting | Attack in which an attacker injects script into a web page that is then executed in other users' browsers, allowing theft of session cookies, page defacement, or actions performed as the victim. |