PCI DSS definition

What PCI DSS is

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every company that accepts, processes, stores or transmits payment card data maintains a secure environment. The standard is published and maintained by the Payment Card Industry Security Standards Council (PCI SSC); its purpose is to protect credit and debit card transactions against data theft and fraud. Compliance is required by all of the major card brands, but it is the brands and the acquiring banks, not the PCI SSC, that enforce it and set the penalties for non-compliance. It applies to merchants of any size that accept cards and to the service providers that handle cardholder data on their behalf. Companies that implement and validate against PCI DSS are described as PCI compliant.

History

PCI DSS 1.0 was released in December 2004, merging the separate security programs the card brands had run until then. The PCI SSC was formed in 2006 by the five founding brands (American Express, Discover, JCB, Mastercard and Visa) after breaches of cardholder data put customers' information at risk and increased the brands' costs. Version 2.0 consisted mainly of minor language adjustments to clarify the meaning of existing requirements. Version 3.0 added, among other things, a requirement to maintain an inventory of all hardware and software components within the cardholder data environment and to document which PCI DSS requirements are managed by third-party service providers and which the organization handles in-house. With the release of v3.2 in 2016 the PCI SSC said the industry regarded PCI DSS as a mature standard that no longer needed significant updates and that future changes would be incremental; that expectation did not hold, as PCI DSS v4.0, published in March 2022, was a major revision.

The twelve requirements

PCI DSS has twelve requirements, organized into six logically related groups called control objectives (often presented as goals):

Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
5. Protect all systems against malware and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
Implement strong access control measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel.

Validation

How compliance is validated depends on the merchant level, which each card brand defines, primarily by annual transaction volume. Lower levels may self-assess by completing a Self-Assessment Questionnaire (SAQ); the highest level (Level 1) requires an annual on-site assessment by a Qualified Security Assessor (QSA), or by a trained Internal Security Assessor, documented in a Report on Compliance (ROC). Most validation types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Whoever performs it, the first task of an assessment is to accurately determine the scope of the cardholder data environment; testing is then carried out against a sample of systems that is representative of the environment being assessed.

Glossary

The definitions below follow the PCI SSC glossary of terms and acronyms.

Access Control: Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.
AES: Abbreviation for "Advanced Encryption Standard." Block cipher used in symmetric key cryptography, adopted by NIST in November 2001 as U.S. FIPS PUB 197 ("FIPS 197").
Audit Log: Also referred to as "audit trail." Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review and examination of the sequence of environments and activities surrounding or leading to an operation, procedure or event in a transaction, from inception to final results.
Card Verification Code or Value: Also known as Card Validation Code or Value, or Card Security Code. Refers to either (1) magnetic-stripe data or (2) printed security features.
Cardholder Data: At a minimum, the full primary account number (PAN). Cardholder data may also consist of the full PAN together with any of the cardholder name, expiration date and service code. It is not, as sometimes stated, every piece of personally identifiable information about a person who holds a card.
Cardholder Data Environment (CDE): The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.
Console: Screen and keyboard that permit access to and control of a server, mainframe computer or other system type in a networked environment.
Cross-Site Request Forgery (CSRF): Vulnerability created by insecure coding methods that allows unwanted actions to be executed through an authenticated session.
Cryptographic Key: A value that determines the output of an encryption algorithm when transforming plaintext to ciphertext.
Cryptography: In applications and network security, a tool for access control, information confidentiality and integrity.
Data-Flow Diagram: A diagram showing how data flows through an application, system or network.
Database: Structured format for organizing and maintaining easily retrievable information. Simple examples are tables and spreadsheets.
Default Accounts: Login accounts predefined in a system, application or device. Additional default accounts may also be generated by the system as part of the installation process; all of them fall under Requirement 2.
Degaussing: Also called "disk degaussing." Process or technique that demagnetizes a disk such that all data stored on it is permanently destroyed.
Disk Encryption: Technique or technology (software or hardware) for encrypting all stored data on a device, for example a hard disk or flash drive.
Encryption: Process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
File-Level Encryption: Technique or technology (software or hardware) for encrypting the full contents of specific files.
Hypervisor: Software or firmware that hosts and manages virtual machines. For the purposes of PCI DSS, the hypervisor system component also includes the virtual machine monitor (VMM).
Index Token: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
Injection Flaws: Vulnerabilities in which untrusted input reaches an interpreter as part of a command or query. This class includes SQL injection, LDAP injection and XPath injection.
IP Address Spoofing: Attack in which a malicious individual sends deceptive messages to a computer with a source IP address indicating that the message is coming from a trusted host.
Key Management: The processes that govern cryptographic keys through their life cycle. Key generation is one of the functions within key management.
LPAR: Abbreviation for "logical partition." A system of subdividing, or partitioning, a computer's total resources (processors, memory and storage) into smaller units that can each run their own distinct copy of the operating system and applications. Logical partitioning is typically used to allow different operating systems and applications on a single device. The partitions may or may not be configured to communicate with each other or to share some resources of the server, such as network interfaces.
Network Components: Include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances and other security appliances.
Network Security Scan: Process by which an entity's systems are remotely checked for vulnerabilities through use of manual or automated tools.
NVD: Acronym for "National Vulnerability Database." The U.S. government repository of standards-based vulnerability management data.
Operating System: Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources.
OWASP: Acronym for "Open Web Application Security Project." A non-profit organization focused on improving the security of application software.
PA-DSS: Payment Application Data Security Standard, the PCI SSC standard for payment applications sold to third parties. Refer to the PA-DSS Program Guide for details.
Parameterized Queries: A means of structuring SQL queries so that user-supplied values are bound as parameters rather than spliced into the query text, limiting the need for escaping and thus preventing injection attacks.
Password / Passphrase: A string of characters that serves as an authenticator of the user.
Payment Processor: Entity engaged by a merchant or other entity to handle payment card transactions on their behalf.
Penetration Test: Test that attempts to identify ways to exploit vulnerabilities in order to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as the controls and processes around the networks and applications, and is performed both from outside the environment (external testing) and from inside it (internal testing).
Point of Interaction (POI): The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction.
Proxy Server: Server that acts as an intermediary between an internal network and the Internet. One function of a proxy server is to terminate or negotiate connections between internal and external parties such that each only communicates with the proxy server.
QIR: Acronym for "Qualified Integrator or Reseller." Refer to the QIR Program Guide on the PCI SSC website for more information.
QSA: Acronym for "Qualified Security Assessor." A company approved by the PCI SSC to validate an entity's adherence to PCI DSS requirements; QSAs are qualified by the PCI SSC to perform PCI DSS on-site assessments.
RADIUS: Abbreviation for "Remote Authentication Dial-In User Service." Authentication and accounting system.
Remote Access: Access to computer networks from a location outside the entity's network. An example of remote-access technology is a VPN.
Remote Lab: A lab that is not maintained by the PA-QSA.
Reseller / Integrator: An entity that sells and/or integrates payment applications but does not develop them.
SAQ: Acronym for "Self-Assessment Questionnaire." Reporting tool used to document self-assessment results from an entity's PCI DSS assessment.
Security Officer: Primary person responsible for an entity's security-related affairs.
Server: Computer that provides a service to other computers, such as processing communications, file storage or access to a printing facility.
Service Code: Three- or four-digit value in the magnetic stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.
SPoC / CPoC: Software-based PIN Entry on COTS (SPoC) Solutions and Contactless Payments on COTS (CPoC) Solutions, the PCI SSC programs for accepting payments on commercial off-the-shelf devices such as phones and tablets.
Telnet: Abbreviation for "telephone network protocol." Typically used to provide user-oriented command-line login sessions to devices on a network. Credentials are transmitted in cleartext, so Telnet is not an acceptable administrative access method under Requirement 2.3.
TLS: Acronym for "Transport Layer Security." Designed with the goal of providing data secrecy and data integrity between two communicating applications.
Virtual Payment Terminal: Web-browser-based access to an acquirer, processor or third-party service provider website used to authorize payment card transactions, where the merchant enters card data manually. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because transactions are keyed in, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Virtual Switch or Router: A logical entity that presents network-infrastructure-level data routing and switching functionality.
Virtualization: Logical abstraction of computing resources from physical constraints. In addition to virtual machines, virtualization can be applied to many other computing resources, including applications, desktops, networks and storage.
Web Application: Application that is generally accessed via a web browser or through web services. Web applications may be available via the Internet or a private, internal network.
Wireless Access Point: Also referred to as "AP." Device that allows wireless communication devices to connect to a wireless network.
WPA: Acronym for "WiFi Protected Access." Security protocol created to secure wireless networks.
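The Injection Flaws and Parameterized Queries entries above give the defect and the defence one sentence each. The Python script below is an example added to this page (it is not PCI SSC code or from any product) that puts the two side by side on an in-memory sqlite3 database; the table layout, its three sample rows and the attack payload are constructed for the demo.

```python
"""Injection flaw vs. parameterized query, demonstrated on sqlite3.

Added example for this page; not from the PCI SSC. The table layout,
sample rows and user-supplied inputs are constructed for the demo.
"""
from __future__ import annotations

import sqlite3

# Constructed sample data: only truncated PAN fragments (first six / last four)
# are stored, as PCI DSS Requirement 3.4 would demand of a real table.
SAMPLE_ROWS = [
    ("alice", "411111", "1111"),
    ("O'Brien", "555555", "4444"),
    ("carol", "378282", "0005"),
]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed cardholder table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholders (name TEXT, pan_first6 TEXT, pan_last4 TEXT)"
    )
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Injection flaw: the user-controlled value is spliced into the SQL text,
    so the interpreter cannot tell data from query structure."""
    sql = f"SELECT name, pan_first6, pan_last4 FROM cardholders WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Parameterized query: the SQL text is fixed and the value travels
    separately as a bound parameter, so quotes inside it are never parsed."""
    sql = "SELECT name, pan_first6, pan_last4 FROM cardholders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups against a tautology payload and a legitimate quoted name."""
    conn = build_demo_db()
    payload = "nobody' OR '1'='1"      # classic tautology injection
    legit = "O'Brien"                   # a legitimate value that contains a quote
    results = {
        "vulnerable_with_payload": len(lookup_vulnerable(conn, payload)),
        "parameterized_with_payload": len(lookup_parameterized(conn, payload)),
        "parameterized_with_quote": len(lookup_parameterized(conn, legit)),
    }
    try:
        lookup_vulnerable(conn, legit)
        results["vulnerable_with_quote"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe breaks the query: the same defect that enables the
        # injection also rejects legitimate input.
        results["vulnerable_with_quote"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the tautology payload while the parameterized one returns none, and the vulnerable version also fails with a syntax error on the legitimate name O'Brien, which is the same defect seen from the other side. The pattern carries over to LDAP and XPath injection: keep the query text fixed and pass user input through the interface's binding mechanism rather than through string concatenation.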
Protecting cardholder data in practice

Roles around a transaction. The issuer (also "issuing bank") is the entity that issues payment cards or performs, facilitates or supports issuing services. The acquirer (also "merchant bank," "acquiring bank" or "acquiring financial institution") is the entity, typically a financial institution, that processes payment card transactions for merchants and is defined as an acquirer by a payment card brand; while payment processors typically provide acquiring services, a payment processor is not considered an acquirer unless a payment card brand defines it as such. Merchant levels, set by each brand, determine how much validation work an entity must perform, and the Report on Compliance (ROC) is the document that records the detailed results of an entity's PCI DSS assessment.

Network and system controls. Requirement 1 is built around stateful-inspection firewalls, which keep track of the state of network connections and admit into the internal network (the network within the entity's control) only traffic that is explicitly allowed; only ports and protocols with a documented business justification should be reachable from outside. Hosts are identified on the Internet by an IP address, a numeric code that uniquely identifies a particular computer, and on the local segment by a MAC (media access control) address, the value a manufacturer assigns to a network adapter or interface card. Both are trivial to forge, which is why IP address spoofing (sending messages that appear to come from a trusted host) is among the attacks that anti-spoofing rules at the network boundary must address. Wireless networks link computers and devices without wires; PCI DSS prohibits WEP outright and original WPA is not considered strong, so WPA2 or later with strong encryption is required. Cellular data services such as GPRS, the mobile data service available to users of GSM phones, count as open, public networks for Requirement 4 and need the same transport encryption as the Internet. An intrusion-detection system (IDS) monitors network or host activity and alerts personnel to attempted intrusions; Requirement 11 expects one at the perimeter of the cardholder data environment and at critical points inside it. Backups, copies of data made for archiving or for protection against loss, hold cardholder data just as production systems do; they must be protected in the same way and, when media is retired, degaussed or otherwise destroyed so that the data cannot be recovered.

Vulnerabilities in code. A vulnerability is a flaw or weakness that, if exploited, may result in an intentional or unintentional compromise of a system; a risk assessment identifies assets, threats and such weaknesses to determine risk and choose appropriate countermeasures, and the resulting security policy guides the development of operational procedures. A buffer overflow is the classic product of insecure coding: a program writes past the end of a buffer into adjacent memory space, and an attacker who controls that write may gain unauthorized access or execute arbitrary code. Injection flaws (SQL, LDAP and XPath injection) and cross-site request forgery belong to the same family, which Requirement 6 addresses through secure coding guidelines and developer training; for SQL injection the standard countermeasure is parameterized queries. Skimming is the physical counterpart: a rogue reader attached to a legitimate card-reading device captures the track data as the card is read.

Protecting the PAN. Sensitive authentication data, meaning full track data from the magnetic stripe or chip (track 1 and/or track 2), the card verification code and the PIN or PIN block, must never be stored after authorization, even encrypted. The PAN may be stored, but only if rendered unreadable by one of the methods Requirement 3.4 allows: a one-way hash of the entire PAN using strong cryptography (v4.0 requires the hash to be keyed); truncation, which permanently removes a segment of the PAN so the full number cannot be reconstructed from what is kept; index tokens (with the pads securely stored); or strong cryptography with proper key management. Masking is the display-side counterpart of truncation: where there is no business requirement to view the entire PAN, no more than the first six and last four digits are shown. Strong cryptography means industry-tested and accepted algorithms with appropriate key lengths; IPsec, SSH and TLS (as used by HTTPS) qualify, while SSL and early TLS do not and had to be retired by 30 June 2018. Keys are protected through their whole life cycle, and split knowledge, where two or more people separately hold key components that individually convey no knowledge of the resulting key, is how manual key-management operations keep any single person from learning a cleartext key.
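The masking, truncation, hashing and index-token methods described above map directly onto code. The Python below is an example added to this page, not PCI SSC or vendor code; the function names, the tok_ token format and the in-memory vault are its own choices, and the PAN it uses is the published Visa test number, not a real account.

```python
"""PAN protection methods from PCI DSS Requirement 3: masking for display,
truncation for storage, a keyed one-way hash for lookups, and an index-token
vault that swaps the PAN for a random surrogate.

Added example for this page; not PCI SSC code. Function names, the token
format and the vault layout are this example's own choices. The PAN used in
the demo is the well-known Visa test number, not a real account.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# PCI DSS 3.2.1 Req. 3.3: at most the first six and last four digits may be
# displayed (v4.0 allows the full BIN, up to eight digits, in place of six).
MAX_LEADING = 6
MAX_TRAILING = 4


def _digits(pan: str) -> str:
    """Strip spaces/dashes and check that what remains is PAN-sized."""
    d = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return d


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Masking: conceal the middle of the PAN for display or printing.
    Refuses any request that would reveal more than the standard allows."""
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("masking would reveal more than first six / last four")
    d = _digits(pan)
    return d[:leading] + "*" * (len(d) - leading - trailing) + d[-trailing:]


def truncate_pan(pan: str) -> tuple[str, str]:
    """Truncation: keep only the permitted segments for storage and discard
    the rest, so the full PAN cannot be rebuilt from what is retained."""
    d = _digits(pan)
    return d[:MAX_LEADING], d[-MAX_TRAILING:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the entire PAN (HMAC-SHA256). The key must be
    managed like any other cryptographic key; an unkeyed hash of a 16-digit
    number is brute-forced in seconds once the BIN and last four are known."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


class IndexTokenVault:
    """Index tokens: the PAN is replaced by an unpredictable value that is only
    an index into this vault. The vault is the high-security component; systems
    that hold only tokens can be kept out of the cardholder data environment.
    In-memory dict here; a real vault is an encrypted, access-controlled store."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._by_token: dict[str, str] = {}
        self._by_hash: dict[str, str] = {}   # keyed hash -> existing token

    def tokenize(self, pan: str) -> str:
        d = _digits(pan)
        h = hash_pan(d, self._lookup_key)
        if h in self._by_hash:                   # same PAN -> same token
            return self._by_hash[h]
        token = "tok_" + secrets.token_hex(16)   # 128 random bits, no PAN structure
        self._by_token[token] = d
        self._by_hash[h] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    demo_pan = "4111 1111 1111 1111"      # Visa test number (constructed input)
    key = secrets.token_bytes(32)
    vault = IndexTokenVault(key)
    tok = vault.tokenize(demo_pan)
    print("masked   :", mask_pan(demo_pan))
    print("truncated:", truncate_pan(demo_pan))
    print("hashed   :", hash_pan(demo_pan, key)[:16], "...")
    print("token    :", tok, "->", mask_pan(vault.detokenize(tok)))
```

Note where each function sits: mask_pan is a display concern and refuses arguments that would show more than first six / last four; truncate_pan returns only what storage may keep; hash_pan is keyed because an unkeyed hash of a 16-digit value whose BIN and last four are known leaves a six-digit search. The vault holds full PANs and is itself fully in scope; the point of tokenization is that everything else holds only the token.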