Glosario de Terminologia PCI DSS v3.2

2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards
Contact
ChangeYourLanguage
English
Franais
Espaol

Deutsch
Italiano
Portugus

Trke
Submit
ToggleMenu
PCISecurity
PCISecurity
Overview
WhySecurityMatters
HowtoSecure
MaintainingPaymentSecurity
CompletingSelfAssessment
EducationalResources
StandardsOverview
Glossary
PaymentProtectionResourcesforSmallMerchants
Assessors&Solutions
Assessors&Solutions
AssessorOverview
Assessors
ApprovedScanningVendors
InternalSecurityAssessors
PaymentApplicationAssessors
PointtoPointEncryptionAssessors
https://www.pcisecuritystandards.org/pci_security/glossary 1/22
QualifiedSecurityAssessors
ProductsandSolutions
ApprovedPTSDevices
PaymentApplications
PointtoPointEncryptionSolutions
AdditionalResources
PCIForensicInvestigators
U.S.EMVVARQualificationProgram
PCIProfessionals
QualifiedIntegratorsandResellers
GiveFeedback
DocumentLibrary
Training&Qualification
Training&Qualification
Overview
ApprovedScanningVendor
InternalSecurityAssessor
PaymentApplicationQSA
PCIAcquirerTraining
PCIAwarenessTraining
PCIProfessional
P2PEAssessors
QualifiedIntegratorandReseller
QualifiedSecurityAssessor
Webinars
MeetOurTrainers
TrainingFAQ
ProgramFees
BecomeQualified
CorporateGroupTraining
AboutUs
AboutUs
Overview
Leadership
Newsroom
Events
JobsatPCI
ContactUs
Blog
GetInvolved
GetInvolved
Overview
ParticipatingOrganizations
AffiliateMembers
SpecialInterestGroups
ParticipatingOrganizationApplication
StrategicRegionalMembers
CommunityMeetings
AsiaPacificCommunityMeeting2017
LatinAmericaForum2017
NorthAmericaCommunityMeeting2017
EuropeCommunityMeeting2017
PastCommunityMeetings
FAQs
Glossary
PaymentCardIndustry(PCI)DataSecurityStandardGlossary,AbbreviationsandAcronyms
PleaseclickhereforthedownloadableversionofthePCIDSSGlossary.
ABCDEFGHIJKLMNOPQRSTUVWXYZ
A
AAA:
Acronymforauthentication,authorization,andaccounting.Protocolforauthenticatingauserbasedon
theirverifiableidentity,authorizingauserbasedontheiruserrights,andaccountingforausers
consumptionofnetworkresources.
Accesscontrol:
Mechanismsthatlimitavailabilityofinformationorinformationprocessingresourcesonlytoauthorized
personsorapplications.
AccountData:
Accountdataconsistsofcardholderdataand/orsensitiveauthenticationdata.SeeCardholderDataand
SensitiveAuthenticationData.
Accountnumber:
SeePrimaryAccountNumber(PAN).
Acquirer:
Alsoreferredtoasmerchantbank,acquiringbank,oracquiringfinancialinstitution.Entity,typicallya
financialinstitution,thatprocessespaymentcardtransactionsformerchantsandisdefinedbyapayment
brandasanacquirer.Acquirersaresubjecttopaymentbrandrulesandproceduresregardingmerchant
compliance.SeealsoPaymentProcessor..
AdministrativeAccess:
Elevatedorincreasedprivilegesgrantedtoanaccountinorderforthataccounttomanagesystems,networks
and/orapplications.Administrativeaccesscanbeassignedtoanindividualsaccountorabuiltinsystem
account.Accountswithadministrativeaccessareoftenreferredtoassuperuser,root,administrator,
admin,sysadminorsupervisorstate,dependingontheparticularoperatingsystemandorganizational
structure.
Adware:
Typeofmalicioussoftwarethat,wheninstalled,forcesacomputertoautomaticallydisplayordownload
advertisements.
AES:
AbbreviationforAdvancedEncryptionStandard.Blockcipherusedinsymmetrickeycryptography
adoptedbyNISTinNovember2001asU.S.FIPSPUB197(orFIPS197).SeeStrongCryptography.
ANSI:
AcronymforAmericanNationalStandardsInstitute.Private,nonprofitorganizationthatadministersand
coordinatestheU.S.voluntarystandardizationandconformityassessmentsystem.
AntiVirus:
Programorsoftwarecapableofdetecting,removing,andprotectingagainstvariousformsofmalicious
software(alsocalledmalware)includingviruses,worms,TrojansorTrojanhorses,spyware,adware,and
rootkits.
AOC:
Acronymforattestationofcompliance.TheAOCisaformformerchantsandserviceproviderstoattestto
theresultsofaPCIDSSassessment,asdocumentedintheSelfAssessmentQuestionnaireorReporton
Compliance.
AOV:
Acronymforattestationofvalidation.TheAOVisaformforPAQSAstoattesttotheresultsofaPADSS
assessment,asdocumentedinthePADSSReportonValidation.
Application:
Includesallpurchasedandcustomsoftwareprogramsorgroupsofprograms,includingbothinternaland
external(forexample,web)applications.
ASV:
AcronymforApprovedScanningVendor.CompanyapprovedbythePCISSCtoconductexternal
vulnerabilityscanningservices.
AuditLog:
Alsoreferredtoasaudittrail.Chronologicalrecordofsystemactivities.Providesanindependently
verifiabletrailsufficienttopermitreconstruction,review,andexaminationofsequenceofenvironmentsand
activitiessurroundingorleadingtooperation,procedure,oreventinatransactionfrominceptiontofinal
results.
AuditTrail:
SeeAuditLog.
Authentication:
Processofverifyingidentityofanindividual,device,orprocess.Authenticationtypicallyoccursthroughthe
useofoneormoreauthenticationfactorssuchas:
Somethingyouknow,suchasapasswordorpassphrase
Somethingyouhave,suchasatokendeviceorsmartcard
Somethingyouare,suchasabiometric
AuthenticationCredentials:
CombinationoftheuserIDoraccountIDplustheauthenticationfactor(s)usedtoauthenticateanindividual,
device,orprocess,
Authorization:
Inthecontextofaccesscontrol,authorizationisthegrantingofaccessorotherrightstoauser,program,or
process.Authorizationdefineswhatanindividualorprogramcandoaftersuccessfulauthentication.Inthe
contextofapaymentcardtransaction,authorizationoccurswhenamerchantreceivestransactionapproval
aftertheacquirervalidatesthetransactionwiththeissuer/processor.
BacktoTop
B
Backup:
Duplicatecopyofdatamadeforarchivingpurposesorforprotectingagainstdamageorloss.
BAU:
Anacronymforbusinessasusual.BAUisanorganization'snormaldailybusinessoperations.
Bluetooth:
Wirelessprotocolusingshortrangecommunicationstechnologytofacilitatetransmissionofdataovershort
distances.
BufferOverflow:
Vulnerabilitythatiscreatedfrominsecurecodingmethods,whereaprogramoverrunsthebuffer'sboundary
andwritesdatatoadjacentmemoryspace.Bufferoverflowsareusedbyattackerstogainunauthorized
accesstosystemsordata.
BacktoTop
CardSkimmer:
Aphysicaldevice,oftenattachedtoalegitimatecardreadingdevice,designedtoillegitimatelycapture
and/orstoretheinformationfromapaymentcard.
CardVerificationCodeorValue:
AlsoknownasCardValidationCodeorValue,orCardSecurityCode.Referstoeither:(1)magneticstripe
data,or(2)printedsecurityfeatures.
1.Dataelementonacard'smagneticstripethatusessecurecryptographicprocessestoprotectdata
integrityonthestripe,andrevealsanyalterationorcounterfeiting.ReferredtoasCAV,CVC,CVV,or
CSCdependingonpaymentcardbrand.Thefollowinglistprovidesthetermsforeachcardbrand:
CAVCardAuthenticationValue(JCBpaymentcards)
PANCVCCardValidationCode(MasterCardpaymentcards)
CVVCardVerificationValue(VisaandDiscoverpaymentcards)
CSCCardSecurityCode(AmericanExpress)
2.ForDiscover,JCB,MasterCard,andVisapaymentcards,thesecondtypeofcardverificationvalueor
codeistherightmostthreedigitvalueprintedinthesignaturepanelareaonthebackofthecard.For
AmericanExpresspaymentcards,thecodeisafourdigitunembossednumberprintedabovethePAN
onthefaceofthepaymentcards.Thecodeisuniquelyassociatedwitheachindividualpieceofplastic
andtiesthePANtotheplastic.Thefollowinglistprovidesthetermsforeachcardbrand:
CIDCardIdentificationNumber(AmericanExpressandDiscoverpaymentcards)
CAV2CardAuthenticationValue2(JCBpaymentcards)
PANCVC2CardValidationCode2(MasterCardpaymentcards)
CVV2CardVerificationValue2(Visapaymentcards)
Cardholder:
Nonconsumerorconsumercustomertowhomapaymentcardisissuedtooranyindividualauthorizedto
usethepaymentcard.
CardholderData:
Ataminimum,cardholderdataconsistsofthefullPAN.Cardholderdatamayalsoappearintheformofthe
fullPANplusanyofthefollowing:cardholdername,expirationdateand/orservicecodeSeeSensitive
AuthenticationDataforadditionaldataelementsthatmaybetransmittedorprocessed(butnotstored)aspart
ofapaymenttransaction.
CDE:
Acronymforcardholderdataenvironment.Thepeople,processesandtechnologythatstore,process,or
transmitcardholderdataorsensitiveauthenticationdata.
CellularTechnologies:
Mobilecommunicationsthroughwirelesstelephonenetworks,includingbutnotlimitedtoGlobalSystemfor
Mobilecommunications(GSM),codedivisionmultipleaccess(CDMA),andGeneralPacketRadioService
(GPRS).
CERT:
AcronymforCarnegieMellonUniversity'sComputerEmergencyResponseTeam.TheCERTProgram
developsandpromotestheuseofappropriatetechnologyandsystemsmanagementpracticestoresistattacks
onnetworkedsystems,tolimitdamage,andtoensurecontinuityofcriticalservices.
ChangeControl:
Processesandprocedurestoreview,test,andapprovechangestosystemsandsoftwareforimpactbefore
implementation.
CIS:
AcronymforCenterforInternetSecurity.Nonprofitenterprisewithmissiontohelporganizationsreduce
theriskofbusinessandecommercedisruptionsresultingfrominadequatetechnicalsecuritycontrols.
ColumnLevelDatabaseEncryption:
Techniqueortechnology(eithersoftwareorhardware)forencryptingcontentsofaspecificcolumnina
databaseversusthefullcontentsoftheentiredatabase.Alternatively,seeDiskEncryptionorFileLevel
Encryption.
CompensatingControls:
Compensatingcontrolsmaybeconsideredwhenanentitycannotmeetarequirementexplicitlyasstated,due
tolegitimatetechnicalordocumentedbusinessconstraints,buthassufficientlymitigatedtheriskassociated
withtherequirementthroughimplementationofothercontrols.Compensatingcontrolsmust:(1)Meetthe
intentandrigoroftheoriginalPCIDSSrequirement(2)Provideasimilarlevelofdefenseastheoriginal
PCIDSSrequirement(3)BeaboveandbeyondotherPCIDSSrequirements(notsimplyincompliance
withotherPCIDSSrequirements)and(4)Becommensuratewiththeadditionalriskimposedbynot
adheringtothePCIDSSrequirement.SeeCompensatingControlsAppendicesBandCinPCIDSS
RequirementsandSecurityAssessmentProceduresforguidanceontheuseofcompensatingcontrols.
Compromise:
Alsoreferredtoasdatacompromise,ordatabreach.Intrusionintoacomputersystemwhere
unauthorizeddisclosure/theft,modification,ordestructionofcardholderdataissuspected.
Console:
Screenandkeyboardwhichpermitsaccessandcontrolofaserver,mainframecomputerorothersystemtype
inanetworkedenvironment.
Consumer:
Individualpurchasinggoods,services,orboth.
Criticalsystems/criticaltechnologies:
Asystemortechnologythatisdeemedbytheentitytobeofparticularimportance.Forexample,acritical
systemmaybeessentialfortheperformanceofabusinessoperationorforasecurityfunctiontobe
maintained.Examplesofcriticalsystemsoftenincludesecuritysystems,publicfacingdevicesandsystems,
databases,andsystemsthatstore,process,ortransmitcardholderdata.Considerationsfordeterminingwhich
specificsystemsandtechnologiesarecriticalwilldependonanorganizationsenvironmentandrisk
assessmentstrategy.
CrossSiteRequestForgery(CSRF):
Vulnerabilitythatiscreatedfrominsecurecodingmethodsthatallowsfortheexecutionofunwantedactions
throughanauthenticatedsession.OftenusedinconjunctionwithXSSand/orSQLinjection.
CrossSiteScripting(XSS):
Vulnerabilitythatiscreatedfrominsecurecodingtechniques,resultinginimproperinputvalidation.Often
usedinconjunctionwithCSRFand/orSQLinjection.
CryptographicKey:
Avaluethatdeterminestheoutputofanencryptionalgorithmwhentransformingplaintexttociphertext.
Thelengthofthekeygenerallydetermineshowdifficultitwillbetodecrypttheciphertextinagiven
message.SeeStrongCryptography.
CryptographicKeyGeneration:
Keygenerationisoneofthefunctionswithinkeymanagement.Thefollowingdocumentsprovide
recognizedguidanceonproperkeygeneration:
NISTSpecialPublication800133:RecommendationforCryptographicKeyGeneration
ISO115682FinancialservicesKeymanagement(retail)Part2:Symmetricciphers,theirkey
managementandlifecycle
4.3Keygeneration
ISO115684FinancialservicesKeymanagement(retail)Part4:Asymmetriccryptosystems
Keymanagementandlifecycle
6.2KeylifecyclestagesGeneration
EuropeanPaymentsCouncilEPC34208GuidelinesonAlgorithmsUsageandKeyManagement
6.1.1Keygeneration[forsymmetricalgorithms]
6.2.1Keygeneration[forasymmetricalgorithms]
CryptographicKeyManagement:
Thesetofprocessesandmechanismswhichsupportcryptographickeyestablishmentandmaintenance,
includingreplacingolderkeyswithnewkeysasnecessary.
Cryptography:
Disciplineofmathematicsandcomputerscienceconcernedwithinformationsecurity,particularlyencryption
andauthentication.Inapplicationsandnetworksecurity,itisatoolforaccesscontrol,information
confidentiality,andintegrity.
Cryptoperiod:
Thetimespanduringwhichaspecificcryptographickeycanbeusedforitsdefinedpurposebasedon,for
example,adefinedperiodoftimeand/ortheamountofciphertextthathasbeenproduced,andaccordingto
industrybestpracticesandguidelines(forexample,NISTSpecialPublication80057).
CVSS:
AcronymforCommonVulnerabilityScoringSystem.Avendoragnostic,industryopenstandarddesigned
toconveytheseverityofcomputersystemsecurityvulnerabilitiesandhelpdetermineurgencyandpriorityof
response.RefertoASVProgramGuideformoreinformation.
BacktoTop
D
DataFlowDiagram:
Adiagramshowinghowdataflowsthroughanapplication,system,ornetwork.
Database:
Structuredformatfororganizingandmaintainingeasilyretrievableinformation.Simpledatabaseexamples
aretablesandspreadsheets.
DataBaseAdministrator:
AlsoreferredtoasDBA.Individualresponsibleformanagingandadministeringdatabases.
DefaultAccounts:
Loginaccountpredefinedinasystem,application,ordevicetopermitinitialaccesswhensystemisfirstput
intoservice.Additionaldefaultaccountsmayalsobegeneratedbythesystemaspartoftheinstallation
process.
DefaultPassword:
Passwordonsystemadministration,user,orserviceaccountspredefinedinasystem,application,ordevice
usuallyassociatedwithdefaultaccount.Defaultaccountsandpasswordsarepublishedandwellknown,and
thereforeeasilyguessed.
Degaussing:
Alsocalleddiskdegaussing.Processortechniquethatdemagnetizesthedisksuchthatalldatastoredon
thediskispermanentlydestroyed.
Dependency:
InthecontextofPADSS,adependencyisaspecificsoftwareorhardwarecomponent(suchasahardware
terminal,database,operatingsystem,API,codelibrary,etc.)thatisnecessaryforthepaymentapplicationto
meetPADSSrequirements.
DiskEncryption:
Techniqueortechnology(eithersoftwareorhardware)forencryptingallstoreddataonadevice(for
example,aharddiskorflashdrive).Alternatively,FileLevelEncryptionorColumnLevelDatabase
Encryptionisusedtoencryptcontentsofspecificfilesorcolumns.
DMZ:
Abbreviationfordemilitarizedzone.Physicalorlogicalsubnetworkthatprovidesanadditionallayerof
securitytoanorganizationsinternalprivatenetwork.TheDMZaddsanadditionallayerofnetworksecurity
betweentheInternetandanorganizationsinternalnetworksothatexternalpartiesonlyhavedirect
connectionstodevicesintheDMZratherthantheentireinternalnetwork.
DNS:
Acronymfordomainnamesystemordomainnameserver.Asystemthatstoresinformationassociated
withdomainnamesinadistributeddatabasetoprovidenameresolutionservicestousersonnetworkssuch
astheInternet.
DSS:
AcronymforDataSecurityStandard.SeePADSSandPCIDSS.
DualControl:
Processofusingtwoormoreseparateentities(usuallypersons)operatinginconcerttoprotectsensitive
functionsorinformation.Bothentitiesareequallyresponsibleforthephysicalprotectionofmaterials
involvedinvulnerabletransactions.Nosinglepersonispermittedtoaccessorusethematerials(for
example,thecryptographickey).Formanualkeygeneration,conveyance,loading,storage,andretrieval,
dualcontrolrequiresdividingknowledgeofthekeyamongtheentities.(SeealsoSplitKnowledge).
DynamicPacketFiltering:
SeeStatefulInspection.
BacktoTop
E
ECC:
AcronymforEllipticCurveCryptography.Approachtopublickeycryptographybasedonellipticcurves
overfinitefields.SeeStrongCryptography.
EgressFiltering:
Methodoffilteringoutboundnetworktrafficsuchthatonlyexplicitlyallowedtrafficispermittedtoleavethe
network.
Encryption:
Processofconvertinginformationintoanunintelligibleformexcepttoholdersofaspecificcryptographic
key.Useofencryptionprotectsinformationbetweentheencryptionprocessandthedecryptionprocess(the
inverseofencryption)againstunauthorizeddisclosure.SeeStrongCryptography.
EncryptionAlgorithm:
Alsocalledcryptographicalgorithm.Asequenceofmathematicalinstructionsusedfortransforming
unencryptedtextordatatoencryptedtextordata,andbackagain.SeeStrongCryptography.
Entity:
Termusedtorepresentthecorporation,organizationorbusinesswhichisundergoingaPCIDSSreview.
BacktoTop
FileIntegrityMonitoring:
Techniqueortechnologyunderwhichcertainfilesorlogsaremonitoredtodetectiftheyaremodified.When
criticalfilesorlogsaremodified,alertsshouldbesenttoappropriatesecuritypersonnel.
FileLevelEncryption:
Techniqueortechnology(eithersoftwareorhardware)forencryptingthefullcontentsofspecificfiles.
Alternatively,seeDiskEncryptionorColumnLevelDatabaseEncryption.
FIPS:
AcronymforFederalInformationProcessingStandards.StandardsthatarepubliclyrecognizedbytheU.S.
FederalGovernmentalsoforusebynongovernmentagenciesandcontractors.
Firewall:
Hardwareand/orsoftwaretechnologythatprotectsnetworkresourcesfromunauthorizedaccess.Afirewall
permitsordeniescomputertrafficbetweennetworkswithdifferentsecuritylevelsbaseduponasetofrules
andothercriteria.
Forensics:
Alsoreferredtoascomputerforensics.Asitrelatestoinformationsecurity,theapplicationofinvestigative
toolsandanalysistechniquestogatherevidencefromcomputerresourcestodeterminethecauseofdata
compromises.
FTP:
AcronymforFileTransferProtocol.Networkprotocolusedtotransferdatafromonecomputertoanother
throughapublicnetworksuchastheInternet.FTPiswidelyviewedasaninsecureprotocolbecause
passwordsandfilecontentsaresentunprotectedandincleartext.FTPcanbeimplementedsecurelyviaSSH
orothertechnology.SeeSFTP.
BacktoTop
G
GPRS:
AcronymforGeneralPacketRadioService.MobiledataserviceavailabletousersofGSMmobilephones.
Recognizedforefficientuseoflimitedbandwidth.Particularlysuitedforsendingandreceivingsmallbursts
ofdata,suchasemailandwebbrowsing.
GSM:
AcronymforGlobalSystemforMobileCommunications.Popularstandardformobilephonesand
networks.UbiquityofGSMstandardmakesinternationalroamingverycommonbetweenmobilephone
operators,enablingsubscriberstousetheirphonesinmanypartsoftheworld.
BacktoTop
Hashing:
Processofrenderingcardholderdataunreadablebyconvertingdataintoafixedlengthmessagedigest.
Hashingisaoneway(mathematical)functioninwhichanonsecretalgorithmtakesanyarbitrarylength
messageasinputandproducesafixedlengthoutput(usuallycalledahashcodeormessagedigest).A
hashfunctionshouldhavethefollowingproperties:(1)Itiscomputationallyinfeasibletodeterminethe
originalinputgivenonlythehashcode,(2)Itiscomputationallyinfeasibletofindtwoinputsthatgivethe
samehashcode.InthecontextofPCIDSS,hashingmustbeappliedtotheentirePANforthehashcodeto
beconsideredrenderedunreadable.Itisrecommendedthathashedcardholderdataincludeaninputvariable
(forexample,asalt)tothehashingfunctiontoreduceordefeattheeffectivenessofprecomputedrainbow
tableattacks(seeInputVariable).Forfurtherguidance,refertoindustrystandards,suchascurrentversions
ofNISTSpecialPublications800107and800106,FederalInformationProcessingStandard(FIPS)1804
SecureHashStandard(SHS),andFIPS202SHA3Standard:PermutationBasedHashandExtendable
OutputFunctions.
Host:
Maincomputerhardwareonwhichcomputersoftwareisresident.
HostingProvider:
Offersvariousservicestomerchantsandotherserviceproviders.Servicesrangefromsimpletocomplex
fromsharedspaceonaservertoawholerangeofshoppingcartoptionsfrompaymentapplicationsto
connectionstopaymentgatewaysandprocessorsandforhostingdedicatedtojustonecustomerperserver.
Ahostingprovidermaybeasharedhostingprovider,whohostsmultipleentitiesonasingleserver.
HSM:
Acronymforhardwaresecuritymoduleorhostsecuritymodule.Aphysicallyandlogicallyprotected
hardwaredevicethatprovidesasecuresetofcryptographicservices,usedforcryptographickey
managementfunctionsand/orthedecryptionofaccountdata.
HTTP:
Acronymforhypertexttransferprotocol.Openinternetprotocoltotransferorconveyinformationonthe
WorldWideWeb.
HTTPS:
Acronymforhypertexttransferprotocoloversecuresocketlayer.SecureHTTPthatprovides
authenticationandencryptedcommunicationontheWorldWideWebdesignedforsecuritysensitive
communicationsuchaswebbasedlogins.
Hypervisor:
Softwareorfirmwareresponsibleforhostingandmanagingvirtualmachines.ForthepurposesofPCIDSS,
thehypervisorsystemcomponentalsoincludesthevirtualmachinemonitor(VMM).
BacktoTop
I
ID:
Identifierforaparticularuserorapplication.
IDS:
Acronymforintrusiondetectionsystem.Softwareorhardwareusedtoidentifyandalertonnetworkor
systemanomaliesorintrusionattempts.Composedof:sensorsthatgeneratesecurityeventsaconsoleto
monitoreventsandalertsandcontrolthesensorsandacentralenginethatrecordseventsloggedbythe
sensorsinadatabase.Usessystemofrulestogeneratealertsinresponsetodetectedsecurityevents.SeeIPS
IETF:
AcronymforInternetEngineeringTaskForce.Large,openinternationalcommunityofnetworkdesigners,
operators,vendors,andresearchersconcernedwithevolutionofInternetarchitectureandsmoothoperation
ofInternet.TheIETFhasnoformalmembershipandisopentoanyinterestedindividual.
IMAP:
AcronymforInternetMessageAccessProtocol.AnapplicationlayerInternetprotocolthatallowsane
mailclienttoaccessemailonaremotemailserver.
IndexToken:
AcryptographictokenthatreplacesthePAN,basedonagivenindexforanunpredictablevalue.
InformationSecurity:
Protectionofinformationtoinsureconfidentiality,integrity,andavailability.
InformationSystem:
Discretesetofstructureddataresourcesorganizedforcollection,processing,maintenance,use,sharing,
dissemination,ordispositionofinformation.
IngressFiltering:
Methodoffilteringinboundnetworktrafficsuchthatonlyexplicitlyallowedtrafficispermittedtoenterthe
network.
InjectionFlaws:
Vulnerabilitythatiscreatedfrominsecurecodingtechniquesresultinginimproperinputvalidation,which
allowsattackerstorelaymaliciouscodethroughawebapplicationtotheunderlyingsystem.Thisclassof
vulnerabilitiesincludesSQLinjection,LDAPinjection,andXPathinjection.
InputVariable:
Randomdatastringthatisconcatenatedwithsourcedatabeforeaonewayhashfunctionisapplied.Input
variablescanhelpreducetheeffectivenessofrainbowtableattacks.SeealsoHashingandRainbowTables.
InsecureProtocol/Service/Port:
Aprotocol,service,orportthatintroducessecurityconcernsduetothelackofcontrolsoverconfidentiality
and/orintegrity.Thesesecurityconcernsincludeservices,protocols,orportsthattransmitdataor
authenticationcredentials(forexample,password/passphrase)incleartextovertheInternet,orthateasily
allowforexploitationbydefaultorifmisconfigured.Examplesofinsecureservices,protocols,orports
includebutarenotlimitedtoFTP,Telnet,POP3,IMAP,andSNMPv1andv2.
IP:
Acronymforinternetprotocol.Networklayerprotocolcontainingaddressinformationandsomecontrol
informationthatenablespacketstoberoutedanddeliveredfromthesourcehosttothedestinationhost.IPis
theprimarynetworklayerprotocolintheInternetprotocolsuite.SeeTCP.
IPAddress:
Alsoreferredtoasinternetprotocoladdress.Numericcodethatuniquelyidentifiesaparticularcomputer
(host)ontheInternet.
IPAddressSpoofing:
Attacktechniqueusedtogainunauthorizedaccesstonetworksorcomputers.Themaliciousindividualsends
deceptivemessagestoacomputerwithanIPaddressindicatingthatthemessageiscomingfromatrusted
host.
IPS:
Acronymforintrusionpreventionsystem.BeyondanIDS,anIPStakestheadditionalstepofblockingthe
attemptedintrusion.
IPSEC:
AbbreviationforInternetProtocolSecurity.StandardforsecuringIPcommunicationsatthenetworklayer
byencryptingand/orauthenticatingallIPpacketsinacommunicationsession.
ISO:
BetterknownasInternationalOrganizationforStandardization.Nongovernmentalorganizationconsisting
ofanetworkofthenationalstandardsinstitutes.
Issuer:
Entitythatissuespaymentcardsorperforms,facilitates,orsupportsissuingservicesincludingbutnot
limitedtoissuingbanksandissuingprocessors.Alsoreferredtoasissuingbankorissuingfinancial
institution.
IssuingServices:
Examplesofissuingservicesmayincludebutarenotlimitedtoauthorizationandcardpersonalization.
BacktoTop
L
LAN:
Acronymforlocalareanetwork.Agroupofcomputersand/orotherdevicesthatshareacommon
communicationsline,ofteninabuildingorgroupofbuildings.
LDAP:
AcronymforLightweightDirectoryAccessProtocol.Authenticationandauthorizationdatarepository
utilizedforqueryingandmodifyinguserpermissionsandgrantingaccesstoprotectedinternalresources.
LeastPrivilege:
Havingtheminimumaccessand/orprivilegesnecessarytoperformtherolesandresponsibilitiesofthejob
function.
Log:
SeeAuditLog.
LPAR:
Abbreviationforlogicalpartition.Asystemofsubdividing,orpartitioning,acomputer'stotalresources
processors,memoryandstorageintosmallerunitsthatcanrunwiththeirown,distinctcopyofthe
operatingsystemandapplications.Logicalpartitioningistypicallyusedtoallowtheuseofdifferent
operatingsystemsandapplicationsonasingledevice.Thepartitionsmayormaynotbeconfiguredto
communicatewitheachotherorsharesomeresourcesoftheserver,suchasnetworkinterfaces.
BacktoTop
MAC:
Incryptography,anacronymformessageauthenticationcode.Asmallpieceofinformationusedto
authenticateamessage.SeeStrongCryptography.
MACAddress:
Abbreviationformediaaccesscontroladdress.Uniqueidentifyingvalueassignedbymanufacturersto
networkadaptersandnetworkinterfacecards.
MagneticStripeData:
SeeTrackData.
Mainframe:
Computersthataredesignedtohandleverylargevolumesofdatainputandoutputandemphasize
throughputcomputing.Mainframesarecapableofrunningmultipleoperatingsystems,makingitappearlike
itisoperatingasmultiplecomputers.Manylegacysystemshaveamainframedesign.
MaliciousSoftware/Malware:
Softwareorfirmwaredesignedtoinfiltrateordamageacomputersystemwithouttheowner'sknowledgeor
consent,withtheintentofcompromisingtheconfidentiality,integrity,oravailabilityoftheownersdata,
applications,oroperatingsystem.Suchsoftwaretypicallyentersanetworkduringmanybusinessapproved
activities,whichresultsintheexploitationofsystemvulnerabilities.Examplesincludeviruses,worms,
Trojans(orTrojanhorses),spyware,adware,androotkits.
Masking:
InthecontextofPCIDSS,itisamethodofconcealingasegmentofdatawhendisplayedorprinted.
MaskingisusedwhenthereisnobusinessrequirementtoviewtheentirePAN.Maskingrelatestoprotection
ofPANwhendisplayedorprinted.SeeTruncationforprotectionofPANwhenstoredinfiles,databases,etc.
MemoryScrapingAttacks:
Malwareactivitythatexaminesandextractsdatathatresidesinmemoryasitisbeingprocessedorwhichhas
notbeenproperlyflushedoroverwritten.
Merchant:
ForthepurposesofthePCIDSS,amerchantisdefinedasanyentitythatacceptspaymentcardsbearingthe
logosofanyofthefivemembersofPCISSC(AmericanExpress,Discover,JCB,MasterCardorVisa)as
paymentforgoodsand/orservices.Notethatamerchantthatacceptspaymentcardsaspaymentforgoods
and/orservicescanalsobeaserviceprovider,iftheservicessoldresultinstoring,processing,ortransmitting
cardholderdataonbehalfofothermerchantsorserviceproviders.Forexample,anISPisamerchantthat
acceptspaymentcardsformonthlybilling,butalsoisaserviceproviderifithostsmerchantsascustomers.
MO/TO:
AcronymforMailOrder/TelephoneOrder.
Monitoring:
Useofsystemsorprocessesthatconstantlyoverseecomputerornetworkresourcesforthepurposeof
alertingpersonnelincaseofoutages,alarms,orotherpredefinedevents.
MultiFactorAuthentication:
Methodofauthenticatingauserwherebyatleasttwofactorsareverified.Thesefactorsincludesomething
theuserhas(suchasasmartcardordongle),somethingtheuserknows(suchasapassword,passphrase,or
PIN)orsomethingtheuserisordoes(suchasfingerprints,otherformsofbiometrics,etc.).
BacktoTop
N
NAC:
Acronymfornetworkaccesscontrolornetworkadmissioncontrol.Amethodofimplementingsecurity
atthenetworklayerbyrestrictingtheavailabilityofnetworkresourcestoendpointdevicesaccordingtoa
definedsecuritypolicy.
NAT:
Acronymfornetworkaddresstranslation.AlsoknownasnetworkmasqueradingorIPmasquerading.
ChangeofanIPaddressusedwithinonenetworktoadifferentIPaddressknownwithinanothernetwork,
allowinganorganizationtohaveinternaladdressesthatarevisibleinternally,andexternaladdressesthatare
onlyvisibleexternally.
Network:
Twoormorecomputersconnectedtogetherviaphysicalorwirelessmeans.
NetworkAdministrator:
Personnelresponsibleformanagingthenetworkwithinanentity.Responsibilitiestypicallyincludebutare
notlimitedtonetworksecurity,installations,upgrades,maintenanceandactivitymonitoring.
NetworkComponents:
Include,butarenotlimitedtofirewalls,switches,routers,wirelessaccesspoints,networkappliances,and
othersecurityappliances.
NetworkDiagram:
Adiagramshowingsystemcomponentsandconnectionswithinanetworkedenvironment.
NetworkSecurityScan:
Processbywhichanentityssystemsareremotelycheckedforvulnerabilitiesthroughuseofmanualor
automatedtools.Securityscansthatincludeprobinginternalandexternalsystemsandreportingonservices
exposedtothenetwork.Scansmayidentifyvulnerabilitiesinoperatingsystems,services,anddevicesthat
couldbeusedbymaliciousindividuals.
NetworkSegmentation:
Alsoreferredtoassegmentationorisolation.Networksegmentationisolatessystemcomponentsthat
store,process,ortransmitcardholderdatafromsystemsthatdonot.Adequatenetworksegmentationmay
reducethescopeofthecardholderdataenvironmentandthusreducethescopeofthePCIDSSassessment.
SeetheNetworkSegmentationsectioninthePCIDSSRequirementsandSecurityAssessmentProcedures
forguidanceonusingnetworksegmentation.NetworksegmentationisnotaPCIDSSrequirement.
NetworkSniffing:
Alsoreferredtoaspacketsniffingorsniffing.Atechniquethatpassivelymonitorsorcollectsnetwork
communications,decodesprotocols,andexaminescontentsforinformationofinterest.
NIST:
AcronymforNationalInstituteofStandardsandTechnology.NonregulatoryfederalagencywithinU.S.
CommerceDepartment'sTechnologyAdministration.
NMAP:
Securityscanningsoftwarethatmapsnetworksandidentifiesopenportsinnetworkresources.
NonConsoleAccess:
Referstologicalaccesstoasystemcomponentthatoccursoveranetworkinterfaceratherthanviaadirect,
physicalconnectiontothesystemcomponent.Nonconsoleaccessincludesaccessfromwithinlocal/internal
networksaswellasaccessfromexternal,orremote,networks.
NonConsumerUsers:
Individuals,excludingcardholders,whoaccesssystemcomponents,includingbutnotlimitedtoemployees,
administrators,andthirdparties.
NTP:
AcronymforNetworkTimeProtocol.Protocolforsynchronizingtheclocksofcomputersystems,network
devicesandothersystemcomponents.
NVD:
AcronymforNationalVulnerabilityDatabase.TheU.S.governmentrepositoryofstandardsbased
vulnerabilitymanagementdata.NVDincludesdatabasesofsecuritychecklists,securityrelatedsoftware
flaws,misconfigurations,productnames,andimpactmetrics.
BacktoTop
O
OCTAVE:
AcronymforOperationallyCriticalThreat,Asset,andVulnerabilityEvaluation.Asuiteoftools,
techniques,andmethodsforriskbasedinformationsecuritystrategicassessmentandplanning.
OfftheShelf:
Descriptionofproductsthatarestockitemsnotspecificallycustomizedordesignedforaspecificcustomer
oruserandarereadilyavailableforuse.
OperatingSystem/OS:
Softwareofacomputersystemthatisresponsibleforthemanagementandcoordinationofallactivitiesand
thesharingofcomputerresources.ExamplesofoperatingsystemsincludeMicrosoftWindows,MacOS,
LinuxandUnix.
OrganizationalIndependence:
Anorganizationalstructurethatensuresthereisnoconflictofinterestbetweenthepersonordepartment
performingtheactivityandthepersonordepartmentassessingtheactivity.Forexample,individuals
performingassessmentsareorganizationallyseparatefromthemanagementoftheenvironmentbeing
assessed.
OWASP:
AcronymforOpenWebApplicationSecurityProject.Anonprofitorganizationfocusedonimprovingthe
securityofapplicationsoftware.OWASPmaintainsalistofcriticalvulnerabilitiesforwebapplications.(See
http://www.owasp.org).
BacktoTop
PADSS:
AcronymforPaymentApplicationDataSecurityStandard.
PAQSA:
AcronymforPaymentApplicationQualifiedSecurityAssessor.PAQSAsarequalifiedbyPCISSCto
assesspaymentapplicationsagainstthePADSS.RefertothePADSSProgramGuideandPAQSA
QualificationRequirementsfordetailsaboutrequirementsforPAQSACompaniesandEmployees.
Pad:
Incryptography,theonetimepadisanencryptionalgorithmwithtextcombinedwitharandomkeyor"pad"
thatisaslongastheplaintextandusedonlyonce.Additionally,ifkeyistrulyrandom,neverreused,and,
keptsecret,theonetimepadisunbreakable
PAN:
Acronymforprimaryaccountnumberandalsoreferredtoasaccountnumber.Uniquepaymentcard
number(typicallyforcreditordebitcards)thatidentifiestheissuerandtheparticularcardholderaccount.
ParameterizedQueries:
AmeansofstructuringSQLqueriestolimitescapingandthuspreventinjectionattacks.
Password/Passphrase:
Astringofcharactersthatserveasanauthenticatoroftheuser.
PAT:
Acronymforportaddresstranslationandalsoreferredtoasnetworkaddressporttranslation.Typeof
NATthatalsotranslatestheportnumbers.
Patch:
Updatetoexistingsoftwaretoaddfunctionalityortocorrectadefect.
PaymentApplication:
InthecontextofPADSS,asoftwareapplicationthatstores,processes,ortransmitscardholderdataaspart
ofauthorizationorsettlement,wherethepaymentapplicationissold,distributed,orlicensedtothirdparties.
RefertoPADSSProgramGuidefordetails.
PaymentCards:
ForpurposesofPCIDSS,anypaymentcard/devicethatbearsthelogoofthefoundingmembersofPCISSC,
whichareAmericanExpress,DiscoverFinancialServices,JCBInternational,MasterCard,orVisa,Inc.
PaymentProcessor:
Sometimesreferredtoaspaymentgatewayorpaymentserviceprovider(PSP).Entityengagedbya
merchantorotherentitytohandlepaymentcardtransactionsontheirbehalf.Whilepaymentprocessors
typicallyprovideacquiringservices,paymentprocessorsarenotconsideredacquirersunlessdefinedassuch
byapaymentcardbrand.SeealsoAcquirer.
PCI:
AcronymforPaymentCardIndustry.
PCIDSS:
AcronymforPaymentCardIndustryDataSecurityStandard.
PDA:
Acronymforpersonaldataassistantorpersonaldigitalassistant.Handheldmobiledeviceswith
capabilitiessuchasmobilephones,email,orwebbrowser.
PED:
PINentrydevice
PenetrationTest:
Penetrationtestsattempttoidentifywaystoexploitvulnerabilitiestocircumventordefeatthesecurity
featuresofsystemcomponents.Penetrationtestingincludesnetworkandapplicationtestingaswellas
controlsandprocessesaroundthenetworksandapplications,andoccursfrombothoutsidetheenvironment
(externaltesting)andfrominsidetheenvironment.
PersonalFirewallSoftware:
Asoftwarefirewallproductinstalledonasinglecomputer.
PersonallyIdentifiableInformation:
Informationthatcanbeutilizedtoidentifyanindividualincludingbutnotlimitedtoname,address,social
securitynumber,phonenumber,etc.
Personnel:
Fulltimeandparttimeemployees,temporaryemployees,contractors,andconsultantswhoareresidenton
theentityssiteorotherwisehaveaccesstothecardholderdataenvironment.
PIN:
Acronymforpersonalidentificationnumber.Secretnumericpasswordknownonlytotheuseranda
systemtoauthenticatetheusertothesystem.TheuserisonlygrantedaccessifthePINtheuserprovided
matchesthePINinthesystem.TypicalPINsareusedforautomatedtellermachinesforcashadvance
transactions.AnothertypeofPINisoneusedinEMVchipcardswherethePINreplacesthecardholders
signature.
PINBlock:
AblockofdatausedtoencapsulateaPINduringprocessing.ThePINblockformatdefinesthecontentof
thePINblockandhowitisprocessedtoretrievethePIN.ThePINblockiscomposedofthePIN,thePIN
length,andmaycontainsubsetofthePAN.
POI:
AcronymforPointofInteraction,theinitialpointwheredataisreadfromacard.Anelectronic
transactionacceptanceproduct,aPOIconsistsofhardwareandsoftwareandishostedinacceptance
equipmenttoenableacardholdertoperformacardtransaction.ThePOImaybeattendedorunattended.POI
transactionsaretypicallyintegratedcircuit(chip)and/ormagneticstripecardbasedpaymenttransactions.
Policy:
Organizationwiderulesgoverningacceptableuseofcomputingresources,securitypractices,andguiding
developmentofoperationalprocedures
POP3:
AcronymforPostOfficeProtocolv3.Applicationlayerprotocolusedbyemailclientstoretrieveemail
fromaremoteserveroveraTCP/IPconnection.
Port:
Logical(virtual)connectionpointsassociatedwithaparticularcommunicationprotocoltofacilitate
communicationsacrossnetworks.
POS:
Acronymforpointofsale.Hardwareand/orsoftwareusedtoprocesspaymentcardtransactionsat
merchantlocations.
PrivateNetwork:
NetworkestablishedbyanorganizationthatusesprivateIPaddressspace.Privatenetworksarecommonly
designedaslocalareanetworks.Privatenetworkaccessfrompublicnetworksshouldbeproperlyprotected
withtheuseoffirewallsandrouters.
PrivilegedUser:
Anyuseraccountwithgreaterthanbasicaccessprivileges.Typically,theseaccountshaveelevatedor
increasedprivilegeswithmorerightsthanastandarduseraccount.However,theextentofprivilegesacross
differentprivilegedaccountscanvarygreatlydependingontheorganization,jobfunctionorrole,andthe
technologyinuse.
Procedure:
Descriptivenarrativeforapolicy.Procedureisthehowtoforapolicyanddescribeshowthepolicyisto
beimplemented.
Protocol:
Agreeduponmethodofcommunicationusedwithinnetworks.Specificationdescribingrulesandprocedures
thatcomputerproductsshouldfollowtoperformactivitiesonanetwork.
ProxyServer:
AserverthatactsasanintermediarybetweenaninternalnetworkandtheInternet.Forexample,onefunction
ofaproxyserveristoterminateornegotiateconnectionsbetweeninternalandexternalconnectionssuchthat
eachonlycommunicateswiththeproxyserver.
PTS:
AcronymforPINTransactionSecurity,PTSisasetofmodularevaluationrequirementsmanagedbyPCI
SecurityStandardsCouncil,forPINacceptancePOIterminals.Pleaserefertowww.pcisecuritystandards.org.
PublicNetwork:
Networkestablishedandoperatedbyathirdpartytelecommunicationsproviderforspecificpurposeof
providingdatatransmissionservicesforthepublic.Dataoverpublicnetworkscanbeintercepted,modified,
and/ordivertedwhileintransit.Examplesofpublicnetworksinclude,butarenotlimitedto,theInternet,
wireless,andmobiletechnologies.SeealsoPrivateNetwork.
PVV:
AcronymforPINverificationvalue.Discretionaryvalueencodedinmagneticstripeofpaymentcard.
BacktoTop
Q
QIR:
AcronymforQualifiedIntegratororReseller.RefertotheQIRProgramGuideonthePCISSCwebsitefor
moreinformation.
QSA:
AcronymforQualifiedSecurityAssessor.QSAsarequalifiedbyPCISSCtoperformPCIDSSonsite
assessments.RefertotheQSAQualificationRequirementsfordetailsaboutrequirementsforQSA
CompaniesandEmployees.
BacktoTop
R
RADIUS:
AbbreviationforRemoteAuthenticationDialInUserService.Authenticationandaccountingsystem.
ChecksifinformationsuchasusernameandpasswordthatispassedtotheRADIUSserveriscorrect,and
thenauthorizesaccesstothesystem.Thisauthenticationmethodmaybeusedwithatoken,smartcard,etc.,
toprovidetwofactorauthentication.
RainbowTableAttack:
Amethodofdataattackusingaprecomputedtableofhashstrings(fixedlengthmessagedigest)toidentify
theoriginaldatasource,usuallyforcrackingpasswordorcardholderdatahashes.
Rekeying:
Processofchangingcryptographickeys.Periodicrekeyinglimitstheamountofdataencryptedbyasingle
key.
RemoteAccess:
Accesstocomputernetworksfromaremotelocation.Remoteaccessconnectionscanoriginateeitherfrom
insidethecompanysownnetworkorfromaremotelocationoutsidethecompanysnetwork.Anexampleof
technologyforremoteaccessisVPN.
RemoteLabEnvironment:
AlabthatisnotmaintainedbythePAQSA.
RemovableElectronicMedia:
Mediathatstoredigitizeddataandwhichcanbeeasilyremovedand/ortransportedfromonecomputer
systemtoanother.ExamplesofremovableelectronicmediaincludeCDROM,DVDROM,USBflash
drivesandexternal/portableharddrives.
Reseller/Integrator:
Anentitythatsellsand/orintegratespaymentapplicationsbutdoesnotdevelopthem.
RFC1918:
ThestandardidentifiedbytheInternetEngineeringTaskForce(IETF)thatdefinestheusageandappropriate
addressrangesforprivate(noninternetroutable)networks.
RiskAnalysis/RiskAssessment:
Processthatidentifiesvaluablesystemresourcesandthreatsquantifieslossexposures(thatis,losspotential)
basedonestimatedfrequenciesandcostsofoccurrenceand(optionally)recommendshowtoallocate
resourcestocountermeasuressoastominimizetotalexposure.
RiskRanking:
Adefinedcriterionofmeasurementbasedupontheriskassessmentandriskanalysisperformedonagiven
entity.
ROC:
AcronymforReportonCompliance.ReportdocumentingdetailedresultsfromanentitysPCIDSS
assessment.
Rootkit:
Typeofmalicioussoftwarethatwheninstalledwithoutauthorization,isabletoconcealitspresenceandgain
administrativecontrolofacomputersystem.
Router:
Hardwareorsoftwarethatconnectstwoormorenetworks.Functionsassorterandinterpreterbylookingat
addressesandpassingbitsofinformationtoproperdestinations.Softwareroutersaresometimesreferredto
asgateways.
ROV:
AcronymforReportonValidation.ReportdocumentingdetailedresultsfromaPADSSassessmentfor
purposesofthePADSSprogram.
RSA:
Algorithmforpublickeyencryptiondescribedin1977byRonRivest,AdiShamir,andLenAdlemanat
MassachusettsInstituteofTechnology(MIT)lettersRSAaretheinitialsoftheirsurnames.
BacktoTop
SFTP:
AcronymforSecureFTP.SFTPhastheabilitytoencryptauthenticationinformationanddatafilesin
transit.SeeFTP.
Sampling:
Theprocessofselectingacrosssectionofagroupthatisrepresentativeoftheentiregroup.Samplingmay
beusedbyassessorstoreduceoveralltestingefforts,whenitisvalidatedthatanentityhasstandard,
centralizedPCIDSSsecurityandoperationalprocessesandcontrolsinplace.SamplingisnotaPCIDSS
requirement.
SANS:
AcronymforSysAdmin,Audit,NetworkingandSecurity,aninstitutethatprovidescomputersecurity
trainingandprofessionalcertification.(Seewww.sans.org.)
SAQ:
AcronymforSelfAssessmentQuestionnaire.Reportingtoolusedtodocumentselfassessmentresults
fromanentitysPCIDSSassessment.
Schema:
Formaldescriptionofhowadatabaseisconstructedincludingtheorganizationofdataelements.
Scoping:
Processofidentifyingallsystemcomponents,people,andprocessestobeincludedinaPCIDSSassessment.
ThefirststepofaPCIDSSassessmentistoaccuratelydeterminethescopeofthereview.
SDLC:
Acronymforsystemdevelopmentlifecycle.Phasesofthedevelopmentofasoftwareorcomputersystem
thatincludesplanning,analysis,design,testing,andimplementation.
SecureCoding:
Theprocessofcreatingandimplementingapplicationsthatareresistanttotamperingand/orcompromise.
SecureCryptographicDevice:
Asetofhardware,softwareandfirmwarethatimplementscryptographicprocesses(includingcryptographic
algorithmsandkeygeneration)andiscontainedwithinadefinedcryptographicboundary.Examplesof
securecryptographicdevicesincludehost/hardwaresecuritymodules(HSMs)andpointofinteraction
devices(POIs)thathavebeenvalidatedtoPCIPTS.
SecureWipe:
Alsocalledsecuredelete,amethodofoverwritingdataresidingonaharddiskdriveorotherdigitalmedia,
renderingthedatairretrievable.
SecurityEvent:
Anoccurrenceconsideredbyanorganizationtohavepotentialsecurityimplicationstoasystemorits
environment.InthecontextofPCIDSS,securityeventsidentifysuspiciousoranomalousactivity.
SecurityOfficer:
Primaryresponsiblepersonforanentityssecurityrelatedaffairs.
SecurityPolicy:
Setoflaws,rules,andpracticesthatregulatehowanorganizationmanages,protects,anddistributessensitive
information.
SecurityProtocols:
Networkcommunicationsprotocolsdesignedtosecurethetransmissionofdata.Examplesofsecurity
protocolsinclude,butarenotlimitedtoSSL/TLS,IPSEC,SSH,HTTPS,etc.
SensitiveArea:
Anydatacenter,serverroomoranyareathathousessystemsthatstores,processes,ortransmitscardholder
data.Thisexcludestheareaswhereonlypointofsaleterminalsarepresentsuchasthecashierareasina
retailstore.
SensitiveAuthenticationData:
Securityrelatedinformation(includingbutnotlimitedtocardvalidationcodes/values,fulltrackdata(from
themagneticstripeorequivalentonachip),PINs,andPINblocks)usedtoauthenticatecardholdersand/or
authorizepaymentcardtransactions.
SeparationofDuties:
Practiceofdividingstepsinafunctionamongdifferentindividuals,soastokeepasingleindividualfrom
beingabletosubverttheprocess.
Server:
Computerthatprovidesaservicetoothercomputers,suchasprocessingcommunications,filestorage,or
accessingaprintingfacility.Serversinclude,butarenotlimitedtoweb,database,application,authentication,
DNS,mail,proxy,andNTP.
ServiceCode:
Threedigitorfourdigitvalueinthemagneticstripethatfollowstheexpirationdateofthepaymentcardon
thetrackdata.Itisusedforvariousthingssuchasdefiningserviceattributes,differentiatingbetween
internationalandnationalinterchange,oridentifyingusagerestrictions.
ServiceProvider:
Businessentitythatisnotapaymentbrand,directlyinvolvedintheprocessing,storage,ortransmissionof
cardholderdataonbehalfofanotherentity.Thisalsoincludescompaniesthatprovideservicesthatcontrolor
couldimpactthesecurityofcardholderdata.Examplesincludemanagedserviceprovidersthatprovide
managedfirewalls,IDSandotherservicesaswellashostingprovidersandotherentities.Ifanentity
providesaservicethatinvolvesonlytheprovisionofpublicnetworkaccesssuchasatelecommunications
companyprovidingjustthecommunicationlinktheentitywouldnotbeconsideredaserviceproviderfor
thatservice(althoughtheymaybeconsideredaserviceproviderforotherservices).
SessionToken:
Inthecontextofwebsessionmanagement,asessiontoken(alsoreferredtoasasessionidentifieror
sessionID),isauniqueidentifier(suchasacookie)usedtotrackaparticularsessionbetweenaweb
browserandawebserver.
SHA1/SHA2:
AcronymforSecureHashAlgorithm.Afamilyorsetofrelatedcryptographichashfunctionsincluding
SHA1andSHA2.SeeStrongCryptography.
SmartCard:
AlsoreferredtoaschipcardorICcard(integratedcircuitcard).Atypeofpaymentcardthathas
integratedcircuitsembeddedwithin.Thecircuits,alsoreferredtoasthechip,containpaymentcarddata
includingbutnotlimitedtodataequivalenttothemagneticstripedata.
SNMP:
AcronymforSimpleNetworkManagementProtocol.Supportsmonitoringofnetworkattacheddevicesfor
anyconditionsthatwarrantadministrativeattention.
Splitknowledge:
Amethodbywhichtwoormoreentitiesseparatelyhavekeycomponentsthatindividuallyconveyno
knowledgeoftheresultantcryptographickey.
Spyware:
Typeofmalicioussoftwarethatwheninstalled,interceptsortakespartialcontroloftheuserscomputer
withouttheusersconsent.
SQL:
AcronymforStructuredQueryLanguage.Computerlanguageusedtocreate,modify,andretrievedata
fromrelationaldatabasemanagementsystems.
SQLInjection:
Formofattackondatabasedrivenwebsite.AmaliciousindividualexecutesunauthorizedSQLcommands
bytakingadvantageofinsecurecodeonasystemconnectedtotheInternet.SQLinjectionattacksareusedto
stealinformationfromadatabasefromwhichthedatawouldnormallynotbeavailableand/ortogainaccess
toanorganizationshostcomputersthroughthecomputerthatishostingthedatabase.
SSH:
AbbreviationforSecureShell.Protocolsuiteprovidingencryptionfornetworkserviceslikeremotelogin
orremotefiletransfer.
SSL:
AcronymforSecureSocketsLayer.Industrystandardthatencryptsthechannelbetweenawebbrowser
andwebserver.NowsupersededbyTLS.SeeTLS.
StatefulInspection:
Alsocalleddynamicpacketfiltering.Firewallcapabilitythatprovidesenhancedsecuritybykeepingtrack
ofthestateofnetworkconnections.Programmedtodistinguishlegitimatepacketsforvariousconnections,
onlypacketsmatchinganestablishedconnectionwillbepermittedbythefirewallallotherswillberejected.
StrongCryptography:
Cryptographybasedonindustrytestedandacceptedalgorithms,alongwithkeylengthsthatprovidea
minimumof112bitsofeffectivekeystrengthandproperkeymanagementpractices.Cryptographyisa
methodtoprotectdataandincludesbothencryption(whichisreversible)andhashing(whichisoneway
thatis,notreversible).SeeHashing.
Atthetimeofpublication,examplesofindustrytestedandacceptedstandardsandalgorithmsincludeAES
(128bitsandhigher),TDES/TDEA(triplelengthkeys),RSA(2048bitsandhigher),ECC(224bitsand
higher),andDSA/DH(2048/224bitsandhigher).SeethecurrentversionofNISTSpecialPublication800
57Part1(http://csrc.nist.gov/publications/)formoreguidanceoncryptographickeystrengthsand
algorithms.
Note:Theaboveexamplesareappropriateforpersistentstorageofcardholderdata.Theminimum
cryptographyrequirementsfortransactionbasedoperations,asdefinedinPCIPINandPTS,aremore
flexibleasthereareadditionalcontrolsinplacetoreducethelevelofexposure.Itisrecommendedthatall
newimplementationsuseaminimumof128bitsofeffectivekeystrength.
SysAdmin:
Abbreviationforsystemadministrator.Individualwithelevatedprivilegeswhoisresponsiblefor
managingacomputersystemornetwork.
SystemComponents:
Anynetworkcomponent,server,orapplicationincludedinorconnectedtothecardholderdataenvironment.
Systemlevelobject:
Anythingonasystemcomponentthatisrequiredforitsoperation,includingbutnotlimitedtodatabase
tables,storedprocedures,applicationexecutablesandconfigurationfiles,systemconfigurationfiles,static
andsharedlibrariesandDLLs,systemexecutables,devicedriversanddeviceconfigurationfiles,andthird
partycomponents.
BacktoTop
T
TACACS:
AcronymforTerminalAccessControllerAccessControlSystem.Remoteauthenticationprotocol
commonlyusedinnetworksthatcommunicatesbetweenaremoteaccessserverandanauthenticationserver
todetermineuseraccessrightstothenetwork.Thisauthenticationmethodmaybeusedwithatoken,smart
card,etc.,toprovidetwofactorauthentication.
TCP:
AcronymforTransmissionControlProtocol.OneofthecoretransportlayerprotocolsoftheInternet
Protocol(IP)suite,andthebasiccommunicationlanguageorprotocoloftheInternet.SeeIP.
TDES:
AcronymforTripleDataEncryptionStandardandalsoknownas3DESorTripleDES.Blockcipher
formedfromtheDEScipherbyusingitthreetimes.SeeStrongCryptography.
TELNET:
Abbreviationfortelephonenetworkprotocol.Typicallyusedtoprovideuserorientedcommandlinelogin
sessionstodevicesonanetwork.Usercredentialsaretransmittedincleartext.
Threat:
Conditionoractivitythathasthepotentialtocauseinformationorinformationprocessingresourcestobe
intentionallyoraccidentallylost,modified,exposed,madeinaccessible,orotherwiseaffectedtothe
detrimentoftheorganization.
TLS:
AcronymforTransportLayerSecurity.Designedwithgoalofprovidingdatasecrecyanddataintegrity
betweentwocommunicatingapplications.TLSissuccessorofSSL.
Token:
Inthecontextofauthenticationandaccesscontrol,atokenisavalueprovidedbyhardwareorsoftwarethat
workswithanauthenticationserverorVPNtoperformdynamicortwofactorauthentication.SeeRADIUS,
TACACS,andVPN.
TrackData:
Alsoreferredtoasfulltrackdataormagneticstripedata.Dataencodedinthemagneticstripeorchip
usedforauthenticationand/orauthorizationduringpaymenttransactions.Canbethemagneticstripeimage
onachiporthedataonthetrack1and/ortrack2portionofthemagneticstripe.
TransactionData:
Datarelatedtoelectronicpaymentcardtransaction.
Trojan:
AlsoreferredtoasTrojanhorse.Atypeofmalicioussoftwarethatwheninstalled,allowsausertoperform
anormalfunctionwhiletheTrojanperformsmaliciousfunctionstothecomputersystemwithouttheusers
knowledge.
Truncation:
MethodofrenderingthefullPANunreadablebypermanentlyremovingasegmentofPANdata.Truncation
relatestoprotectionofPANwhenstoredinfiles,databases,etc.SeeMaskingforprotectionofPANwhen
displayedonscreens,paperreceipts,etc.
TrustedNetwork:
Networkofanorganizationthatiswithintheorganizationsabilitytocontrolormanage.
BacktoTop
U
UntrustedNetwork:
Networkthatisexternaltothenetworksbelongingtoanorganizationandwhichisoutoftheorganizations
abilitytocontrolormanage.
URL:
AcronymforUniformResourceLocator.AformattedtextstringusedbyWebbrowsers,emailclients,and
othersoftwaretoidentifyanetworkresourceontheInternet.
BacktoTop
VersioningMethodology:
Aprocessofassigningversionschemestouniquelyidentifyaparticularstateofanapplicationorsoftware.
Theseschemesfollowaversionnumberformat,versionnumberusage,andanywildcardelementasdefined
bythesoftwarevendor.Versionnumbersaregenerallyassignedinincreasingorderandcorrespondtoa
particularchangeinthesoftware.
VirtualAppliance(VA):
AVAtakestheconceptofapreconfigureddeviceforperformingaspecificsetoffunctionsandrunthis
deviceasaworkload.Often,anexistingnetworkdeviceisvirtualizedtorunasavirtualappliance,suchasa
router,switch,orfirewall.
VirtualHypervisor:
SeeHypervisor.
VirtualMachine:
Aselfcontainedoperatingenvironmentthatbehaveslikeaseparatecomputer.Itisalsoknownasthe
Guest,andrunsontopofahypervisor.
VirtualMachineMonitor(VMM):
TheVMMisincludedwiththehypervisorandissoftwarethatimplementsvirtualmachinehardware
abstraction.Itmanagesthesystemsprocessor,memory,andotherresourcestoallocatewhateachguest
operatingsystemrequires.
VirtualPaymentTerminal:
Avirtualpaymentterminaliswebbrowserbasedaccesstoanacquirer,processororthirdpartyservice
providerwebsitetoauthorizepaymentcardtransactions,wherethemerchantmanuallyenterspaymentcard
dataviaasecurelyconnectedwebbrowser.Unlikephysicalterminals,virtualpaymentterminalsdonotread
datadirectlyfromapaymentcard.Becausepaymentcardtransactionsareenteredmanually,virtualpayment
terminalsaretypicallyusedinsteadofphysicalterminalsinmerchantenvironmentswithlowtransaction
volumes.
VirtualSwitchorRouter:
Avirtualswitchorrouterisalogicalentitythatpresentsnetworkinfrastructureleveldataroutingand
switchingfunctionality.Avirtualswitchisanintegralpartofavirtualizedserverplatformsuchasa
hypervisordriver,module,orplugin.
Virtualization:
Virtualizationreferstothelogicalabstractionofcomputingresourcesfromphysicalconstraints.One
commonabstractionisreferredtoasvirtualmachinesorVMs,whichtakesthecontentofaphysicalmachine
andallowsittooperateondifferentphysicalhardwareand/oralongwithothervirtualmachinesonthesame
physicalhardware.InadditiontoVMs,virtualizationcanbeperformedonmanyothercomputingresources,
includingapplications,desktops,networks,andstorage.
VLAN:
AbbreviationforvirtualLANorvirtuallocalareanetwork.Logicallocalareanetworkthatextends
beyondasingletraditionalphysicallocalareanetwork.
VPN:
Acronymforvirtualprivatenetwork.Acomputernetworkinwhichsomeofconnectionsarevirtual
circuitswithinsomelargernetwork,suchastheInternet,insteadofdirectconnectionsbyphysicalwires.The
endpointsofthevirtualnetworkaresaidtobetunneledthroughthelargernetworkwhenthisisthecase.
WhileacommonapplicationconsistsofsecurecommunicationsthroughthepublicInternet,aVPNmayor
maynothavestrongsecurityfeaturessuchasauthenticationorcontentencryption.AVPNmaybeusedwith
atoken,smartcard,etc.,toprovidetwofactorauthentication.
Vulnerability:
Flaworweaknesswhich,ifexploited,mayresultinanintentionalorunintentionalcompromiseofasystem.
BacktoTop
W
WAN:
Acronymforwideareanetwork.Computernetworkcoveringalargearea,oftenaregionalorcompany
widecomputersystem.
WebApplication:
Anapplicationthatisgenerallyaccessedviaawebbrowserorthroughwebservices.Webapplicationsmay
beavailableviatheInternetoraprivate,internalnetwork.
WebServer:
ComputerthatcontainsaprogramthatacceptsHTTPrequestsfromwebclientsandservestheHTTP
responses(usuallywebpages).
WEP:
AcronymforWiredEquivalentPrivacy.Weakalgorithmusedtoencryptwirelessnetworks.Several
seriousweaknesseshavebeenidentifiedbyindustryexpertssuchthataWEPconnectioncanbecrackedwith
readilyavailablesoftwarewithinminutes.SeeWPA.
Wildcard:
Acharacterthatmaybesubstitutedforadefinedsubsetofpossiblecharactersinanapplicationversion
scheme.InthecontextofPADSS,wildcardscanoptionallybeusedtorepresentanonsecurityimpacting
change.Awildcardistheonlyvariableelementofthevendorsversionscheme,andisusedtoindicatethere
areonlyminor,nonsecurityimpactingchangesbetweeneachversionrepresentedbythewildcardelement.
WirelessAccessPoint:
AlsoreferredtoasAP.Devicethatallowswirelesscommunicationdevicestoconnecttoawireless
network.Usuallyconnectedtoawirednetwork,itcanrelaydatabetweenwirelessdevicesandwireddevices
onthenetwork.
WirelessNetworks:
Networkthatconnectscomputerswithoutaphysicalconnectiontowires.
WLAN:
Acronymforwirelesslocalareanetwork.Localareanetworkthatlinkstwoormorecomputersordevices
withoutwires.
WPA/WPA2:
AcronymforWiFiProtectedAccess.Securityprotocolcreatedtosecurewirelessnetworks.WPAisthe
successortoWEP.WPA2wasalsoreleasedasthenextgenerationofWPA.
BacktoTop
AboutUs
Leadership
News
Jobs
Blog
Training
Webinars
Qualification
Documents
GettingStarted
ParticipatingOrganizations
AffiliateMembers
Awareness
Contact&Info
AboutUs
Careers
ContactUs
Media
NewsRoom
PressContacts
Events
Copyright20062017PCISecurityStandardsCouncil,LLC.Allrightsreserved.LegalTerms&
Conditions.SitemapAssociationManagementservicesprovidedbyVirtual,Inc.PrivacyPolicy
EnglishFranaisEspaolDeutschItalianoPortugus
Trke

Glosario de Terminologia PCI DSS v3.2

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Glosario de Terminologia PCI DSS v3.2

Hochgeladen von

Copyright:

Verfügbare Formate

2017518 OfficialPCISecurityStandardsCouncilSiteVerifyPCICompliance,DownloadDataSecurityandCreditCardSecurityStandards

Das könnte Ihnen auch gefallen