PCI DSS Glossary
The Payment Card Industry Data Security Standard (PCI DSS) is full of terminology and language that can often be confusing. We have put together a short glossary of terms to help you.
Acquirer – the bank or financial institution that initiates and maintains relationships with merchants for the acceptance of payment cards, and through which the merchant's card transactions are submitted to the card schemes.
Application Penetration Testing – security testing of an application in which the tester actively attacks and manipulates it, as a real adversary would, to establish whether flaws exist that could give unauthorised access to resources, data or other users' sessions.
Approved Scanning Vendor (ASV) – an organisation approved by the PCI SSC to perform the external vulnerability scans that PCI DSS requires of Internet-facing systems (at least quarterly and after significant change). ASVs use automated scanning tools and are qualified, and periodically re-assessed, by the PCI SSC to keep that status.
Card Recon – a PCI compliance software tool offered by IP Solutions used to perform cardholder data discovery on desktops and servers.
Card Scheme – one of the five major card brands that together founded the PCI SSC: Visa Inc, MasterCard Worldwide, American Express, JCB International and Discover Financial Services.
Credit card data discovery – finding where card data is stored across an organisation. This is one of the first steps towards compliance with the Payment Card Industry (PCI) Data Security Standard (DSS): any system holding cardholder data is in scope, and you cannot protect, or remove, data you do not know about.
Data breach – an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorised to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
Descoping – removing systems, processes or people from the scope of a PCI DSS assessment. In practice this means arranging that they no longer store, process or transmit cardholder data, for example by not retaining the PAN at all, by replacing it with a token, or by routing card entry to a validated third party.
Dynamic Transaction Switch (DTS) – a Microsoft .NET based transaction management engine that runs on a secured and fault-tolerant telecommunications and server infrastructure. The DTS acts as the electronic transaction processing engine and supports a variety of products and services.
Encryption – the conversion of data into a form, called ciphertext, that cannot be understood without the corresponding decryption key. Decryption is the process of converting the ciphertext back into its original form. Under the PCI DSS, encrypting stored cardholder data only counts as protection if the keys are managed properly and kept apart from the data; an encrypted PAN stored next to its key is still fully in scope.
Ethical Hacker – a person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent.
Gap – a gap analysis is an exercise to establish the “gap” or distance between an organisation’s current payment card environment and the requirements set out in the PCI DSS. The gap essentially gives an indication of how much work is needed to become PCI compliant.
Interactive voice response (IVR) – a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via keypad.
Legacy systems – outdated computer systems, programming languages or application software that remain in use although newer versions are available.
Level 1 PCI DSS – merchants fall into four compliance levels depending on the number of transactions they process each year and the channel used (brick-and-mortar or Internet). Level 1 covers merchants processing 6 million or more Visa or MasterCard transactions per year, any merchant that has suffered a data breach, and any merchant a card brand chooses to designate as Level 1. Level 1 merchants must validate through an annual on-site assessment by a QSA (or an Internal Security Assessor) rather than a self-assessment questionnaire.
LUHN formula – also called the modulus 10 (mod 10) check, a simple checksum used to validate a payment card number: the final digit is chosen so that a weighted sum of all the digits is divisible by 10. It is used on cards issued by all the major card brands, including American Express, Visa, MasterCard, Discover and Diners Club. Devised by IBM scientist Hans Peter Luhn (patented in 1960), it is in the public domain and anyone can use it. It detects accidental errors such as a mistyped digit or an adjacent transposition; it is not a security control, since anyone can generate numbers that pass it.
Man In The Middle (MITM) – an attack in which the attacker positions themselves between two communicating parties, in this context between a customer and a payment application, and intercepts (and possibly alters) the payment data that passes between them. Very often the customer is unaware that communications are being intercepted. The defence is properly configured TLS with certificate validation on every hop that carries cardholder data, together with regular penetration testing and application security testing to confirm the controls actually hold.
Merchant – an entity that trades goods and services and receives payment by means of credit or debit card.
Office of the Australian Information Commissioner (OAIC) – an independent Australian Government agency established under the Australian Information Commissioner Act 2010.
Payment Card Industry Security Standards Council (PCI SSC) – the global governing body for payment card security standards. The PCI Security Standards Council is responsible for the development, management, education and awareness of the PCI Security Standards. These include the Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS, since retired in favour of the PCI Software Security Framework) and PIN Transaction Security (PTS).
Payment Card Industry Data Security Standard (PCI DSS) – the standard, organised into 12 requirements grouped under six control objectives, that sets out the technical and operational controls for protecting payment card data and the systems that store, process or transmit it.
Payment Relationship Manager (PRM)
PCI Compliant – refers to an organisation that has become compliant with the PCI DSS and has demonstrated this either through a Self-Assessment Questionnaire or through formal validation (audit) by a QSA firm.
Penetration Testing – a technical security assessment undertaken by ethical hackers who attempt to exploit flaws in infrastructure, networks and applications. It goes beyond a vulnerability scan by confirming which weaknesses can actually be exploited and how far an attacker could get.
PIN Transaction Security (PTS) – a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals.
Primary Account Number (PAN) – the payment card number (13 to 19 digits) embossed or printed on the card. Its leading digits identify the issuer (the BIN) and its last digit is a check digit computed with the Luhn algorithm. The PAN is the data element that makes a record cardholder data for PCI DSS purposes; wherever it is stored it must be rendered unreadable, for example by truncation, tokenisation or strong encryption with managed keys.
Privacy Act – The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. When this glossary was written it included ten National Privacy Principles (NPPs), which applied to certain private sector organisations, and 11 Information Privacy Principles (IPPs), which applied to Australian, ACT and Norfolk Island agencies. Both sets were replaced in March 2014 by the 13 Australian Privacy Principles (APPs), which apply to both sectors.
Qualified Security Assessor (QSA) – an information security and PCI expert who works for a QSA firm and has been certified by the PCI SSC as fit and proper to validate whether a company or environment is PCI compliant. A QSA consultant must belong to a registered and authorised QSA firm.
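The Luhn check described above, and the way it is used in the credit card data discovery step, can be shown in a few lines. This is an added example written for this glossary, not code from Card Recon, IP Solutions or the PCI SSC. The sample text is constructed: 4111 1111 1111 1111 and 5555 5555 5555 4444 are well-known test PANs that pass the Luhn check, the "ticket ref" is a 16-digit number that fails it, and the phone number is too short to be a candidate at all.

```python
import re

# Constructed sample input for the demonstration (not real data).
SAMPLE_TEXT = """\
order 1042 card=4111 1111 1111 1111 exp 12/27
refund to 5555-5555-5555-4444 approved
ticket ref 1234567890123456 (not a card)
call +61 2 9876 5432 for support
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not glued to further digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Modulus-10 check: starting from the rightmost digit, double every
    second digit, subtract 9 from any doubled value above 9, and require
    the sum of all digits to be a multiple of 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single check digit that makes partial + digit Luhn-valid
    (this is how an issuer derives the last digit of a new PAN)."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial must consist of digits only")


def find_pans(text: str) -> list[str]:
    """Cardholder data discovery: a regex finds digit runs of card length,
    then the Luhn check discards the many numeric strings (ticket numbers,
    timestamps, IDs) that are not card numbers. Luhn only removes noise;
    a run that passes still needs a human or BIN lookup to confirm."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Never print a full PAN from a discovery tool; mask it in the report.
    for pan in find_pans(SAMPLE_TEXT):
        print("possible PAN:", pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
```

Running the script reports the two test cards and nothing else. Real discovery tooling adds BIN-range lookups to cut false positives further, and scans file shares, databases and memory dumps rather than a string, but the regex-then-Luhn filter is the core of every such tool.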
Remediation – is an activity designed to close the gap between the current practice and environment where cardholder data is stored, processed or transmitted and the requirements of the PCI DSS. Such activity is generally also governed by project management and change control processes and often involves people, process and technology change.
Report on Compliance (ROC) – the report produced when a QSA validates an environment against the PCI DSS. The outcome of the assessment is a Report on Compliance opinion of Compliant or Not Compliant, depending on the evidence the merchant or service provider provides to support its compliance assertions. The report cites evidence against each of the 12 PCI DSS requirements, demonstrating how compliance has been achieved.
Scope – the set of people, processes and system components that store, process or transmit cardholder data, together with any systems connected to them or able to affect the security of that environment. The scope defines the cardholder data environment (CDE) against which the PCI DSS must be applied and which a QSA validates as part of a PCI compliance programme; establishing it accurately, and keeping it as small as possible, is the first task of any assessment.
Service Provider – an entity that stores, processes or transmits cardholder data on behalf of merchants. Examples include hosting providers and payment services for merchants. Such providers do not have direct contractual relationships with acquiring institutions, other than for their own merchant activities, but nonetheless fall within scope of the PCI DSS wherever they store, process or transmit payment card data on behalf of merchants. It is the merchant's responsibility to ensure that the service providers it uses operate in a way that is compliant with the PCI DSS, and to keep a record of which requirements each provider covers.
Tokenisation – the process of replacing sensitive data with a surrogate value (a token) that keeps whatever properties the business needs (format, last four digits) but has no exploitable value outside the tokenisation system. Tokenisation, which minimises the amount of card data a business needs to keep on hand, has become a popular way for small and mid-sized businesses to bolster the security of card and e-commerce transactions while reducing the cost and complexity of compliance with industry standards and government regulations, because systems that only hold tokens can be taken out of PCI DSS scope.
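To make the tokenisation and descoping entries concrete, here is a minimal token vault. It is an added, constructed example for this glossary, not a vendor's product or any standard's reference code; `TokenVault` is a hypothetical in-memory service, and in a real deployment the vault would be a separately hosted, access-controlled system that is the only component left in PCI DSS scope for stored PANs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class TokenVault:
    """Hypothetical in-memory tokenisation service (constructed example).

    A token is a random surrogate with no mathematical relationship to the
    PAN, so a token copied out of an application database cannot be turned
    back into a card number without access to this vault.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._pan_by_token: Dict[str, str] = {}    # the protected store
        self._token_by_index: Dict[str, str] = {}  # keyed hash of PAN -> token

    def _index(self, pan: str) -> str:
        # Keyed hash rather than a plain SHA-256: once the BIN is known only
        # about a billion Luhn-valid PANs remain, which is trivial to
        # enumerate against an unkeyed hash of the PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:      # same PAN always maps to same token
            return self._token_by_index[idx]
        # Keep the last four digits in the clear so receipts and customer
        # service can refer to the card; everything else is random.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the payment process that genuinely needs the PAN (e.g. to
        send it to the acquirer) should be allowed to call this."""
        return self._pan_by_token.get(token)


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits,
    with the digits in between replaced by asterisks."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    tok = vault.tokenize("4111111111111111")        # standard test PAN
    print("stored in the order system:", tok)
    print("shown on the receipt:      ", mask_pan(vault.detokenize(tok)))
```

The order system, reporting database and support tools only ever see `tok_...` values and the masked form; the vault (and its index key) is what has to be protected, audited and kept in scope.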
Token – A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication.
Validation / Audit – refers to the final stage of PCI compliance whereby a Qualified Security Assessor (QSA) will validate and attest the compliance status of the environment under assessment for compliance with the PCI DSS.
Vulnerability Assessment – a technical security audit that uses automated tools to test for known security flaws, misconfigurations and weaknesses in infrastructure and, to a more limited extent, in applications. Unlike a penetration test it identifies weaknesses without exploiting them, so its findings need to be triaged for false positives and prioritised by exploitability.
Network Management Glossary
The area of Network Management, Security & Productivity is full of terminology and language that can often be confusing. We have put together a short glossary of terms to help you.
3G Failover – switching solutions that allow a customer's network to fail over automatically to 3G wireless connectivity when the primary link is lost, maintaining continuity of connectivity.
Access Control – Refers to mechanisms and policies which restrict access to computer resources. An access control list (ACL), for example, specifies what operations different users can perform on specific files and directories.
Asymmetric Digital Subscriber Line (ADSL) – a type of DSL broadband communications technology used for connecting to the Internet. ADSL allows more data to be sent over existing copper telephone lines (POTS), when compared to traditional modem lines.
Application Gateway Firewall – application gateways look at data at the application layer of the protocol stack and serve as proxies for outside users, intercepting packets and forwarding them to the application. Thus, outside users never have a direct connection to anything beyond the firewall.
Authentication – The process of determining the identity of a user that is attempting to access a network. Authentication occurs through challenge/response, time-based code sequences or other techniques.
Authentication Header (AH) – the IPsec Authentication Header is a mechanism for providing strong integrity and origin authentication for IP datagrams. It might also provide non-repudiation, depending on which cryptographic algorithm is used and how keying is performed; for example, an asymmetric digital signature algorithm such as RSA could provide non-repudiation. In deployed IPsec, however, AH uses a keyed hash (HMAC) shared by both ends, so either party could have produced the datagram and there is no non-repudiation. AH also provides no confidentiality; ESP is used where the payload must be encrypted.
Authorisation – The process of determining what types of activities or access is permitted on a network. Usually used in the context of authentication: once you have authenticated a user, they may be authorised to have access to a specific service.
Challenge-Response – a common authentication technique in which the verifier sends a fresh, unpredictable value (the challenge) and the user or device returns a value computed from that challenge and a secret (the response). Because the secret itself is never transmitted and each challenge is used once, a captured response cannot be replayed. Many smart card and hardware token systems work this way: the user is shown a code (the challenge), enters it into the card or token, and the device displays a new code (the response) that the user presents to log in.
Challenge-Handshake Authentication Protocol (CHAP) – an authentication technique, used over PPP links, in which, after the link is established, the server sends a challenge to the requestor. The requestor responds with a value obtained by running a one-way hash function over the challenge and the shared secret. The server checks the response by comparing it with its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated. Because the server must recompute the hash, it has to hold each peer's secret in recoverable form, which is CHAP's main weakness.
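The three-step exchange described in the challenge-response and CHAP entries above, with both sides' messages, as an added example written for this glossary (not code from any PPP implementation). The response computation follows the MD5 construction in RFC 1994; the peer name, secret and `ChapAuthenticator` class are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret never crosses the link; only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (constructed). Holds each peer's secret in recoverable
    form because it must recompute exactly the digest the peer computed."""

    def __init__(self, secrets_by_name: Dict[str, bytes]) -> None:
        self._secrets = secrets_by_name
        self._id = 0
        self._outstanding: Dict[int, bytes] = {}  # identifier -> challenge value

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1, authenticator -> peer: Challenge packet (Identifier, Value)."""
        self._id = (self._id + 1) & 0xFF
        value = secrets.token_bytes(16)  # fresh and unpredictable every time
        self._outstanding[self._id] = value
        return self._id, value

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3, authenticator checks the Response and answers Success or
        Failure. The challenge is consumed on first use, so a response
        captured off the wire cannot be replayed against the same challenge."""
        value = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)  # constant-time compare


def peer_respond(identifier: int, value: bytes, secret: bytes) -> bytes:
    """Step 2, peer -> authenticator: Response packet carrying the digest."""
    return chap_response(identifier, secret, value)


def run_exchange(auth: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """Drive one complete CHAP exchange and return the authenticator's verdict."""
    ident, value = auth.challenge()          # 1. Challenge
    resp = peer_respond(ident, value, peer_secret)  # 2. Response
    return auth.verify(name, ident, resp)    # 3. Success / Failure


if __name__ == "__main__":
    auth = ChapAuthenticator({"branch-router": b"shared-secret-from-config"})
    print("correct secret:", run_exchange(auth, "branch-router", b"shared-secret-from-config"))
    print("wrong secret:  ", run_exchange(auth, "branch-router", b"guess"))
```

Compare this with PAP, where the password itself is sent over the link: an eavesdropper on a CHAP exchange sees only a random challenge and an MD5 digest, but can still run an offline dictionary attack on the secret, which is why CHAP-style protocols have given way to EAP-TLS and similar certificate-based methods on modern links.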
Cloud Based – refers to applications, services or resources made available to users on demand via the Internet from a cloud computing provider’s servers. Companies typically utilise cloud-based computing as a way to increase capacity, enhance functionality or add additional services on demand without having to commit to potentially expensive infrastructure costs or increase / train existing in-house support staff.
Content blocking – the ability to block network traffic based on actual packet content.
Content Filtering – the ability to review the actual information that an end user sees when using a specific Internet application. For example, the content of e-mail.
Cookie – a small piece of data that a Web server sends to a Web browser. The browser stores it (historically in a text file, today in a per-profile cookie store) and sends it back to the same server with each subsequent request, which is how sessions are kept across otherwise stateless HTTP requests. Because a session cookie is as good as the login it represents, it should be marked Secure and HttpOnly and protected from interception.
Class of Service (CoS) – is a way of managing traffic in a network by grouping similar types of traffic (for example, e-mail, streaming video, voice, large document file transfer) together and treating each type as a class with its own level of service priority.
Cyberslacking – a term used to describe the increased use of the internet on company computers by employees for their personal use or entertainment. The practice, which accelerated with the advent of broadband internet connections, is estimated to cost employers millions a year in lost productivity, added security costs, and staff replacement.
Data driven attack – form of intrusion in which the attack is encoded in seemingly innocuous data, and it is subsequently executed by a user or other software to actually implement the attack.
Denial of service attack – an attack in which a user or program consumes a system's resources, typically by launching a multitude of requests, leaving no resources for legitimate users and thereby "denying" them service. Attacks may target bandwidth, connection tables, CPU or memory; when the requests come from many compromised hosts at once it is a distributed denial of service (DDoS) attack.
Digital Certificate – an electronic credential, issued by a certification authority (CA), that establishes your identity when doing business or other transactions on the Web. It contains your name, a serial number, an expiry date, a copy of the certificate holder's public key (used by others to encrypt messages to the holder and to verify the holder's digital signatures), and the digital signature of the issuing authority, so that a recipient can verify that the certificate is genuine.
Digital Signature – an electronic rather than a written signature, computed with the signer's private key, that can be used to authenticate the identity of the sender of a message or the signer of a document. It can also be used to ensure that the content of the message or document has not been changed since it was signed. Additional benefits of a digital signature are that it is easily transportable, cannot be easily repudiated, cannot be imitated by someone else, and can be automatically time-stamped; all of these depend on the private key remaining secret.
DNS spoofing – breaching the trust relationship by assuming the DNS name of another system. This is usually accomplished by either corrupting the name service cache of a victim system or by compromising a domain name server for a valid domain.
Firewall – a device or program that protects the resources of one network from users on other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet will want a firewall to prevent outsiders from accessing its own private data resources.
Firewall denial-of-service – a denial-of-service attack aimed specifically at the firewall itself, for example by exhausting its state table, so that it either blocks legitimate traffic or fails open.
File Transfer Protocol (FTP) – the simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application protocol that uses the Internet's TCP/IP protocols. Plain FTP sends credentials and file contents in the clear; SFTP or FTPS should be used instead.
Gateway – a network point that acts as an entrance to another network. In a company network, a proxy server acts as a gateway between the internal network and the Internet. A gateway may also be any machine or service that passes packets from one network to another network in their trip across the Internet.
Insider attack – an attack originating from inside a protected network.
Intrusion detection – detection of break-ins or break-in attempts by reviewing logs or other information available on a network.
IP hijacking – an attack where an active, established session is intercepted and taken over by the attacker. May take place after authentication has occurred which allows the attacker to assume the role of an already authorized user.
IP spoofing – an attack where the attacker impersonates a trusted system by using its IP network address.
Malicious Code – any code added, changed, or removed from a software system in order to intentionally cause harm or subvert the intended function of the system. Traditional examples of malicious code include viruses, worms, Trojan Horses, and attack scripts, while more modern examples include Java attack applets and dangerous ActiveX controls.
Managed Network – a service that combines the physical network, routers, switches, management, maintenance and monitoring into an all-in-one offering. This lets a client concentrate on the applications that deliver value to their business rather than on the performance of the applications and the networks on which they reside.
Network Operations Centre (NOC) – one or more locations from which control is exercised over a network. Organisations may operate multiple NOCs, either to manage different networks or to provide geographic redundancy in the event of one site being unavailable or offline.
Packet – the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file (e-mail message, HTML file, GIF file, URL request, and so forth) is sent from one place to another on the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into “chunks” of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file (by the TCP layer at the receiving end).
Packet Sniffing – intercepting packets of information (including such things for example as a credit card number) that are traveling between locations on the Internet.
Password Authentication Protocol (PAP) – a procedure used to validate a connection request. After the link is established, the requestor sends an ID and password to the server. The server validates the request and sends back an acknowledgement, terminates the connection, or offers the requestor another chance. The password is sent in the clear, so PAP should only be used over a link that is already encrypted.
Password-based attacks – an attack where repetitive attempts are made to duplicate a valid log-in and/or password sequence.
Polymorphic virus – polymorphic viruses encrypt the body of the virus in an attempt to hide its signature from anti-virus programs.
Quality of Service (QoS) – on the Internet and in other networks, QoS is the idea that transmission rates, error rates, and other characteristics can be measured, improved, and, to some extent, guaranteed in advance. QoS is of particular concern for the continuous transmission of high-bandwidth video and multimedia information.
Screening router – a router configured to permit or deny traffic based on a set of permission rules installed by the administrator.
Signatures – in anti-virus software, a signature is a byte pattern or detection algorithm used to recognise a particular piece of malware. Viruses also carry their own infection markers, by which they recognise files they have already infected and avoid corrupting their own code. Simple viruses, including most macro viruses, can be matched with character-based signatures; more complex viruses, such as polymorphic viruses, require algorithmic signatures or behavioural detection.
Social engineering – An attack based on tricking or deceiving users or administrators into revealing passwords or other information that compromises a target system’s security. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user.
Stealth Virus – Stealth viruses hide the modifications they make to your files or boot records, attempting to defeat anti-virus programs.
Virtual Private Networking (VPN) – a technology that overlays a communications network with a management and security layer. Through VPN technology, network managers can set up secure, authenticated and encrypted relationships while still enjoying the low cost of a public network such as the Internet.
Worm – malicious code that spreads by itself across a network, exploiting vulnerabilities or weak credentials on reachable hosts, without needing to attach itself to another program or wait for a user to run it. Unlike a virus it needs no host file. A worm often exhausts memory, CPU or bandwidth on the systems it infects, and modern worms also carry a payload such as ransomware.
Wi-Fi Protected Access (WPA) – a standards-based, interoperable security specification that uses the Temporal Key Integrity Protocol (TKIP) to provide improved over-the-air encryption of wireless data compared with WEP. TKIP has since been broken; WPA2 (AES-CCMP) or WPA3 should be used.
xDSL – the family of DSL technologies, offering much higher speeds than dial-up over existing copper lines. Most variants (such as ADSL) are asymmetric, with downstream rates many times the upstream rate; symmetric variants exist for business use.
Payments Glossary
The payments world is full of terminology and language that can often be confusing. We have put together a short glossary of terms to help you.
Acquirer – A member of a card association, for example MasterCard and/or Visa, which maintains merchant banking relationships and receives/settles all bankcard transactions from a merchant.
Biometric – a method of identifying the holder of a device by measuring a unique physical characteristic of the holder, e.g. by fingerprint matching, voice recognition or retinal scan
Card-Not-Present (CNP) – Transactions where neither the card nor its holder is present at the point of sale, e.g. orders by eCommerce, mail order or telephone order.
Contact cards – cards that require physical contact through an electronic connection surface between the card and the card reader or terminal device.
Contactless cards – cards that do not require physical contact between the card and the card reader or terminal.
Contactless Payments – payments made with devices that use short-range radio (RFID/NFC) to communicate with the terminal. The embedded chip and antenna let consumers tap or wave their card, fob or phone over a reader at the point of sale to initiate a transaction.
Electronic Point of Sale (EPoS) – computerised equipment that performs all the tasks of a store checkout counter. It accepts payments by debit or credit card, verifies transactions, provides sales reports and coordinates inventory data.
Electronic purse – a reloadable multipurpose prepaid card which may be used for small retail or other payments instead of coins.
Electronic wallet – a computer device used in some electronic money systems which can contain an IC card or in which IC cards can be inserted and which may perform more functions than an IC card.
Independent Sales/Service Organization (ISO) – Also called a Member Service Provider (MSP), an ISO is an outside company (not a MasterCard or Visa member) that is contracted by merchants to administer merchant and/or cardholder servicing.
Integrated Circuit (IC) card – a plastic card in which one or more integrated circuits are embedded. Also called chip card.
Interactive voice response (IVR) – a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via keypad.
Mail Order / Telephone Order (MOTO) – the purchase of goods or services where the order is placed by post or over the telephone and the card details are given without the card being present.
Multi bank connectivity – allows corporate customers to connect seamlessly with multiple banking partners through a centralised point.
Payment Gateway – to be able to run an eCommerce or mail order business you need a payment gateway. Payment gateways provide the tools to authorise and settle payment transactions between customers, businesses, and banks.
Payment Service Providers (PSP) – offers merchants online services for accepting electronic payments for a variety of payment methods.
Point of Sale / Point of Purchase (PoS/PoP) – the location where a transaction occurs. Typically refers to the terminal or computer used for a card present purchase.
Processor – a payment processor is a company (often a third party) appointed by a merchant to handle payment card transaction processing for the merchant, including managing settlement of funds to the merchant’s account with the acquiring bank.
Retail funds transfer system – a funds transfer system which handles a large volume of payments of relatively low value in such forms as cheques, credit transfers, direct debits, ATM and EFTPOS transactions.
Retail payments – all payments which are not included in the definition of large-value payments. Retail payments are mainly consumer payments of relatively low value and urgency.
Retailer card – a card issued by non-banking institutions, to be used in specified stores. The holder of the card has usually been granted a line of credit.
Secure Sockets Layer (SSL) – a protocol that secures communication over networks such as the Internet by encrypting the traffic and authenticating the server. All SSL versions are now deprecated; its successor, Transport Layer Security (TLS), is what current systems use, although the name "SSL" persists.
Payment Gateway Terminology
Acquirer (Acquiring Bank/Merchant Bank): A financial institution that provides accounts for merchants. Your merchant account at the acquiring bank receives funds when a transaction is complete. Acquirers are so named because they obtain (acquire) a merchant’s sales transactions and credit the order value to the merchant’s account.
API (Application Programming Interface): APIs provide users with pre-existing interfaces to program against which allows rapid and standardised application development.
Approval: A positive reply from a transaction authorisation request.
Arbitration: Process used by Acquirers to resolve a chargeback related dispute with an Issuer.
Authorisation: The approval or guarantee of funds given by the Card Issuer to the Acquirer.
BIN (Bank Identification Number): The number assigned by Visa and MasterCard to identify a member (Issuer or Acquirer) or processor for authorisation, clearing or settlement processing. The Issuer's BIN forms the first digits of the card number (historically six, with eight-digit BINs introduced from 2022). The Acquirer is likewise identified by the leading six digits of the merchant number. Visa card numbers always begin with a 4; MasterCard numbers begin with a 5 or, since 2017, with 2 (the 2221 to 2720 range).
Card Issuer: Financial institution that issues the payment card to the Cardholder.
Card Present Transaction: The card is present at the POS (Point of Sale) and read by a terminal, either by inserting the chip (EMV), tapping it contactlessly, or swiping the magnetic stripe.
Card Not Present (CNP) Transaction: Type of transaction where the card is not presented at the POS (Point of Sale) and no magnetic stripe is read. These are usually considered higher risk transactions.
Cardholder: Customer associated with the primary account number (or an additional authorized user) that requests a transaction from a merchant.
Cardholder-Initiated Chargeback: The cardholder contacts the Issuer within 90 days of a transaction and refuses to accept the charge.
Chargeback: A payment dispute initiated by the cardholder with their credit card issuing bank when a charge was not authorised by the cardholder or the goods were not delivered as promised. The amount of the disputed transaction is partially or completely reversed and immediately withdrawn from the merchant’s bank account. The merchant can dispute the chargeback with proof of purchase, signature, proof of delivery, etc.
Chargeback Fee: Amount charged to a Merchant, by an Acquirer, for processing a chargeback.
CVV (Card Verification Value): The 3-digit code printed in the signature panel on the back of the card (American Express uses a 4-digit code on the front), requested in card-not-present transactions to verify that the card is in the cardholder's possession. It must never be stored after authorisation, even encrypted.
Decline: Negative issuer response to an authorization request on card payment. Merchant must request a different form of payment.
E-Commerce (Electronic Commerce): A way of doing real-time business transactions via the Internet using any combination of technologies designed to exchange data (such as EDI or e-mail), access data (such as shared databases or electronic bulletin boards) and capture data (through bar coding and magnetic or optical character readers).
Encryption: Way of scrambling data to protect personal information.
Financial Institution: Any organization that supplies financial services such as commercial banks, thrifts, savings banks and credit unions.
Financial Transaction: A transaction from the Acquirer to the Issuer containing all the necessary data elements for authorization, posting and reconciliation.
Issuer/Issuing Bank: Member of MasterCard and/or Visa that issues payment cards.
Merchant: Seller of products or services.
Merchant Agreement: Contract between a Merchant and Acquirer that outlines payment processing rights and responsibilities.
Merchant Bank: See Acquirer.
MID (Merchant Identification Number/Merchant ID): Unique number assigned by an Acquirer to identify a specific merchant.
MOTO (Mail Order/Telephone Order): A classification of merchant account with a specific set of rules that is more restrictive than for retail merchants but enables a merchant to accept a credit card payment without a cardholder’s signature. The merchant and the cardholder do not need to be in the same physical location. MOTO accounts are also known as Card Not Present or CNP accounts.
MOTO Transaction: With a MOTO transaction the merchant never gets a physical signature from the customer – only the credit card number and expiration date are received to effect the payment.
Notification: A message where the sender notifies the receiver of an activity taken, requiring no approval or response.
Payment Cards: A broad term that encompasses all types of plastic cards used to make payments including credit, debit, stored value and prepaid.
Payment Gateway: Electronic connection between a Merchant and Acquirer that transmits payment data.
PIN (Personal Identification Number): A cardholder's secret identification number, entered at the terminal to complete an online debit transaction.
POS (Point of Sale): Usually associated with retail points-of-sale, but also applies to any initial point where the customer presents payment to the merchant, such as by telephone or Internet.
Real-Time Authorization: The merchant requests and receives an authorisation or decline for a credit card purchase while the customer is making the purchase. This typically takes 2-3 seconds.
Reconciliation: An exchange of messages between two institutions (Acquirer, Issuer or their agents) to reach agreement on their financial totals.
Recurring or Periodic Payment: A pre-authorized recurring transaction charged to a cardholders account (i.e. phone bill, memberships).
Retrieval Request: Request by an Issuer for a copy of the original sales ticket from the Acquirer.
Reversal: A transaction from the Acquirer to the Issuer informing the card issuer that the previously initiated transaction cannot be processed as instructed (i.e. is undeliverable, unprocessed or cancelled by the receiver).
Settlement: A transfer of funds to complete one or more prior transactions made, subject to final accounting.
Smart Card: A payment card with a built in chip to store information.
SSL (Secure Sockets Layer): A technological method, now superseded by TLS, used to transmit information submitted via a website securely in order to prevent unauthorised users gaining access to that information. When a user accesses a website secured with SSL/TLS, a padlock symbol is shown in the browser to indicate that the connection is encrypted and the server's certificate was accepted. The browser and server use the server's certificate and a key exchange to agree a fresh session key, and the information is then encrypted with that key before transmission and decrypted with the same key by the server. Note that the padlock says nothing about whether the site behind it is trustworthy or PCI compliant.
TID (Terminal Identification Number): Number that identifies a merchant to the front-end network. A unique number is assigned to each POS terminal.
Transaction: Transfer of goods or services between a customer and merchant that results in payment.
Transaction Date: Actual date transaction was made.
Transaction Fee: The amount a merchant pays per transaction for processing.