Payment Card Industry Data Security Standards (PCI DSS) are full of terminology and language that can often be confusing. We have put together a short glossary of terms to help you.
Acquirer – a bank or financial institution that initiates and maintains relationships with merchants for the acceptance of payment cards.
Application Penetration Testing – the security testing (hacking) of applications, manipulating them to assess whether security flaws exist that could give unauthorised access to resources, data and so on.
Approved Scanning Vendor (ASV) – a vulnerability assessment provider that offers automated software tools for scanning for vulnerabilities. ASV providers undergo regular assessment and regulation by the PCI SSC for the provision of technical security assessments.
Card Recon – an advanced PCI compliance software tool offered by IP Solutions which is used to perform cardholder data discovery on desktops, laptops, databases and servers.
Card Scheme – one of the five major credit card brands, which together make up the core of the PCI SSC: Visa Inc, MasterCard Worldwide, American Express, JCB International and Discover Financial Services.
Credit card data discovery – Finding credit card data stored in an organisation is one of the key and initial steps needed for compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).
Data breach – an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual not authorised to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
Descoping – removing something from the scope of a project. In the case of credit cards it means that the organisation no longer holds credit card data, e.g. IP Solutions securely stores the organisation's credit card data on its behalf within a pre-certified Level 1 PCI DSS environment.
Dynamic Transaction Switch (DTS) – a Microsoft .NET based transaction processing engine that resides on a secured and fault-tolerant telecommunication and server infrastructure. The DTS acts as the electronic transaction processing engine and supports a variety of products and services.
Encryption – the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorised people. Decryption is the process of converting encrypted data back into its original form so that it can be understood. In recent years, a controversy has arisen over so-called strong encryption.
Ethical Hacker – a person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent.
Gap – a gap analysis is an exercise to establish the “gap” or distance between an organisation’s current payment card environment and the requirements set out in the PCI DSS. The gap essentially gives an indication of how much work is needed to become PCI compliant.
Interactive Voice Response (IVR) – a technology that allows a computer to interact with humans through voice and DTMF tones entered via a keypad.
Legacy systems – outdated computer systems, programming languages or application software that are used instead of available upgraded versions.
Level 1 PCI DSS – merchants fall under four categories (levels) of PCI compliance, depending on the number of transactions they process each year and whether those transactions are performed from a brick-and-mortar location or over the Internet. Level 1 applies to merchants with Visa or MasterCard Worldwide transactions totalling 6 million and up per year, and to any merchant who has experienced a data breach.
LUHN formula – also called the modulus 10 (mod 10) check, a simple algorithm used to validate the number on a credit card. It works on cards issued by all the major credit card companies, including American Express, Visa, MasterCard, Discover and Diners Club. Originally created by a group of mathematicians in the 1960s, the LUHN formula is in the public domain, and anyone can use it.
Man In The Middle (MITM) – commonly refers to an attack (in this context against payment card data) on a payment transaction whereby the attacker intercepts sensitive payment data in transit between a customer and the payment application. Very often the customer is unaware that communications are being intercepted, hence the need for regular penetration testing and application security testing.
Merchant – an entity that trades goods and services and receives payment by means of credit or debit card.
Office of the Australian Information Commissioner (OAIC) – an independent Australian Government agency established under the Australian Information Commissioner Act 2010.
Payment Card Industry Security Standards Council (PCI SSC) – the global governing body for payment card security standards. The PCI Security Standards Council is responsible for the development, management, education, and awareness of the PCI Security Standards. These comprise the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS).
Payment Card Industry Data Security Standard (PCI DSS) – a document consisting of 12 requirements and various principles all designed to provide a framework to protect payment card data and systems.
Payment Relationship Manager (PRM) – the name used to describe the technology used within the IP Solutions online administration portal. The administration portal maintains relationships between payers and payments, credit cards and tokens, customers and invoices, etc.
PCI Compliant – refers to an organisation that has become compliant with the PCI DSS and has demonstrated this either through a Self-Assessment Questionnaire or through formal validation (audit) by a QSA firm.
Penetration Testing – a technical security audit undertaken by ethical hackers who assess infrastructure, networks and applications for security flaws.
PIN Transaction Security (PTS) – a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals.
Primary Account Number (PAN) – essentially a payment card number / credit card number (16 – 19 digits) whose final digit is a check digit generated according to the LUHN algorithm.
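The following is an added example, not part of the original glossary or IP Solutions software, illustrating the LUHN (mod 10) check and how a cardholder data discovery tool such as the one described under "Credit card data discovery" and "Card Recon" combines it with a digit-pattern search to find and mask candidate PANs in free text. The regular expression, the `find_pans`/`mask_pan` helpers, and the sample text are assumptions constructed for this illustration; the card numbers in the sample are the well-known publicly documented test numbers, not real accounts.

```python
import re

# Constructed pattern: 13 to 19 digits, optionally separated by single spaces
# or hyphens, not adjacent to other digits. Real discovery tools also handle
# other separators, file formats and encodings.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the LUHN (mod 10) check.

    Starting from the rightmost digit, every second digit is doubled; if the
    result exceeds 9, 9 is subtracted. The number is valid when the sum of
    all resulting digits is a multiple of 10.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single check digit that makes partial + digit LUHN-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial must contain only digits")


def mask_pan(pan: str) -> str:
    """Mask a PAN so that at most the first six and last four digits remain
    visible, the familiar form used on receipts and in reports."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Locate probable PANs in text: digit runs of card length that also pass
    the LUHN check. Returns masked findings only, never the raw PAN, so the
    scan report itself does not become cardholder data."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({
                "offset": m.start(),
                "length": len(digits),
                "masked": mask_pan(digits),
            })
    return findings


# Constructed sample: two public test card numbers plus a 13-digit phone-like
# number that has card length but fails the LUHN check.
SAMPLE_TEXT = (
    "Order 4412 paid with 4111 1111 1111 1111 (exp 12/26), "
    "phone 1234567890123, amex 378282246310005"
)


def scan_sample() -> list:
    """Run the discovery scan over the constructed sample text."""
    return find_pans(SAMPLE_TEXT)


if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

The LUHN check alone is only a filter, not proof: roughly one in ten random digit strings of the right length passes it, so a discovery tool reports candidates for a human to confirm, and the masked output keeps the report itself out of PCI DSS scope.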
Privacy Act – The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act includes ten National Privacy Principles (NPPs), which apply to certain private sector organisations, and 11 Information Privacy Principles (IPPs), which apply to Australian, ACT and Norfolk Island agencies.
Qualified Security Assessor (QSA) – is an Information Security and PCI expert who works for a QSA firm and who has been certified by the PCI SSC to be fit and proper to validate whether a company / environment is PCI compliant. A QSA consultant must belong to a registered and authorised firm.
Remediation – is an activity designed to close the gap between the current practice and environment where cardholder data is stored, processed or transmitted and the requirements of the PCI DSS. Such activity is generally also governed by project management and change control processes and often involves people, process and technology change.
Report on Compliance (ROC) – a report that shows that an environment has been validated by a QSA in accordance with the PCI DSS. The outcome of the validation assessment is a Report on Compliance opinion of Compliant or Not Compliant, depending on the evidence provided by the merchant or service provider to the QSA to support its compliance assertions. The report cites evidence against each of the 12 PCI DSS requirements demonstrating how compliance has been achieved.
Scope – is a piece of work undertaken by an entity that stores, processes or transmits cardholder data and that is validated by a QSA as part of a PCI compliance programme. The scope is a definition of the cardholder data environment against which the PCI DSS must be applied.
Service Provider – an entity that stores, processes or transmits cardholder data on behalf of merchants. Examples of service providers include hosting and payment services for merchants. Such providers do not have direct contractual relationships with acquiring institutions, other than for their own merchant activities, but nonetheless still fall into scope for the PCI DSS where they store, process or transmit payment card data on behalf of merchants. It is the merchant's responsibility to ensure that the service providers it uses operate in a way that is compliant with the PCI DSS.
Tokenisation – the process of replacing sensitive data with unique identification symbols (tokens) that retain all the essential information about the data without compromising its security. Tokenisation, which seeks to minimise the amount of data a business needs to keep on hand, has become a popular way for mid and large-sized businesses to bolster the security of credit card and e-commerce transactions while minimising the cost and complexity of compliance with industry standards and government regulations. When deployed correctly, tokenisation can be extremely effective at reducing the costs and risks associated with credit card processing and storage.
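An added example, not code from the original glossary or from IP Solutions, showing the mechanics behind the tokenisation and descoping entries: a token vault keeps the PAN, the merchant's own records keep only a token that carries no recoverable card number. The `TokenVault` class, the `tok_` token format, the keyed fingerprint used to give the same PAN the same token, and the sample card numbers (public test numbers) are all assumptions constructed for this illustration; in a real deployment the vault would run inside a separately secured, PCI-scoped environment rather than in the merchant's process.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Constructed token vault (illustration only).

    Tokens are random, so nothing about the PAN can be derived from a token;
    the only way back is a lookup in this vault. The last four digits are
    carried in the token because receipts and customer service need them.
    """

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._pan_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash of the PAN lets us find an existing token for a card
        # without keeping a plain-PAN index that an attacker could brute-force.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new random one if unseen."""
        fp = self._fingerprint(pan)
        existing = self._token_by_fingerprint.get(fp)
        if existing is not None:
            return existing
        while True:
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenise(self, token: str) -> str:
        """Recover the PAN; only the vault can do this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores after a sale: a token, never the PAN, so the
    record is outside the cardholder data environment (descoped)."""
    token = vault.tokenise(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_holds_pan(record: dict, pan: str) -> bool:
    """Check that the PAN does not appear anywhere in a stored record."""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")   # constructed key, not for real use
    rec = merchant_record(vault, "4111111111111111", 2599)
    print(rec)
    print("PAN present in merchant record:", record_holds_pan(rec, "4111111111111111"))
    print("vault can detokenise:", vault.detokenise(rec["token"]))
```

The design choice worth noting is that the token has no mathematical relationship to the PAN, which is what keeps merchant systems that hold only tokens out of PCI DSS scope; a scheme that merely encrypts the PAN and calls the ciphertext a "token" does not achieve that.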
Token – A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication.
Validation / Audit – refers to the final stage of PCI compliance whereby a Qualified Security Assessor (QSA) will validate and attest the compliance status of the environment under assessment for compliance with the PCI DSS.
Vulnerability Assessment – is a technical security audit that uses automated tools to test for security flaws, mis-configurations and weaknesses in infrastructure and applications (to a relatively limited extent).