A
Access Control: The process of granting or denying specific requests to obtain and use information and related information processing services.
Access Control List (ACL): A list of permissions attached to an object, specifying which users or system processes are granted access to the object and what operations are allowed.
Account Data: Any payment card data stored, processed, or transmitted by a merchant, such as primary account numbers (PAN) and cardholder data.
Acquirer: A financial institution that processes payment card transactions on behalf of merchants. The acquirer is responsible for ensuring that the merchants it works with comply with PCI DSS requirements.
Active Directory: A Microsoft directory service used to manage users, computers, and other devices on a network. It helps enforce access control and authentication policies.
Advanced Encryption Standard (AES): A widely used symmetric encryption algorithm that supports key lengths of 128, 192, and 256 bits. AES is considered secure and is used to protect sensitive data, including cardholder data.
Algorithm: A set of rules or steps used to solve a problem or perform a task, such as encrypting or decrypting data.
Anomaly Detection: The process of identifying unusual patterns or behaviors within a dataset or system, which may indicate a security threat or compromise.
Anti-Malware: Software designed to detect, prevent, and remove malicious software, such as viruses, worms, and ransomware.
Application Layer Firewall: A firewall that operates at the application layer of the OSI model, filtering traffic based on the content of the data packets, rather than just the source and destination IP addresses.
Application Security: The process of ensuring the security of software applications by identifying and mitigating vulnerabilities, implementing secure coding practices, and using security testing tools.
Approved Scanning Vendor (ASV): A third-party organization that has been authorized by the Payment Card Industry (PCI) Security Standards Council to perform external vulnerability scanning services for PCI DSS compliance.
Asset: Any item of value to an organization, such as hardware, software, data, or intellectual property.
Asymmetric Encryption: A type of encryption that uses a pair of keys – a public key and a private key – to encrypt and decrypt data. Also known as public key cryptography.
Attack Surface: The set of points in a system where an attacker can attempt to gain unauthorized access, exploit vulnerabilities, or compromise the system.
Attestation of Compliance (AOC): A formal document that attests an organization's adherence to PCI DSS requirements. The AOC is completed by either a Qualified Security Assessor (QSA) or an organization's internal security assessor and is submitted to the acquirer as proof of compliance.
Audit: A systematic examination of an organization's security controls, policies, and procedures to ensure compliance with a given set of standards, such as PCI DSS.
Audit Log / Audit Trail: A record of system activities, including user access and actions, security events, and other system-related information. Audit logs are used to monitor, detect, and investigate security incidents and ensure compliance with PCI DSS requirements.
Authentication: The process of verifying the identity of a user, device, or system attempting to access a resource.
B
Backup: A copy of data, software, or system configurations that can be used to restore the original in the event of data loss, corruption, or system failure.
Baseline Security: A set of minimum security measures or controls implemented to protect an organization's information systems and data from threats.
Biometrics: The use of unique physical or behavioral characteristics, such as fingerprints or facial recognition, to identify and authenticate individuals.
Blacklist: A list of entities, such as IP addresses, email addresses, or applications, that are blocked or denied access to a system due to known malicious activity or security risks.
Bluetooth: A wireless technology standard used for exchanging data between devices over short distances, which may pose security risks if not properly secured.
Botnet: A network of compromised computers, servers, or other devices that are remotely controlled by an attacker to perform malicious activities, such as launching distributed denial-of-service (DDoS) attacks.
Brute Force Attack: An attempt to crack a password or encryption key by systematically trying every possible combination of characters until the correct one is found.
Buffer Overflow: A vulnerability that occurs when an application writes more data to a buffer than it can hold, causing the excess data to overwrite adjacent memory locations and potentially leading to unauthorized access or system crashes.
Business Continuity Plan (BCP): A documented plan outlining the steps an organization will take to ensure the continued availability of critical functions and systems in the event of a disruption or disaster.
Business Impact Analysis (BIA): A process used to identify and assess the potential impact of a disruption on an organization's critical functions and systems, helping prioritize recovery efforts and develop business continuity plans.
BYOD (Bring Your Own Device): A policy that allows employees to use their personal devices, such as smartphones or laptops, for work-related activities, which may introduce security risks if not properly managed and secured.
Byte: A unit of digital information consisting of eight bits, commonly used to represent a single character of text or other data.
Backdoor: A hidden method of bypassing normal authentication or security controls to gain unauthorized access to a system, often created by an attacker or included intentionally by developers for debugging purposes.
Banner Grabbing: A technique used by attackers to gather information about a target system, such as the operating system or software versions, by analyzing the banners or other messages sent by the system during the connection process.
Bug: A flaw or error in software or hardware that can lead to unexpected behavior, security vulnerabilities, or system crashes.
C
Cardholder Data: Sensitive information associated with a payment card, such as the primary account number (PAN), cardholder name, expiration date, and service code.
Cardholder Data Environment (CDE): The set of systems, networks, and processes that store, process, or transmit cardholder data, as well as any connected systems that could impact the security of cardholder data. PCI DSS requirements apply to all components within the CDE.
Card Verification Code (CVC)/Card Verification Value (CVV): A security feature on payment cards, typically a three- or four-digit number, used to verify that the card is physically present during a transaction.
Certificate Authority (CA): A trusted organization that issues digital certificates to verify the identity of websites, individuals, or organizations, and ensure secure communication through encryption.
Change Management: The process of controlling and documenting changes to systems, software, or hardware to minimize the risk of disruptions, security vulnerabilities, or unauthorized modifications.
Checksum: A value calculated from a data set, such as a file or message, used to verify its integrity by detecting errors or alterations in the data.
Cipher: An algorithm used to encrypt or decrypt data, transforming it into an unreadable format to protect its confidentiality.
Ciphertext: Data that has been encrypted and is unreadable until decrypted using the appropriate key or algorithm.
Cloud Computing: The delivery of computing services, such as storage, processing power, and applications, over the internet from remote data centers, which may introduce new security risks and compliance considerations.
Cross-site Scripting (XSS): A type of web application vulnerability where an attacker injects malicious scripts into trusted websites, causing them to be executed by a victim's browser and potentially leading to data theft or unauthorized actions.
Cryptography: The practice of securing communication and data storage by using mathematical techniques to encrypt and decrypt information, ensuring its confidentiality, integrity, and authenticity.
Cryptographic Key: A value used in conjunction with a cryptographic algorithm to encrypt or decrypt data. In symmetric cryptography, the same key is used for both processes, while in asymmetric cryptography, separate keys (public and private) are used.
Cryptographic Key Generation: The process of creating secret cryptographic keys used in combination with cryptographic algorithms to encrypt and decrypt data. PCI DSS requires organizations to use strong and unique keys.
Customer Information: Any data related to customers, such as names, addresses, phone numbers, or email addresses, that may be subject to privacy regulations and require protection from unauthorized access or disclosure.
Cybersecurity: The practice of protecting computers, networks, and data from digital threats, such as unauthorized access, data breaches, malware, or denial-of-service attacks.
Compensating Controls: Alternative security controls implemented when an organization cannot meet a specific PCI DSS requirement due to technical or business constraints. Compensating controls must provide a similar level of protection to the original requirement and be approved by a Qualified Security Assessor (QSA) or the organization's internal security assessor.
Compliance: The process of adhering to established regulations, standards, or policies, such as PCI DSS, to ensure the security of sensitive data and the proper functioning of information systems.
Confidentiality: The principle of ensuring that sensitive information is accessible only to authorized individuals, systems, or entities, and is protected from unauthorized access or disclosure.
D
Data Breach: An incident in which unauthorized individuals gain access to sensitive information, such as payment card data, personal information, or intellectual property.
Data Encryption Standard (DES): A widely used symmetric-key encryption algorithm, now considered insecure due to its relatively short key length and susceptibility to brute-force attacks.
Data Flow Diagram: A visual representation of how data moves through an organization's systems and processes, often used to identify potential security risks or vulnerabilities.
Data Loss Prevention (DLP): Technologies and processes designed to prevent the unauthorized disclosure, alteration, or destruction of sensitive information, both in transit and at rest.
Default Account: A pre-configured user account, often created by software vendors or system administrators, which may have known usernames and passwords, increasing the risk of unauthorized access if not properly managed.
Default Password: A pre-set password provided by software vendors or hardware manufacturers, which should be changed by the user to prevent unauthorized access.
Denial of Service (DoS): An attack that overwhelms a system, network, or service with excessive traffic or requests, rendering it unavailable to legitimate users.
Digital Certificate: An electronic document issued by a certificate authority (CA) that verifies the identity of a website, individual, or organization and enables secure communication through encryption.
Digital Signature: A cryptographic technique used to verify the authenticity and integrity of a message, document, or software, by ensuring it has not been altered and was created by a specific sender.
Directory Traversal: A type of cyberattack where an attacker exploits vulnerabilities in web applications to access restricted directories and files, potentially leading to unauthorized access to sensitive information.
Disk Encryption: The process of encrypting an entire storage medium, such as a hard disk or USB drive, to protect the data it contains from unauthorized access or tampering.
Distributed Denial of Service (DDoS): A coordinated denial of service attack, where multiple systems are used to flood a target with excessive traffic or requests, overwhelming its resources and causing it to become unavailable.
DMZ (Demilitarized Zone): A network segment, often positioned between an organization's internal network and the internet, where public-facing systems are isolated to limit exposure and reduce the potential impact of a security breach.
Domain Name System (DNS): A hierarchical system for translating human-readable domain names (such as example.com) into the IP addresses used by computers to identify each other on the internet.
Dual Control: A security principle that requires two or more individuals to perform certain actions, such as approving a transaction or accessing sensitive information, to reduce the risk of fraud or error.
E
E-commerce: The buying and selling of goods and services over the internet, which may involve the processing of payment card data and require adherence to PCI DSS standards.
Encryption: The process of converting data into a coded form, using an encryption algorithm, to protect it from unauthorized access or tampering.
Encryption Algorithm: A mathematical formula used to encrypt and decrypt data, ensuring that only authorized parties with the correct decryption key can access the original information.
Encryption Key: A unique string of characters, known only to authorized parties, that is used to encrypt and decrypt data in a secure manner.
Endpoint Security: The practice of protecting devices such as computers, smartphones, and tablets from threats, vulnerabilities, and unauthorized access when connected to a network.
Enterprise Security: The strategies, policies, and technologies used to protect an organization's information, systems, and infrastructure from internal and external threats.
Event Log: A record of events, activities, or transactions within a system or network, which can be used to monitor and analyze system performance, security, and compliance.
Exfiltration: The unauthorized transfer or removal of data from a system or network, often as part of a cyberattack or data breach.
Exploit: A piece of software, a set of data, or a sequence of commands that takes advantage of a vulnerability in a system or application to cause unintended behavior or gain unauthorized access.
Extended Validation (EV) SSL Certificate: A type of digital certificate that provides a higher level of assurance regarding the identity of a website, organization, or individual by requiring more rigorous validation processes.
External Vulnerability Scanning: The process of identifying and assessing vulnerabilities in a system or network from an external perspective, often using automated tools to detect potential weaknesses.
Extranet: A private network that allows controlled access to authorized external users, such as business partners, customers, or suppliers, while maintaining security and privacy.
F
False Positive: An alert or detection by a security system that incorrectly identifies a benign activity or event as malicious, potentially leading to unnecessary investigations or actions.
Federated Identity: A method of linking and managing a user's identity across multiple systems or organizations, allowing for single sign-on (SSO) and simplified access control.
File Integrity Monitoring: A security process that involves monitoring and detecting changes to files and system components, such as configuration files or application binaries, to identify unauthorized modifications, malware, or other security threats.
File Level Encryption: A security measure that involves encrypting individual files or sets of files, as opposed to full-disk or whole-device encryption, to protect sensitive data.
File Transfer Protocol (FTP): A standard network protocol used for transferring files between a client and server over a TCP/IP-based network, such as the internet. Secure alternatives like FTPS or SFTP are recommended to ensure data privacy and integrity.
Firewall Rule: A configuration setting within a firewall that defines the criteria for allowing or blocking network traffic based on factors such as source, destination, port, or protocol.
Firmware: Software that is embedded within a hardware device, such as a router or payment terminal, to provide low-level control and management of the device's functions and operations.
Fuzz Testing: A type of software testing that involves inputting random, malformed, or unexpected data into a system or application to discover potential vulnerabilities, crashes, or other issues.
Failover: A backup operational mode in which the functions of a system component are assumed by a secondary component when the primary component becomes unavailable due to failure or scheduled maintenance.
False Negative: A failure of a security system to detect or alert on a malicious activity or event, allowing the threat to go unnoticed and potentially cause harm.
Full-Disk Encryption (FDE): A security measure that involves encrypting the entire storage drive of a device, including the operating system, applications, and data, to protect against unauthorized access.
First-Party Fraud: Fraud committed by the account holder, often involving the use of their own payment card or account, with the intention of defrauding the issuing bank or merchant.
Fraud Detection: The process of monitoring and analyzing transactions, events, or activities to identify and prevent fraudulent activities, such as unauthorized charges or account takeovers.
Function Level Access Control: A security mechanism that restricts access to specific functions or features within a system or application based on the user's role or privileges.
FIPS (Federal Information Processing Standards): A set of standards and guidelines for the security of non-classified information systems used by the United States federal government, including encryption algorithms and key management practices.
FPE (Format Preserving Encryption): An encryption method that maintains the original format of the plaintext data after it has been encrypted, enabling it to be processed or stored in systems that require specific formats without the need for decryption.
G
Gateway: A network device that acts as an intermediary between different networks, facilitating communication and data transfer while enforcing security policies and access controls.
GDPR (General Data Protection Regulation): A European Union regulation that governs the protection and processing of personal data, requiring organizations to implement appropriate security measures and obtain consent from individuals before collecting, storing, or processing their data.
Ghost Terminal: A fraudulent payment terminal or point of sale (POS) device, often designed to resemble a legitimate device, used by criminals to capture cardholder data during transactions.
Group Policy: A Microsoft Windows feature that enables administrators to centrally manage and enforce configurations, security settings, and other policies for users and computers within an Active Directory domain.
GUID (Globally Unique Identifier): A unique, 128-bit number used to identify resources, objects, or entities across different systems, ensuring that each identifier is distinct and not reused.
GRC (Governance, Risk, and Compliance): A management approach that encompasses the processes, policies, and tools used by organizations to ensure adherence to legal, regulatory, and industry requirements, as well as to manage and mitigate risks and support effective decision-making.
Greylisting: An anti-spam technique that temporarily rejects incoming emails from unknown or suspicious senders, requiring them to resend the message after a certain period, with the assumption that legitimate senders will retry while spammers will not.
GPG (GNU Privacy Guard): An open-source implementation of the Pretty Good Privacy (PGP) encryption standard, used for securing email communication, digital signatures, and other sensitive data.
GUI (Graphical User Interface): A type of user interface that allows users to interact with a system or application through graphical elements, such as buttons, icons, and menus, rather than text-based commands.
Gap Analysis: A process used to identify and assess the differences between an organization's current state and a desired or required state, such as compliance with a security standard or best practice.
Geolocation: The process of identifying the physical location of a device or user based on factors such as IP address, GPS data, or other network and device attributes.
Geofencing: A location-based security mechanism that establishes a virtual boundary around a specific geographical area, triggering actions or alerts when a device enters or leaves the defined area.
Granular Access Control: A security model that provides fine-grained control over user access to specific resources, functions, or data within a system or application, based on criteria such as user roles, privileges, or attributes.
Guard: In the context of information security, a guard is a security mechanism that enforces access control policies between different security domains or network segments, preventing unauthorized data flows or communications.
GSM (Global System for Mobile Communications): A widely used mobile communication standard that provides voice, data, and messaging services, including features such as encryption and authentication to protect against eavesdropping and unauthorized access.
H
Hash Function: A cryptographic algorithm that takes an input (or "message") and returns a fixed-size string of bytes, typically used for verifying data integrity by creating a unique "fingerprint" or "hash value" for a given piece of data.
Hashing: The process of applying a hash function to input data, resulting in a unique hash value that can be used for data integrity checks, password storage, or other security purposes.
HIDS (Host-based Intrusion Detection System): A security solution that monitors individual host systems, such as servers or workstations, for suspicious activity, unauthorized changes, or potential security threats, and alerts administrators when issues are detected.
HMAC (Hashed Message Authentication Code): A specific type of message authentication code (MAC) that combines a cryptographic hash function with a secret key, used to ensure the integrity and authenticity of transmitted data.
Honeypot: A security mechanism that simulates a vulnerable system or network resource, designed to attract and detect attackers or intruders, and gather information about their techniques and objectives.
HTTP (Hypertext Transfer Protocol): The primary protocol used for transmitting and receiving data over the World Wide Web, which defines how web browsers and servers communicate and exchange information.
HTTPS (Hypertext Transfer Protocol Secure): An extension of HTTP that incorporates encryption using SSL/TLS, providing secure communication and data transfer between web browsers and servers.
HTTP Strict Transport Security (HSTS): A security policy mechanism that enforces the use of HTTPS for all connections to a specific website, protecting against various attacks that attempt to downgrade or bypass SSL/TLS encryption.
Hardware Security Module (HSM): A specialized, tamper-resistant device used to manage and protect cryptographic keys, perform encryption and decryption operations, and ensure the secure storage and processing of sensitive data.
Heuristic Analysis: A method of detecting malware or other threats based on behavioral patterns, characteristics, or other indicators, rather than relying on specific signatures or known attributes.
Hot Site: A fully operational, off-site facility that can be quickly activated in the event of a disaster or disruption, providing an organization with the necessary infrastructure, resources, and connectivity to maintain critical operations and services.
Hybrid Cloud: A cloud computing model that combines elements of both public and private clouds, allowing organizations to balance the flexibility, scalability, and cost benefits of public cloud services with the control and security of private cloud infrastructure.
Hypervisor: A software or hardware component that creates and manages virtual machines, enabling multiple operating systems to run simultaneously on a single physical host.
High Availability: A system design approach that aims to ensure continuous operation and minimize downtime by incorporating redundancy, fault tolerance, and other measures to protect against hardware failures, software errors, or other disruptions.
Heap Overflow: A type of buffer overflow vulnerability that occurs when a program writes data beyond the allocated space in memory, potentially leading to crashes, data corruption, or the execution of arbitrary code by an attacker.
I
Identification: The process of recognizing and distinguishing a user, system, or device based on a unique identifier, such as a username, IP address, or device ID, which forms the basis for authentication and access control.
Identity and Access Management (IAM): A framework of policies, procedures, and technologies used to manage user identities, authenticate users, and enforce access controls, ensuring that only authorized individuals have access to specific resources and data.
Identity Proofing: The process of verifying a user's identity by confirming the authenticity of their personal information and credentials, such as government-issued identification documents, biometric data, or knowledge-based questions.
Incident Management: The process of identifying, analyzing, and responding to security incidents, including the containment, eradication, and recovery of affected systems, and the implementation of measures to prevent future occurrences.
Incident Response Plan: A documented set of procedures and guidelines for addressing security incidents, which outlines the roles and responsibilities of personnel, communication protocols, and steps for detecting, analyzing, and mitigating threats.
Information Security: The practice of protecting the confidentiality, integrity, and availability of information from unauthorized access, disclosure, modification, or destruction, through the application of administrative, technical, and physical controls.
Information Security Management System (ISMS): A systematic approach to managing and maintaining an organization's information security, which includes the establishment of policies, procedures, risk assessments, and controls, as well as the monitoring and continuous improvement of security measures.
Ingress Filtering: A network security technique that involves filtering incoming traffic based on source IP addresses, blocking packets from unauthorized or malicious sources, and preventing certain types of attacks, such as spoofing or denial-of-service (DoS).
Injection Attack: A type of security vulnerability that occurs when an attacker is able to insert or inject malicious code or commands into an application or system, potentially leading to unauthorized access, data theft, or other adverse consequences.
Insider Threat: A potential security risk originating from individuals within an organization, such as employees, contractors, or partners, who have access to sensitive information, systems, or resources, and may intentionally or unintentionally cause harm.
Integrity: A fundamental principle of information security that ensures the accuracy and consistency of data, preventing unauthorized modification or corruption, and providing assurance that information can be relied upon for its intended purpose.
Intrusion Detection System (IDS): A security solution that monitors network traffic or system activity for signs of unauthorized access, malicious activity, or potential security threats, and generates alerts or notifications when suspicious events are detected.
Intrusion Prevention System (IPS): An extension of intrusion detection systems that not only detects potential threats but also takes automated actions to block or prevent malicious activity, such as dropping packets, terminating connections, or reconfiguring network devices.
Internet of Things (IoT): A network of interconnected devices, such as sensors, appliances, or wearables, that communicate and exchange data over the internet, enabling various applications, services, and automation capabilities.
Inventory Management: The process of tracking and maintaining an organization's hardware, software, and other assets, including the identification, classification, and documentation of assets, as well as the implementation of controls to ensure their proper use and protection.
J
Jump Server: Also known as a jump host or bastion host, a jump server is a secure, intermediate server placed between a user's device and a target system or network, providing an additional layer of security and access control. It helps to mitigate the risk of unauthorized access or lateral movement within the network.
K
Key Management: The process of managing cryptographic keys, including their generation, distribution, storage, use, and disposal. Key management is crucial in ensuring the security of encrypted data, including cardholder data in the context of PCI DSS. Proper key management practices help maintain the confidentiality and integrity of sensitive data and are required for PCI DSS compliance.
Key Rotation: The practice of periodically changing cryptographic keys used for encryption and decryption to reduce the risk of unauthorized access to sensitive data. Key rotation is an important aspect of key management and can help organizations maintain compliance with PCI DSS by ensuring the ongoing security of encrypted cardholder data.
Keylogger: A type of malicious software or hardware that captures and records users' keystrokes, typically with the intent of stealing sensitive information such as passwords, credit card numbers, or other personal data. Protecting against keyloggers is essential for maintaining the security of cardholder data and achieving PCI DSS compliance.
L
Least Privilege: The principle of granting users or systems the minimum level of access necessary to perform their tasks or functions. This approach helps reduce the risk of unauthorized access to sensitive data, such as cardholder data, and is an important concept in achieving PCI DSS compliance.
Logging: The process of recording events, activities, or transactions in a computer system, application, or network. Logging is crucial for monitoring, auditing, and troubleshooting purposes and is required by PCI DSS for systems within the cardholder data environment.
Log Management: The process of collecting, storing, analyzing, and managing log data generated by systems, applications, and networks. Effective log management is essential for identifying and addressing potential security incidents, ensuring system integrity, and maintaining PCI DSS compliance.
Logical Access Control: A method of controlling access to computer systems, applications, or data based on user credentials, such as usernames, passwords, or access tokens. Logical access control is an important aspect of securing cardholder data and maintaining PCI DSS compliance.
M
Magnetic Stripe Data: Data stored on the magnetic stripe of a payment card, which includes the cardholder's name, the card number, and the expiration date. Protecting magnetic stripe data is crucial for maintaining cardholder data security and PCI DSS compliance.
Malware: Malicious software designed to infiltrate, damage, or compromise a computer system, network, or device without the user's consent. Protecting against malware is essential for maintaining the security of cardholder data and achieving PCI DSS compliance.
Masking: The process of concealing or obfuscating sensitive information, such as credit card numbers, by replacing it with other characters or symbols. Masking is often used to display only a portion of cardholder data, reducing the risk of unauthorized access and helping organizations maintain PCI DSS compliance.
Merchant: A business or organization that accepts payment cards as a form of payment for goods or services. Merchants are required to comply with PCI DSS to ensure the security of cardholder data.
Message Authentication Code (MAC): A short piece of information used to authenticate a message and confirm its integrity. MACs are commonly used in conjunction with encryption to ensure the security of sensitive data, such as cardholder data, during transmission.
Monitoring: The process of continuously observing and analyzing the operation of computer systems, networks, or applications to detect potential security issues or anomalies. Monitoring is an essential aspect of maintaining the security of cardholder data and achieving PCI DSS compliance.
MOTO (Mail Order/Telephone Order): A type of card-not-present transaction where a customer provides their payment card information to a merchant via mail or telephone. MOTO transactions are subject to PCI DSS requirements to ensure the security of cardholder data during processing, storage, and transmission.
Multi-factor Authentication (MFA): A method of verifying a user's identity by requiring two or more independent factors, such as something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., biometric). MFA is an important security measure for protecting cardholder data and is required by PCI DSS in certain circumstances.
N
NAT (Network Address Translation): A technique used to map one IP address space to another, often used to enable private IP addresses to communicate over the public internet. NAT can play a role in network security by hiding internal IP addresses and is sometimes used within the context of PCI DSS to protect cardholder data environments.
Network: A group of interconnected devices, such as computers, servers, and switches, that facilitate communication and data exchange. Ensuring the security of networks, particularly those within the cardholder data environment, is critical for maintaining PCI DSS compliance.
Network Access Control (NAC): A method of managing and controlling access to a network based on user or device identity, role, or other attributes. NAC is an important aspect of securing cardholder data and maintaining PCI DSS compliance by preventing unauthorized access to sensitive systems and data.
Network Segmentation: The practice of dividing a network into smaller, separate segments to improve security and manageability. In the context of PCI DSS, network segmentation can help isolate the cardholder data environment from other parts of the network, reducing the scope of compliance and the potential for unauthorized access.
Non-Consumer User: A user who is not a consumer or end customer, typically referring to employees, contractors, or other individuals with access to a company's systems, networks, or data. Non-consumer users may have access to sensitive cardholder data and should be subject to PCI DSS controls to ensure the security of that data.
Non-repudiation: The assurance that a party cannot deny the authenticity of their actions or the validity of a message or transaction. In the context of PCI DSS, non-repudiation can be important for proving the legitimacy of transactions and ensuring the accountability of parties involved in processing cardholder data.
Nonce: A unique, one-time value used in cryptographic operations, such as encryption or authentication, to prevent replay attacks. Nonce values can be used to ensure the freshness of a message or transaction and are sometimes employed as part of a secure communication protocol within the context of PCI DSS and information security.
Non-console Access: Remote access to a computer system or network device without using a directly connected physical console. Non-console access typically involves connecting to a system via a network or the internet, and proper security measures should be in place to protect cardholder data and maintain PCI DSS compliance during non-console access.
NTP (Network Time Protocol): A protocol used to synchronize the clocks of computers and devices over a network. Accurate timekeeping is important for activities such as logging and monitoring, which are required by PCI DSS to ensure the security and integrity of cardholder data environments.
O
OAuth: An open standard for secure access delegation, commonly used as a way for users to grant access to their information on one site to another site without sharing their credentials. In the context of PCI DSS, OAuth can be used for secure authentication and authorization between systems that handle cardholder data.
Obfuscation: The process of making data or code difficult to understand or interpret, often used as a security measure to protect sensitive information. Obfuscation can be applied to cardholder data to help protect it from unauthorized access and achieve PCI DSS compliance.
One-time Password (OTP): A unique, temporary password generated for a single use or session, often used as part of multi-factor authentication to enhance security. OTPs can be used to protect cardholder data and access to sensitive systems, as required by PCI DSS.
One-way Hash: A cryptographic function that takes an input and produces a fixed-size output, often referred to as a hash, which is unique for each unique input. One-way hashes are designed to be irreversible, making it difficult to determine the original input from the hash value. In the context of PCI DSS, one-way hashing can be used to protect stored cardholder data by rendering it unreadable.
Open-source Software: Software whose source code is made available to the public, allowing users to view, modify, and distribute the software. While open-source software can offer cost and flexibility benefits, it is important to ensure that any open-source software used within the cardholder data environment is secure and compliant with PCI DSS requirements.
Operating System: The software that manages a computer's hardware and software resources, providing a platform for applications to run. Ensuring the security and proper configuration of operating systems is crucial for maintaining the security of cardholder data and achieving PCI DSS compliance.
Out-of-band Authentication: A method of authentication that uses a separate, independent channel or mechanism to verify a user's identity, such as a phone call or text message. Out-of-band authentication can be used as part of multi-factor authentication to enhance security and help maintain PCI DSS compliance.
Outsourcing: The practice of contracting with a third-party organization to provide services or perform tasks that would otherwise be done in-house. When outsourcing services related to cardholder data or the cardholder data environment, it is crucial to ensure that third-party providers are PCI DSS compliant and have adequate security measures in place.
P
P2PE (Point-to-Point Encryption): A technology that encrypts cardholder data from the point of capture at the merchant until it reaches the payment processor, ensuring that the data remains unreadable even if intercepted. P2PE can help merchants achieve PCI DSS compliance by reducing the scope of their cardholder data environment.
PA-DSS (Payment Application Data Security Standard): A set of security requirements for payment applications that handle cardholder data, designed to ensure that these applications are secure and support merchants' PCI DSS compliance efforts.
PAN (Primary Account Number): The unique identifying number associated with a payment card, often printed on the card's front face. PANs are considered sensitive cardholder data and must be protected according to PCI DSS requirements.
Password: A secret combination of characters used to authenticate a user's identity and grant access to a system or account. PCI DSS mandates strong password policies to help protect cardholder data and maintain the security of the cardholder data environment.
Patch: A software update that addresses security vulnerabilities, bugs, or other issues. Regularly applying security patches is essential for maintaining PCI DSS compliance and ensuring the security of cardholder data.
Penetration Testing: A security testing process that simulates real-world attacks on a system or network to identify vulnerabilities and weaknesses. PCI DSS requires regular penetration testing of the cardholder data environment to ensure its security.
Personal Identification Number (PIN): A unique, secret numeric code used to authenticate a user's identity, often in conjunction with a payment card. PINs are considered sensitive authentication data under PCI DSS and must be protected accordingly.
Phishing: A type of social engineering attack where an attacker attempts to deceive users into revealing sensitive information, such as passwords or credit card numbers, by masquerading as a trustworthy entity. Phishing attacks can pose a threat to cardholder data and must be addressed as part of a comprehensive PCI DSS security program.
Physical Security: The protection of an organization's facilities, assets, and personnel from unauthorized access, damage, or theft. Physical security measures, such as access controls and surveillance systems, are an important part of PCI DSS compliance to ensure the security of cardholder data.
PKI (Public Key Infrastructure): A system that manages the creation, distribution, and revocation of public key certificates for use in public key cryptography. PKI can be used to secure communications and authenticate users within the cardholder data environment, supporting PCI DSS compliance.
Point of Sale (POS): The physical location or system where a customer makes a payment for goods or services. Ensuring the security of POS systems and the cardholder data they process is critical for maintaining PCI DSS compliance.
Port Scanning: A method of probing a network or system to identify open ports and potentially vulnerable services. Regular port scanning is part of PCI DSS requirements to ensure the security of the cardholder data environment.
Privacy: The protection of an individual's personal information from unauthorized access, use, or disclosure. Privacy is an important consideration for organizations that handle cardholder data, and PCI DSS requirements help support privacy by mandating the protection of sensitive information.
Privilege Escalation: The process of exploiting a vulnerability or misconfiguration to gain elevated access or privileges on a system or network. Preventing privilege escalation is an important part of PCI DSS compliance to protect cardholder data from unauthorized access.
Pseudonymization: The process of replacing sensitive data with non-sensitive substitutes or pseudonyms, in a way that makes it difficult to re-identify the original data. Pseudonymization can be used as a technique to protect cardholder data and reduce the scope of PCI DSS compliance requirements.
Public Key Cryptography: A cryptographic system that uses a pair of keys, a public key and a private key, to secure communications and authenticate users. Public key cryptography can be used to protect cardholder data and support PCI DSS compliance by ensuring the confidentiality, integrity, and authenticity of data and communications.
Q
QSA (Qualified Security Assessor): A professional certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess an organization's compliance with PCI DSS requirements. QSAs play a crucial role in ensuring the security of cardholder data by verifying that companies have implemented the necessary controls and processes.
QR Code: A two-dimensional barcode that can be scanned and read by smartphones or other devices equipped with a QR code reader. QR codes can be used in payment processing and other applications, but organizations using QR codes should ensure that they are used securely and in compliance with PCI DSS requirements.
Quality of Service (QoS): A measure of the performance of a network or system in terms of throughput, delay, and other factors. In the context of PCI DSS, maintaining an appropriate level of QoS is important to ensure the availability and reliability of cardholder data and the systems that process it.
Quarantine: The process of isolating potentially malicious or compromised systems, files, or users from a network or system to prevent further damage or data loss. Implementing quarantine measures can be a key part of incident response and maintaining PCI DSS compliance in the face of security threats.
Query: A request for information or data from a database, system, or network. In the context of PCI DSS, organizations should ensure that queries related to cardholder data are appropriately controlled and monitored to prevent unauthorized access or data leakage.
R
Ransomware: A type of malicious software that encrypts a victim's files or data, demanding a ransom to restore access. Organizations must implement strong security measures, including regular backups and malware protection, to prevent ransomware attacks and maintain PCI DSS compliance.
RBAC (Role-Based Access Control): A method of managing user access to resources and functions based on their roles or job responsibilities. RBAC is a recommended practice in PCI DSS to ensure that users have the minimum necessary access to cardholder data and related systems.
Real-time Monitoring: The continuous observation and analysis of a system or network to detect and respond to security events as they occur. Real-time monitoring is an important aspect of PCI DSS compliance, as it helps organizations identify and address security threats promptly.
Red Team: A group of security professionals that simulate real-world attacks on an organization's systems and networks to identify vulnerabilities and weaknesses. Red team exercises can support PCI DSS compliance efforts by providing valuable insights into the security of the cardholder data environment.
Remote Access: The ability to access a computer, network, or system from a location other than where the resource is physically located. PCI DSS requires organizations to implement strong security controls, such as multi-factor authentication, to secure remote access to cardholder data and related systems.
Replay Attack: A type of cyberattack in which an attacker intercepts and retransmits a valid message or session to gain unauthorized access or manipulate the system. Organizations must implement appropriate security measures, such as encryption and secure session management, to prevent replay attacks and maintain PCI DSS compliance.
Residual Risk: The remaining risk after an organization has implemented security controls and measures to mitigate identified risks. Understanding and managing residual risk is important for maintaining PCI DSS compliance and ensuring the ongoing security of cardholder data.
Response Plan: A documented set of procedures and guidelines for identifying, responding to, and recovering from security incidents. Having a well-defined and tested response plan is essential for maintaining PCI DSS compliance and minimizing the impact of security breaches.
Risk: The potential for loss or damage due to a threat or vulnerability. PCI DSS requires organizations to conduct regular risk assessments to identify and mitigate risks related to cardholder data and related systems.
Risk Assessment: A systematic process of evaluating the potential risks that may be involved in an organization's activities and operations. PCI DSS requires organizations to conduct regular risk assessments to identify and address risks to cardholder data and related systems.
Risk Management: The process of identifying, assessing, and prioritizing risks, as well as implementing appropriate controls and measures to mitigate them. Risk management is a key component of PCI DSS compliance and ensuring the security of cardholder data.
Risk Mitigation: The process of implementing controls and measures to reduce the likelihood or impact of identified risks. Risk mitigation is an important aspect of PCI DSS compliance and helps organizations protect cardholder data and maintain the security of their cardholder data environment.
Rootkit: A type of malicious software that hides its presence on a system, often by modifying operating system components or processes. Organizations must implement strong malware protection measures to detect and remove rootkits and maintain PCI DSS compliance.
Router: A network device that forwards data packets between computer networks, helping to route traffic between different systems and networks. Routers play a crucial role in the security of cardholder data environments and must be properly configured and maintained to ensure PCI DSS compliance.
RSA: A widely-used public key cryptosystem that enables secure data transmission and digital signatures. RSA can be used to protect cardholder data and support PCI DSS compliance by ensuring the confidentiality, integrity, and authenticity of data and communications.
Rule-based Access Control: An access control model that manages user access to resources and functions based on specific rules or conditions. Rule-based access control can be used in combination with role-based access control (RBAC) to ensure that users have the minimum necessary access to cardholder data and related systems, as required by PCI DSS.
Runtime Application Self-Protection (RASP): A security technology that monitors application execution and detects and prevents real-time attacks by analyzing application behavior. Implementing RASP can help organizations strengthen the security of their cardholder data environment and support PCI DSS compliance efforts.
S
SaaS (Software as a Service): A software licensing and delivery model in which applications are provided over the internet, rather than installed locally on individual devices. When using SaaS solutions that involve cardholder data, organizations must ensure that the provider meets PCI DSS requirements.
Safe Harbor: A set of data protection principles that help organizations transfer personal data across international borders while maintaining compliance with privacy laws. PCI DSS does not specifically address safe harbor, but organizations must ensure that they comply with all applicable data protection regulations when handling cardholder data.
Salt: Random data that is combined with a password or other sensitive information before being hashed, in order to increase the complexity and security of the hash. Salting is a recommended practice for protecting stored passwords and maintaining PCI DSS compliance.
Scoping: The process of determining the systems, networks, and components that are in scope for PCI DSS compliance. Scoping is an essential step in ensuring that an organization has properly implemented the necessary security controls to protect cardholder data.
SDLC (Software Development Life Cycle): The process of planning, designing, building, testing, and maintaining software applications. Organizations must follow secure SDLC practices when developing applications that process, store, or transmit cardholder data in order to maintain PCI DSS compliance.
Secure Coding: The practice of developing software applications in a way that reduces the likelihood of security vulnerabilities and risks. Secure coding is essential for maintaining PCI DSS compliance and ensuring the security of cardholder data.
Secure Sockets Layer (SSL): A cryptographic protocol for securing communications over a computer network. While SSL has been replaced by the more secure Transport Layer Security (TLS) protocol, the term is still commonly used to refer to the technology. PCI DSS requires organizations to use strong encryption, such as TLS, to protect cardholder data during transmission.
Security Event: An occurrence or activity that indicates a potential threat to the security of an organization's information systems or data. Organizations must implement monitoring and alerting mechanisms to detect security events and maintain PCI DSS compliance.
Security Information and Event Management (SIEM): A type of software solution that collects, analyzes, and correlates security event data from various sources, helping organizations detect and respond to security incidents. Implementing a SIEM solution can support PCI DSS compliance efforts by providing visibility into the security of the cardholder data environment.
Security Policy: A set of documented rules and guidelines that define an organization's approach to information security and the protection of sensitive data, such as cardholder data. PCI DSS requires organizations to establish, maintain, and enforce a comprehensive security policy.
Segmentation: The practice of separating different parts of a network or system to limit the potential impact of a security breach and reduce the scope of PCI DSS compliance. Network segmentation can be achieved through the use of firewalls, routers, or other security devices.
Sensitive Authentication Data (SAD): Data used to authenticate a cardholder or transaction, such as full magnetic stripe data, card verification codes (CVC), and personal identification numbers (PIN). PCI DSS prohibits the storage of sensitive authentication data after transaction authorization.
Service Provider: A company that provides services to merchants or other entities that involve the processing, storage, or transmission of cardholder data. Service providers must comply with PCI DSS requirements and are subject to validation by qualified security assessors (QSAs).
Social Engineering: A type of attack in which an attacker manipulates people into revealing sensitive information or performing actions that compromise security. Organizations must implement security awareness.
T
Third-Party Service Provider: An organization that provides services to another organization, which may involve the processing, storage, or transmission of cardholder data. Third-party service providers must comply with PCI DSS requirements and may be subject to validation by qualified security assessors (QSAs).
Threat Modeling: A structured approach to identifying, quantifying, and addressing security threats and vulnerabilities in an organization's information systems. Threat modeling can help organizations prioritize security efforts and maintain PCI DSS compliance.
Three-Domain Secure (3-D Secure): An authentication protocol designed to enhance the security of online credit and debit card transactions by verifying the cardholder's identity at the time of purchase. Implementing 3-D Secure can help merchants reduce fraud and support PCI DSS compliance.
Tokenization: A process that replaces sensitive data, such as cardholder data, with unique non-sensitive identifiers called tokens. Tokenization can help organizations reduce the risk of data breaches and maintain PCI DSS compliance by minimizing the amount of sensitive data stored in their systems.
Transaction Authorization: The process by which a card issuer approves or declines a transaction based on the available funds, card status, and other factors. PCI DSS requires merchants to protect cardholder data during and after transaction authorization.
Transaction Data: Information related to a payment card transaction, such as the cardholder's name, account number, and transaction amount. PCI DSS mandates the protection of transaction data, both in storage and during transmission.
Transaction Identifier (Transaction ID): A unique reference number assigned to each payment card transaction, which can be used to trace the transaction through the payment processing system. Transaction identifiers are not considered sensitive data under PCI DSS.
Transport Layer Security (TLS): A cryptographic protocol that provides secure communication over a computer network, replacing the older Secure Sockets Layer (SSL) protocol. PCI DSS requires organizations to use strong encryption, such as TLS, to protect cardholder data during transmission.
Trusted Platform Module (TPM): A hardware component that provides cryptographic functions and secure storage for sensitive data, such as encryption keys. TPMs can help organizations enhance the security of their cardholder data environment and maintain PCI DSS compliance.
Trusted Third Party (TTP): An organization or individual that acts as an impartial intermediary between two or more parties, providing trust services such as identity verification, key management, or cryptographic services. TTPs can play a role in the security of cardholder data and the overall PCI DSS compliance process.
Trusted Zone: A segment of a network or system that is considered secure and protected from unauthorized access. Organizations must implement appropriate access controls and security measures to ensure that cardholder data remains within the trusted zone and maintains PCI DSS compliance.
Tunneling: The process of encapsulating one network protocol within another, typically for the purpose of securely transmitting data across a public network. Tunneling can be used to protect cardholder data during transmission, as required by PCI DSS.
Two-Factor Authentication (2FA): A method of verifying a user's identity by requiring them to provide two separate pieces of evidence, typically something they know (e.g., a password) and something they possess (e.g., a hardware token or smartphone). PCI DSS requires two-factor authentication for remote access to the cardholder data environment.
Twofish: A symmetric-key block cipher that was a finalist in the competition to select the Advanced Encryption Standard (AES). While Twofish is not as widely used as AES, it is considered to be a secure encryption algorithm and can be used to protect cardholder data in compliance with PCI DSS requirements.
U
Unique Identifier (UID): A distinct and non-reusable value assigned to a specific entity, such as a user, system, or device, to differentiate it from others. Unique identifiers can be used to track and manage access to cardholder data and help maintain PCI DSS compliance.
Unified Threat Management (UTM): An approach to information security that combines multiple security functions, such as firewall, intrusion detection, and antivirus, into a single solution. UTM can help organizations streamline their security efforts and maintain PCI DSS compliance.
Untrusted Network: A network that is not under the control of the organization and is considered potentially hostile or insecure. PCI DSS requires organizations to implement security measures to protect cardholder data when transmitted over untrusted networks.
User Acceptance Testing (UAT): A phase of software development where the intended users test the system to ensure it meets their requirements and functions correctly. UAT can help organizations identify and remediate potential security issues before they impact cardholder data and PCI DSS compliance.
User Account Management: The process of creating, maintaining, and deleting user accounts, as well as assigning and managing access rights and permissions. PCI DSS requires organizations to implement strong user account management practices to protect cardholder data.
User and Entity Behavior Analytics (UEBA): A security approach that leverages machine learning and advanced analytics to identify anomalous behavior and potential threats by analyzing user and system activity. UEBA can help organizations detect and respond to security incidents that may impact PCI DSS compliance.
User Identification: The process of uniquely identifying a user attempting to access a network or system, typically through the use of a username, email address, or other identifier. User identification is a critical component of access control and PCI DSS compliance.
User-Managed Access (UMA): A protocol that enables users to manage and control access to their personal data by third-party applications and services. UMA can help organizations ensure that cardholder data is only accessed by authorized parties and maintain PCI DSS compliance.
User Training and Awareness: The process of educating users about security best practices, policies, and procedures to help protect cardholder data and maintain PCI DSS compliance. User training and awareness is a key component of a comprehensive information security program.
V
Validation: The process of confirming that a system, application, or process meets specific requirements, such as security controls or PCI DSS requirements. Validation helps ensure that security measures are effective and functioning as intended.
Virtual Local Area Network (VLAN): A logical grouping of network devices that can span multiple physical network segments. VLANs can be used to segregate network traffic, such as cardholder data, to improve security and maintain PCI DSS compliance.
Virtual Machine (VM): A software-based emulation of a physical computer system that runs on a host system. VMs can be used to isolate sensitive environments, such as those containing cardholder data, from other systems, helping to maintain PCI DSS compliance.
Virtual Private Network (VPN): A secure network connection that uses encryption and tunneling to transmit data between remote users and a private network. VPNs can help protect cardholder data when transmitted over untrusted networks, supporting PCI DSS compliance.
Virtualization: The process of creating multiple virtual instances of a computer system, such as a server or desktop, on a single physical hardware platform. Virtualization can help organizations improve security and maintain PCI DSS compliance by isolating sensitive environments and reducing the attack surface.
Virus: A type of malicious software that can replicate itself and spread from one system to another, often causing harm or unauthorized access to data. Protecting systems against viruses is an important aspect of maintaining PCI DSS compliance.
Vulnerability: A weakness in a system, application, or process that can be exploited by an attacker to gain unauthorized access or cause harm. Identifying and mitigating vulnerabilities is a critical component of PCI DSS compliance and overall information security.
Vulnerability Assessment: A process of identifying, quantifying, and prioritizing vulnerabilities in a system or environment. Vulnerability assessments can help organizations identify and remediate security risks and maintain PCI DSS compliance.
Vulnerability Management: An ongoing process of identifying, evaluating, and mitigating vulnerabilities in systems and applications to reduce the risk of security incidents. Vulnerability management is an important aspect of PCI DSS compliance and overall information security.
Vulnerability Scanning: The process of using automated tools to scan systems and networks for known vulnerabilities. Regular vulnerability scanning is a requirement of PCI DSS and helps organizations identify and address security risks.
W
Web Application Firewall (WAF): A security solution that monitors, filters, and blocks HTTP traffic to and from web applications. WAFs can help protect web applications from common attacks, such as cross-site scripting (XSS) and SQL injection, and support PCI DSS compliance by providing an additional layer of security.
Weak Cryptography: The use of cryptographic algorithms or key lengths that are no longer considered secure due to advances in computing power or the discovery of vulnerabilities. Using weak cryptography can put cardholder data at risk and may result in non-compliance with PCI DSS requirements.
Whitelisting: The practice of explicitly allowing only known, trusted entities, such as IP addresses or applications, to access a system or network. Whitelisting can help reduce the attack surface and improve security, supporting PCI DSS compliance.
Wireless Access Point (WAP): A networking device that allows wireless devices to connect to a wired network. Securing WAPs and segregating wireless traffic containing cardholder data are important aspects of PCI DSS compliance.
Wireless Intrusion Prevention System (WIPS): A security solution designed to detect, prevent, and mitigate unauthorized access or attacks on wireless networks. WIPS can help organizations protect their wireless networks and maintain PCI DSS compliance.
Wireless Local Area Network (WLAN): A network that connects devices using wireless communication protocols, such as Wi-Fi. Securing WLANs and segregating wireless traffic containing cardholder data are important aspects of PCI DSS compliance.
X
XSS (Cross-Site Scripting): A type of security vulnerability typically found in web applications, which allows attackers to inject malicious scripts into web pages viewed by other users. Protecting against XSS attacks is essential for ensuring the security of web applications that handle cardholder data and maintaining PCI DSS compliance.
X.509: A standard for digital certificates used in public key infrastructure (PKI) systems to establish secure communications between entities over a network. X.509 certificates are used in secure communication protocols such as TLS/SSL, which help protect cardholder data during transmission and support PCI DSS compliance.
Z
Zero-Day Vulnerability: A security flaw in software or hardware that is unknown to the vendor and has not yet been patched. Zero-day vulnerabilities can be exploited by attackers before the vendor releases a fix, potentially compromising systems and data, including cardholder data. Addressing zero-day vulnerabilities is important for maintaining PCI DSS compliance and overall information security.
Zone-based Firewall: A type of firewall configuration that segments a network into multiple security zones, each with its own policies and rules. Zone-based firewalls can help organizations protect sensitive data, such as cardholder data, by restricting access to specific network segments, which supports PCI DSS compliance.