PCI Glossary of Terms
Approved Scanning Vendor (ASV) - To become PCI compliant, you'll need a successful scan certificate from an approved scanning vendor to certify you meet all technical requirements. The PCI Security Standards Council provides a list of approved ASVs.
Audit Log - A record of system activities ordered by date. This should be detailed enough to provide a sequence of events that lead back to the start of the transaction to the end.
Cardholder Data (CD) - Cardholder data consists of the full PAN - primary account number. Cardholder data may also appear with the following data: cardholder name, expiration date and/or service code.
Cardholder Data Environment (CDE) - This includes all processes and technology as well as the people that store, process or transmit customer cardholder data or authentication data, including connected system components and any virtualization components (i.e., servers, applications, etc.)
Encryption - This refers to the conversion of information into an unreadable form. Only people with a specific cryptographic key can access the information. This protects information between the encryption and decryption process against any unauthorized disclosure.
File Integrity Monitoring - This determines whether or not files or logs have been modified in any way. When certain critical files or logs are changed, PCI dictates that alerts should be sent to security personnel.
Firewall - This technology protects network resources from unauthorized access by permitting or denying traffic between networks with different security levels based on custom criteria. PCI compliant hosting options include different types of managed firewalls, including shared firewalls, virtual private firewalls and dedicated firewall appliances. A virtual private firewall is recommended for PCI compliance due to the privacy of the managed firewall services and the inclusion of Intrusion Detection Service (IDS) and Intrusion Prevention Service (IPS).
Intrusion Detection Service (IDS) - This refers to the software or hardware used to target and alert network or system intrusions. This system can include alert sensors, monitoring options and a centralized logging system to record events.
Intrusion Prevention Service (IPS) - Similar to the Intrusion Detection Service, IPS attempts to block possible intrusions detected by the IDS.
Payment Card Industry Data Security Standard (PCI DSS) - This was established by the large payment card brands, Visa, JCB International, American Express, Discover and MasterCard as a national standard for any merchant that intends to store, process or transmit credit cardholder data.
Penetration Test - These type of tests are conducted on network and applications as well as controls and processes around them in order to determine any vulnerabilities and the potential for access and security breaches. Penetration testing should include external and internal network tests.
Primary Account Number (PAN) - The primary account number is also referred to as account number or unique payment card number that identifies the issuer and cardholder account. It is typically for either credit or debit cards.
Private Network - Private networks use private IP address space and should be access-protected by firewalls and routers from a public network.
Service Provider - A non-payment brand business entity that is involved with the process, storage or transmittal of credit cardholder data. Any company that affects the security of cardholder data is included, i.e., a managed service or hosting provider that provides managed firewalls, IDS, etc.
System Components - The PCI SSC defines these as network, servers, virtualization components and applications. Network components may include firewalls, switches, routers, and other security appliances. Server types may include web, database, authentication and other devices. Applications include internal and external applications, including Internet-based.
The system component becomes part of the CDE if it stores, transmits or processes CD, or if it’s connected to another system that does the aforementioned. As such, any IT infrastructure that is part of the CDE becomes liable to scrutiny under PCI compliance laws, including any application or server provided by a third party.
Two-Factor Authentication - User authentication that requires two or more factors. For example, a hardware or software token, a user password or pin, or fingerprints and/or other biometric authentication method.