Print out our handy glossary of essential Payment Card Industry Data Security Standard (PCI DSS) terminology for a fast reference. Online, each term links to a full definition which also includes resources for further learning.
AAA server -- a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services.
access control -- a security technique that can be used to regulate who or what can view or use resources in a computing environment.
adware – software that displays advertising while it’s running; often tracks user information and shares with third parties.
AES (Advanced Encryption Standard) -- a symmetric block cipher used by the U.S. government to protect classified information that is implemented in software and hardware throughout the world to encrypt sensitive data.
ANSI (American National Standards Institute) -- the primary organization for fostering the development of technology standards in the United States.
attack vector -- a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome.
audit trail -- also known as an audit log, a chronological record of system events (logins, privilege use, access to cardholder data, configuration changes) that lets an action be reconstructed and attributed to a specific user or process. PCI DSS requires such logs for every component in the cardholder data environment, and requires that they be protected from alteration and reviewed regularly.
authentication -- the process of determining whether someone or something is, in fact, who or what it is declared to be, as a means of securing access to a given resource.
authorization -- the process of granting someone permission to do or have something. In multi-user computer systems, a system administrator defines which users are allowed access to the system and what privileges of use they are cleared for; authorization happens after authentication has established who the user is.
authentication, authorization, and accounting (AAA) -- a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
authentication factor -- a category of credential used to verify identity. The three main categories are knowledge factors (things the user knows), possession factors (things the user has) and inherence factors (things the user inherently is).
backup -- the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe.
biometric authentication -- a type of security system that uses the unique biological characteristics of individuals to verify identity for secure logins into electronic systems.
California Security Breach Information Act -- California state legislation requiring organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised.
card verification value (CVV) -- the three- or four-digit code (called CVV2, CVC2 or CID depending on the card brand) printed on a payment card, together with the value encoded on its magnetic stripe, used to check that whoever presents the card number also has the physical card. Under PCI DSS the code is sensitive authentication data and must never be stored after authorization, even in encrypted form.
Chief Compliance Officer (CCO) -- a corporate official in charge of overseeing and managing compliance issues within an organization, ensuring, for example, that a company is complying with regulatory requirements, and that the company and its employees are complying with internal policies and procedures.
cardholder data (CHD) -- the primary account number (PAN) of a payment card belonging to a cardholder, along with any of the following data types: cardholder name, expiration date or service code (a three-digit number encoded on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic-stripe-read transaction). The PAN is the defining element: name, expiration date and service code are cardholder data only when stored with the PAN.
cardholder data environment (CDE) -- the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, together with any system component that directly connects to or supports that environment. Everything in the CDE is in scope for PCI DSS; network segmentation is what keeps other systems out of scope.
claims-based identity -- a means of authenticating an end user, application or device to another system in a way that abstracts the entity’s specific information while providing data that authorizes them for appropriate and relevant interactions.
column-level encryption -- a method of database encryption in which every value in a particular column is protected with the same cryptographic key, so that the column (for example, the PAN column) can be rendered unreadable while other columns remain queryable in plaintext. Protection of the key, not the ciphertext, is what the approach relies on, so the key must not be stored alongside the data.
compensating control -- a security measure that meets the intent and rigor of a PCI DSS requirement that cannot be met as stated because of a documented technical or business constraint; the control must provide a comparable level of defense and be reviewed by the assessor.
compliance -- a state in which someone or something is in accordance with established guidelines, specifications, or legislation.
compliance audit -- a comprehensive review of an organization's adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations.
computer forensics -- the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.
control framework -- a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.
cross-site scripting (XSS) -- a vulnerability in which an attacker injects script into a web page (via a crafted link, a form field or stored content) so that it executes in other users' browsers with the page's privileges, typically to steal session cookies or act on the victim's behalf.
cross-site tracing (XST) -- a variant of cross-site scripting that abuses the HTTP TRACE method, which echoes the request back to the client, to read headers such as cookies that are otherwise hidden from script; it is prevented by disabling TRACE on the web server.
cryptographic key -- a variable value that is applied using an algorithm to a string or block of unencrypted text to produce encrypted text, or to decrypt encrypted text.
cryptoperiod -- sometimes called a key lifetime or a validity period, a specific time span during which a cryptographic key setting remains in effect.
data at rest -- data in computer storage rather than traversing a network or temporarily residing in computer memory to be read or updated.
data breach -- an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.
data destruction -- the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.
data masking -- a method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training. The purpose is to protect the actual data while having a functional substitute for occasions when the real data is not required.
DMZ (demilitarized zone) -- a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.
egress filtering -- a process in which outbound data is monitored or restricted, usually by means of a firewall that blocks packets that fail to meet certain security requirements.
encryption -- the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.
Electronic Industries Alliance (EIA) -- a consortium that made decisions about data transmission standards.
FIPS (Federal Information Processing Standards) -- a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
firewall -- a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic based on a set of rules.
four-factor authentication (4FA) -- the use of four types of identity-confirming credentials to authenticate the user, typically the three common knowledge, possession and inherence factors plus location, although time is sometimes considered the fourth factor.
Gramm-Leach-Bliley Act (GLB) -- federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
hard-drive encryption -- a technology that encrypts the data stored on a hard drive using sophisticated mathematical functions.
hashing -- the transformation of a string of characters into a fixed-length value that represents the original string and cannot feasibly be reversed (a one-way function). Besides indexing data, hashes are used for integrity checks and password storage; in PCI DSS a strong one-way hash of the entire PAN is one accepted way to render stored PANs unreadable, and a keyed hash (HMAC) is needed to stop an attacker from simply hashing every possible card number and comparing.
HTTPS (HTTP Secure) -- HTTP carried over Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL), so that the request and response are encrypted and the server is authenticated by its certificate.
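The data masking, hashing and sensitive-information entries in this glossary come together in one everyday PCI task: keeping full PANs out of logs and displaying or storing them in a non-reversible form. The following is an added example, not code from the original page or from the PCI SSC; the log line, the hash key and the test card numbers (4111111111111111 is a public test number) are constructed for illustration, and the key would in practice come from a key-management system, not from source.

```python
import hashlib
import hmac
import re

# Constructed sample: an application log line that leaked a full PAN.
# 4111111111111111 is a public test number, not a real account.
SAMPLE_LOG = (
    "2024-05-01T12:00:03Z INFO order=8812 pan=4111111111111111 amount=19.99 "
    "ref=1234567890123 status=approved"
)

# Assumed per-deployment secret for the keyed one-way hash of the PAN.
# In a real CDE this lives in an HSM or key-management system, never in code.
HASH_KEY = b"example-key-rotate-per-cryptoperiod"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check
    that every payment card PAN satisfies."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Data masking for display: at most the first six and last four
    digits are shown; the middle digits are replaced."""
    if len(pan) < 13:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA256) of the *entire* PAN. An unkeyed
    hash of a 16-digit PAN with a known BIN can be reversed by brute force,
    so the key is what makes the value non-reversible to an attacker."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list[str]:
    """Find digit runs of card-number length that also pass Luhn. The Luhn
    filter discards most order numbers and timestamps a plain regex flags."""
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [c for c in candidates if luhn_valid(c)]


def redact_log_line(line: str) -> str:
    """Replace every PAN found in a log line with its masked form."""
    for pan in find_pans(line):
        line = line.replace(pan, mask_pan(pan))
    return line


if __name__ == "__main__":
    print(redact_log_line(SAMPLE_LOG))
    print(hash_pan("4111111111111111", HASH_KEY))
```

Two caveats a reviewer would raise: the Luhn filter reduces false positives but does not eliminate them, so a production redactor should also key on field names; and if both the masked and the hashed form of the same PAN are kept, PCI DSS requires controls ensuring the two cannot be correlated to reconstruct the number.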
identity access management (IAM) system -- a framework for business processes that facilitates the management of electronic identities.
ingress filtering -- a method of checking that inbound packets arriving at a network carry a plausible source address (for example, not a private or internal address arriving from the Internet) before entry (or ingress) is granted; it is the network's defense against IP spoofing.
intrusion detection (ID) -- a type of security management system for computers and networks that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches.
IP address – the sequence of numbers that uniquely identifies a computer on the Internet or within a network.
IPsec (Internet Protocol Security) -- a framework for a set of protocols for security at the network or packet processing layer of network communication.
IP spoofing, also known as IP address forgery -- a technique in which the attacker forges the source address in IP packet headers so that traffic appears to come from a trusted host, in order to conceal the attacker's identity, bypass address-based access controls or amplify denial-of-service traffic.
multifactor token – a security token that uses more than one category of credential to confirm user authentication. A common example is the use of a smartphone software token app that enables the phone to serve as the hardware token; this example yields a two-factor token.
National Computer Security Center (NCSC) -- a U.S. government organization within the National Security Agency (NSA) that evaluates computing equipment for high security applications to ensure that facilities processing classified or other sensitive material are using trusted computer systems and components.
National Vulnerability Database (NVD) -- a government repository of standards-based vulnerability information.
NAT (Network Address Translation or Network Address Translator) -- the translation of an IP address used within one network to a different IP address known within another network. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
NIST (National Institute of Standards and Technology) -- a unit of the US Commerce Department that promotes and maintains measurement standards.
one-time password (OTP) -- an automatically generated numeric or alphanumeric string of characters that will authenticate the user for a single transaction or session.
OTP token -- a security device or software program that produces new single-use passwords or passcodes at preset time intervals.
out-of-band authentication -- a type of two-factor authentication that requires a secondary verification method through a separate communication channel along with the typical ID and password.
Payment Card Industry Data Security Standard (PCI DSS) -- a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
Payment Application Data Security Standard (PA-DSS) -- a set of requirements that are intended to help software vendors develop secure payment applications that support PCI DSS compliance.
PCI assessment -- an audit for validating compliance with the PCI DSS. During the assessment, a PCI Qualified Security Assessor (QSA) determines whether the business has met the PCI DSS 12 requirements, either directly or through a compensating control.
PCI compliance -- adherence to a set of security standards that were developed to protect card information during and after a financial transaction.
PCI DSS 12 requirements -- a set of security controls that businesses are required to implement to protect credit card data and comply with the PCI DSS. The requirements were developed and are maintained by the PCI Security Standards Council.
PCI DSS 2.0 -- the second version of the PCI DSS, which reinforces the need for thorough scoping before an assessment and promotes more effective log management.
PCI DSS 3.0 -- the third major iteration of the PCI DSS. Additions include penetration testing to verify the methods used to segment the merchant cardholder data environment from other IT infrastructure, an inventory of all hardware and software components within the cardholder data environment and documentation detailing which requirements are managed by third-party vendors.
PCI DSS User Group -- a London-based user group for merchants and retailers who must comply with the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS).
PCI forensic investigator program -- a certification process for companies wishing to become eligible to perform investigations into data breaches on payment card industry (PCI) networks.
PCI policy -- a type of security policy that covers how an organization addresses the 12 requirements of the PCI DSS. A PCI policy is required of all merchants and service providers who store, process or transmit cardholder data.
PCI QSA (Payment Card Industry Qualified Security Assessor) -- a designation conferred by the PCI Security Standards Council to individuals it deems qualified to perform PCI assessments and consulting services.
PCI Security Standards Council -- an organization created by the major credit card companies in an effort to better protect credit card holder data. The PCI SSC was formed in response to an increase in data security breaches, which not only put customers at risk, but also increase the credit card companies’ costs.
PII (personally identifiable information) -- any data that could potentially identify a specific individual, either on its own or when combined with other data. PII can be sensitive (for example, an account number or government ID, whose exposure causes harm) or non-sensitive (information that is already public, such as a name in a directory), and the two call for different handling requirements.
PIFI (personally identifiable financial information) -- any type of personally identifiable information that is linked to that person's finances. A credit card number is a prime example of PIFI.
principle of least privilege (POLP) -- the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.
privacy – an assurance that information will not be shared inappropriately, that unauthorized parties will not be able to see communications and/or that messages can be sent anonymously.
Qualified Security Assessor (QSA) -- a person who has been certified by the PCI Security Standards Council to audit merchants for PCI DSS compliance.
regulatory compliance -- an organization's adherence to laws, regulations, guidelines and specifications relevant to its business.
Report on Compliance (ROC) -- the report, prepared by a Qualified Security Assessor after an on-site assessment, that documents a Level 1 merchant's or service provider's compliance with each PCI DSS requirement. In general, a Level 1 merchant is one who processes over 6 million Visa transactions in a year; smaller merchants instead complete a Self-Assessment Questionnaire.
Request for Comment 1918 (RFC 1918) -- "Address Allocation for Private Internets," the Internet Engineering Task Force (IETF) memorandum that reserves the address blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 for use on private TCP/IP networks. Because these addresses are never routed on the public Internet, a packet arriving from outside with one of them as its source is spoofed and should be dropped by ingress filtering.
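The ingress filtering, egress filtering, IP spoofing and RFC 1918 entries describe the two directions of a perimeter firewall policy for a cardholder data environment. The following is an added example written for this glossary, not code from the original page, a firewall vendor or the PCI SSC; the internal prefix 10.20.0.0/16, the public address 203.0.113.10, the allowed processor endpoint 198.51.100.20:443 and the sample packets are all constructed assumptions (the public addresses are from documentation ranges).

```python
import ipaddress
from dataclasses import dataclass

# Private blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed topology: the CDE lives in this prefix behind the perimeter
# firewall, whose Internet-facing address is 203.0.113.10.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")
PUBLIC_ADDR = ipaddress.ip_address("203.0.113.10")

# Assumed egress policy: CDE hosts may reach only these (destination, port)
# pairs, here a single payment processor over TLS.
EGRESS_ALLOW = {("198.51.100.20", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str   # "in" = arriving from the Internet, "out" = leaving the CDE


def is_rfc1918(addr) -> bool:
    return any(addr in net for net in RFC1918)


def ingress_verdict(pkt: Packet) -> str:
    """Anti-spoofing ingress filter: a packet arriving from the Internet
    cannot legitimately carry a private source or one of our own addresses."""
    src = ipaddress.ip_address(pkt.src)
    if is_rfc1918(src) or src in INTERNAL or src == PUBLIC_ADDR:
        return "drop: spoofed source"
    return "accept"


def egress_verdict(pkt: Packet) -> str:
    """Egress filter: only traffic from the internal prefix to an explicitly
    allowed destination and port may leave. This is what stops a compromised
    CDE host from exfiltrating card data to an arbitrary server."""
    src = ipaddress.ip_address(pkt.src)
    if src not in INTERNAL:
        return "drop: source not internal"
    if (pkt.dst, pkt.dport) not in EGRESS_ALLOW:
        return "drop: destination not in allow-list"
    return "accept"


def filter_packet(pkt: Packet) -> str:
    return ingress_verdict(pkt) if pkt.direction == "in" else egress_verdict(pkt)


# Constructed sample traffic: one legitimate and one spoofed inbound packet,
# then an allowed, a wrong-port and a wrong-source outbound packet.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", 443, "in"),
    Packet("192.168.1.5", "203.0.113.10", 443, "in"),
    Packet("10.20.3.4", "198.51.100.20", 443, "out"),
    Packet("10.20.3.4", "198.51.100.20", 25, "out"),
    Packet("172.16.5.5", "198.51.100.20", 443, "out"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.direction, pkt.src, "->", pkt.dst, pkt.dport, ":", filter_packet(pkt))
```

The egress rule is deliberately default-deny with an explicit allow-list, since PCI DSS requires that outbound traffic from the CDE be restricted to what is authorized; a rule that merely blocked "bad" destinations would not meet that bar.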
Sarbanes-Oxley Act (SOX) -- legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise (administered by the Securities and Exchange Commission).
Section 508 -- an amendment to the United States Workforce Rehabilitation Act of 1973 that mandates that all electronic and information technology developed, procured, maintained or used by the federal government be accessible to people with disabilities.
security information and event management (SIEM) -- an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security.
security token (sometimes called an authentication token) -- a small hardware device that the owner carries to authorize access to a network service.
sensitive information -- data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.
shared secret -- data known to only the two entities involved in a communication so that either party's possession of that data can be provided as proof of identity for authentication.
shoulder surfing -- using direct observation techniques, such as looking over someone's shoulder, to get information.
single-factor authentication (SFA) – an authentication method that involves only one category of credential. The familiar user name / password login is the most common form of SFA but some strong authentication methods are also used independently.
soft token -- a software-based security token that generates single-use passcodes, typically running as an app on a smartphone and holding the shared secret in software rather than in a dedicated hardware device. Because the secret lives on a general-purpose device, the soft token is only as secure as the phone that stores it.
third party -- an entity that is involved in some way in an interaction that is primarily between two other entities.
three-factor authentication (3FA) – the use of identity-confirming credentials from three separate categories of authentication factors – typically, the knowledge, possession and inherence categories.
two-factor authentication (2FA) -- a process in which the user provides two means of identification from separate authentication factors. Often one credential is a physical token, such as a card, and the other is something memorized, such as a security code.
two-step verification -- a process that involves two authentication methods, not necessarily from separate authentication factors, performed one after the other to verify that someone or something requesting access is who or what they are declared to be.
unique identifier (UID) -- a numeric or alphanumeric string that is associated with a single entity within a given system.
universal authentication -- a network identity-verification method that allows users to move from site to site securely without having to enter identifying information multiple times.
user authentication -- the verification of an active human-to-machine transfer of credentials required for confirmation of a user’s authenticity; the term contrasts with machine authentication, which involves automated processes that do not require user input.
vendor risk management (VRM) -- a comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities regarding the hiring of third-party vendors for IT products and services.
virtual payment terminal -- a Web-based version of a credit card swipe device that allows merchants to process orders made by mail, over the phone or online.
vulnerability -- a flaw in code or design that creates a potential point of security compromise for an endpoint or network.
vulnerability disclosure -- the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so.
wipe -- to render all data on a hard drive unreadable. The term is often used in reference to making data stored on a computer, smartphone or tablet inaccessible before disposing of the device.