PCI Glossary of Terms
Approved Scanning Vendor (ASV) - To become PCI compliant, you'll need a successful scan certificate from an approved scanning vendor to certify that you meet all technical requirements. The PCI Security Standards Council provides a list of approved ASVs.
Audit Log - A record of system activities ordered by date. This should be detailed enough to provide a sequence of events that lead from the start of the transaction to the end.
Cardholder Data (CD) - Cardholder data consists of the full primary account number (PAN). Cardholder data may also appear with the following data: cardholder name, expiration date, and/or service code.
Cardholder Data Environment (CDE) - This includes all processes and technology, as well as the people, that store, process, or transmit customer cardholder data or authentication data, including connected system components and any virtualization components (e.g. servers, applications, etc.).
Encryption - This refers to the conversion of information into an unreadable form where only those with a specific cryptographic key can access the information. This protects information between the encryption and decryption processes against any unauthorized disclosure.
File Integrity Monitoring - This determines whether or not files have been modified in any way. When certain critical files are changed, PCI dictates that alerts should be sent to security personnel.
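As an added illustration of the mechanism described above (example code written for this glossary, not part of the original page or any PCI SSC material): a minimal baseline-and-compare check over a constructed set of hypothetical critical files, producing one alert record whenever a monitored file is modified or deleted. File names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, critical):
    """Record hash, size and permission bits for each monitored file."""
    baseline = {}
    for rel in critical:
        p = Path(root) / rel
        st = p.stat()
        baseline[rel] = {"sha256": file_digest(p), "size": st.st_size,
                         "mode": oct(st.st_mode & 0o777)}
    return baseline

def check_integrity(root, baseline):
    """Compare the current state with the baseline; return one alert per changed file."""
    alerts = []
    for rel, expected in baseline.items():
        p = Path(root) / rel
        if not p.exists():
            alerts.append({"file": rel, "change": "deleted"})
            continue
        st = p.stat()
        current = {"sha256": file_digest(p), "size": st.st_size,
                   "mode": oct(st.st_mode & 0o777)}
        changed = [k for k in expected if current[k] != expected[k]]
        if changed:
            alerts.append({"file": rel, "change": "modified", "fields": changed})
    return alerts

def demo():
    """Constructed scenario: baseline two hypothetical critical files, tamper with one, delete the other."""
    with tempfile.TemporaryDirectory() as root:
        critical = ["etc/payment.conf", "bin/checkout"]  # hypothetical paths
        for rel in critical:
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("original content of " + rel)
        baseline = build_baseline(root, critical)
        (Path(root) / "etc/payment.conf").write_text("tampered")
        (Path(root) / "bin/checkout").unlink()
        return check_integrity(root, baseline)
```

In a real deployment the baseline would be stored off-host and the alert records forwarded to security personnel; here the alerts are simply returned.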
Firewall - This technology protects network resources from unauthorized access by permitting or denying traffic between networks based on custom criteria. PCI-compliant hosting options include different types of managed firewalls, including shared firewalls, virtualized private firewalls, and dedicated firewall appliances.
Intrusion Detection Service (IDS) - This refers to the software or hardware used to alert on network or system intrusions. This system can include alert sensors, monitoring options, and a centralized logging system to record events.
Intrusion Prevention Service (IPS) - Similar to the Intrusion Detection Service, IPS attempts to block possible intrusions once they are detected.
Payment Card Industry Data Security Standard (PCI DSS) - This was established by the large payment card brands (Visa, JCB International, American Express, Discover, and MasterCard) as a national standard for any merchant that intends to store, process, or transmit credit cardholder data.
Penetration Test - These tests are conducted on networks and applications, as well as the controls and processes around them, in order to discover vulnerabilities and the potential for unauthorized access and security breaches. Penetration testing should include both external and internal network tests.
Primary Account Number (PAN) - The primary account number is also referred to as "account number" or "unique payment card number", and identifies the issuer and cardholder account. It is typically used for either credit or debit cards.
Private Network - Private networks are those internal to an organization, potentially using private IP address space, and should be protected from public networks by firewalls and routers.
Service Provider - A non-payment-brand business entity that is involved in the processing, storage, or transmission of cardholder data. Any company that affects the security of cardholder data is included, e.g. a managed service or hosting provider that provides managed firewalls, IDS, etc.
System Components - The PCI SSC defines these as networks, servers, virtualization components, and applications. Network components may include firewalls, switches, routers, and other security appliances. Server types may include web, database, authentication, and other devices. Applications include internal and external applications, including Internet-based.
The system component becomes part of the CDE if it stores, transmits or processes cardholder data, or if it’s connected to another system that does the aforementioned. As such, any IT infrastructure that is part of the CDE becomes liable to scrutiny under PCI compliance laws, including any application or server provided by a third party.
Two-Factor Authentication - User authentication that requires two or more factors, for example a hardware or software token, a user password or PIN, or a fingerprint and/or other biometric authentication method.