Glossary

Terms & Definitions

Abbreviations, terms and words that are related to PCI Compliance.


Access Point (see also wireless access point)
A wireless access point (WAP) is a device that allows you to connect to a wireless network or the Internet.
ACDR Fines
Account Data Recovery Fines (“ACDR fines”) are amounts assessed against a merchant by a card association to cover partial collection of losses experienced as a result of a data security event.
ACH
Abbreviation for Automated Clearing House; see that entry. For the verb usage, see ACH (verb).
ACH (verb)
To debit or credit funds electronically using the ACH network and software.
Automated Clearing House
A clearing facility operated by a Federal Reserve Bank or a private sector organization through which banks transmit and receive funds electronically.
Card Association
Card association means Visa, MasterCard, Discover, JCB, American Express or any similar credit or debit card association.
Card Association Assessment
Card association assessment means a monetary assessment, fee, fine or penalty levied against a merchant by a card association as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event.
Card Replacement Expenses
Card replacement expenses means the costs that the merchant is required to pay by the card association to replace compromised bank cards as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event.
Cardholder Data Environment
The people, processes and technology that store, process or transmit cardholder data or login and password data, including any connected system components.
Cardholder Information
Cardholder Information means the data contained on a credit card.
CISP List
Stands for Cardholder Information Security Program. This is a list maintained on the Visa web site of providers who have certified their PCI compliance. You can find it at: http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
Community string
A type of password used in the Simple Network Management Protocol (SNMP) to control read or write access to a managed device.
Compliance Case Costs
Compliance case costs are costs and expenses incurred by a card issuer in monitoring and addressing accounts which are believed to be compromised or at risk as a result of a data security event and for which reimbursement is requested pursuant to rules of a card association. Compliance case costs do not include chargeback amounts.
Cryptography
Cryptography is the technology of protecting information by scrambling data.
Data Security Event
Data security event means the actual or suspected unauthorized access to or use of cardholder information, arising out of a merchant’s possession of or access to such cardholder information, which has been reported (a) to a card association by a merchant or (b) to the merchant by a card association.
Dynamic Packet Filtering
A firewall feature that provides security by keeping track of the state of communications. Only packets belonging to established connections are allowed through the firewall. Also called Stateful Inspection.
Encryption Key
An encryption key is a sequence of numbers used to encrypt or decrypt data. This is different than a password. A password is used to gain access. An encryption key is used to scramble data so that it cannot be recognized.
Firewall
A Firewall is a system which limits network access between two or more networks or parts of a network. Normally, a Firewall is deployed between a private network and an untrusted network (such as the Internet). A Firewall grants or revokes access based on the rules that are set up in it.
Forensic Audit
Forensic audit expenses are the costs of a security assessment conducted by a qualified security assessor approved by a card association or the PCI Security Standards Council to determine the cause and extent of a data security event.
Gateway
A payment gateway is an e-commerce service provider's service that handles the credit card part of the transaction - it authorizes and/or processes payments electronically.
Hardening
Making sure that no unnecessary services or software are running on a machine that could leave it open to attack by a hacker. Sources of industry-accepted system hardening standards can be found at the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SysAdmin, Audit, Network, Security (SANS) Institute, or the National Institute of Standards and Technology (NIST).
IDS
Intrusion Detection System - a system that inspects for attempted hacks into your computer system and prevents them.
In Scope
Related to the cardholder data environment. If systems, people and processes are not within the cardholder data environment, then they are not "in scope" and are not subject to PCI compliance.
Internet Service Provider
An Internet service provider is a company that offers access to the Internet and to e-mail, usually for a monthly fee. You can also host a web site there.
IPS
Intrusion Protection System - a system that inspects for attempted hacks into your computer system and prevents them.
ISP
See Internet Service Provider
Management Console
Software used to monitor and control other machines in a network.
Media
Media means any place where data is stored. It can be paper, a hard drive, a USB device, a CD, etc.
Merchant
A merchant is an entity that accepts debit, credit or prepaid cards.
MID
MID means a Merchant Identification Number, which is a unique number assigned to a location where a merchant accepts bank cards for payment.
Network
An interconnected system of computers and/or devices that talk to each other and share data or communications.
Notice Period
Notice period means the thirty (30) day period commencing immediately upon the discovery by the merchant of a data security event.
Password
A code, set by a user and known only to that user, that grants them access to a computer.
Port
A port is like a software door that can be open or shut and through which communication can travel if it is open.
Protocol
A protocol is simply a set of rules for the format and transmission of data. For example, if you are sending a letter through the mail, the address has to have a certain format to be recognized and forwarded on. The route the letter takes is determined by what is in the address, such as the state code. The same is true when computers communicate with one another: the rules which apply to the communications are called protocols.
Proxy Server
A proxy server is a computer that acts as a middleman between two networks. The primary use of a proxy server is to protect the privacy of systems behind the proxy server, though it can also act to speed up Internet access.
Remote Management
Allows a System Administrator to access, edit, and update data on a computer from a location away from the physical computer being updated.
Router
A device that receives and forwards data packets between computer networks.
Security Event Expenses
Security event expenses are assessments, forensic audit expenses, card replacement expenses and post-event services expenses that the merchant is obligated to pay in connection with a data security event.
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is software used to manage systems in a network for conditions that warrant administrative attention.
SNMP
Simple Network Management Protocol
Stateful Inspection
A firewall feature that provides security by keeping track of the state of communications. Only packets belonging to established connections are allowed through the firewall. Also called Dynamic Packet Filtering.
System administrator
A person in charge of managing and maintaining computer systems for a business or organization.
Third Party Agent
There are several types of organizations that would qualify as third party agents. For example, Gateways, Internet Service Providers (where web sites reside) and computer management companies all qualify as third party agents. If your company uses a business for services and that business can impact the security of cardholder data, it is a third party agent - even if it does not have any direct access to cardholder data.
Two-factor authentication
Two-factor authentication means using two sources of identity for a person. As an example, your login is one factor. If a code is then texted to your cell phone which you have to enter before gaining access, that creates a second factor, and qualifies as two-factor authentication. An example of this would be: Model Maid's corporate office is processing via an application or a virtual terminal on their network which is connected to the Internet. Their System Administrator has remote access into the cardholder data environment. He must enter a password. A code is additionally sent to his cell phone that he must enter to gain access.
WIFI
Wi-Fi is the wireless technology that allows computers and other devices to communicate using high frequency radio signals that transmit and receive data over distances of a few hundred feet. Many computers now have built-in Wi-Fi cards that allow users to search for and connect to wireless routers.
Wireless Access Point
A wireless access point (WAP) is a device that allows you to connect to a wireless network or the Internet.