Level 1 Rep - Glossary
Glossary of Terms for the SAQs.
72 cards, Other, Not Applicable, 12/09/2011

Cards

Term
Access Control
Definition
Measures that limit access to information or information processing resources to those authorized persons or applications.
Term
Account Harvesting
Definition
A trial-and-error method of discovering which user accounts exist on a system. An application that returns a different error message (or a noticeably different response time) for an unknown username than for a wrong password discloses which usernames are valid, which makes it easier for an attacker to penetrate or compromise the system.
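An added example (not part of the original glossary) showing the leak and the fix side by side. The user store, password and usernames are constructed for the demo; the point is that the hardened login returns one message and does the same hashing work whether or not the account exists, so an attacker's trial-and-error loop learns nothing.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo user store (not a real system): username -> (salt, PBKDF2 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}

# A dummy record used for unknown usernames so the hardened login does the
# same amount of work whether or not the account exists.
_DUMMY = (_SALT, _hash_password(secrets.token_hex(16), _SALT))


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the error text (and the early return) reveal whether the
    username exists, which is exactly what account harvesting needs."""
    if username not in USERS:
        return "Unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Wrong password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one generic message, and the password is always hashed
    (against the dummy record if needed) so timing does not leak either."""
    salt, stored = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if password_ok and username in USERS:
        return "OK"
    return "Invalid username or password"


def harvest(login_fn, candidates):
    """What an attacker does: try each candidate name with a junk password and
    keep the names whose reply differs from the reply for a name that is
    certainly absent. Returns the list of names judged to exist."""
    baseline = login_fn("no-such-user-" + secrets.token_hex(4), "junk")
    return [name for name in candidates if login_fn(name, "junk") != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "root"]
    print("leaky login leaks:", harvest(login_leaky, names))      # ['alice']
    print("uniform login leaks:", harvest(login_uniform, names))  # []
```

Registration and password-reset pages need the same treatment; a "that e-mail address is already registered" message is the same leak through a different door.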
Term
Account Number
Definition
The payment card number (credit or debit) that identifies the issuer and the particular cardholder account.
Term
Acquirer
Definition
A bankcard association member that initiates and maintains relationships with merchants that accept Visa or MasterCard cards.
Term
Asset
Definition
Information or information processing resources of an organization.
Term
Audit Log
Definition
A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results. Sometimes specifically referred to as a security audit trail.
Term
Authentication
Definition
The process of verifying the claimed identity of a user, subject, or process, for example by checking a password or a token code, before any authorization decision is made.
Term
Authorization
Definition
The granting of access or other rights to an authenticated user, program, or process.
Term
Backup
Definition
A duplicate copy of data made for archiving purposes or for protecting against damage or loss.
Term
Card-validation
Definition
The three-digit value printed on the signature panel of a payment card, used to verify card-not-present transactions. On a MasterCard payment card this is called CVC2; on a Visa payment card it is called CVV2 (American Express cards carry a four-digit code, the CID, printed on the front). Because its purpose is to prove the card is in hand, it must not be stored after authorization.
Term
Cardholder
Definition
The customer to whom a card has been issued or the individual authorized to use the card.
Term
Cardholder Data
Definition
All personally identifiable data about the cardholder and the cardholder's relationship to the Member (e.g., account number, expiration date, data provided by the Member, other electronic data gathered by the merchant/agent). This term also covers other personal information gathered about the cardholder (e.g., addresses, telephone numbers).
Term
Co-Location
Definition
This is having a server that belongs to one person or group physically located on an Internet-connected network that belongs to another person or group.
Term
Compromise
Definition
An intrusion into a computer system where unauthorized disclosure, modification, or destruction of cardholder data may have occurred.
Term
Console
Definition
A screen and keyboard which allows access and control of the server / mainframe in a networked environment.
Term
Consumer
Definition
Individual purchasing goods and/or services.
Term
Cookies
Definition
A string of data exchanged between a web server and a web browser to maintain a session. It may contain user preferences and personal information. A session cookie is in effect a bearer credential: whoever holds it can act as the user, so it should be unguessable, sent only over an encrypted channel, and expired when the session ends.
Term
DBA
Definition
Doing Business As. Compliance validation levels are based on the transaction volume of a DBA or chain of stores (not of a corporate that owns several chains).
Term
DMZ (demilitarized zone)
Definition
A network added between a private network and a public network in order to provide an additional layer of security.
Term
Database
Definition
A structured format for organizing and maintaining information that can be easily retrieved. A simple example of a database is a table or a spreadsheet.
Term
Default Accounts
Definition
A system login account that has been predefined in a manufactured system to permit initial access when the system is first put into service.
Term
Default Password
Definition
The password on system administration or service accounts when a system is shipped from the manufacturer, usually associated with the default account. Default accounts and passwords are published and well known, so they must be changed or the accounts disabled before the system is connected to a network.
Term
Dual Control
Definition
A method of preserving the integrity of a process by requiring that several individuals independently take some action before certain transactions are completed.
Term
Egress
Definition
Traffic leaving the network.
Term
Encryption
Definition
The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption), against unauthorized disclosure.
Term
Firewall
Definition
Hardware and/or software that protects the resources of one network from users on other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its private data resources.
Term
Host
Definition
A computer, physical or virtual, on which software runs and which has its own address on a network.
Term
IP Address
Definition
An IP address is a numeric code that identifies a particular computer on a network. A public IP address is unique on the Internet; addresses on a private network behind NAT are unique only within that network.
Term
IP Spoofing
Definition
A technique used to gain unauthorized access to computers, whereby the intruder forges the source IP address of the packets it sends so that they appear to come from a trusted host.
Term
ISO 8583
Definition
An established standard defining the message format used to exchange payment card transactions (for example, authorization requests and responses) between financial systems.
Term
Information Security
Definition
Protection of information for confidentiality, integrity and availability.
Term
Ingress
Definition
Traffic entering the network.
Term
Intrusion Detection Systems
Definition
An intrusion detection system (IDS) inspects inbound and outbound network activity and flags suspicious patterns that may indicate an attempt to break into or compromise a system. An IDS detects and alerts; it does not by itself block the traffic.
Term
Key
Definition
In cryptography, a key is a secret value that an algorithm combines with unencrypted text to produce encrypted text (and with encrypted text to recover the original). For a sound algorithm, the length of the key sets the cost of guessing it by exhaustive search; a long key does not rescue a weak algorithm or a key that is poorly generated or poorly protected.
Term
Magnetic Stripe Data (Track Data)
Definition
Data encoded in the magnetic stripe used for authorization during a card present transaction. Entities may not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/CVV, and Visa reserved values must be purged; however, account number, expiration date, and name may be extracted and retained.
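An added example (not from the original glossary) of the retention rule above in code: parse a track 1 or track 2 string, keep only the account number, expiration date and name, and drop the service code and discretionary data (where the CVV and issuer-reserved values live). It also includes a scanner for finding stored track data that should have been purged. The sample swipes use the well-known test PAN 4111111111111111 and made-up discretionary data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Track layouts: track 1 is "%B" PAN "^" name "^" YYMM + 3-digit service code
# + discretionary data "?"; track 2 is ";" PAN "=" YYMM + service code +
# discretionary data "?". The discretionary data carries the card verification
# value and issuer-reserved fields that must not survive authorization.
TRACK1 = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})"
    r"(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2 = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


@dataclass
class RetainedCardData:
    """The only track-derived fields that may be kept after authorization."""
    pan: str
    expiry: str           # YYMM as encoded on the stripe
    name: Optional[str]   # only track 1 carries the cardholder name


def parse_track(raw: str) -> dict:
    m = TRACK1.fullmatch(raw) or TRACK2.fullmatch(raw)
    if m is None:
        raise ValueError("not track 1 or track 2 data")
    return m.groupdict()


def retain_after_authorization(raw: str) -> RetainedCardData:
    """Extract PAN, expiry and name; service code and discretionary data are dropped."""
    fields = parse_track(raw)
    return RetainedCardData(pan=fields["pan"], expiry=fields["exp"], name=fields.get("name"))


def find_track_data(blob: str) -> list:
    """Scan stored text (logs, database dumps, crash files) for full track data
    that should have been purged. Returns the offending fragments."""
    hits = [m.group(0) for m in TRACK1.finditer(blob)]
    hits += [m.group(0) for m in TRACK2.finditer(blob)]
    return hits


# Constructed sample swipes (test PAN, made-up discretionary data).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

if __name__ == "__main__":
    print(retain_after_authorization(SAMPLE_TRACK1))
    print(find_track_data("2011-12-09 debug: swipe=" + SAMPLE_TRACK2 + " ok"))
```

Run find_track_data over application logs and database exports during an assessment; a single hit means full track data is being stored after authorization.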
Term
Monitoring
Definition
The ongoing observation and review of activity on a network or system (for example, by examining audit logs and intrusion detection alerts) so that unauthorized or anomalous activity can be detected.
Term
Network
Definition
A network is two or more computers connected to each other so they can share resources.
Term
Network Address Translation (NAT)
Definition
The translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network.
Term
Non Consumer Users
Definition
Any user, excluding consumer customers, that accesses systems, including but not limited to, employees, administrators, and third parties.
Term
Password
Definition
A secret string of characters that serves as an authenticator of a user (something the user knows).
Term
Patch
Definition
A fix issued by a software vendor for a defect in a released product. Problems, including security vulnerabilities, are almost invariably found after a product is released; a patch is the corrective update provided to users until the fix is rolled into a new version.
Term
Payment Application
Definition
Payment applications are computer programs that store, process, or transmit cardholder data as part of authorization or settlement. These applications are purchased or licensed from a third party, and not developed by the merchant. Terminal-only payment solutions do not normally have applicable payment applications. Payment applications are normally found in payment solutions that use computers. To find the Payment Application name and version, you will need to look within the software itself, or contact your payment solution provider.
Term
Payment Gateway
Definition
The online service that handles the credit card transaction between the merchant's web site and the processor. A small example of payment gateway companies is: Authorize.net, Cybersource or Paypal. If you only use a standalone terminal and you do not use the Internet for your payment transactions then this option will not apply to you and you should select NONE in the pull down menu.
Term
Penetration
Definition
The successful act of bypassing the security mechanisms of a system.
Term
Penetration Test
Definition
The security-oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit. The testing involves an attempt to penetrate the system so the tester can report on the vulnerabilities and suggest steps to improve security.
Term
Policy
Definition
Organizational-level rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.
Term
Procedure
Definition
A procedure provides the descriptive narrative on the policy to which it applies. It is the "how to" of the policy. A procedure tells the organization how a policy is to be carried out.
Term
Processor
Definition
Typically this is the organization from whom you receive your monthly merchant statement. A small example of processors are: First Data Merchant Services, TSYS or Bank of America Merchant Services. In some cases, the Processor receives information from the Payment Gateway to process the transaction with the Cardholder organizations.
Term
Protocol
Definition
An agreed-upon method of communication used within networks. A specification that describes the rules and procedures products should follow to perform activities on a network.
Term
Risk Analysis
Definition
Also known as risk assessment, a process that systematically identifies valuable system resources and threats to those resources, quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.
Term
Router
Definition
A router is a piece of hardware or software that connects two or more networks. A router functions as a sorter and interpreter as it looks at addresses and passes bits of information to their proper destinations. Software routers are sometimes referred to as gateways.
Term
SQL Injection
Definition
A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by supplying input that insecure code concatenates into a SQL statement. SQL injection attacks are used to steal information from a database that would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database. Building statements with parameterized queries, so that user input is passed as data rather than as part of the statement, prevents it.
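An added example (not from the original glossary) using Python's built-in sqlite3 module with a constructed in-memory table: the same lookup written with string concatenation and with a parameterized query, exercised with two classic payloads. The table, rows and payloads are made up for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory demo schema; not a real application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, username: str):
    """Builds the statement by string concatenation: whatever the attacker
    types becomes part of the SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """Parameterized query: the driver passes the value separately from the
    statement, so quotes in the input never change the statement's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads. The first makes the WHERE clause always true; the
# second appends a UNION that reads table definitions out of sqlite_master.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD_TAUTOLOGY))  # every user row
    print(lookup_vulnerable(db, PAYLOAD_UNION))      # schema leaked
    print(lookup_safe(db, PAYLOAD_TAUTOLOGY))        # []
```

The UNION payload is what turns a "harmless" read-only lookup into database-wide disclosure; the parameterized version returns nothing for either payload because no user is literally named that.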
Term
SSL
Definition
An established industry standard that encrypts the channel between a web browser and a Web server to ensure the privacy and integrity of data transmitted over it. SSL has since been superseded by TLS; all versions of SSL are now considered insecure and should be disabled in favor of current TLS versions.
Term
Sanitization
Definition
To delete sensitive data from a file, a device, or a system; or modify data so that data is useless for attacks.
Term
Security Officer
Definition
The person who takes primary responsibility for the security related affairs of the organization.
Term
Security Policy
Definition
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Term
Sensitive Cardholder Data
Definition
Data whose unauthorized disclosure may be used in fraudulent transactions. It includes the account number, magnetic stripe data, CVC2/CVV2 and expiration date.
Term
Separation of Duties
Definition
The practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process.
Term
Server
Definition
A computer that acts as a provider of some service to other computers, such as processing communications, file storage, or printing facility.
Term
Shopping Cart
Definition
An online system for handling the billing/inventory of an online purchase process. A small example of shopping cart companies is: Americart, Cart32 and MetaCart. If your products or services may not be purchased on a web site then this option does not apply to you and you should select NONE in the pull down menu.
Term
System Perimeter Scan
Definition
A non-intrusive test which involves probing external-facing systems and reporting on the services available to the external network (i.e. services available to the Internet).
Term
Tamper-resistance
Definition
A system is said to be tamper-resistant if it is difficult to modify or subvert, even for an attacker who has physical access to the system.
Term
Threat
Definition
A condition that may cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
Term
Token
Definition
A physical or software device that performs dynamic authentication by generating a value (typically a one-time code derived from a secret it shares with the server plus a counter or the current time) that changes on every use, so a captured value cannot be replayed.
Term
Transaction Data
Definition
Data related to an electronic payment.
Term
Truncation
Definition
The practice of removing a data segment. Commonly, when account numbers are truncated, the first 12 digits are deleted, leaving only the last 4 digits. PCI DSS permits at most the first six and last four digits of an account number to be displayed; the truncated form is no longer a full PAN and may be kept where the full number may not.
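An added example (not from the original glossary): a truncation function that enforces the first-six/last-four limit, plus a log scrubber that truncates any account number it finds in free text. The Luhn check digit test, which every payment card number satisfies, is used to avoid mangling other long numbers such as order IDs; the log line is constructed for the demo.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; every valid payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 0, keep_last: int = 4, mask: str = "X") -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    digits = re.sub(r"\D", "", pan)          # tolerate spaces or dashes in input
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS masking allows at most the first six and last four digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + mask * hidden + digits[len(digits) - keep_last:]


# Candidate PANs in free text: 13 to 19 digits not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scrub_pans(text: str) -> str:
    """Truncate every Luhn-valid 13-19 digit number in a log line or document."""
    def replace(m):
        number = m.group(0)
        return truncate_pan(number) if luhn_ok(number) else number
    return PAN_CANDIDATE.sub(replace, text)


if __name__ == "__main__":
    # Constructed log line: a test PAN next to a 16-digit order number.
    line = "2011-12-09 auth ok pan=4111111111111111 order=2011120912345678 amount=12.50"
    print(scrub_pans(line))
```

Run scrub_pans on output before it reaches log files; it is far cheaper to never write a full PAN than to find and sanitize it later. The pattern above matches contiguous digits only; numbers written with spaces or dashes need a separator-tolerant pattern.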
Term
Two-factor Authentication
Definition
Authentication that requires users to produce two credentials from different categories: something they have (e.g., smartcards or hardware tokens), something they know (e.g., a password), or something they are (e.g., a fingerprint). In order to access a system, users must produce both factors; two credentials of the same kind, such as two passwords, do not count.
Term
UserID
Definition
A character string that is used to uniquely identify each user of a system.
Term
Virus
Definition
A program or a string of code that can replicate itself and cause the modification or destruction of software or data.
Term
Vulnerability
Definition
A weakness in system security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.
Term
Vulnerability Scan
Definition
An automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool remotely reviews networks and Web applications based on the external-facing Internet protocol (IP) addresses. Scans identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network.
Term
Web Host
Definition
A company that allows individuals or other companies to use their server space to host web sites. A small example of web host companies is: Pair, Verio and Hostmonster. If you do not have a website for your business then this option will not apply to you and you should select NONE in the pull down menu.