PCI terms can be confusing, especially when their acronyms are used without providing definitions or context clues. Understanding these terms is vital to ensuring that your company can pass required audits and meet compliance regulations. To help you better navigate the world of Information Technology (IT) audits and common terms, we have created a glossary of PCI terms.
Glossary of Common PCI Terms
Approved Scanning Vendor (ASV)
PCI compliance requires that an approved scanning vendor provide you with a scan certificate. The scan certificate certifies that you have met all established technical requirements. The PCI Security Standards Council maintains an up-to-date list of all approved ASVs.
Audit Log
An audit log is an official record of system activities up to a specific time or date. The record should clearly detail the sequence of events from the beginning of a transaction all the way to its end.
Cardholder Data (CD)
Cardholder data can contain a repertoire of information, including: Primary Account Number (PAN), cardholder name (as it appears on the card), expiration date, and / or the service code.
Cardholder Data Environment (CDE)
The CDE refers to the processes and technology that have access to the cardholder data. It is important to note that the CDE can also include the people who store, process, or transmit the cardholder data. It can also include the virtual components, connected system components, and methods used to authenticate cardholder data.
Encryption
Encryption is used to convert digitally stored information into an unreadable form. When information is encrypted, a cryptographic key will have to be used to transform the information back into a readable form. Encryption is used to help protect against the unauthorized disclosure of information.
File Integrity Monitoring
For security and information protection, the integrity of files must be closely monitored. Should the critical files or logs be altered, then an alert must be sent to the appropriate security personnel in accordance with PCI compliance standards.
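The following is an added illustration of how a file integrity monitoring control works in practice; it is not code from the original post or from any particular FIM product. It records a baseline of SHA-256 hashes for the files under a directory, then re-hashes the tree later and raises one alert per modified, deleted, or added file. The file names and contents in the demo are constructed for the example; in a real deployment the baseline itself must be stored where the monitored system cannot alter it, otherwise an intruder could simply re-baseline after tampering.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every regular file under root: the trusted state."""
    return {
        str(file.relative_to(root)): sha256_file(file)
        for file in sorted(root.rglob("*"))
        if file.is_file()
    }


def check_integrity(root: Path, baseline: dict) -> list:
    """Compare the current tree with the baseline; return one alert per deviation."""
    current = build_baseline(root)
    alerts = []
    for name, expected in baseline.items():
        if name not in current:
            alerts.append(("DELETED", name))
        elif current[name] != expected:
            alerts.append(("MODIFIED", name))
    for name in current:
        if name not in baseline:
            alerts.append(("ADDED", name))
    return sorted(alerts)


def demo() -> list:
    """Constructed scenario: take a baseline, change the tree, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "httpd.conf").write_text("Listen 443\n")          # constructed config
        (root / "access.log").write_text("constructed log line\n")  # constructed log
        baseline = build_baseline(root)

        # Simulated changes that an FIM control is expected to surface.
        (root / "httpd.conf").write_text("Listen 8080\n")         # edited
        (root / "access.log").unlink()                            # deleted
        (root / "unexpected.bin").write_bytes(b"\x00\x01")        # added
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"ALERT {kind}: {name}")
```

Each tuple returned by `check_integrity` is the event that would be forwarded to the security team; in production the check runs on a schedule or on a file-system change notification, and the alert goes to the logging or SIEM system rather than to standard output.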
Firewall
A firewall is a critical component of network security. As the name suggests, firewalls are built to prevent unauthorized parties from accessing networks. PCI compliant hosting options offer several types of firewalls that can be used to protect networks; these include shared firewalls, managed firewalls, virtual private firewalls, and dedicated firewall appliances.
Intrusion Detection Service (IDS)
Cyber threats can target both software and hardware. An IDS generates the alerts that tell security personnel about triggered intrusion events. These alerts can be customized to monitor centralized logging systems, record events, and monitor specific software and hardware solutions.
Intrusion Prevention Service (IPS)
Like an IDS, an IPS is designed to prevent successful intrusions into software or hardware.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a national standard that all merchants who store, process, or transmit cardholder data must meet. It was created by a joint effort between Visa, MasterCard, American Express, JCB International, and Discover.
Penetration Test
As its name suggests, a penetration test is designed to assess network and application security. It is also used on the controls and processes that are meant to protect networks and applications. The penetration test is critical in the identification of risks and vulnerabilities to networks and applications. This type of testing is often conducted on both internal and external networks.
Primary Account Number (PAN)
PAN is the unique card number that is used to identify a specific issuer and cardholder. It is typically assigned to both credit and debit cards.
Private IP Address
Private IP addresses are used to create private networks. Access to these networks should be protected by firewalls, as well as routers.
Service Provider
The service provider is typically a non-payment business entity that is instrumental in processing, storing, and transmitting credit cardholder data. There are several types of service providers.
System Components
System components include network entities, such as firewalls, routers, switches, and other important security appliances. System components are also made up of server types, such as database, web, and authentication. Applications, including Internet-based, internal, and external, are part of the system components. A system component is a part of the CDE when it is used to store, transmit, or process credit cardholder data. In short, IT infrastructures, including those of third-party providers, that are a part of the CDE must meet PCI compliance laws.
Two-Factor Authentication
This type of authentication is used for additional security. Two-factor authentication requires user authentication via two or more factors, such as a user password and a PIN sent via text or email. Other two-factor authentication examples include a software or hardware token, biometric scans, and fingerprints.
Improve Your Compliance Understanding Today
This blog post should serve as your introductory guide to the most common PCI terms. To further alleviate any confusion, and to offer in-depth explanations of the various terms associated with PCI compliant regulations, our team is standing by to offer their expertise. Whether you are beginning to prepare for an audit, or want to ensure that you are compliant, we invite you to contact us via phone 215-675-1400. We invite you to experience “Audits without Anxiety!”™ by filling out our online form to request a quote for a compliance check today.