Glossary of eCommerce Terms

Term Definition or Synonym
Account Data Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.
Account Number See Primary Account Number (PAN).
ACH The Automated Clearing House (ACH) network is a nationwide, wholesale electronic payment and collection system. It is a method of transferring funds between banks via the Federal Reserve System and is used by most, but not all, financial institutions. The ACH is a central clearing facility, operated by a Federal Reserve Bank or a private-sector organization on behalf of depository financial institutions (DFIs), in which participating DFIs transmit or receive ACH entries.
Acquirer Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution”. Entity, typically a financial institution that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.
Actual Date The calendar date when the transaction is initiated.
Address Verification (AVS) A service associated with credit card authorization which verifies the cardholder's address. Primarily used for non-face-to-face transactions.
Anti-Virus Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called “malware”) including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.
AOC Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
Application Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.
ARM Access Request Memo
ASV Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
Audit Log Also referred to as “audit trail.” Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
Audit Trail See Audit Log.
Authentication Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as: something you know, such as a password or passphrase; something you have, such as a token device or smart card; something you are, such as a biometric.
Authorization The process which verifies that a cardholder account is valid and that the cardholder is not above any credit limit, and which reserves the credit amount on the account.
Auto-Payments Auto-Payments allow payments on accounts to be made on a monthly, every-other-month, quarterly, twice-a-year or annual schedule.
Backup Duplicate copy of data made for archiving purposes or for protecting against damage or loss.
Business Date The JVE date for the transaction.
Card Skimmer A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
Card Verification Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features.
Cardholder Non-consumer or consumer customer to whom a payment card is issued to or any individual authorized to use the payment card.
Cardholder Data At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.  See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
CDE Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
Cellular Technologies Mobile communications through wireless telephone networks, including but not limited to Global System for Mobile communications (GSM), code division multiple access (CDMA), and General Packet Radio Service (GPRS).
Change Control Processes and procedures to review, test, and approve changes to systems and software for impact before implementation.
CHD Card Holder Data includes the primary account number (PAN) along with any of the following data types: cardholder name, expiration date or service code.
Checkout Store Allows you to maintain your own web store. CASHNet only collects payment information from your customer.
Closed Transaction A transaction that is fulfilled.
Card Verification Code or Value

Data element on a card's magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. 

For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit un-embossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. 

Compensating Controls

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.

Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. See “Compensating Controls” Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.

Compromise Also referred to as “data compromise,” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
Credit A credit/debit card transaction generated by the merchant to return some or all of the original purchase amount to the cardholder.
Credit Card An electronic payment card issued either by a bank (in the case of Visa or MasterCard) or a proprietary entity (in the case of American Express or Discover) that enables the cardholder to purchase goods or services which may be payable over a period of time.
Critical Systems / Critical Technologies

A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained.  Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. 

Considerations for determining which specific systems and technologies are critical will depend on an organization’s environment and risk-assessment strategy.

Database Structured format for organizing and maintaining easily retrievable information. Simple database examples are tables and spreadsheets.
Database Administrator Also referred to as “DBA.” Individual responsible for managing and administering databases.
Data-Flow Diagram A diagram showing how data flows through an application, system, or network.
Debit An entry to the record of an account to represent the transfer or removal of funds from the account.
Debit Card An ATM bankcard used to purchase goods and services and to obtain cash. A debit card debits the cardholder's personal deposit account and requires a Personal Identification Number (PIN) for use. Debit cards branded with a bankcard logo (e.g., Visa) can be accepted in CASHNet.
Decline A transaction in which the issuing bank will not authorize the transaction.
Default Password Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with default account. Default accounts and passwords are published and well known, and therefore easily guessed.
DSS Acronym for “Data Security Standard.” See PA-DSS and PCI DSS.
Dual Control Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge.)
Encryption Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure. See Strong Cryptography.
File Integrity Monitoring Technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel.
File-Level Encryption Technique or technology (either software or hardware) for encrypting the full contents of specific files. Alternatively, see Disk Encryption or Column-Level Database Encryption.
Firewall Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
Forensics Also referred to as “computer forensics.” As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.
FTP Acronym for “File Transfer Protocol.” Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. FTP can be implemented securely via SSH or other technology. See S-FTP.
Fulfillment Fulfillment is used by merchants to ship orders of physical goods or to reconcile end-of-day transactions.
GSM Acronym for “Global System for Mobile Communications.” Popular standard for mobile phones and networks. Ubiquity of GSM standard makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world.
HTTP Acronym for “hypertext transfer protocol.” Open internet protocol to transfer or convey information on the World Wide Web.
HTTPS Acronym for “hypertext transfer protocol over secure socket layer.” Secure HTTP that provides authentication and encrypted communication on the World Wide Web designed for security-sensitive communication such as web-based logins.
ID Identifier for a particular user or application.
Index Token A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
Information Security Protection of information to ensure confidentiality, integrity, and availability.
IP Acronym for “internet protocol.” Network-layer protocol containing address information and some control information that enables packets to be routed and delivered from the source host to the destination host. IP is the primary network-layer protocol in the Internet protocol suite. See TCP.
ISA Acronym for “Internal Security Assessor.” ISA sponsor companies are organizations that have been qualified by the Council.
Issuer Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors. Also referred to as “issuing bank” or “issuing financial institution.”
JVE Journal Voucher Entry
LAN Acronym for “local area network.” A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.
Magnetic-Stripe Data See Track Data.
Malicious Software / Malware Software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.
Masking In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.
Merchant For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Merchant Code A four-digit number that numerically identifies each merchant account (store).
Merchant ID Any department that accepts credit cards, identified by a unique number that has been assigned by the Cashier’s Office.
MFA/2FA Multi-Factor Authentication / Two-Factor Authentication. A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
MO/TO Acronym for “Mail-Order/Telephone-Order.”
MSU NetID User name/login used to access electronic resources, web sites and email at Michigan State University.
Network Two or more computers connected together via physical or wireless means.
Network Administrator Personnel responsible for managing the network within an entity. Responsibilities typically include but are not limited to network security, installations, upgrades, maintenance and activity monitoring.
P2PE (Point-to-Point Encryption) is a security standard that requires credit card information to be encrypted instantly upon its initial swipe and then securely transferred directly to the payment processor before it can be decrypted and processed. 
PA-DSS Acronym for “Payment Application Data Security Standard.”
PAN Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
PA-QSA Acronym for “Payment Application Qualified Security Assessor.” PA-QSAs are qualified by PCI SSC to assess payment applications against the PA-DSS. Refer to the PA-DSS Program Guide and PA-QSA Qualification Requirements for details about requirements for PA-QSA Companies and Employees.
Password / Passphrase A string of characters that serve as an authenticator of the user.
Payment Application In the context of PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties. Refer to PA-DSS Program Guide for details.
Payment Cards For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
Payment Processor Sometimes referred to as “payment gateway” or “payment service provider (PSP)”.  Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand. See also Acquirer.
PCI Acronym for “Payment Card Industry.”
PCI DSS Acronym for “Payment Card Industry Data Security Standard.”
Pending Transaction A transaction that requires fulfillment but fulfillment has not yet occurred.
Personally Identifiable Information Information that can be utilized to identify or trace an individual’s identity including but not limited to name, address, social security number, biometric data, date of birth, etc.
PIN Acronym for “personal identification number.” Secret numeric password known only to the user and a system to authenticate the user to the system. The user is only granted access if the PIN the user provided matches the PIN in the system. Typical PINs are used for automated teller machines for cash advance transactions. Another type of PIN is one used in EMV chip cards where the PIN replaces the cardholder’s signature.
POI Acronym for “Point of Interaction,” the initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.
Policy Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.
POS Acronym for “point of sale.” Hardware and/or software used to process payment card transactions at merchant locations.
Privileged User Any user account with greater than basic access privileges. Typically, these accounts have elevated or increased privileges with more rights than a standard user account. However, the extent of privileges across different privileged accounts can vary greatly depending on the organization, job function or role, and the technology in use.
Processing Fee A fee charged by financial services providers to MSU for processing services.
PTS Acronym for “PIN Transaction Security,” PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals.
Public Network Network established and operated by a third party telecommunications provider for specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies. See also Private Network.
QSA Acronym for “Qualified Security Assessor.” QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments. Refer to the QSA Qualification Requirements for details about requirements for QSA Companies and Employees.
Recurring Payments See Auto-Payments.
Remote Access Access to computer networks from a location outside of that network. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN.
Risk Analysis / Risk Assessment Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.
ROC Acronym for “Report on Compliance.” Report documenting detailed results from an entity’s PCI DSS assessment.
Routing Number A nine-digit number (eight digits and one check digit) that uniquely identifies a financial institution. The routing number is printed on checks, deposit slips, etc. and is used to route all financial transactions (e.g., ACH Debits) to the appropriate bank.
SAD Acronym for “sensitive authentication data.” Security-related information (including, but not limited to, card validation codes/values (e.g., the three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data), full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. Sensitive authentication data must not be stored after authorization.
SAQ Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
Scoping Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.
Secure Sockets Layer (SSL) An encryption system that allows merchants to securely process electronic transactions to processors. An Internet protocol used to securely transmit confidential information, such as credit card numbers.
Security Officer Primary person responsible for an entity’s security-related matters.
Sensitive Area Any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Separation of Duties Practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.
Server Computer that provides a service to other computers, such as processing communications, file storage, or accessing a printing facility. Servers include, but are not limited to web, database, application, authentication, DNS, mail, proxy, and NTP.
Service Provider Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
Settlement See Fulfillment.
Spyware Type of malicious software that when installed, intercepts or takes partial control of the user’s computer without the user’s consent.
SSC Acronym for “Security Standards Council” (PCI SSC). The governing organization and open forum responsible for the development, management, education, and awareness of PCI Security Standards, including the Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
Storefront Allows you to create a web store for your customers to purchase items or make payments at the CASHNet web site.
SysAdmin Abbreviation for “system administrator.” Individual with elevated privileges who is responsible for managing a computer system or network.
Token In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN. See also Session Token.
Track Data Also referred to as “full track data” or “magnetic-stripe data.” Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic-stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe.
Transaction The action between a cardholder and a merchant that results in financial activity between the merchant and the cardholder's account.
Transaction Data Data related to electronic payment card transaction.
Trojan Also referred to as “Trojan horse.” A type of malicious software that when installed, allows a user to perform a normal function while the Trojan performs malicious functions to the computer system without the user’s knowledge.
Truncation Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc. See Masking for protection of PAN when displayed on screens, paper receipts, etc.
Void Cancelling of a transaction so that funds are never removed from a customer’s account.
VPN Acronym for “virtual private network.” A computer network in which some of the connections are virtual circuits within some larger network, such as the Internet, instead of direct connections by physical wires. The end points of the virtual network are said to be tunneled through the larger network when this is the case. While a common application consists of secure communications through the public Internet, a VPN may or may not have strong security features such as authentication or content encryption. A VPN may be used with a token, smart card, etc., to provide two-factor authentication.
Web Application An application that is generally accessed via a web browser or through web services. Web applications may be available via the Internet or a private, internal network.
Wireless Networks Network that connects computers without a physical connection to wires.
WLAN Acronym for “wireless local area network.” Local area network that links two or more computers or devices without wires.
WPA/WPA2 Acronym for “WiFi Protected Access.” Security protocol created to secure wireless networks. WPA is the successor to WEP. WPA2 was also released as the next generation of WPA.