A
Access Control: Mechanisms or policies that restrict access to data and resources to authorized users only. This includes both physical and logical controls.
Acquirer: A financial institution that processes credit or debit card payments on behalf of a merchant.
Advanced Encryption Standard (AES): A symmetric encryption algorithm established by the U.S. National Institute of Standards and Technology (NIST). AES is widely used to secure sensitive data.
Anti-Virus (AV): Software designed to detect, prevent, and remove malicious software (malware).
Attestation of Compliance (AOC): A document that is used to attest that the entity being assessed has met the requirements of the PCI DSS. The AOC summarizes the results of the PCI DSS assessment and is used by merchants, service providers, and other entities to demonstrate compliance to acquirers, payment brands, and other stakeholders.
Application Programming Interface (API): A set of rules and protocols for building and interacting with software applications.
Authentication: The process of verifying the identity of a user, device, or entity in a computer system.
B
Biometric Authentication: Security process that uses unique biological characteristics, such as fingerprints or facial recognition, to verify the identity of a user.
Breach: An incident where data is accessed, used, or disclosed without authorization, typically compromising confidentiality, integrity, or availability.
Business Continuity Planning (BCP): Strategies and procedures to ensure an organization's essential functions can continue during and after a disaster.
C
Cardholder Data (CHD): Information associated with a payment card. At a minimum it is the full primary account number (PAN); it may also include the cardholder name, expiration date, and service code when they appear together with the PAN.
Cardholder Data Environment (CDE): The people, processes, and system components that store, process, or transmit cardholder data or sensitive authentication data, together with any system component that is connected to, or could affect the security of, that environment.
Certificate Authority (CA): An entity that issues digital certificates used to verify the authenticity of public keys in a public key infrastructure (PKI).
Ciphertext: Data that has been encrypted and is unreadable without decryption.
Compensating Controls: Alternate security measures implemented to meet the intent of a requirement when an entity cannot meet the exact requirement as stated.
Compliance: Adherence to laws, regulations, guidelines, and specifications relevant to an organization.
Cryptographic Key: A string of bits used by a cryptographic algorithm to transform plain text into ciphertext or vice versa.
D
Data Encryption Standard (DES): A symmetric-key block cipher with a 56-bit effective key, formerly used for the encryption of digital data and now considered insecure because the key can be recovered by brute force.
Decryption: The process of converting ciphertext back into readable plaintext.
Demilitarized Zone (DMZ): A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually the internet.
Dual Control: A security measure requiring two or more people to complete a task, preventing a single person from having control.
E
Encryption: The process of converting data into a coded format to prevent unauthorized access.
End-to-End Encryption (E2EE): A method of secure communication that prevents third parties from accessing data while it is transferred from one end system to another.
Event Logging: Recording events that occur within an organization's systems and networks to monitor activities and detect security incidents.
Exploit: A method or technique used to take advantage of a vulnerability in a system.
F
Firewall: A network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Full Disk Encryption (FDE): Encryption of an entire storage volume, implemented in software (for example BitLocker or LUKS) or in the drive hardware, so that all data at rest on the device is protected. It protects a powered-off, lost, or stolen device; it does not protect data once the volume has been unlocked and mounted.
Fuzz Testing (Fuzzing): A software testing technique that involves providing invalid, unexpected, or random data inputs to a computer program.
G
General Data Protection Regulation (GDPR): A regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.
Geolocation: The identification of the real-world geographic location of an object, such as a mobile phone or computer.
Governance, Risk, and Compliance (GRC): A strategy for managing an organization's overall governance, risk management, and compliance with regulations.
H
Hash Function: A function that maps an input (or 'message') of any length to a fixed-size string of bytes, the digest. A cryptographic hash function is one-way (the input cannot be recovered from the digest) and collision resistant (it is infeasible to find two inputs with the same digest), which is what makes the digest usable as a fingerprint of the data.
Host Intrusion Detection System (HIDS): A system that monitors and analyzes the internals of a computing system to detect and respond to suspected security breaches.
I
Incident Response (IR): The organized approach and procedures for detecting, containing, eradicating, and recovering from a security breach or cyberattack, and for capturing lessons learned afterwards.
Information Security Policy: A set of rules and practices that specify how an organization manages, protects, and distributes sensitive information.
Intrusion Detection System (IDS): Software or hardware designed to detect unauthorized access to a network or system.
J
JavaScript Object Notation (JSON): A lightweight data-interchange format that is easy for humans to read and write and easy for machines to parse and generate.
K
Key Management: The process of managing cryptographic keys, including their generation, exchange, storage, use, and replacement.
Key Rotation: The practice of changing cryptographic keys regularly to reduce the risk of compromise.
L
Least Privilege: The principle of granting users, processes, and services only the access and permissions they need to perform their function, and only for as long as they need them.
Logging: The practice of recording events, such as user actions or system operations, typically for monitoring and troubleshooting.
M
Malware: Malicious software designed to harm, exploit, or otherwise compromise a computer system or network.
Multi-Factor Authentication (MFA): An authentication method that requires the user to provide two or more verification factors to gain access to a resource.
N
Network Segmentation: The practice of dividing a computer network into smaller segments to improve security and performance.
Non-repudiation: Assurance that someone cannot deny the validity of their signature or the sending of a message.
O
Open Web Application Security Project (OWASP): A nonprofit organization (renamed the Open Worldwide Application Security Project in 2023) focused on improving the security of software through community-led open-source projects such as the OWASP Top 10.
Operational Security (OPSEC): A risk management process designed to identify and protect critical information from being intercepted by adversaries.
P
PAN (Primary Account Number): The variable-length number (up to 19 digits, most commonly 16) on a payment card that identifies the issuer and the cardholder account. Also referred to as the card number. Its final digit is a Luhn check digit, which catches transcription errors but is not a security feature.
Penetration Testing: A simulated cyber attack against a computer system to check for exploitable vulnerabilities.
Personal Identification Number (PIN): A numeric password used in the process of authenticating a user.
Public Key Infrastructure (PKI): A set of roles, policies, and procedures to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
Q
Qualified Security Assessor (QSA): A person or entity qualified by the PCI Security Standards Council to assess compliance with PCI DSS.
R
Risk Assessment: The process of identifying, evaluating, and estimating the levels of risk involved in a situation, followed by coordinating efforts to minimize, monitor, and control the probability or impact of unfortunate events.
Role-Based Access Control (RBAC): An approach to restricting system access to authorized users based on their role within an organization.
S
Scope: The boundaries within which the PCI DSS requirements apply to an organization.
Secure Sockets Layer (SSL): An older standard security technology for establishing an encrypted link between a server and a client. All versions of SSL are deprecated in favor of TLS; the term "SSL" is still used loosely to mean TLS.
Security Information and Event Management (SIEM): Software products and services combining security information management (SIM) and security event management (SEM), which collect, normalize, correlate, and alert on log and event data from across the environment.
Segmentation: See Network Segmentation. In PCI DSS, segmentation is also the means of isolating the CDE so that out-of-scope systems cannot reach it, which reduces the scope of the assessment.
T
Tokenization: The process of substituting a sensitive data element (for example a PAN) with a non-sensitive equivalent (token) that has no extrinsic or exploitable meaning or value. The mapping from token back to the original value is held in a protected token vault, which is what allows downstream systems that store only tokens to be kept out of the CDE.
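The following Python is an added example (not from this glossary or any product) that ties together the PAN and Tokenization entries: a Luhn check on a card number, PCI-style display masking, and a vault-based tokenizer. Assumptions are labelled in the code: the mask keeps the first 6 and last 4 digits (PCI DSS v4 permits up to the first 8), and the token is this example's own design, a random same-length digit string that preserves the last 4 but is deliberately not Luhn-valid, so a leaked token cannot be mistaken for a real card number. The card numbers used are public test numbers.

```python
import secrets

TOKEN_ALPHABET = "0123456789"


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: from the right, double every second digit,
    subtract 9 from any result above 9, and require the sum to be a multiple
    of 10. Catches typos and transposition; it says nothing about fraud."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Display masking (assumed policy: first 6 + last 4). Everything in
    between is replaced with '*', so a receipt or support screen never
    shows the full PAN."""
    if len(pan) <= lead + trail:
        raise ValueError("PAN too short to mask safely")
    return pan[:lead] + "*" * (len(pan) - lead - trail) + pan[-trail:]


class TokenVault:
    """Vault-based tokenization (assumed design, not a specific product).
    The PAN-to-token map lives only here, inside the CDE; everything outside
    sees only tokens. Same PAN -> same token, so tokens can still be used as
    a customer key for recurring billing or analytics."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize an invalid PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random body from a CSPRNG, keep the last 4 for display/lookup,
            # and reject any candidate that happens to pass Luhn or collide.
            body = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only a tightly controlled service inside the CDE should call this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    # Public test card numbers (constructed input, not real accounts).
    vault = TokenVault()
    for pan in ("4111111111111111", "5555555555554444"):
        tok = vault.tokenize(pan)
        print(mask_pan(pan), tok, luhn_valid(tok), vault.detokenize(tok) == pan)
```

The token fails the Luhn check on purpose: if a database of tokens leaks, nothing in it will validate as a card number, and a fraud system or DLP scanner that uses Luhn as a first-pass PAN detector will not raise a false alarm on it.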
Transport Layer Security (TLS): A protocol that provides privacy and data integrity between two communicating applications.
Two-Factor Authentication (2FA): Multi-Factor Authentication using exactly two factors, typically something the user knows (a password or PIN) plus something the user has (a hardware token, phone, or authenticator app). See Multi-Factor Authentication (MFA).
U
Unified Threat Management (UTM): A single security solution that provides multiple security functions, such as firewall, antivirus, and intrusion detection.
User Behavior Analytics (UBA): A cybersecurity process for detecting insider threats, targeted attacks, and financial fraud by building a baseline of normal user activity, often with machine learning, and flagging deviations from that baseline as potential threats.
V
Virtual Private Network (VPN): An encrypted tunnel that carries traffic between a client and a remote network across an untrusted network such as the internet, so that the traffic is protected in transit and appears to originate from the VPN endpoint. A VPN protects data on the path; it does not protect a compromised endpoint or traffic beyond the far end of the tunnel.
Vulnerability: A weakness in a system or its design that could be exploited to violate the system’s security policy.
W
Web Application Firewall (WAF): A firewall operating at the application layer that inspects HTTP(S) requests and responses to and from a web application and blocks those matching attack patterns such as SQL injection or cross-site scripting. A WAF complements secure coding; it does not replace fixing the underlying vulnerability.
Whitelisting: The practice of allowing only pre-approved applications, IP addresses, or email addresses to access a system or network.
X
XML (eXtensible Markup Language): A markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
Y
YubiKey: A hardware authentication device that provides one-time passwords (OTP), public-key operations (for example PIV and OpenPGP), and FIDO authentication (Universal 2nd Factor, U2F, and its successor FIDO2/WebAuthn).
Z
Zero-Day Exploit: An exploit for a vulnerability that is unknown to the software vendor and has no patch available.
Zero Trust Architecture: A security model that assumes threats can be both external and internal, so no user, device, or system is trusted by virtue of its network location. Every request is authenticated, authorized, and evaluated against policy, and access is granted per request with least privilege.