PCI DSS Glossary of Terms
The Payment Card Industry Data Security Standard (PCI DSS) is full of terminology and language that can often be confusing to the reader. We have therefore put together a short and simple glossary of terms, with relevant links, to help you uncover the meaning of various aspects of PCI language:
7Seec
– software written by 7Safe to search for cardholder data and sensitive card authentication data which is designed to assist in achieving and maintaining PCI compliance.
Acquirer
– refers to a banking or financial institution that initiates and maintains relationships with merchants for the acceptance of payment cards.
Application Penetration Testing
– refers to the security testing (hacking) of applications and manipulating them to assess whether security flaws may exist that may give unauthorised access to resources, data etc. For further information please see penetration-testing.7safe.com/web-application-security.
ASV (Approved Scanning Vendor)
– is a vulnerability assessment provider who provides automated software tools for scanning for vulnerabilities. Such ASV providers undergo regular assessments and regulation by the PCI SSC for the provision of technical security assessments.
Card Scheme
– refers to one of the five major credit card brands, all of which make up the core of the PCI SSC. These brands are: VISA Inc, Mastercard Worldwide, American Express, JCB International and Discover Financial Services.
End-to-end Encryption
– refers to the concept of overall encryption between a client (customer) and the merchant / payment service provider they are transacting with. It is often misinterpreted, as there are often scenarios where true end-to-end encryption does not take place: instead, various point-to-point encrypted tunnels are established, and in theory, if an application at one of those interim termination points were vulnerable, the overall encryption could be broken there.
Gap
– a gap analysis is an exercise to establish the “gap” or distance between an organisation’s current payment card environment and the requirements set out in the PCI DSS. The gap essentially gives an indication of how much work is needed to become PCI compliant.
Man In The Middle (MITM)
– commonly refers to an attack (in this context against payment card data) on a payment transaction whereby the hacker / fraudster intercepts sensitive payment data between a customer and the payment application. Very often the customer would be unaware that his/her communications were being intercepted, hence the need for regular penetration testing and application security testing.
Merchant
– an entity that trades goods and services and receives payment by means of credit or debit card.
PCI Compliant
– refers to an organisation that has become compliant with the PCI DSS and has demonstrated this either through a Self-Assessment Questionnaire or through formal validation (audit) by a QSA firm.
PCI DSS
– Payment Card Industry Data Security Standard: a document consisting of 12 requirements and various principles, all designed to provide a framework to protect payment card data and systems.
PCI SSC
– Payment Card Industry Security Standards Council; the global governing body for payment card security standards. The PCI Security Standards Council is responsible for the development, management, education and awareness of the PCI Security Standards. These comprise the Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) Requirements.
Penetration Testing
– refers to a technical security audit undertaken by ethical hackers who assess infrastructure, networks and applications for security flaws. Please see penetration-testing.7safe.com for further details.
Primary Account Number (PAN)
– is essentially a payment card number (16 to 19 digits) which is generated according to the Luhn algorithm, so the final digit acts as a check digit for the rest of the number.
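The 7Seec entry above describes searching for cardholder data, and the PAN entry describes numbers generated according to the Luhn algorithm. The following is an added example, not 7Seec or any 7Safe code, showing how a cardholder-data discovery check typically combines the two: it pulls 16 to 19 digit candidates out of text, discards those that fail the Luhn check (which removes many order numbers and other numeric fields that merely look like PANs), and masks the survivors for reporting. The sample text, the regular expression and the function names are all constructed for this example; the card numbers in it are well-known synthetic test numbers, not real cards.

```python
import re

# Constructed sample input: synthetic test card numbers, not real cardholder data.
# Line 1002 has a deliberately wrong last digit; line 1003 is a 16-digit
# reference number that is not a PAN.
SAMPLE_TEXT = """
order=1001 card=4111111111111111 exp=12/26
order=1002 card=4111 1111 1111 1112 exp=01/27
order=1003 ref=1234567890123456
order=1004 card=3530111333300000
"""

# Runs of 16-19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single check digit that makes `partial` + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("no Luhn check digit found (input must be all digits)")


def mask_pan(pan: str) -> str:
    """Mask a PAN for reporting, keeping only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid 16-19 digit numbers found in `text`, separators removed."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 16 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_TEXT):
        print("possible PAN found:", mask_pan(pan))
```

Run as a script it reports two masked hits (the 1001 and 1004 lines); the mistyped number on line 1002 and the reference number on line 1003 are rejected by the Luhn check. A real discovery tool would add brand prefix ranges and context rules on top of this to cut false positives further, but the Luhn filter alone removes the bulk of them.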
Qualified Security Assessor (QSA)
– is an information security and PCI expert who works for a QSA firm and who has been certified by the PCI SSC as fit and proper to validate whether a company / environment is PCI compliant. A QSA consultant must belong to a registered and authorised firm such as 7Safe (please see pci-dss.7safe.com).
Remediation
– is an activity designed to close the gap between the current practice and environment where cardholder data is stored, processed or transmitted and the requirements of the PCI DSS. Such activity is generally also governed by project management and change control processes and often involves people, process and technology change.
Report on Compliance (ROC)
– the Report on Compliance is a report that shows that an environment has been validated by a QSA in accordance with the PCI DSS. The validation assessment may result in a Report on Compliance opinion of Compliant or Not Compliant, depending on the evidence provided by the merchant or service provider to the QSA to support its compliance assertions. The report cites evidence against each of the 12 PCI DSS requirements, demonstrating how compliance has been achieved. For more information on PCI compliance, please see pci-dss.7safe.com/PCI-compliance/
Scope
– is a piece of work undertaken by an entity that stores, processes or transmits cardholder data and that is validated by a QSA as part of a PCI compliance programme. The scope is a definition of the cardholder data environment against which the PCI DSS must be applied.
Service Provider
– an entity that stores, processes or transmits cardholder data on behalf of merchants. Examples of service providers include hosting and payment services for merchants. Such providers do not have direct contractual relationships with acquiring institutions, other than for their own merchant activities, but nonetheless still fall into scope for the PCI DSS where they store, process or transmit payment card data on behalf of merchants. It is the merchant's responsibility to ensure that the service providers it uses operate in a way that is compliant with the PCI DSS.
Validation / Audit
– refers to the final stage of PCI compliance whereby a Qualified Security Assessor (QSA) will validate and attest the compliance status of the environment under assessment for compliance with the PCI DSS.
Vulnerability Assessment
– is a technical security audit that uses automated tools to test for security flaws, misconfigurations and weaknesses in infrastructure and (to a relatively limited extent) applications. An example of a well-known vulnerability assessment tool is Nessus, co-authored by Jordan Hrycaj, who now works for 7Safe (please see penetration-testing.7safe.com/key-people).