WithPCI.com

Appendix G: PCI DSS Glossary of Terms, Abbreviations, and Acronyms

Term Definition
Account Also referred to as “user ID,” “account ID,” or “application ID.” Used to identify an individual or process on a computer system. See Authentication Credentials and Authentication Factor.
Account Data Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.
Acquirer Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See Payment Processor.
Administrative Access Elevated or increased privileges granted to an account for that account to manage systems, networks, and/or applications.

Administrative access can be assigned to an individual’s account or a built-in system account. Accounts with administrative access are often referred to as “superuser,” “root,” “administrator,” “admin,” “sysadmin,” or “supervisor-state,” depending on the particular operating system and organizational structure.
AES Acronym for “Advanced Encryption Standard.” See Strong Cryptography.
ANSI Acronym for “American National Standards Institute.”
Anti-Malware Software that is designed to detect and remove, block, or contain various forms of malicious software.
AOC Acronym for “Attestation of Compliance.” The AOC is the official PCI SSC form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
Application Includes all purchased, custom, and bespoke software programs or groups of programs, including both internal and external (for example, web) applications.
Application and System Accounts Also referred to as “service accounts.” Accounts that execute processes or perform tasks on a computer system or in an application. These accounts usually have elevated privileges that are required to perform specialized tasks or functions and are not typically accounts used by an individual.
ASV Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
Audit Log Also referred to as “audit trail.” Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
Authentication Process of verifying identity of an individual, device, or process. Authentication typically occurs with one or more authentication factors. See Account, Authentication Credential, and Authentication Factor.
Authentication Credential Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process. See Account and Authentication Factor.
Authentication Factor The element used to prove or verify the identity of an individual or process on a computer system. Authentication typically occurs with one or more of the following authentication factors:
• Something you know, such as a password or passphrase,
• Something you have, such as a token device or smart card,
• Something you are, such as a biometric element.

The ID (or account) and authentication factor together are considered authentication credentials. See Account and Authentication Credential.
Authorization In the context of access control, authorization is the granting of access or other rights to a user, program, or process. Authorization defines what an individual or program can do after successful authentication.

In the context of a payment card transaction, authorization refers to the authorization process, which completes when a merchant receives a transaction response (for example, an approval or decline).
BAU Acronym for “Business as Usual.”
Bespoke and Custom Software Bespoke software is developed for the entity by a third party on the entity’s behalf and per the entity’s specifications.
Custom software is developed by the entity for its own use.
Card Skimmer A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
Card Verification Code Also referred to as Card Validation Code or Value, or Card Security Code. For PCI DSS purposes, it is the three- or four-digit value printed on the front or back of a payment card. May be referred to as CAV2, CVC2, CVN2, CVV2, or CID according to the individual Participating Payment Brands. For more information, contact the Participating Payment Brands.
Cardholder Customer to which a payment card is issued, or any individual authorized to use the payment card. See Visitor.
Cardholder Data (CHD) At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
See Sensitive Authentication Data for additional data elements that might be transmitted or processed (but not stored) as part of a payment transaction.
CDE Acronym for “Cardholder Data Environment.” The CDE is comprised of:
• The system components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data, and,
• System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.
CERT Acronym for “Computer Emergency Response Team.”
Change Control Processes and procedures to review, test, and approve changes to systems and software for impact before implementation.
CIS Acronym for “Center for Internet Security.”
Cleartext Data Unencrypted data.
Column-Level Database Encryption Technique or technology (either software or hardware) for encrypting contents of a specific column in a database versus the full contents of the entire database. Alternatively, see Disk Encryption and File-Level Encryption.
Commercial Off-the-Shelf (COTS) Description of products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.
Compensating Controls See PCI DSS Appendices B and C.
Compromise Also referred to as “data compromise” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
Console Directly connected screen and/or keyboard which permits access and control of a server, mainframe computer, or other system type. See Non-Console Access.
Consumer Individual cardholder purchasing goods, services, or both.
Critical systems A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained. Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data.
Cryptographic Algorithm Also referred to as “encryption algorithm.” A clearly specified reversible mathematical process used for transforming cleartext data to encrypted data, and vice versa. See Strong Cryptography.
Cryptographic Key A parameter used in conjunction with a cryptographic algorithm that is used for operations such as:
• Transforming cleartext data into ciphertext data,
• Transforming ciphertext data into cleartext data,
• A digital signature computed from data,
• Verifying a digital signature computed from data,
• An authentication code computed from data, or
• An exchange agreement of a shared secret.
See Strong Cryptography.
Cryptographic Key Generation Key generation is one of the functions within key management. The following documents provide recognized guidance on proper key generation:
NIST Special Publication 800-133: Recommendation for Cryptographic Key Generation
ISO 11568-2 Financial services — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle
    – 4.3 Key generation
ISO 11568-4 Financial services — Key management (retail) — Part 4: Asymmetric cryptosystems — Key management and life cycle
    – 6.2 Key life cycle stages — Generation
European Payments Council EPC 342-08 Guidelines on Algorithms Usage and Key Management
    – 4.1.1 Key generation [for symmetric algorithms]
    – 4.2.1 Key generation [for asymmetric algorithms].
Cryptographic Key Management The set of processes and mechanisms which support cryptographic key establishment and maintenance, including replacing older keys with new keys as necessary.
Cryptoperiod The time span during which a cryptographic key can be used for its defined purpose. Often defined in terms of the period for which the key is active and/or the amount of ciphertext that has been produced by the key, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).
Customized Approach See PCI DSS section: 8 Approaches for Implementing and Validating PCI DSS.
CVSS Acronym for “Common Vulnerability Scoring System.” Refer to ASV Program Guide for more information.
Data-Flow Diagram A diagram showing how and where data flows through an entity’s applications, systems, networks, and to/from external parties.
Default Account Login account predefined in a system, application, or device to permit initial access when system is first put into service. Additional default accounts may also be generated by the system as part of the installation process.
Default Password Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with default account. Default accounts and passwords are published and well known, and therefore easily guessed.
Defined Approach See PCI DSS section: 8 Approaches for Implementing and Validating PCI DSS.
Disk Encryption Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.
DMZ Abbreviation for “demilitarized zone.” Physical or logical sub-network that provides an additional layer of security to an organization’s internal private network.
DNS Acronym for “Domain Name System.”
Dual Control Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. See Split Knowledge.
ECC Acronym for “Elliptic Curve Cryptography.” See Strong Cryptography.
E-commerce (web) Redirection Server A server that redirects a customer browser from a merchant’s website to a different location for payment processing during an e-commerce transaction.
Encryption The (reversible) transformation of data by a cryptographic algorithm to produce cipher text, i.e., to hide the information content of the data. See Strong Cryptography.
Encryption Algorithm See Cryptographic Algorithm.
Entity In the context of a PCI DSS assessment, a term used to represent the corporation, organization, or business which is undergoing an assessment.
File Integrity Monitoring (FIM) A change-detection solution that checks for changes, additions, and deletions to critical files, and notifies when such changes are detected.
File-Level Encryption Technique or technology (either software or hardware) for encrypting the full contents of specific files. Alternatively, see Disk Encryption and Column-Level Database Encryption.
Firewall Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
Forensics Also referred to as “computer forensics.” As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.
Investigations into compromises of payment data are typically conducted by a PCI Forensic Investigator (PFI).
FTP Acronym for “File Transfer Protocol.” Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in cleartext. FTP can be implemented securely via SSH or other technology.
Hashing A method to protect data that converts data into a fixed-length message digest. Hashing is a one-way (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a “hash code” or “message digest”). Hash functions are required to have the following properties:
• It is computationally infeasible to determine the original input given only the hash code,
• It is computationally infeasible to find two inputs that give the same hash code.
HSM Acronym for “hardware security module” or “host security module.” A physically and logically protected hardware device that provides a secure set of cryptographic services, used for cryptographic key-management functions and/or the decryption of account data.
IDS Acronym for “intrusion-detection system.”
Legal Exception A legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement. Contractual obligations or legal advice are not legal restrictions.

See the following PCI DSS v4.x documents for information on reporting legal exceptions:
• The Report on Compliance (ROC) Template and related Attestations of Compliance.
• The Self-Assessment Questionnaires (SAQs) and related Attestations of Compliance.

Note: Where an entity operates in multiple locations, a legal exception may only be claimed for the locations governed by the law, regulation, or regulatory requirement, and may not be claimed for locations in which such law, regulation, or regulatory requirement is inapplicable.
Log See Audit Log.
Logical Access Control Mechanisms that limit the availability of information or information-processing resources only to authorized persons or applications. See Physical Access Control.
MAC In cryptography, an acronym for "message authentication code." See Strong Cryptography.
Magnetic-Stripe Data See Track Data.
Masking Method of concealing a segment of PAN when displayed or printed. Masking is used when there is no business need to view the entire PAN. Masking relates to protection of PAN when displayed on screens, paper receipts, printouts, etc.
See Truncation for protection of PAN when electronically stored, processed, or transmitted.
Media Physical material, including but not limited to, electronic storage devices, removable electronic media, and paper reports.
Merchant For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any PCI SSC Participating Payment Brand as payment for goods and/or services.

A merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
MO/TO Acronym for "Mail-Order/Telephone-Order."
Multi-Factor Authentication Method of authenticating a user whereby at least two factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN), or something the user is or does (such as fingerprints and other biometric elements).
Index Token A random value from a table of random values that corresponds to a given PAN.
Interactive Login The process of an individual providing authentication credentials to directly log into an application or system account. Using interactive login means there is no accountability or traceability of actions taken by that individual.
IPS Acronym for "intrusion prevention system."
ISO Acronym for "International Organization for Standardization."
Issuer Also referred to as "issuing bank" or "issuing financial institution." Entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors.
Issuing services Examples of issuing services include but are not limited to authorization and card personalization.
Keyed Cryptographic Hash A hashing function that incorporates a randomly generated secret key to provide brute force attack resistance and secret authentication integrity.

Appropriate keyed cryptographic hashing algorithms include but are not limited to: HMAC, CMAC, and GMAC, with an effective cryptographic strength of at least 128-bits (NIST SP 800-131Ar2).

Refer to the following for more information about HMAC, CMAC, and GMAC, respectively: NIST SP 800-107r1, NIST SP 800-38B, and NIST SP 800-38D.

See NIST SP 800-107 (Revision 1): Recommendation for Applications Using Approved Hash Algorithms §5.3.
Key Custodian A role where a person(s) is entrusted with, and responsible for, performing key management duties involving secret and/or private keys, key shares, or key components on behalf of an entity.
Key Management System A combination of hardware and software that provides an integrated approach for generating, distributing, and/or managing cryptographic keys for devices and applications.
LAN Acronym for "local area network."
LDAP Acronym for "Lightweight Directory Access Protocol."
Least Privileges The minimum level of privileges necessary to perform the roles and responsibilities of the job function.
Local User A user who accesses systems, networks, and/or applications from within an entity's network. For example, local users are on the same network as the system they are accessing, or access a local network via a VPN or other remote networking technology that is administered by the entity.
Log Harvesting Also referred to as "log parsing." Function as part of log review to identify and extract specified entries or activity based on pre-defined criteria.
Log Monitoring or Review Also referred to as "log analysis." Function to examine log entries and log files to identify events that may impact security.
Mail-Order/Telephone-Order (MO/TO) A purchase transaction initiated by mail or telephone. See MO/TO.
Main Office See Primary Office.
Malicious Software/Malware Software designed to infiltrate or damage a computer system without the owner's knowledge or consent. Examples include but are not limited to viruses, worms, Trojans, adware, ransomware, spyware, keyloggers, and rootkits.
Memory Scraping A type of malware that captures data while it is temporarily stored in memory (RAM). Memory scraping malware is particularly effective against unencrypted data, and has been used to capture encrypted data in cleartext when that data is presented in memory.
Message Authentication A process to verify a message's origin and that its contents have not been altered in transit.
Message Authentication Code (MAC) A code used to confirm the integrity of a message – i.e., that data has not been altered in memory or transit.
MOC Acronym for "model of compliance."
Money-Transfer Value Card A payment card that contains stored-value funds used to transfer money between individuals and/or companies. Also referred to as a "remittance card" or "payroll card."
MPLS Acronym for "multiprotocol label switching."
MSP Acronym for "managed service provider."
Must In PCI DSS, "must" indicates a requirement. Failure to meet a requirement will impact an entity's ability to achieve PCI DSS compliance.
See also Should.
NAC Acronym for "network access control."
NAS Acronym for "network-attached storage."
NAT Acronym for "network address translation."
Network Two or more computers connected together via physical or wireless means.
Network Administrator Personnel responsible for managing the network within an entity. Duties include but are not limited to network security, installations, upgrades, maintenance and performance.
Network Components Include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Network Time Protocol (NTP) Protocol for synchronizing system clocks among network resources. Version 3 of NTP includes authentication and encryption.
Network Segmentation Also referred to as "segmentation" or "isolation." Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not.

Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. See the PCI DSS Scoping Toolkit for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement.
Network Security Scan Process by which an entity's systems are remotely checked for known vulnerabilities.
NIDS/NIPS Acronym for "network intrusion detection/prevention system." See also IDS and IPS.
NIST Acronym for "National Institute of Standards and Technology." Non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. The role of NIST is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.
Non-Console Access Logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within a local / internal network as well as access from external, or remote, networks.

See Console Access.
Non-Consumer Entity A consumer entity acting as a customer of a merchant—for example, a business or commercial entity, a government agency, a non-profit organization, a trade association, or a professional association—that maintains an ongoing relationship with a merchant and uses payment card(s) to pay for goods or services.
NTP See Network Time Protocol.
Observer/Observer Entity A third party requested by a participating payment brand to ensure the entity is complying with PCI DSS requirements.
Offline PIN An encrypted PIN block that is encrypted using public key cryptography and is stored within the chip on a chip payment card or sent to the issuer host systems in payment messages, to be decrypted and checked later by the issuer host.
Online PIN A PIN that is encrypted using symmetric cryptography and sent online to the issuer host systems with the authorization request for checking in real-time.
Operating System Software that controls the allocation and usage of hardware resources such as memory, CPU time, disk space, and peripheral devices. Examples of operating systems include Microsoft Windows, Apple macOS, Linux, Unix, AIX, etc.
OWASP Acronym for "Open Web Application Security Project." A non-profit organization focused on improving the security of software. See www.owasp.org.
PA-DSS Acronym for "Payment Application Data Security Standard." The PA-DSS has been replaced by the PCI Secure Software Standard and the Secure SLC Standard as part of the PCI Software Security Framework. For more information, see PCI Software Security Framework.
PAM Acronym for "privileged access management."
PAN Acronym for "primary account number" and also referred to as "account number." Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

For the purposes of PCI DSS, a PAN is a numerical value that identifies a payment card account and is validated using the Luhn algorithm. A PAN does not include BIN-only information, an internal identifier used for non-card payment methods, or a payment token.

PANs are also known as "payment card numbers."
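The PAN entry states that a PAN is validated using the Luhn algorithm, and the Masking entry describes concealing part of the PAN when it is displayed. The following is an added example, not part of the glossary or any PCI SSC material, that implements the Luhn check, uses it to locate PAN-like values in a constructed text sample (the kind of check a data-discovery or log-review tool performs when confirming whether PAN is being stored or logged somewhere it should not be), and masks a PAN for display. The display policy of showing only the last four digits, the 13 to 19 digit length range, and the sample text are assumptions of this example; the entity's own policy decides how many leading digits, if any, may be shown.

```python
import re

# Constructed sample text: one value passes Luhn, the other 16-digit run does not,
# and the shorter numbers are outside the assumed PAN length range.
SAMPLE_TEXT = (
    "2024-01-01 order 20240101 ref 1234567812345678 "
    "card 4111111111111111 amount 1999"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.
    Starting from the rightmost (check) digit, every second digit is doubled
    and digits above 9 have 9 subtracted; the total must be divisible by 10."""
    if not digits.isdigit():
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan_candidate(digits: str) -> bool:
    """Assumed PAN shape for this example: 13 to 19 digits that pass Luhn.
    A Luhn match alone is not proof of a PAN, but it filters out most noise."""
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pan_candidates(text: str) -> list[str]:
    """Scan free text (a log line, a file) for digit runs that look like PANs."""
    return [run for run in re.findall(r"\b\d{13,19}\b", text) if is_pan_candidate(run)]


def mask_pan(pan: str, show_last: int = 4, mask_char: str = "*") -> str:
    """Mask a PAN for display, keeping only the trailing digits the display
    policy allows (assumed here: the last four)."""
    if not is_pan_candidate(pan):
        raise ValueError("not a PAN-shaped value")
    keep = pan[-show_last:] if show_last > 0 else ""
    return mask_char * (len(pan) - len(keep)) + keep


if __name__ == "__main__":
    for found in find_pan_candidates(SAMPLE_TEXT):
        print(f"possible PAN found, displayed masked: {mask_pan(found)}")
```

Note the distinction the glossary draws: masking protects the PAN on screens and printouts, while truncation (permanently removing a segment) is what protects it when stored. A masked string built from a full PAN held in memory is still a full PAN in memory.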
Parameterized Queries Method to prevent SQL injection by inserting a parameter instead of a literal value in the SQL query. This will not break the intent of the query, and when implemented correctly, reduces risk of SQL Injection. When using parameterized queries, control of user input is maintained and validated by properly escaping or filtering special characters preventing manipulation of SQL queries by attackers.
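To make the Parameterized Queries entry concrete, the following added example (not part of the glossary or any PCI SSC material) builds a small in-memory SQLite table and queries it twice: once by pasting the input into the SQL text, and once by binding it as a parameter. The table contents and the input values are constructed for the example. The string-built version lets a value containing a quote character change the meaning of the query, while the parameterized version treats the same value purely as data and matches nothing.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, region TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, region) VALUES (?, ?)",
        [("Alpha Foods", "EU"), ("Beta Books", "US"), ("Gamma Gear", "EU")],
    )
    return conn


def find_by_region_vulnerable(conn: sqlite3.Connection, region: str) -> list[str]:
    """Builds the SQL text from the input. A quote character in the input
    ends the literal early, so the rest of the input becomes SQL."""
    sql = f"SELECT name FROM merchants WHERE region = '{region}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_region_parameterized(conn: sqlite3.Connection, region: str) -> list[str]:
    """Binds the input as a parameter. The SQL text is fixed; the driver passes
    the value separately, so it can only ever be compared as a value."""
    sql = "SELECT name FROM merchants WHERE region = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (region,))]


if __name__ == "__main__":
    db = build_db()
    normal = "EU"
    hostile = "US' OR '1'='1"  # constructed input containing a quote
    print("vulnerable, normal input:   ", find_by_region_vulnerable(db, normal))
    print("vulnerable, hostile input:  ", find_by_region_vulnerable(db, hostile))
    print("parameterized, hostile input:", find_by_region_parameterized(db, hostile))
```

When reviewing code against this glossary entry, the thing to look for is whether any user-controlled value reaches the SQL text through string formatting or concatenation; escaping helps only when it is applied consistently, whereas parameter binding removes the problem by construction.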
Password/Passphrase A string of characters that authenticate an account to a computer system.
A password is generally short (up to 14 characters) and can be as simple as four digits. A passphrase is typically longer (15-30 characters or more). The terms password and passphrase are interchangeable in the PCI DSS. See Strong Authentication and Strong Passwords/Passphrases.
Payment Application Any application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, licensed or traded for use on a system.
Payment Brand For the purposes of the PCI DSS, the payment brand is the payment card company that licenses participants into their payment programs.
Payment Card For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.
Payment Card Data See Account Data, Cardholder Data, and Sensitive Authentication Data.
Payment Gateway Entity that provides a service to a merchant for the purpose of authorizing and/or routing card transactions between the merchant and the merchant's financial institution. Payment gateways are considered service providers.

See Service Provider for more information.
Payment Processor Entity engaged by the acquirer, issuer, or merchant to handle payment card transactions on their behalf. Also called an acquiring processor or issuing processor.

Payment processors are considered service providers. See Service Provider for more information.
Payment System Components Components that store, process, or transmit cardholder data as part of authorization and settlement of payment card transactions, where the components are sold, distributed, licensed, or traded, for use on a system.

For example, payment terminals, point-of-sale (POS) systems and other payment devices, and system software, that store, process, or transmit cardholder data as part of payment card authorization or settlement, where devices and software are sold, distributed, licensed, or traded, for use on a system.
PCI Acronym for "Payment Card Industry."
PCI DSS Acronym for "Payment Card Industry Data Security Standard."
PCI SPoC Standard Acronym for "PCI Software-based PIN Entry on COTS Standard." The PCI SPoC Program incorporates many processes, security requirements, test requirements, and vendor release agreements to support software-based PIN entry on commercial off-the-shelf (COTS) mobile and tablet devices and card readers.
PCI-Recognized Lab An organization that PCI SSC has recognized as having demonstrated that they possess the expertise, processes, facilities, and quality assurance to perform security testing of payment security products and solutions in accordance with PCI SSC technical and operational requirements.

Each such lab must be qualified by PCI SSC to perform specific types of payment security testing. See Payment Card Industry (PCI) Security Standards Council® - List of Labs for more information.
PCI SSC Acronym for "PCI Security Standards Council."
PCI SSF Acronym for "PCI Software Security Framework."
PED Acronym for "PIN entry device."
Penetration Test Penetration tests attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and inside the environment.
Personnel Full-time and part-time employees, temporary employees, contractors, and consultants who are "resident" on the entity's facilities or otherwise have access to the cardholder data environment.
Phone-line Tampering Devices connected to telephone lines to gain access to the merchant's telephone lines for interception or to record voice or data communications.
Physical Access Control Mechanisms that limit physical entry to facilities.

Examples include but are not limited to:
• Employee badges that require swiping or display to enter a building,
• Physical locks, keys, card key, combination lock systems,
• Access control list (approved/restricted personnel).
Physical Security Controls to protect people, property, and facilities from damage, unauthorized access, and/or harm.
PIN Acronym for "personal identification number." Secret numeric password known only to the user and a system to authenticate the user to the system.
PIN Block A block of data used to encapsulate a PIN during processing. The PIN block format defines the content of the PIN block and how it is processed to retrieve the PIN. The PIN block is composed of the PIN, the PIN length, and may contain substring of the PAN.
POI Acronym for "point of interaction." The initial point where cardholder data enters the merchant's or entity's payment environment.
Point of Sale Hardware and/or software used to process payment card transactions at merchant locations.
Policies Organization-wide rules governing acceptable and secure use of organizational resources, security practices, and guiding development of operational procedures.
POS Acronym for "point of sale." See Point of Sale.
POS Capture The process of collecting payment card data at the point of sale to initiate payment card transactions. For example, POS capture includes using devices that read card magnetic stripe, EMV chip data, or contactless data to obtain card data directly from the card, and processes that enable manual entry or capture of card data via a terminal keypad.
POS Entry Mode A value used to indicate how a POS device captured payment card data for a transaction.
Practices Activities performed to accomplish a task, goal, or requirement.
Primary Account Number See PAN.
Primary Office Also referred to as "main office." The primary location of an entity's operations. This location determines which geographic region's privacy and data protection laws are applicable.
Private Key A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and is not made public.
Private Network Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of a firewall, etc.
Privileged Access See Administrative Access.
Procedure A series of administrative or technical steps to be followed to accomplish a task or requirement.
Process A series of structured activities designed to accomplish a specific objective. A process consists of one or more procedures and the tools, equipment, materials, and personnel required to execute each procedure.
Protocol Agreed-upon method of communication used within networks. Specification describing rules and procedures that computer products should follow to perform activities on a network.
Public Key A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and that may be made public.
Public Key Infrastructure (PKI) A framework of different entities working together to enable the use of public key cryptography to verify identities and to perform other security services.
QSA Acronym for "Qualified Security Assessor." Individual who is certified by PCI SSC to perform PCI DSS assessments.
RACE Acronym for "Recognize, Analyze, Contain, and Eradicate." RACE is a framework to help organizations respond to security incidents in a structured manner.

Recognize - Detect and identify potential security incidents.
Analyze - Assess the situation and determine impact.
Contain - Limit damage and prevent further impact.
Eradicate - Remove threats and vulnerabilities.
RADIUS Acronym for "Remote Authentication and Dial-in User Service." Authentication and accounting system.
RAID Acronym for "redundant array of independent disks." A data storage scheme using multiple hard drives to share or replicate data among the drives.
RAM Acronym for "random access memory."
Reachable Network Any network that can be accessed from within the cardholder data environment:
• If a system component inside the CDE can connect to a network, the network is reachable from the system component,
• If a system component in a network can connect to another network, the second network is reachable from the first network.
Remote Access Access to computer networks from a location outside of that network. Remote access connections can originate either from inside the entity's network(s) to access entity or third-party systems, or from external locations to access the entity's network(s).
Remote Laboratory An additional secured facility (internal or external to the entity) that is separate from the entity's primary facility, with equipment used for performing testing of payment software or solutions.
Removable Electronic Media Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include but are not limited to CD-ROM, DVD-ROM, USB flash drives, external hard drives, and media cards (for example, CF, SD).