A financial institution that provides services for merchants who accept payment cards.


Visa, MasterCard, American Express, or any other card issuer that provides cards that are accepted by merchants.

Audit Log

A chronological record of system events and activities. It makes possible a review or reconstruction of the entire chain of events surrounding an event or operation on the computer systems in question.


The process of verifying identity of a subject or process. For example, users of a computer may be forced to authenticate by showing that they know the proper password.

Authorized Devices

Devices that are known AND have given permission to be on the network in question.

Backup/Backed Up

Duplicate copies of data made as protection against damage or loss, or for archiving purposes. If the original data needed protection against theft, the backups also require the same level of protection.

Border Routers

A network device (a ‘box’) that sits at the edge of the network and connects the network to the rest of the world.

Cardholder Data

Full magnetic stripe or the Primary Account Number (PAN), plus any of the following:

  •       •Cardholder name
  •       •Expiration date
  •       •Service Code

This data needs to be protected.

Client-Side Input Controls

Security measures designed to make the user do the right thing on their computer. These cannot be trusted completely, which is why software developers need to also rely on server-side security controls.


An arrangement between a merchant and another company, generally an Internet Service Provider, in which the merchant is allowed to house its own computer and software at the company’s location. The merchant generally manages its own computer, but benefits from other infrastructure and services at the company’s location.


The rules on a firewall that tell it what traffic is ‘good’ (and is allowed) and what traffic is ‘bad’ (and is blocked).


A piece of data exchanged between a web server and a web browser to maintain a session. Cookies may contain user preferences and personal information.


A computer system for storing and organizing information in a structured way. It can be a special program, or something simple like an Excel spreadsheet.

Development Systems

Systems that are not used for ‘real work’, but for designed or building new solutions or programs. The idea is that if something goes wrong, the systems that are used for real work are not damaged or interfered with.


Is an acronym for “Demilitarized Zone”. It is a network added between a private and a public network to provide an additional layer of security for the private network.

Doing Business As (DBA)

A merchant’s legal business name as differentiated from the names of a company’s principals or other entity that owns or manages the business. A DBA that is significantly different from the principals’ or other entity’s name can result in an unrecognizable merchant name, or descriptor, on a cardholder’s monthly statement, which can in turn lead to potential copy requests and chargebacks.

Egress and Ingress Filters

Filters at the edge of a network that block traffic from coming into the network without permission, and block traffic from leaving the network without permission.


Process of converting information into a scrambled form except to holders of the proper cryptographic key. Using encryption protects information against unauthorized disclosure while it is encrypted.

Extended Point of Sale

An extended POS is a Point of Sale terminal that in addition to processing sales, does something else like inventory management, seating, reservations, accounting, or customer relationship management.


A security product that protects resources on one network from intruders from other networks by restricting network traffic flows. They are often separate devices that sit on your computer network, but can be software that exists on another computer (such as on a laptop).


The process of making a computer harder to attack by turning off programs inside it that are not really needed.

IDS/IPS Signatures

The part of an Intrusion Detection System or Intrusion Prevention System that lets them tell the difference between an attack and ‘normal operations’.

Incident Response

A pre-prepared formal plan laying out what to do in case of an emergency or security event, with roles and responsibilities laid out in advance.

Internal IP Addresses

An address for a computer that identifies it as belonging inside a given network, as opposed to being an ‘outside computer’.

Internal Network

The part of a network that is restricted to insiders. It does not include the DMZ, and is normally kept separate from the rest of the world by a firewall.

Internet Facing

Any computer or application designed to be accessed over the Internet or Web. (These systems are usually the first to be attacked, so they need to be well designed and protected.)

Intrusion Detection

A security system used to identify and raise alerts concerning any network or system intrusion attempts. They are similar in that sense to burglar alarms.

A typical Intrusion Detection System consists of sensors which generate security events; a console to monitor events and alerts, and control the sensors; and a central engine that stores the event data in a database.

Intrusion Prevention

A security system used to identify, raise alerts concerning, and actively block any network or system intrusion attempts. A typical Intrusion Prevention System consists of an Intrusion Detection System coupled with an active enforcement mechanism.


An authentication tool for wireless networks.


Recorded somewhere so that administrators or managers know that something happened, and know what, where, and when it happened.

Masked (Credit Card Information)

Obscured in some way, such as being replaced with **** (this is often used to hide all except the last 4 digits of a card number, turning it into something like “**** **** **** 4777”)


Anything used to store information. It includes hard disks, thumb-drives, paper, CDs, DVDs, et

Merchant Bank

A financial institution that enters into agreements with merchants to accept payment cards as payment for goods and services; also called acquirers or acquiring banks.

Mobile Computer

A computer that is supposed to move around easily, like a notebook, or PDA.

Network Address Translation (NAT)

Sometimes known as network masquerading or IP masquerading. It is a standard networking process whereby an IP address used within one network is changed to a different IP address for use within another network. It is used by many networks as a way for internal computers talk to the rest of the world with greater convenience and privacy.


Operational security is security that is based on processes and procedures, as opposed to technology

Primary Account Number (PAN)

The payment card number (credit or debit) that identifies the issuer and the particular cardholder account. It is usually stamped on the front of a debit/credit card, and also encoded in the magnetic stripe.


A secret word or string of letters used to authenticate the user. Similar in purpose to a bank account PIN.

Payment Card Account Information

This is an important idea in PCI, and one that you need to understand. The Payment Card Environment is that part of your computer network that possesses cardholder data or sensitive authentication data, and those systems and segments that directly attach or support cardholder processing, storage, or transmission. For example, if you have a computer directly connected to a Point of Sale terminal, that computer is part of the payment card environment, no matter what you do (or do not do) on that computer.

The scope of the Payment Card Environment may be limited through the use of proper network segmentation.

Payment Card Environment

This is an important idea in PCI, and one that Merchants need to understand. The payment card environment includes ALL devices that:

  • process payment cards, OR
  • store information about payment cards, OR
  • that transmit that sort of information,

AND ALL devices that connect directly to one of those devices. For example, if a Merchant has a computer connected to a Point of Sale terminal, that computer is part of the payment card environment, no matter what the Merchant does (or does not do) on that computer.

Payment Gateway

A system that provides services to Internet merchants for the authorization and clearing of online payment card transactions.

Penetration Test

A controlled (and officially approved) attempt by someone playing the part of an attacker to see if they can break into a given computer system. It is not necessary that they actually break in: it can be more like ‘rattling all the door-knobs to see if any are unlocked’. Any successes that they have can then be used as guidance to improve the security systems in question.

Perimeter Firewalls

A firewall device that sits at the edge of a network and is designed to protect the network by keeping malicious network traffic out.

Personal Firewall

A piece of software that sits on a computer and protects it no matter where it goes. It is different from a ‘normal’ firewall (which is a box that sits in one place on a network and does not move around).

Point of Sale (POS)

The device used to process transactions at the checkout. These can be simple swipe-card devices with a pin-pad, or can be joined onto a computer that also handles inventory and other tasks.


Official, documented rules about how a Merchant’s security systems and process/procedures are to operate, what tools should be used, how they should be used, what actions are NOT allowed, and so on.


An Association Member, or Association-approved non-member acting as the agent of a Member, that provides authorization, clearing, or settlement services for merchants and processors: authorizing processors, and clearing processors.

Production Systems and Applications

Any computer, software, or equipment that is actually used in the operations of a business, instead of being ‘just for testing’ or similar.

Public Networks

Any computer network or communications system that is intended for use by the general public. The most obvious examples are the Internet, Web, GPRS, and GSM.

Communications over a public network cannnot be assumed to be private, and therefore require the use of encryption.

Publicly Reachable Network Segment

Any part of a network that outsiders can connect to from their computers. Examples include any web server that outsiders can look at pages on.

Remote Administration

Controlling a computer from a remote location. This is usually done to fix problems or to change settings.

Roles and Responsibilities

Official, documented rules about who should do what in the case of an emergency or particular event. These need to be prepared in advance, with everyone involved knowing in advance what their responsibilities are.


The ‘boss’ account on a computer: the account that has permission to do anything possible to the computer.


Hardware or software that connects two or more networks, and allows computers to talk to each other.


Process for deleting sensitive data from a file, device, or system; or for scrambling data so that it is useless if accessed.

Secure Disposal

Destroying or wiping media so that the information on it cannot be read or mis-used by outsiders. At current media prices, itt is relatively cheap to do this properly by physically destroying the thing holding the data (for example, by breaking the CD in half).

Secure Distribution

Sharing information in a secure way, so that attackers can neither read it nor change it.

Sensitive Cardholder Data

Any information belonging to a cardholder that needs to be protected (because of identity-theft concerns, or privacy requirements, etc). The most important examples of this are information taken the magnetic stripe of a card, or the card number, plus things like card expiration dates, or cardholder name


Controls or security measures imposed on servers, rather than relying on attempted control at the user’s end (where the software creator does not have proper control).

Shared WEP Keys

Encryption keys used for wireless communications encryption (Wired Equivalent Privacy) that are used by more than one person.

Shopping Cart

A shopping cart is a piece of software that acts as an online store’s catalog and ordering process. Typically, a shopping cart is the interface between a merchant’s Web site and its deeper infrastructure, allowing consumers to select merchandise; review what they have selected; make necessary modifications or additions; and purchase the merchandise.


Using a machine to cut paper up into hundred of tiny pieces, so that an attacker cannot read it.

SNMP Community Strings

SNMP is a set of tools for managing computer networks. “Community strings” are passwords that restrict access to these tools to approved people.

Spoofed IP Addresses

A technique used by an intruder to gain unauthorized access to computers. In this attack, the intruder sends deceptive messages to a computer, with the message using an IP address indicating that the message is coming from a trusted host.

SQL Injection

A form of attack on database-driven applications and web-sites. An attacker executes unauthorized SQL commands by putting them in what was supposed to be a name or an address (or similar) so that an unprotected database system will get confused and execute the malicious instructions. SQL injection attacks are used to steal information from a database, to destroy databases, and/or to gain access to an organization’s host computers through the computer that is hosting the database.


Service Set Identifier. The ‘public name’ assigned to a wireless computer network.

SSID Broadcasts

The automatic broadcast by a wireless network of its name (its ‘SSID’). This makes it visible to other computers using wireless nearby.

SSL Version 3.0 with 128 bit encryption

Secure Sockets Layer. Established industry standard for encrypting the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel. There are different types of SSL, with the modern, strong, version being version 3.0 with 128-bit encryption. Another solution, called TLS (Transport Layer Security), is an even-better replacement.


Hardware or software that connects two or more networks, and allows computers to talk to each other.


Making sure that various clocks are all showing the exact same time. Having synchronized clocks makes record-keeping and trouble-shooting simpler and more reliable.


Systems that are not used for ‘real work’, but for testing solutions or programs. The idea is that if something goes wrong, the systems that are used for real work are not damaged or interfered with.


A recorded time, showing when a particular thing happened. These are used in audit records and in trouble-shooting computer problems.

Third-Party Processor

A non-member organization that performs transaction authorization and processing, account record keeping, and other day-to-day business and administrative functions for issuers and merchant banks


Information flowing between computers over a network. Traffic can be carrying email, files, web-pages, phone-conversations, or a wide variety of other things.


Communications: sending information over a network.


The practice of removing data segments. Commonly, when account numbers are truncated, the first 12 digits are deleted, leaving only the last 4 digits.

Vendor Default Accounts

System login account predefined in a manufactured system to permit initial access when the system is first put into service.

Vendor Default Security Settings

Many pieces of equipment or software come with built-in security features. “Vendor default security settings” means the ‘out of the box’ settings that these security features come with. For example, system administration or service accounts will ship from the manufacturer with a ‘default password’. These default accounts and passwords are published and well known, and so do NOT provide adequate security.

Virus Scanner

A program capable of detecting, blocking, and/or removing various forms of malicious code or malware such as viruses, worms, spyware, and Trojans.


Virtual Private Network. A way of using encryption to make sure that your communications back to a computer are private, even over a public network.

Vulnerability Scan

A scan of a given network by another computer to identify any weaknesses in any computer security systems.

Web Hosting

Web hosting is a service that provides a physical location in which a web site resides. Customers’ websites are stored on computer servers located in environments permanently connected to the Internet through high-speed data lines.

Web Servers

A computer used to display web pages.


Wired Equivalent Privacy. An encryption protocol for wireless network traffic. It is an old system that is very simple, but does NOT work very well. Avoid it if possible, by using newer, better systems like WPA or 802.11i.

WEP Keys

The secret numbers or letters used in WEP encryption to (hopefully) keep wireless communications private.

Wi-Fi Protected Acess

Commonly called ‘WPA’. A way of encrypting wireless network traffic so that it cannot be read or changed by attackers. It is a newer, better, replacement for WEP.

Wireless Access Points

A network device (a ‘box’) that lets users connect to the network via wireless (i.e. without using a cable). They usually, but not always, have small antennas, and THEY are attached to the network via a cable.

Wireless Analyzer

A machine or program designed to inspect a wireless environment, detect all computers and systems using wireless technology, and analyze them to identify what types of wireless they are using, and how they are set up.