QSA Glossary Flashcards
AAA
Authentication, Authorization, and Accounting
Account Data
Sensitive cardholder data, including the account number and identifying data
Acquirer
The merchant bank, acquiring bank, or acquiring financial institution; runs payment acceptance
AOC
Attestation of Compliance. A form that attests to the results of a self-assessment or Report on Compliance
AOV
Attestation of Validation
ASV
Approved Scanning Vendor
Audit Log
The record of system activities; same as audit trail
BAU
Business as usual; an organization's normal routine
Card Skimmer
A physical card-swipe data capture device
CVV
Card verification code or value. CAV = JCB; CVC = Mastercard; CVV = Visa and Discover; CSC = American Express
CDE
Cardholder Data Environment. People, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data
CERT
Carnegie Mellon's Computer Emergency Response Team
CIS
Center for Internet Security. A not-for-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls
Compensating Controls
Used to mitigate a risk that cannot be eliminated. Must:
- Meet the intent and rigor of the original PCI DSS requirement
- Provide a similar level of defense as the original requirement
- Be "above and beyond" other requirements
- Be commensurate with the additional risk imposed by not adhering to the original requirement
CVSS
Common Vulnerability Scoring System. An open standard used to convey the severity of computer security vulnerabilities
Dependency
In the PA-DSS context, hardware or software necessary for the payment application to meet PA-DSS requirements
DSS
Data Security Standard
Dual control
Two or more separate entities working in conjunction to secure a system function or information
Egress Filtering
Method of filtering outbound web traffic
Entity
Legalese for the organization going through the audit
FIPS
Federal Information Processing Standards
HSM
Host security module or hardware security module. Physically or logically controlled hardware that provides a secure set of cryptographic services and/or key management
IETF
Internet Engineering Task Force
Masking
Securing data by displaying placeholder values rather than the actual values
MPLS
Multiprotocol Label Switching
NIST
National Institute of Standards and Technology
NVD
National Vulnerability Database
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation. A suite of tools, techniques, and methods for risk-based information security strategic assessment
OWASP
Open Web Application Security Project. OWASP.org
PED
PIN Entry Device
PVV
PIN Verification Value
QIR
Qualified Integrator or Reseller
RFC 1918
Standard issued by the Internet Engineering Task Force that defines the usage and appropriate address ranges for private networks
ROC
Report on Compliance; our assessment report of their compliance
SANS
SysAdmin, Audit, Networking, and Security. SANS.org
SAQ
Self-Assessment Questionnaire
Split Knowledge
When two or more entities each hold a separate component of a cryptographic key, such that no single component on its own provides any indication of the key
Wildcard
Just what it sounds like; however, in this case it can also represent a non-security-impacting change.
What is PCI DSS?
Payment Card Industry Data Security Standard
What is PCI PA-DSS?
Payment Card Industry Payment Application Data Security Standard
What does P2PE stand for?
Point-to-point encryption
What does the PTS - POI acronym stand for?
PIN Transaction Security - Point of Interaction
PTS - PIN
PIN Transaction Security - PIN Standards
PTS - HSM
PIN Transaction Security - Hardware Security Modules