Every industry has its own set of specific jargon and acronyms. PCI compliance and overall credit card security is certainly no stranger to specialized terminology, abbreviations, and acronyms. As you consider an IVR payment solution or other mechanisms for accepting cardholder data, the jumble of vernacular might be a bit daunting. We’ve assembled our master-list of terminology and their definitions to help you make sense of it all.
A: terms & definitions
AAA – Acronym for “authentication, authorization, and accounting.” Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user’s consumption of network resources.
Access Control Mechanism – Security safeguards designed to detect and deny unauthorized access and permit authorized access in an Information System.
Account Data – Account data consists of cardholder data plus sensitive authentication data. (See Cardholder Data and Sensitive Authentication Data)
Acquirer – Also referred to as “acquiring bank” or “acquiring financial institution.” An entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Adware – Annoying program that displays advertisements, etc. Considered by some to be a form of malware since it is often installed secretly and has undesirable effects that may compromise privacy.
AES – An abbreviation for “Advanced Encryption Standard.” Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or “FIPS 197”). (See Strong Cryptography)
ANSI – Acronym for “American National Standards Institute.” A private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.
Antivirus – Software designed to minimize the risk of malware by detecting, preventing and/or removing various types of malware infections such as viruses, worms, Trojans, etc.
Application – All purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.
ASV – Acronym for “Approved Scanning Vendor,” a company approved by the PCI SSC to conduct external vulnerability scanning services.
Asymmetric Cryptosystem – A method of encryption in which two different keys are used: one for encryption and one for decrypting the data (e.g. public-key encryption).
Audit Log – Also referred to as “audit trail.” A chronological record of system activities that provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.
Audit Trail – (See Audit Log)
Authentication – The process of verifying the identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric
Authentication Credentials – A combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.
Authorization – Granting of access or other rights to a user, program, or process. For a network, authorization defines what an individual or program can do after successful authentication.
- Note: For the purposes of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
B: terms & definitions
Backup – Duplicate copy of data made for archiving purposes or for protecting against damage or loss.
Baseline Configuration – A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Bluetooth – A wireless protocol using short-range communications technology to facilitate the transmission of data over short distances.
Breach – The unintentional release of secure information to an untrusted environment. This may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers containing such media upon which such information is stored unencrypted, posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions, transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail, or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
Business Continuity Plan (BCP) – The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business functions will be sustained during and after a significant disruption.
C: terms & definitions
Card Verification Code or Value – Also known as Card Validation Code or Value, or Card Security Code refers to either: magnetic-stripe data, or printed security features.
- Data element on a card’s magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on the payment card brand. The following list provides the terms for each card brand:
- CAV – Card Authentication Value (JCB payment cards)
- CVC – Card Validation Code (MasterCard payment cards)
- CVV – Card Verification Value (Visa and Discover payment cards)
- CSC – Card Security Code (American Express)
- For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit un-embossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following list provides the terms for each card brand:
- CID – Card Identification Number (American Express and Discover payment cards)
- CAV2 – Card Authentication Value 2 (JCB payment cards)
- CVC2 – Card Validation Code 2 (MasterCard payment cards)
- CVV2 – Card Verification Value 2 (Visa payment cards)
Cardholder – Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card.
Cardholder Data – At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code (See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.)
Cardholder Data Environment – The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
CDE – Abbreviation for “Cardholder data environment.”
CERT – The acronym for Carnegie Mellon University’s “Computer Emergency Response Team.” The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
Change Control – A management process for proposing, reviewing and accepting or rejecting changes to a process, system and/or the associated documentation.
Change Management – The totality of activities used to control, direct and document changes to the organization and its associated IT systems, processes, etc.
CIS – Acronym for “Center for Internet Security.” Non-profit enterprises with a mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
Classification – Convenient grouping of similar or related information assets that are likely to share similar information security risks and control requirements. Classification reduces the need to individually risk-assess and identify the security controls needed to protect every single asset in each class. Classification typically relies on confidentiality criteria, but more complex schemes may also take account of integrity and availability requirements.
Column-Level Database Encryption – A technique or technology (either software or hardware) for encrypting the contents of a specific column in a database versus the full contents of the entire database. Alternatively, see Disk Encryption or File-Level Encryption.
Common Secure Configuration – A recognized, standardized and established benchmark (e.g., National Checklist Program, DISA STIGs, CIS Benchmarks, etc.) that stipulates specific secure configuration settings for a given IT platform.
Compensating Controls – Compensating controls may be considered when an entity cannot meet a controls requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
- Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
- Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. See “Compensating Controls” Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.
Compromise – An intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected. Sometimes referred to as “data compromise” or “data breach.”
Computer Security Incident Response Team (CSIRT) – A group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents.
Configuration Control – Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.
Configuration Control Board – A group of qualified people with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
Configuration Management – A collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
Console – A screen and keyboard which permits access and control of a server, mainframe computer or another system type in a networked environment.
Consumer – Individual purchasing goods, services, or both.
Continuous Monitoring – The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends.
Control – Security mechanisms implemented to prevent, detect, reduce or eliminate risks. In doing so, controls maintain the properties of availability, integrity, and confidentiality.
COTS – Commercially available Off-The-Shelf
Cryptography – Discipline of mathematics and computer science concerned with information security, particularly encryption and authentication; in practice, a method used to encode information so that only authorized individuals can read it. In applications and network security, it is a tool for access control, information confidentiality, and integrity.
Cryptoperiod – The time span during which a specific cryptographic key can be used for its defined purpose based on, for example, a defined period of time and/or the amount of cipher-text that has been produced, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).
CSIRT – Abbreviation for “Computer Security Incident Response Team”
CVSS – Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability. For additional information on CVSS v2, please see http://www.first.org/cvss and http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
D: terms & definitions
Data Custodian – The individual charged with protecting data from a loss of availability, loss of integrity, or loss of confidentiality. The data custodian implements control appropriate to the desires of the data owner and data classification.
Data Dictionary – A formal description of the data fields of records in a database, ideally including their information security characteristics.
Data Owner – The individual or executive responsible for the integrity of information. The duties of the owner include specific appropriate controls, identifying authorized users, and appointing a custodian.
Data Retention Schedule – A formal listing of the types of information that must be retained for archival purposes and the time frames for which these types of information must be kept.
Database – A structured format for organizing and maintaining easily retrievable information. Simple database examples are tables and spreadsheets.
Database Administrator – The individual responsible for managing and administering databases. Also referred to as “DBA.”
Default Accounts – Login account predefined in a system, application, or device to permit initial access when the system is first put into service. Additional default accounts may also be generated by the system as part of the installation process.
Default File Permission – Access control file privileges, read, write, execute, and delete, granted to users without further involvement of either a security administrator or users.
Default Password – Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with the default account. Default accounts and passwords are published and well known, and therefore easily guessed.
Degaussing – The process or technique that demagnetizes a disk such that all data stored on the disk is permanently destroyed. Also called “disk degaussing.”
Demilitarized Zone (DMZ) – An interface on a routing firewall that is similar to the interfaces found on the firewall’s protected side. Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall and can have firewall protection policies applied.
Destruction – The result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive.
Disaster Recovery Plan (DRP) – A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
Disk Encryption – The technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.
DNS – Acronym for “Domain Name System” or “domain name server.” A system that stores information associated with domain names in a distributed database on networks such as the Internet.
DSS – Acronym for “Data Security Standard” and also referred to as “PCI DSS.”
Dual Control and Split Knowledge – Dividing and sharing the process of managing, handling, accessing, using, storing and eventually destroying encryption keys and their components such that no one person can perform any key function without the involvement and presence of another person (or persons). This is an absolute core requirement of proper key management.
Dynamic Packet Filtering – See Stateful Inspection.
E: terms & definitions
ECC – Acronym for “Elliptic Curve Cryptography.” Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.
Egress Filtering – Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.
Electronic Media – Electronic storage media including memory devices in computers (e.g. hard drives) and any transportable digital memory medium, such as magnetic tape or disk or digital memory card; or transmission media (e.g. Internet, leased and dial-up lines, and private networks) used to exchange information already in electronic format.
Encryption – Process of converting information into an unintelligible form except to holders of a specific cryptographic key. The use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
Encryption Algorithm – A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.
Entity – Term used to represent the corporation, organization or business which is undergoing a PCI DSS review.
ESI – Abbreviation for “Electronically Stored Information.”
F: terms & definitions
Facilitated Risk Assessment – This process, which utilizes a “qualitative” risk analysis, is geared to a specific application, system or network. It allows risks to be addressed in financial and non-financial terms, as well as taking into consideration secondary impacts. It is a formal methodology that is driven by the system’s owners, conducted by a facilitator, and can be completed in a relatively short period of time.
File Integrity Monitoring – A technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel.
File Integrity Checker – Software that generates, stores, and compares message digests for files to detect changes to the files.
File-Level Encryption – A technique or technology (either software or hardware) for encrypting the full contents of specific files. Alternatively, see Disk Encryption or Column-Level Database Encryption.
FIPS – Acronym for “Federal Information Processing Standards”, standards that are publicly recognized by the U.S. Federal Government; also for use by non-government agencies and contractors.
Firewall – Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
Forensics – Also referred to as “computer forensics.” As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.
FTP – Acronym for “File Transfer Protocol.” A network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in cleartext. FTP can be implemented securely via SSH or other technology.
G: terms & definitions
GPRS – Acronym for “General Packet Radio Service.” Mobile data service available to users of GSM mobile phones. Recognized for efficient use of limited bandwidth. Particularly suited for sending and receiving small bursts of data, such as e-mail and web browsing.
GSM – Acronym for “Global System for Mobile Communications”, a popular standard for mobile phones and networks. The ubiquity of the GSM standard makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world.
H: terms & definitions
Hashing – Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. Hashing is a (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed-length output (usually called a “hash code” or “message digest”). A hash function should have the following properties:
- It is computationally infeasible to determine the original input given only the hash code,
- It is computationally infeasible to find two inputs that give the same hash code.
- In the context of PCI DSS, hashing must be applied to the entire PAN for the hash code to be considered rendered unreadable. It is recommended that hashed cardholder data includes a salt value as input to the hashing function (see Salt).
Host – Main computer hardware on which computer software is resident.
Hosting Provider – Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of “shopping cart” options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server.
HTTP – Acronym for “hypertext transfer protocol.” Open internet protocol to transfer or convey information on the World Wide Web.
HTTPS – Acronym for “hypertext transfer protocol over secure socket layer.” Secure HTTP that provides authentication and encrypted communication on the World Wide Web designed for security-sensitive communication such as web-based logins.
Hypervisor – Software or firmware responsible for hosting and managing virtual machines. For the purposes of PCI DSS, the hypervisor system component also includes the virtual machine monitor (VMM).
I: terms & definitions
ID – Identifier for a particular user or application.
IDS – Acronym for “intrusion detection system.” Software or hardware used to identify and alert on network or system intrusion attempts. Composed of sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses a system of rules to generate alerts in response to security events detected.
IETF – Acronym for “Internet Engineering Task Force.” A large, open international community of network designers, operators, vendors, and researchers concerned with the evolution of Internet architecture and smooth operation of the Internet. The IETF has no formal membership and is open to any interested individual.
Incident – An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Incident Response Plan – The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber-attacks against an organization’s information system(s).
Incident Response Procedure – A formal process or set of procedures to be followed after notification of a suspected system’s unauthorized action within a network or computer system. The incident response involves detection, alert, triage, response (containment and eradication), recovery and follow-up.
Index Token – A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
Information Asset – Any company data in any form, and the equipment used to manage, process, or store data, that is used in the course of executing business. This includes, but is not limited to, corporate, customer, and partner information.
Information Owner – An individual (role) with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
Information Security – Protection of information to ensure confidentiality, integrity, and availability.
Information Security Program – Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.
Information System – An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Ingress Filtering – Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network.
Insecure Protocol/Service/Port – A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity. These security concerns include services, protocols, or ports that transmit data and authentication credentials (e.g., password/passphrase in clear-text over the Internet), or that easily allow for exploitation by default or if misconfigured. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
Intrusion Detection Systems (IDS) – Hardware or software product that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
Intrusion Prevention System(s) (IPS) – System(s) which can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
IP – Acronym for “internet protocol.” A network-layer protocol containing address information and some control information that enables packets to be routed. IP is the primary network-layer protocol in the Internet protocol suite.
IP Address – Also referred to as “internet protocol address.” A numeric code that uniquely identifies a particular computer on the Internet.
IP Address Spoofing – Attack technique used by a malicious individual to gain unauthorized access to computers. The malicious individual sends deceptive messages to a computer with an IP address indicating that the message is coming from a trusted host.
IPS – Acronym for “intrusion prevention system.” Beyond an IDS, an IPS takes the additional step of blocking the attempted intrusion.
IPSEC – Abbreviation for “Internet Protocol Security”, a standard for securing IP communications by encrypting and/or authenticating all IP packets. IPSEC provides security at the network layer.
ISO – Better known as “International Organization for Standardization.” A nongovernmental organization consisting of a network of the national standards institutes of over 150 countries, with one member per country and a central secretariat in Geneva, Switzerland, that coordinates the system.
ISP – Internet Service Provider
Issuer – An entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors. Also referred to as “issuing bank” or “issuing financial institution.”
Issuing Services – Examples of issuing services may include but are not limited to authorization and card personalization.
IT Continuity Plan – Provides procedures and capabilities for recovering a major application or general support system. (In the event of a disaster at the main IT facilities, it becomes an IT Disaster Recovery Plan, which provides detailed procedures to facilitate recovery of capabilities at an alternate site.) The plan addresses IT system disruptions, whether to application systems or global support systems and is not focused on business processes.
IT Infrastructure – The local and wide area networks, computers, communications devices, software systems, applications, electronic mail, and other systems operated by or on behalf of the Organization. These devices, networks, and systems enable the Organization and Users to store, process and use information in electronic form, and to facilitate communications among members of the Workforce and to third parties.
K: terms & definitions
Key – In cryptography, a key is a value that determines the output of an encryption algorithm when transforming plain text to ciphertext. The length of the key generally determines how difficult it will be to decrypt the ciphertext in a given message. See Strong Cryptography.
Key Escrow – A key recovery technique for storing knowledge of a cryptographic key, or parts thereof, in the custody of one or more third parties called “escrow agents,” so that the key can be recovered and used in specified circumstances.
Key Management – In cryptography, it is the set of processes and mechanisms which support key establishment and maintenance, including replacing older keys with new keys as necessary.
L: terms & definitions
LAN – Acronym for “local area network.” A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.
LDAP – Acronym for “Lightweight Directory Access Protocol.” Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected resources.
Least Privilege – Information security principle involving restrictions in the level of privileges or rights assigned to an individual person, function or system, consistent with their authorized and intended purpose.
Log – See Audit Log.
Logical Access Control – Automated information security control protecting electronic information assets (data/software, directories, disks, tapes, etc.) against access by unauthorized users, programs or systems.
LPAR – Abbreviation for “logical partition.” A system of subdividing, or partitioning, a computer’s total resources (processors, memory and storage) into smaller units that can run with their own, distinct copy of the operating system and applications. Logical partitioning is typically used to allow the use of different operating systems and applications on a single device. The partitions may or may not be configured to communicate with each other or share some resources of the server, such as network interfaces.
M: terms & definitions
MAC – Acronym for “message authentication code.” In cryptography, it is a small piece of information used to authenticate a message. See Strong Cryptography.
MAC Address – Abbreviation for “media access control address.” The unique identifying value assigned by manufacturers to network adapters and network interface cards.
Magnetic-Stripe Data – Also referred to as “track data.” Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic-stripe image on a chip or the data on the track 1 and/or track 2 portions of the magnetic stripe.
Mainframe – Computers that are designed to handle very large volumes of data input and output and emphasize throughput computing. Mainframes are capable of running multiple operating systems, making it appear like it is operating as multiple computers. Many legacy systems have a mainframe design.
Malicious Software / Malware – Software designed to infiltrate or damage a computer system without the owner’s knowledge or consent. Such software typically enters a network during many business-approved activities and then exploits system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.
Malware – A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.
Masking – In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to the protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.
Media Sanitization – A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Medium – Material on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid-state devices, or optical discs.
Merchant – For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing but also is a service provider if it hosts merchants as customers.
Monitoring – Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.
MPLS – The acronym for “multi-protocol label switching.” Network or telecommunications mechanism designed for connecting a group of packet-switched networks.
N: terms & definitions
NAT – Acronym for “network address translation.” Also known as network masquerading or IP masquerading. Change of an IP address used within one network to a different IP address known within another network.
Network – Two or more computers connected together via physical or wireless means.
Network Administrator – Personnel responsible for managing the network within an entity. Responsibilities typically include but are not limited to network security, installations, upgrades, maintenance, and activity monitoring.
Network Components – Include, but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Network Security Scan – The process by which an entity’s systems are remotely checked for vulnerabilities through the use of manual or automated tools. Security scans include probing internal and external systems and reporting on services exposed to the network. Scans may identify vulnerabilities in operating systems, services, and devices that could be used by malicious individuals.
Network Segmentation – Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement. See System Components.
NIST – Acronym for “National Institute of Standards and Technology.” A non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration, its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology to enhance economic security and improve quality of life.
NMAP – Security-scanning software that maps networks and identifies open ports on network resources.
Non-Consumer Users – Individuals, excluding cardholders, who access system components, including but not limited to employees, administrators, and third parties.
NTP – Acronym for “Network Time Protocol.” Protocol for synchronizing the clocks of computer systems, network devices, and other system components.
O: terms & definitions
Occupant Emergency Plan – Provides coordinated procedures for minimizing loss of life or injury and minimizing property damage in response to a physical threat. Focuses on personnel and property particular to the specific facility; it is neither business process nor IT system functionality based.
Off-the-Shelf – The descriptions for products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.
Operating System /OS – The software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples of operating systems include Microsoft Windows, Mac OS, Linux, and Unix.
OWASP – Acronym for “Open Web Application Security Project.” A non-profit organization focused on improving the security of application software. OWASP maintains a list of critical vulnerabilities for web applications. (See http://www.owasp.org).
P: terms & definitions
Pad – In cryptography, the one-time pad is an encryption algorithm in which the plaintext is combined with a random key, or “pad,” that is as long as the plaintext and used only once. If the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
PAN – Acronym for “primary account number” and also referred to as “account number.” The unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
PA-QSA – Acronym for “Payment Application Qualified Security Assessor,” company approved by the PCI SSC to conduct assessments on payment applications against the PA-DSS.
Parameterized Queries – A means of structuring SQL queries so that user-supplied values are passed to the database as bound parameters rather than concatenated into the query text, which prevents SQL injection attacks without relying on escaping.
Password / Passphrase – A string of characters that serves as an authenticator of the user.
PAT – Acronym for “port address translation” and also referred to as “network address port translation.” A type of NAT that also translates the port numbers.
Patch – An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
Patch Management – The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hotfixes, and service packs.
Payment Application – Any application that stores, processes, or transmits cardholder data as part of authorization or settlement.
Payment Cards – For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
PCI – Acronym for “Payment Card Industry.”
PDA – Acronym for “personal data assistant” or “personal digital assistant.” Handheld mobile device with capabilities such as mobile telephony, e-mail, or a web browser.
PED – Acronym for “PIN entry device.”
Penetration Test – Penetration tests attempt to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application testing as well as controls and processes around the networks and applications and occurs from both outside the network trying to come in (external testing) and from inside the network.
Penetration Testing – A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.
Personal Firewall – A utility on a computer that monitors network activity and blocks communications that are unauthorized.
Personally Identifiable Information (PII) – Information that alone, or when combined with other personal or identifying information can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
Personnel – Full-time and part-time employees, temporary employees, contractors, and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
PIN – Acronym for “personal identification number.” A secret numeric password known only to the user and the system, used to authenticate the user to the system. The user is only granted access if the PIN the user provided matches the PIN held by the system. PINs are typically used for automated teller machine and cash advance transactions. Another type of PIN is used in EMV chip cards, where the PIN replaces the cardholder’s signature.
PIN Block – A block of data used to encapsulate a PIN during processing. The PIN block format defines the content of the PIN block and how it is processed to retrieve the PIN. The PIN block is composed of the PIN, the PIN length, and may contain a subset of the PAN.
POI – Acronym for “Point of Interaction,” the initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.
Policy – Overriding statement of authority by management such as the Information Security Policy, defining, at a high level, how workers must behave in certain circumstances. States management’s definition of the business objectives, expanding on the broad policy statements (axioms), and supported by more detailed standards, procedures and guidelines that explain how the objectives are to be fulfilled. A security policy is often considered to be a “living document”, which means that the document is never finished, but is continuously updated as technology and employee requirements change.
POS – Acronym for “point of sale.” Hardware and/or software used to process payment card transactions at merchant locations.
Privacy-Applicable Law – Relevant laws, enactments, regulations, binding industry codes, regulatory permits and licenses that are in effect and address the protection, handling and privacy of target privacy data.
Private Network – A network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers.
Privilege – The rights to alter, circumvent, override, or bypass the operating system or system security measures. Set of access rights permitted by the access control system.
Procedure – A descriptive narrative for a policy. The procedure is the “how-to” for policy and describes how the policy is to be implemented.
Protocol – Agreed-upon method of communication used within networks. Specification describing rules and procedures that computer products should follow to perform activities on a network.
PTS – Acronym for “PIN Transaction Security,” PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals. Please refer to www.pcisecuritystandards.org.
Public Network – A network established and operated by a telecommunications provider, for specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks in scope of the PCI DSS include, but are not limited to, the Internet, wireless, and mobile technologies.
PVV – Acronym for “PIN verification value.” The discretionary value encoded in magnetic stripe of a payment card.
Q: terms & definitions
QSA – Acronym for “Qualified Security Assessor,” company approved by the PCI SSC to conduct PCI DSS on-site assessments.
Qualitative Risk Assessment – Assessment of risk by relative values, such as High, Medium and Low.
Quantitative Risk Assessment – Assessment of risk by applying mathematical values and calculations throughout the process.
R: terms & definitions
RADIUS – Abbreviation for “Remote Authentication Dial-In User Service,” an authentication and accounting system. Checks whether information such as the username and password passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
RBAC – Acronym for “role-based access control.” Control used to restrict access by specific authorized users based on their job responsibilities.
Re-keying – The process of changing cryptographic keys. Periodic re-keying limits the amount of data encrypted by a single key.
Remediation – The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.
Remote Access – Access to computer networks from a remote location, typically originating from outside the network. An example of technology for remote access is a VPN.
Remote Lab Environment – A lab that is not maintained by the PA-QSA.
Removable Electronic Media – Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and removable hard drives.
Report on Compliance – Also referred to as “ROC.” A report containing details documenting an entity’s compliance status with the PCI DSS.
Report on Validation – Also referred to as “ROV.” A report containing details documenting a payment application’s compliance with the PCI PA-DSS.
Reseller / Integrator – An entity that sells and/or integrates payment applications but does not develop them.
Residual Risk – The risk that remains after a control is applied to an identified risk, and that control does not eliminate the risk.
RFC 1918 – The standard identified by the Internet Engineering Task Force (IETF) that defines the usage and appropriate address ranges for private (non-internet routable) networks.
Risk – The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Analysis / Risk Assessment – A process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.
Risk Cost/Benefit/Impact Evaluation – The process of evaluating risk compared to the value of information-related assets and the amount of damage done to a system or owner should the system or data be compromised or damaged.
Risk Management – A program encompassing three processes: Risk Assessment, Risk Cost\Benefit\Impact Evaluation, and Risk Mitigation. It is a continual process focusing on best security practices and keys for implementing a successful risk management program.
Risk Mitigation – The process of prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process.
Role – A group attribute that ties membership to function. When an individual assumes a role, the individual is given certain rights that belong to that role. When the individual leaves the role, those rights are removed. The rights given are consistent with the functionality that the individual needs to perform the expected tasks.
Rootkit – A type of malicious software that, when installed without authorization, is able to conceal its presence and gain administrative control of a computer system.
Router – Hardware or software that connects two or more networks. Functions as a sorter and interpreter by looking at addresses and passing bits of information to the proper destinations. Software routers are sometimes referred to as gateways.
RPO – Recovery Point Objective is the maximum tolerable period in which data might be lost from an IT service due to a major incident.
RSA – The algorithm for public-key encryption described in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at the Massachusetts Institute of Technology (MIT); the letters RSA are the initials of their surnames.
RTO – Recovery Time Objective is the duration of time, and the service level, within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
S: terms & definitions
Salt – A random string that is concatenated with other data prior to being operated on by a hash function. See also Hash.
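Worked example (added by the editor; not part of the original glossary): salting in Python. salted_hash() is the literal definition above, a salt concatenated with the data and then hashed; hash_password() applies the same idea through PBKDF2, which additionally slows down brute force. The iteration count is an assumption to be tuned for your hardware, and the password in the usage line is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example: salting before hashing. salted_hash() is the literal glossary
# definition (salt concatenated with the data, then hashed); hash_password()
# applies the same idea with PBKDF2, which also slows down brute force.

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def salted_hash(salt: bytes, data: bytes) -> str:
    """SHA-256 over salt || data. Identical data under different salts gives
    unrelated digests, which defeats precomputed (rainbow) tables."""
    return hashlib.sha256(salt + data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn per password;
    the salt is stored alongside the digest and is not a secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    s, d = hash_password("correct horse battery staple")  # constructed password
    print(s.hex(), d.hex(), verify_password("correct horse battery staple", s, d))
```

Because the salt is random per user, two users with the same password get different digests, and an attacker must attack each stored hash separately.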
Sampling – The process of selecting a cross-section of a group that is representative of the entire group. Sampling may be used by assessors to reduce overall testing efforts when it is validated that an entity has standard, centralized PCI DSS security and operational processes and controls in place. Sampling is not a PCI DSS requirement.
SANS – Acronym for “SysAdmin, Audit, Networking and Security”, an institute that provides computer security training and professional certification. (See www.sans.org.)
SAQ – Acronym for “Self-Assessment Questionnaire.” A tool used by any entity to validate its own compliance with the PCI DSS.
Scoping – Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.
SDLC – Acronym for “system development life cycle.” Describes the phases of the development of a software or computer system that includes planning, analysis, design, testing, and implementation.
Secure Coding – The process of creating and implementing applications that are resistant to tampering and/or compromise.
Secure Wipe – A program utility used to delete specific files permanently from a computer system. Also called “secure delete.”
Security Awareness – Security awareness activities are designed to present high-level information protection principles to all users in a variety of formats and channels. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize Information Security concerns and respond accordingly. Awareness is not training.
Security Education – Security education is defined as the advanced training of persons with specific information security responsibilities. Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists and professionals capable of vision and pro-active response.
Security Incident – The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System.
Security Officer – The individual primarily responsible for an entity’s security-related affairs.
Security Policy – Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Security Protocols – Network communications protocols designed to secure the transmission of data. Examples of security protocols include, but are not limited to SSL/TLS, IPSEC, SSH, etc.
Security Training – Information Security training strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than Information Security (e.g., management, systems design, and development, acquisition, auditing). The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.
Sensitive Area – Any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
Sensitive Authentication Data – Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Sensitive Information – Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements. This includes (but is not limited to) identifiable medical and health records, credit card, bank account and other personal financial information, social security numbers, etc.
Separation of Duties – The practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.
Server – Computer that provides a service to other computers, such as processing communications, file storage, or accessing a printing facility. Servers include, but are not limited to web, database, application, authentication, DNS, mail, proxy, and NTP.
Service Code – The three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.
Service Provider – A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
SHA-1/SHA-2 – Acronym for “Secure Hash Algorithm.” A family or set of related cryptographic hash functions including SHA-1 and SHA-2. SHA-1 is no longer considered collision-resistant and should not be used for digital signatures or certificates; use a SHA-2 function such as SHA-256. See Strong Cryptography.
Significant Change – A physical, administrative, or technical modification that alters the degree of protection required. Examples include, but are not limited to, changes in operating systems, computer hardware, firmware, the operational environment, or system boundaries; new services or applications; or other conditions that potentially impact the system’s security posture or accreditation status.
Smart Card – Also referred to as a “chip card” or “IC card (integrated circuit card).” A type of payment card that has integrated circuits embedded within. The circuits (also referred to as the “chip”) contain payment card data, including but not limited to data equivalent to the magnetic-stripe data.
SNMP – Acronym for “Simple Network Management Protocol.” Supports monitoring of network-attached devices for any conditions that warrant administrative attention.
Social Engineering – Hacking/scamming technique involving the manipulation of people through a combination of deception and persuasive or assertive behavior.
Split Knowledge – The condition in which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.
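Worked example (added by the editor; not part of the original glossary): split knowledge implemented with XOR key components in Python. Each custodian holds one component; the key exists only when all components are combined, and any proper subset is statistically independent of the key. The sample key is constructed.

```python
import secrets
from typing import List

# Added example: split knowledge via XOR key components. Each custodian holds
# one component; any proper subset of components reveals nothing about the key.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Return `custodians` components whose XOR equals key.
    The first custodians-1 components are uniformly random; the last one is
    key XOR (all the others), so it is uniformly random as well."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components: List[bytes]) -> bytes:
    """Reassemble the key only at the moment of use (e.g. during a key ceremony)."""
    result = bytes(len(components[0]))
    for c in components:
        result = xor_bytes(result, c)
    return result


def keys_consistent_with(component: bytes) -> int:
    """For a one-byte key split between two custodians: how many distinct keys
    could the holder of `component` be looking at? Every value is possible,
    so a single component conveys no knowledge of the key."""
    candidates = {combine_key([component, bytes([v])]) for v in range(256)}
    return len(candidates)


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # constructed sample key
    parts = split_key(key, 3)
    print(combine_key(parts) == key, keys_consistent_with(parts[0][:1]))
```

This is the plain XOR scheme used for manual key-component entry; it requires every component to be present. Schemes that tolerate missing custodians (k-of-n) need a threshold secret-sharing construction instead.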
Spyware – A type of malicious software that when installed, intercepts or takes partial control of the user’s computer without the user’s consent
SQL – Acronym for “Structured Query Language.” A computer language used to create, modify and retrieve data from relational database management systems.
SQL Injection – A form of attack on database-driven web site. A malicious individual executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.
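Worked example (added by the editor; not part of the original glossary) covering both the SQL Injection entry above and the Parameterized Queries entry: the same user lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The attacker input, table and rows are all constructed for illustration.

```python
import sqlite3
from typing import List, Tuple

# Added example: one user lookup written two ways against a constructed
# in-memory table, showing why parameterized queries stop SQL injection.

PAYLOAD = "' OR '1'='1"  # constructed attacker input


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "cashier"), ("bob", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the input is spliced into the SQL text, so a quote in it
    changes the structure of the statement itself."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """SAFE: the SQL text is constant; the driver binds the value as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))        # both rows leak
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no such user
```

With the payload, the concatenated query becomes `WHERE username = '' OR '1'='1'` and returns every row; the parameterized query looks for a user literally named `' OR '1'='1` and returns nothing.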
SSH – Abbreviation for “Secure Shell”, a protocol suite providing encryption for network services like remote login or remote file transfer.
SSL – Acronym for “Secure Sockets Layer.” An established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel. All versions of SSL, and early TLS (1.0), have known weaknesses and are no longer considered strong cryptography under PCI DSS; use TLS 1.2 or later. See TLS.
Stateful Inspection – A firewall capability that provides enhanced security by keeping track of communications packets. Only incoming packets with a proper response (“established connections”) are allowed through the firewall. Also called “dynamic packet filtering.”
Strong Cryptography – Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). These minimums reflect older guidance: later versions of the PCI DSS glossary, in line with NIST SP 800-131A, raise them to RSA 2048 bits and ECC 224 bits and no longer accept two-key TDES for new use. See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for more information.
Symmetric Cryptosystem – a method of encryption in which the same key is used for both encryption and decryption of the data.
SysAdmin – The abbreviation for “system administrator”, an individual with elevated privileges who is responsible for managing a computer system or network.
System Component – Refers to any network component, server, or application included in or connected to the cardholder data environment.
System-level object – Anything on a system component that is required for its operation, including but not limited to application executable and configuration files, system configuration files, static and shared libraries & DLL’s, system executables, device drivers and device configuration files, and added third-party components.
T: terms & definitions
TACACS – Acronym for “Terminal Access Controller Access Control System.” Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
TCP – Acronym for “Transmission Control Protocol.” Basic communication language or protocol of the Internet.
TDES – Acronym for “Triple Data Encryption Standard” and also known as “3DES” or “Triple DES.” Block cipher formed from the DES cipher by using it three times. See Strong Cryptography.
TELNET – Network protocol (the name is commonly expanded as “teletype network”) typically used to provide user-oriented command-line login sessions to devices on a network. User credentials and all session traffic are transmitted in cleartext; SSH provides the same function with encryption.
Third-Party, External Party, or Partner – Any non-employee of a Company who is contractually bound to provide some form of service to the Company.
Threat – Any person, object or event that, if realized, could potentially cause damage to an information resource or the data processed on those resources. This includes damage to the availability, integrity, and/or confidentiality of resources or information.
TLS – Acronym for “Transport Layer Security.” Designed with the goal of providing data secrecy and data integrity between two communicating applications. TLS is a successor of SSL.
Token – A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication. See RADIUS, TACACS, and VPN.
Transaction Data – Data related to electronic payment card transactions.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) – Cryptographic protocols that provide secure communications on the Internet for such things as web browsing, email, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. The term “TLS” as used here applies to both protocols unless clarified by context.
Trojan – Contraction of “Trojan horse program” that may appear to the user to offer a useful function or to do nothing, but in fact contains hidden malicious functions, typically allowing remote control of the system by hackers.
Truncation – A method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to the protection of PAN when stored in files, databases, etc. See Masking for protection of PAN when displayed on screens, paper receipts, etc.
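Worked example (added by the editor; not part of the original glossary) covering both the Masking entry above and the Truncation entry: a Luhn-checked PAN is masked for display (first six and last four at most) and truncated for storage (only the last four kept). The PAN used is a constructed test number; the “X” fill character and the digit-count limits are assumptions.

```python
import re

# Added example: Luhn-checked PAN handling, with masking for display and
# truncation for storage. The PANs used in tests are constructed numbers.


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def is_well_formed_pan(pan: str) -> bool:
    try:
        normalize_pan(pan)
        return True
    except ValueError:
        return False


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Display form: at most the first six and last four digits are shown.
    Masking changes only what is rendered; the full PAN still exists upstream."""
    digits = normalize_pan(pan)
    if first + last >= len(digits):
        raise ValueError("mask would reveal the whole PAN")
    return digits[:first] + "X" * (len(digits) - first - last) + digits[-last:]


def truncate_pan(pan: str, last: int = 4) -> str:
    """Storage form: the discarded digits are gone; only the last four are kept."""
    return normalize_pan(pan)[-last:]


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"   # constructed test PAN
    print(mask_pan(sample), truncate_pan(sample))
```

The two functions are deliberately separate: a masked string is not a safe thing to persist, because the unmasked PAN is still held wherever the mask was applied; only the truncated value should reach files and databases.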
Trusted Network – A network of an organization that is within the organization’s ability to control or manage.
Two-Factor Authentication – A method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as hardware or software token), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints or other forms of biometrics).
U: terms & definitions
Untrusted Network – Network that is external to the networks belonging to an organization and which is out of the organization’s ability to control or manage.
URL – Acronym for “uniform resource locator.” The address of a resource on a network or the Internet, such as a web page.
User IDs – Also known as accounts, these are character strings that uniquely identify computer users or computer processes.
V: terms & definitions
Virtual Appliance (VA) – A VA takes the concept of a pre-configured device for performing a specific set of functions and runs this device as a workload. Often, an existing network device is virtualized to run as a virtual appliance, such as a router, switch, or firewall.
Virtual Hypervisor – See Hypervisor
Virtual Machine – A self-contained operating environment that behaves like a separate computer. It is also known as the “Guest,” and runs on top of a hypervisor.
Virtual Machine Monitor (VMM) – The VMM is included with the hypervisor and is software that implements the virtual machine hardware abstraction. It manages the system’s processor, memory, and other resources to allocate what each guest operating system requires.
Virtual Switch or Router – A virtual switch or router is a logical entity that presents network infrastructure level data routing and switching functionality. A virtual switch is an integral part of a virtualized server platform such as a hypervisor driver, module, or plug-in.
Virtual Terminal – A virtual terminal provides web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Virtualization – Virtualization refers to the logical abstraction of computing resources from physical constraints. One common abstraction is referred to as virtual machines or VMs, which takes the content of a physical machine and allows it to operate on different physical hardware and/or along with other virtual machines on the same physical hardware. In addition to VMs, virtualization can be performed on many other computing resources, including applications, desktops, networks, and storage.
Virus – A computer program that self-replicates and automatically spreads between systems. It usually contains a payload.
Visitor – Any person who does not normally work in a Company facility or who does not perform regular business functions requiring access to or entry into a Company facility.
VLAN – Abbreviation for “virtual LAN” or “virtual local area network.” Logical local area network that extends beyond a single traditional physical local area network.
VPN – Acronym for “virtual private network”, a computer network in which some of the connections are virtual circuits within some larger network, such as the Internet, instead of direct connections by physical wires. The endpoints of the virtual network are said to be tunneled through the larger network when this is the case. While a common application consists of secure communications through the public Internet, a VPN may or may not have strong security features such as authentication or content encryption. A VPN may be used with a token, smart card, etc., to provide two-factor authentication.
Vulnerability – A flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
Vulnerability Assessment – Formal description and evaluation of the vulnerabilities in an information system.
W: terms & definitions
WAN – Acronym for “wide area network,” a computer network covering a large area, often a regional or companywide computer system.
Web Application – An application that is generally accessed via a web browser or through web services. Web applications may be available via the Internet or a private, internal network.
Web Server – A computer that contains a program that accepts HTTP requests from web clients and serves the HTTP responses (usually web pages).
WEP – Acronym for “Wired Equivalent Privacy.” A weak algorithm used to encrypt wireless networks. Several serious weaknesses have been identified by industry experts such that a WEP connection can be cracked with readily available software within minutes. See WPA.
Whole Disk Encryption – Encryption applied to an entire electronic storage system; it may exclude a system and/or boot partition.
Wireless Access Point – Device that allows wireless communication devices to connect to a wireless network. Usually connected to a wired network, it can relay data between wireless devices and wired devices on the network. Also referred to as “AP.”
Wireless Networks – A network that connects computers without a physical connection to wires.
Wireless Technology – Technology that permits the transfer of information between separated points without a physical connection.
WLAN – Acronym for “wireless local area network”, a local area network that links two or more computers or devices without wires.
Workstation – An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
Worm – Networking program that exploits network connections to spread between systems and often performs unauthorized functions such as sending unsavory emails or spam, DoS attacks, etc. A form of malware.
WPA/WPA2 – Acronym for “WiFi Protected Access.” Security protocol created to secure wireless networks. WPA is the successor to WEP. WPA2 was also released as the next generation of WPA.
X: terms & definitions
XSS – Abbreviation for “Cross-site scripting.”