Acquiring Bank: A merchant’s acquiring bank is the financial institution with which it maintains its accounts and which processes its credit and debit card transactions. The bank or financial institution then deposits funds from credit and debit card transactions into the merchant’s checking account.
Antivirus Software: Antivirus software is protective software designed to defend computers and computer networks against malicious software. Malicious software, or “malware,” includes: viruses, Trojans, keyloggers, hijackers, dialers, and other code that vandalizes or steals computer data. To be effective, antivirus software must run in the background at all times, and must be updated regularly so that it recognizes new versions of malicious software.
Approved Scanning Vendor (ASV): An approved scanning vendor, or ASV, is a data security firm that uses scanning solutions to determine whether or not a merchant is compliant with PCI-DSS standards. ASVs have been trained and are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI-DSS rules.
Computer Network: A computer network is a telecommunications network that allows connected computers to exchange data. Typically, networked computing devices are connected using either cables or wireless media.
Credit Card Processor: Credit card processors are vendors who handle the work associated with processing credit card transactions between merchants, banks and credit card issuers.
Customer Card Data: Customer card data is the identifying information embedded in the card’s magnetic stripe.
Data Encryption: Data encryption is the translation of data into secret code. To read an encrypted file, one must have access to a secret key or password that decrypts or translates the data. Unencrypted data is called plaintext; encrypted data is called ciphertext.
Data Security: Data security refers to protecting a database from destructive forces (like malware) and the unwanted actions of unauthorized users.
Firewall: A firewall is a system designed to prevent unauthorized access to a private network. All messages entering or leaving the network pass through the firewall, which examines each message and blocks those that do not meet specific security criteria. A firewall is, therefore, considered a first line of defense in protecting private information. There are two types of firewalls: personal or desktop firewalls that run on individual computers, and hardware-based firewalls such as the one built into a router.
Forensic Audit: In most cases, PCI-DSS requires a forensic audit to be conducted when a data security breach is suspected. A forensic audit consists of an examination of your computer network to determine the level of its security, its compliance with PCI-DSS requirements, and the source of the data security breach. A certified forensic auditor performs the examination (at the merchant’s expense) and may, for example, remove malware from an infected network as part of the examination. The auditor then reports the findings back to the merchant’s bank.
Malicious Software / Malware: This is software designed to infiltrate or damage a computer system without the owner’s knowledge or consent. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.
Merchant: A merchant is any entity that accepts credit cards from any of the five members of the PCI Security Council (American Express, Discover, JCB, MasterCard or Visa).
Merchant Levels: PCI-DSS rules segment merchants into one of four categories based upon their annual volume of card transactions. PCI-DSS Rules segment merchants as follows: Level 1 – more than 6 million annual transactions; Level 2 – 1 million to 6 million annual transactions; Level 3 – 20,000 to 1 million ecommerce transactions; and Level 4 – fewer than 20,000 annual transactions. Compliance standards vary depending upon the merchant’s Level.
Modems: Modems send and receive information over telephone or cable lines. A modem is needed to connect to the Internet.
Network Security: Network security is a specialized field in computer networking that involves protecting a computer network from unauthorized access. A network or system administrator typically implements security policies, hardware and software designed to protect a network from outside threats, and also ensures that employees have adequate access to network resources.
Network Security Scan: This describes the process by which a merchant’s network is remotely scanned for data security vulnerabilities. Scans may identify vulnerabilities in operating systems and devices that could be used by malicious individuals.
PCI Compliant: This term describes an organization that has demonstrated compliance with the PCI-DSS rules.
PCI-DSS: This acronym refers to the Payment Card Industry Data Security Standards. These are the data security rules by which merchants must abide.
PCI-SSC: This acronym refers to the PCI Security Standards Council. This organization, comprised of representatives from the five major card brands and others, develops and publishes the PCI-DSS.
PCI DSS Self-Assessment Questionnaire (SAQ): Some merchants (those which process fewer than 6 million credit card transactions per year) are able to self-validate their compliance with PCI-DSS requirements by completing a Self-Assessment Questionnaire created by the PCI Data Security Council. Different versions of the SAQ exist (Versions A, B, C, C-VT and D), and the appropriate version for a particular merchant will depend on the manner in which it typically completes credit card transactions.
Point of Sale System: A Point-of-Sale (POS) system is a computer system used in place of a cash register in retail operations. Besides recording transactions, the computer can track inventory, print informative invoices and receipts, and handle credit and debit card payments. The POS system usually incorporates some form of bar code reader used to obtain customer card data and facilitate credit and debit card transactions.
Qualified Security Assessor (QSA): A qualified security assessor, or QSA, is a data security firm that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI-DSS.
Remediation: Remediation describes a process for bringing a non-compliant merchant or network environment into compliance with PCI-DSS standards. This often involves process change, technology upgrades, and expense.
Remote Access: This describes a means of accessing computer networks from a remote location, typically from outside the network. A VPN is one example of remote access technology.
Router: Routers connect computers and networks to each other. Routers also enable several computers to share a single Internet connection. Routers can be wired or wireless. Wireless routers enable computers to share an Internet connection over a wireless network.
Server: A server is a computer or computer program that manages access to centralized resources within a computer network. For example, a file server stores files that other users can access and share. A mail server handles e-mail for users on the network. A web server displays a business’s Web site to the outside world.
Spyware: This is a type of malicious software that intercepts or takes partial control of the user’s computer without the user’s consent.
Skimmer Device: A skimmer is a small electronic device used to illegally steal victims’ credit card data. Skimmers are often used at restaurants and bars where the person using it (a server or bartender) has possession of the victim’s credit card outside of his or her immediate view.
Trojan: This is a type of malicious software, also known as a “Trojan horse,” that allows a user to perform a normal function while the Trojan performs malicious functions on the computer system without the user’s knowledge.
Virtual Private Network (VPN): Businesses often need to connect and transmit data between multiple devices and locations. When that need arises, businesses have two options: (1) leasing a secured line between the locations; or (2) connecting the locations “virtually” using the internet. The problem with the second option is that the internet is public and, therefore, not secure. The solution to that problem is to employ technology to create a “virtual private network” to better protect transmitted data. The technology encrypts data, i.e., converts it into secret code to protect it from hackers.
VPN Router: A router is a device that forwards data packets along networks. A VPN router encrypts data between points on a network.
Wireless Networks: A wireless network connects computers without wires, usually using a wireless router.