Background

Glossary

A quick guide

Acquirer (Acquiring Bank/Merchant Bank) - A banking or financial institution that initiates and maintains relationships with merchants for the acceptance of payment cards.

API (Application Programming Interface) - APIs provide users with pre-existing interfaces to program against, allowing rapid and standardised application development.

Application Penetration Testing - Security testing (hacking) of applications, manipulating them to assess whether security flaws exist that could give unauthorised access to resources, data, etc.

Approval - A positive reply from a transaction authorisation request.

Approved Scanning Vendor (ASV) - A vulnerability assessment provider that offers automated software tools for vulnerability scanning. ASVs undergo regular assessment and regulation by the PCI SSC for the provision of technical security assessments.

Arbitration - Process used by Acquirers to resolve a chargeback related dispute with an Issuer.

Authorisation - The approval or guarantee of funds given by the Card Issuer to the Acquirer.

BIN (Bank Identification Number) - The six-digit number assigned by Visa and MasterCard to identify a member (Issuer or Acquirer) or processor for authorisation, clearing or settlement processing. The Issuer assigns the six digits as the first six digits of the card number. The Acquirer assigns the six digits as the first six digits of the merchant number. Visa numbers always begin with a 4 and MasterCard numbers with a 5.

Biometric - A method of identifying the holder of a device by measuring a unique physical characteristic of the holder, e.g. by fingerprint matching, voice recognition or retinal scan.

Card Issuer - Financial institution that issues the payment card to the Cardholder.

Card Not Present (CNP) Transaction - Type of transaction where the card is not presented at the POS (Point of Sale) and no magnetic stripe is read. These are usually considered higher risk transactions.

Card Recon - An advanced PCI compliance software tool offered by IP Solutions used to perform cardholder data discovery on desktops and servers.

Card Scheme - Refers to one of the five major credit card brands, all of which make up the core of the PCI DSS. These brands are: Visa Inc, MasterCard Worldwide, American Express, JCB International and Discover Financial Services.


Credit card data discovery - Finding credit card data stored in an organisation is one of the key and initial steps needed for compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Data breach - Data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

Descoping - Descoping is to remove from the scope of a project. In the case of Credit Cards it means that the organisation no longer holds credit card data.

Encryption - Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorised people. Decryption is the process of converting encrypted data back into its original form so that it can be understood. In recent years, a controversy has arisen over so-called strong encryption.

Ethical hacker - An Ethical hacker is a person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent.

Gap analysis - A gap analysis is an exercise to establish the “gap” or distance between an organisation’s current payment card environment and the requirements set out in the PCI DSS. The gap essentially gives an indication of how much work is needed to become PCI compliant.

Interactive voice response (IVR) - IVR is a technology that allows a computer to interact with humans through the use of voice and DTMF tones input via keypad.

Legacy systems - Legacy systems are outdated computer systems, programming languages or application software that are used instead of available upgraded versions.

Level 1 PCI DSS - Merchants fall under four categories (levels) of PCI compliance, depending on the number of transactions they process each year and whether those transactions are performed from a brick-and-mortar location or over the Internet. Level 1 covers merchants with Visa or MasterCard Worldwide transactions totalling 6 million and up per year, and any merchant who has experienced a data breach.

LUHN Formula - The LUHN formula, also called modulus 10, is a simple algorithm used to validate the number on a credit card. It works on cards issued by all the major credit card companies, including American Express, Visa, MasterCard, Discover and Diners Club. Originally created by a group of mathematicians in the 1960s, the LUHN formula is in the public domain, and anyone can use it.
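Both the "Credit card data discovery" entry above and this LUHN entry describe mechanisms that are easiest to understand in code: the modulus-10 check itself, and how a discovery tool uses it to separate real card numbers from other long digit strings (order numbers, timestamps) found in files and logs. The example below is added here and is not code from this page, from Card Recon or from any other product; the sample log text and the number formats it accepts are constructed for illustration. The numbers that pass the check are widely published test values (such as 4111 1111 1111 1111), not real accounts.

```python
import re

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (modulus 10) check.

    Walking from the rightmost digit, every second digit is doubled and, if
    the result exceeds 9, reduced by 9 (equivalent to summing its digits).
    The number is valid when the total is divisible by 10.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer run of digits (constructed pattern for this example).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def mask_pan(pan: str) -> str:
    """Display at most the first six and last four digits, as PCI DSS allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text.

    A discovery tool reports only the masked value so that the scan output
    does not itself become a new store of cardholder data.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings

# Constructed sample: one order number and one mistyped card number (both fail
# Luhn), and two values that pass the check and should be reported.
SAMPLE_TEXT = """\
2024-01-01 10:00:01 order=1234567890123 customer=alice
2024-01-01 10:00:02 legacy export: card 4111 1111 1111 1111 exp 12/27
2024-01-01 10:00:03 support note: amex 378282246310005 declined
2024-01-01 10:00:04 typo in ticket: 4111111111111112
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_TEXT):
        print(f"line {lineno}: possible PAN {masked}")
```

The Luhn check is only a filter, not proof that a number is a live card: it will also accept any 13-19 digit string that happens to satisfy the checksum, so a discovery scan still needs a human or a BIN lookup to confirm each hit. Conversely, a PAN stored with a transcription error (the last sample line) is missed, which is why scanning tools usually report near-miss matches separately.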

Man In The Middle (MITM) - MITM refers commonly to an attack (in this context against payment card data) on a payment transaction whereby the hacker intercepts sensitive payment data between a customer and the payment application. Very often the customer would be unaware that communications were being intercepted hence the need for regular penetration testing and application security testing.

Merchant - Merchant is an entity that trades goods and services and receives payment by means of credit or debit card.

Office of the Australian Information Commissioner (OAIC) - OAIC is an independent Australian Government agency established under the Australian Information Commissioner Act 2010.

Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS is a document consisting of 12 requirements and various principles all designed to provide a framework to protect payment card data and systems.

Payment Card Industry Security Standards Council (PCI SSC) - PCI SSC is the global governing body for payment card security standards. The PCI Security Standards Council is responsible for the development, management, education, and awareness of the PCI Security Standards. These comprise the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS).

PCI Compliant - PCI Compliant refers to an organisation that has become compliant with the PCI DSS and has demonstrated this either through a Self-Assessment Questionnaire or through formal validation (audit) by a QSA firm.


Penetration Testing - Penetration testing refers to a technical security audit undertaken by ethical hackers who assess infrastructure, networks and applications for security flaws.

PIN Transaction Security (PTS) - PTS is a set of modular evaluation requirements managed by PCI Security Standards Council, for PIN acceptance POI terminals.

Primary Account Number (PAN) - The Primary Account Number is essentially the payment card number (16 to 19 digits), which is generated according to the LUHN algorithm.

Privacy Act - The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act includes ten National Privacy Principles (NPPs), which apply to certain private sector organisations, and 11 Information Privacy Principles (IPPs), which apply to Australian, ACT and Norfolk Island agencies.

Qualified Security Assessor (QSA) - A QSA is an Information Security and PCI expert who works for a QSA firm and who has been certified by the PCI SSC to be fit and proper to validate whether a company/environment is PCI compliant. A QSA consultant must belong to a registered and authorised firm.

Report on Compliance (ROC) - The Report on Compliance is a report showing that an environment has been validated by a QSA in accordance with the PCI DSS. The outcome of the validation assessment is a Report on Compliance opinion of Compliant or Not Compliant, depending on the evidence provided by the merchant or service provider to the QSA in support of its compliance assertions. The report cites evidence against each of the 12 PCI DSS requirements, demonstrating how compliance has been achieved.

Scope - The scope is a piece of work undertaken by an entity that stores, processes or transmits cardholder data and that is validated by a QSA as part of a PCI compliance programme. The scope is a definition of the cardholder data environment against which the PCI DSS must be applied.

Service Provider - A service provider is an entity that stores, processes or transmits cardholder data on behalf of merchants. Examples of service providers include hosting and payment services for merchants. Such providers do not have direct contractual relationships with acquiring institutions, other than for their own merchant activities, but nonetheless fall into scope for the PCI DSS where they store, process or transmit payment card data on behalf of merchants. It is the merchant's responsibility to ensure that the service providers it uses operate in a way that is compliant with the PCI DSS.

Token - A value provided by hardware or software that usually works with an authentication server or VPN to perform dynamic or two-factor authentication.

Tokenisation - Tokenisation is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. Tokenisation, which seeks to minimize the amount of data a business needs to keep on hand, has become a popular way for small and mid-sized businesses to bolster the security of credit card and e-commerce transactions while minimising the cost and complexity of compliance with industry standards and government regulations.
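The tokenisation entry above describes replacing the PAN with an identifier that keeps what the business needs (here, the last four digits for customer service and the ability to recognise a returning card) while removing the sensitive value from the merchant's systems. The vault-based tokeniser below is an added example, not code from this page or from any tokenisation product; the `TokenVault` class, the `tok_` prefix and the in-memory dictionaries are assumptions made for illustration. In a real deployment the vault lives with the service provider and is itself inside PCI DSS scope; only the tokens are stored by the merchant.

```python
import secrets

class TokenVault:
    """Toy token vault (constructed example): maps random tokens to the PANs
    they stand in for. The token carries no information about the PAN beyond
    the last four digits, so a token leaked from the merchant side cannot be
    reversed without access to the vault itself."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first use."""
        # Same card, same token: lets the merchant recognise repeat customers
        # and run analytics without ever holding the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random (not hashed or encrypted) identifier; the last four
            # digits are kept in clear as PCI DSS permits them to be displayed.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Resolve a token back to its PAN; only the vault can do this."""
        return self._pan_by_token[token]

    def last_four(self, token: str) -> str:
        """What the merchant can show without touching the vault."""
        return token.rsplit("_", 1)[-1]

if __name__ == "__main__":
    vault = TokenVault()
    # Widely published test number, not a real account.
    token = vault.tokenise("4111111111111111")
    print("merchant stores:", token, "ending", vault.last_four(token))
```

Because the token is random rather than derived from the PAN, two merchants tokenising the same card through different vaults get unrelated tokens, and an attacker who obtains a merchant's token database learns only the last four digits of each card.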

Validation/Audit - Validation/Audit refers to the final stage of PCI compliance whereby a Qualified Security Assessor (QSA) will validate and attest the compliance status of the environment under assessment for compliance with the PCI DSS.

Vulnerability assessment - A vulnerability assessment is a technical security audit that uses automated tools to test for security flaws, misconfigurations and weaknesses in infrastructure and applications (to a relatively limited extent).
