The Green Sheet Online Edition
February 22, 2010 • Issue 10:02:02
Glossary of common data security terms
Following are 19 terms pertaining to payments industry data security that have been added to our online glossary of common industry terms. The full glossary can be reached on our Web site at www.greensheet.com/glossary.php. If you'd like to suggest terms to add, please e-mail us at email@example.com.
address verification service (AVS): A fraud deterrent technique used in card-not-present situations. The AVS offers various levels of address verification detail, including cardholder ZIP codes and street numbers.
certificate authority: An e-commerce service that validates Internet parties to an online transaction.
card verification value (CVV) number: The three-digit number on the back of Visa Inc. and MasterCard Worldwide credit and debit cards. It is used as a security feature in card-not-present transactions. The CVV number helps guard against the use of data stolen from payment networks by hackers. Intercepted data will usually comprise the cardholder name, card number and card expiration date, but not the CVV, which is generally obtained only by viewing the physical card.
data breach: The capture of sensitive payment card data by an untrusted party.
encryption: A method of protecting data. Encryption transforms readable information using an algorithm (called a cipher) and makes it unintelligible to anyone except those who possess a key that converts the information back into readable form. See also end-to-end data encryption.
end-to-end data encryption: The process of converting card data to seemingly unreadable text from the moment it is entered at the POS through to the final authorization.
Payment Application Data Security Standard (PA DSS): Established to help software vendors and others develop secure payment applications that do not store prohibited data and to ensure their compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to PA DSS requirements.
In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to PA DSS requirements but must still be secured in accordance with the PCI DSS.
Payment Card Industry Data Security Standard (PCI DSS): Established by the major payment brands, including American Express Co., Discover Financial Services, JCB International Co. Ltd., MasterCard Worldwide and Visa Inc., the PCI DSS is now managed by the PCI Security Standards Council.
The PCI DSS is designed to enhance payment account data security worldwide and consists of 12 requirements governing security management, policies, procedures, network architecture, software design and other areas critical to the protection of cardholder data.
Failure to adhere to the standard (by any party that handles card information, including merchants and ISOs) can result in hefty fines. Often shortened to PCI.
PCI PIN Entry Device (PCI PED): Renamed PIN Transaction Security (PTS), this is a special list of security requirements for PIN-enabled card acceptance modules.
PCI Security Standards Council (PCI SSC): An agency responsible for developing and managing the PCI security standards, including the PCI DSS, PA DSS and PTS, and for education about them. The council was founded in 2006 by AmEx, Visa, MasterCard, JCB and Discover.
personal identification number: A number used by a cardholder to authorize card payments. It is often abbreviated as PIN.
PIN debit: A debit card transaction authorized by the cardholder using a personal identification number.
PIN Transaction Security (PTS): A special list of security requirements for PIN-enabled card acceptance modules. This was formerly called the PCI PIN Entry Device (PCI PED) requirements.
Qualified Security Assessor (QSA): An auditor, certified by the PCI SSC, who assesses the PCI compliance of payment systems to ensure they are properly protecting card data. The PCI DSS requires that all Level 1 merchants (those that process over 6 million card transactions a year) be evaluated annually by a QSA.
Self-Assessment Questionnaire (SAQ): A document used as a validation tool by merchants and service providers to demonstrate compliance with the PCI DSS.
Updated in 2008, it is designed to simplify and streamline the assessment process and aid small and mid-sized merchants who are not required to have on-site PCI compliance assessments. The new SAQ comes in four versions with questions tailored specifically for different categories of card acceptors.
skimming: Running credit or debit cards through an electronic device (skimmer) to capture and store account information from cards' magnetic stripes. The data are then used to create counterfeit cards or fraudulent transactions.
Often skimmers are placed surreptitiously over legitimate payment equipment, from which they lift the payment data from any subsequent transactions.
sniffer: Malware used by hackers to intercept payment card data traveling through merchant or processor networks.
tamper resistant security module: A payment acceptance device with built-in physical protection to prevent tampering, such as the placement of a skimming device on the module.
tokenization: A process for protecting card information by which the data are replaced with an alpha-numeric substitute ("token") for their storage in a POS system. The token can be used to identify the purchaser for chargebacks or other post-transaction issues but is useless if stolen.