Q
QIR: Acronym for “Qualified Integrator or Reseller.” Refer to the QIR Program Guide on the PCI SSC website for more information.
QSA: Acronym for “Qualified Security Assessor.” QSA companies are qualified by PCI SSC to validate an entity’s adherence to PCI DSS requirements. Refer to the QSA Qualification Requirements for details about requirements for QSA Companies and Employees.
R
Remote Access: Access to an entity’s network from a location outside of that network. An example of technology for remote access is a VPN.
Removable Electronic Media: Media that stores digitized data that can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives, and external/portable hard drives. In this context, removable electronic media does not include hot-swappable drives, tape drives used for bulk back-ups, or other media not typically used to transport data from one location for use in another.
Risk Assessment: Enterprise-wide process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures to minimize total exposure. See Targeted Risk Analysis.
Risk Ranking: Process of classifying risks to identify, prioritize, and address items in the order of importance.
ROC: Acronym for “Report on Compliance.” Reporting tool used to document detailed results from an entity’s PCI DSS assessment.
Related Hosts: Any components discovered during an EVS that were not included in the scan scope.
S
SAQ: Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
Scoping: Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. See PCI DSS section 4, Scope of PCI DSS Requirements.
Secure Coding: The process of creating and implementing applications that are resistant to tampering and/or compromise.
Security Event: An occurrence considered by an organization to have potential security implications to a system or its environment. In the context of PCI DSS, security events identify suspicious or anomalous activity.
Security Officer: Primary responsible person for an entity’s security-related affairs.
Segmentation: Also referred to as “network segmentation” or “isolation.” Segmentation isolates system components that store, process, or transmit cardholder data from systems that do not.
Sensitive Authentication Data (SAD): Security-related information used to authenticate cardholders and/or authorize payment card transactions. This information includes, but is not limited to, card verification codes, full track data (from magnetic stripe or equivalent on a chip), PINs, and PIN blocks.
Service Provider: Business entity, other than a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity. This includes payment gateways, payment service providers (PSPs), and independent sales organizations (ISOs). It also includes companies that provide services that control or could impact the security of CHD and/or SAD. Examples include managed service providers that provide managed firewalls, IDS, and other services, as well as hosting providers and other entities.
If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services). See Multi-Tenant Service Provider and Third-Party Service Provider.
Special Note: These are used to inform the scan customer of certain software or services residing on the network that may pose a threat to the scan customer’s environment.
SSL: Acronym for “Secure Sockets Layer.”
Static IP: An IP address that stays the same.
Strong Cryptography: Cryptography is a method to protect data through a reversible encryption process, and is a foundational primitive used in many security protocols and services. Strong cryptography is based on industry-tested and accepted algorithms along with key lengths that provide a minimum of 112 bits of effective key strength and proper key-management practices.
Effective key strength can be shorter than the actual bit length of the key, which means an algorithm with a larger key can provide less protection than an algorithm with a smaller actual, but larger effective, key size. It is recommended that all new implementations use a minimum of 128 bits of effective key strength.
Examples of industry references on cryptographic algorithms and key lengths include:
- NIST Special Publication 800-57 Part 1,
- BSI TR-02102-1,
- ECRYPT-CSA D5.4 Algorithms, Key Size and Protocols Report (2018),
- ISO/IEC 18033 Encryption algorithms, and
- ISO/IEC 14888-3:2018 IT Security techniques – Digital signatures with appendix – Part 3: Discrete logarithm based mechanisms.
T
Third-Party Service Provider (TPSP): Any third party acting as a service provider on behalf of an entity. See Multi-Tenant Service Provider and Service Provider.
Third-Party Software: Software that is acquired by, but not developed expressly for, an entity. It may be open source, freeware, shareware, or purchased.
Token: In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or multi-factor authentication.
Track Data: Also referred to as “full track data” or “magnetic-stripe data.” Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic-stripe image on a chip or the track data on the magnetic stripe.
Truncation: Method of rendering a full PAN unreadable by removing a segment of PAN data. Truncation relates to the protection of PAN when electronically stored, processed, or transmitted.
Trusted Network: Network of an entity that is within the entity’s ability to control or manage and that meets applicable PCI DSS requirements.
U
Untrusted Network: Any network that does not meet the definition of a “trusted network.”
V
Virtual Payment Terminal: In the context of Self-Assessment Questionnaire (SAQ) C-VT, a virtual payment terminal is web-browser-based access to an acquirer, processor, or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data through a web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
VPN: Acronym for “virtual private network.”
Vulnerability: Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
W
Web Application: An application that is generally accessed through a web browser or through web services. Web applications may be available through the Internet or a private, internal network.