PCI compliance: what does it stand for?
For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Monitoring: Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events. Multi-Factor Authentication: Method of authenticating a user whereby at least two factors are verified.
These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN), or something the user is or does (such as fingerprints or other forms of biometrics). Network Address Translation (NAT): Change of an IP address used within one network to a different IP address known within another network, allowing an organization to have internal addresses that are visible internally, and external addresses that are only visible externally.
Network: Two or more computers connected together via physical or wireless means. Network Administrator: Personnel responsible for managing the network within an entity.
Responsibilities typically include, but are not limited to, network security, installations, upgrades, maintenance, and activity monitoring. Network Components: Include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Network Diagram: A diagram showing system components and connections within a networked environment. Network Security Scan: Security scans that include probing internal and external systems and reporting on services exposed to the network.
Scans may identify vulnerabilities in operating systems, services, and devices that could be used by malicious individuals.
Network Segmentation: Adequate network segmentation may reduce the scope of the cardholder data environment and thus reduce the scope of the PCI DSS assessment. Commerce Department's Technology Administration. NMAP: Security-scanning software that maps networks and identifies open ports in network resources. Non-Console Access: Refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.
Non-Consumer Users: Individuals, excluding cardholders, who access system components, including but not limited to employees, administrators, and third parties. NVD (National Vulnerability Database): Includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics. Off-the-Shelf: Description of products that are stock items, not specifically customized or designed for a specific customer or user, and readily available for use.
Organizational Independence: An organizational structure that ensures there is no conflict of interest between the person or department performing the activity and the person or department assessing the activity.
For example, individuals performing assessments are organizationally separate from the management of the environment being assessed. OWASP (Open Web Application Security Project): Maintains a list of critical vulnerabilities for web applications. Pad: In cryptography, the one-time pad is an encryption algorithm in which the text is combined with a random key, or "pad", that is as long as the plaintext and used only once. If the key is truly random, never reused, and kept secret, the one-time pad is unbreakable.
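The one-time pad definition above rests on three conditions (random key, as long as the message, never reused). The following added example (not from the original page or the PCI glossary) implements the pad as a byte-wise XOR and shows why the "used only once" condition matters: if the same pad encrypts two messages, XORing the two ciphertexts cancels the pad and exposes the XOR of the two plaintexts, which is the classic two-time-pad failure. The messages and function names are constructed for the example.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """Produce a pad of cryptographically random bytes of the given length."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Combine data with the pad byte-by-byte using XOR.

    XOR is its own inverse, so the same function encrypts and decrypts.
    The pad must be at least as long as the data; a shorter pad would
    force reuse of key material, which breaks the scheme.
    """
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def two_time_pad_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """XOR two ciphertexts that were produced with the same pad.

    Because (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2, the pad cancels out and the
    result depends only on the two plaintexts. This is the failure mode
    that the "never reused" rule in the definition prevents.
    """
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))


def demo() -> dict:
    # Constructed sample messages for the demonstration.
    p1 = b"ship order 4471"
    p2 = b"hold order 4471"
    pad = generate_pad(len(p1))

    c1 = otp_xor(p1, pad)
    recovered = otp_xor(c1, pad)          # decrypt with the same pad

    c2 = otp_xor(p2, pad)                 # pad reused: a violation
    leak = two_time_pad_leak(c1, c2)      # equals p1 XOR p2, pad gone
    expected_leak = bytes(a ^ b for a, b in zip(p1, p2))

    return {
        "roundtrip_ok": recovered == p1,
        "ciphertext_differs": c1 != p1,
        "reuse_leaks_plaintext_xor": leak == expected_leak,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block decrypts correctly with the single pad and confirms that reusing the pad for a second message leaves an attacker-independent relation between the two plaintexts; in practice this is why one-time pads are replaced by authenticated ciphers with fresh nonces rather than managed by hand.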
Parameterized Queries: A means of structuring SQL queries to limit escaping and thus prevent injection attacks. Patch: Update to existing software to add functionality or to correct a defect. Payment Application: In the context of PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
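To make the "Parameterized Queries" entry concrete, here is an added example (not code from the original page) that contrasts a query built by string concatenation with the same query written with a bound parameter. It uses Python's built-in sqlite3 module and an in-memory table with constructed sample rows; the table, column and function names are assumptions for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "1234"), ("bob", "5678")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: untrusted input is spliced into the SQL text.

    Any quote character in `username` changes the structure of the
    statement, so the database can no longer tell data from code.
    """
    sql = f"SELECT username, card_last4 FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the statement is fixed and the value is bound separately.

    The driver sends the value as data, so quotes inside it are just
    characters of the string being compared, not SQL syntax.
    """
    sql = "SELECT username, card_last4 FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A constructed input containing a quote, used here only to show the
    # difference in how the two functions interpret it.
    odd_input = "x' OR '1'='1"
    print("concatenated:", lookup_concatenated(db, odd_input))
    print("parameterized:", lookup_parameterized(db, odd_input))
```

With the quoted input, the concatenated version returns every row because the comparison has been rewritten by the input, while the parameterized version returns nothing because no account is literally named that string. Note that parameter binding protects values only; table and column names still have to come from an allow-list, not from user input.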
Payment Processor: Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.
See also Acquirer. Penetration Test: Penetration tests attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment external testing and from inside the environment.
Personal Firewall Software: A software firewall product installed on a single computer. Personally Identifiable Information: Information that can be utilized to identify an individual including but not limited to name, address, social security number, phone number, etc.
PIN: Typical PINs are used for automated teller machines and for cash advance transactions. Point of Interaction (POI): An electronic transaction-acceptance product; a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. Policy: Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.
Port: Logical virtual connection points associated with a particular communication protocol to facilitate communications across networks. Private Network: Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers. Privileged User: Any user account with greater than basic access privileges.
Typically, these accounts have elevated or increased privileges with more rights than a standard user account. However, the extent of privileges across different privileged accounts can vary greatly depending on the organization, job function or role, and the technology in use.
Procedure: Descriptive narrative for a policy. Protocol: Agreed-upon method of communication used within networks. Specification describing rules and procedures that computer products should follow to perform activities on a network. Proxy Server: A server that acts as an intermediary between an internal network and the Internet. For example, one function of a proxy server is to terminate or negotiate connections between internal and external connections such that each only communicates with the proxy server.
Please refer to www. Public Network: Network established and operated by a third party telecommunications provider for specific purpose of providing data transmission services for the public. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies.
See also Private Network. RADIUS: Checks whether information such as a username and password passed to the RADIUS server is correct, and then authorizes access to the system. This authentication method may be used with a token, smart card, etc.
Rainbow Table Attack: A method of data attack using a pre-computed table of hash strings (fixed-length message digests) to identify the original data source, usually for cracking password or cardholder data hashes. Re-keying: Process of changing cryptographic keys.
Periodic re-keying limits the amount of data encrypted by a single key. Remote Access: Access to computer networks from a remote location. An example of technology for remote access is VPN. Risk Ranking: A defined criterion of measurement based upon the risk assessment and risk analysis performed on a given entity.
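The Rainbow Table Attack entry above describes a precomputed table of hashes. The standard mitigation is to hash each password with a unique random salt and a slow key-derivation function, so that one precomputed table cannot cover many accounts. The added example below (not part of the original page) uses Python's hashlib and secrets modules to show the difference: two users with the same password produce identical unsalted digests but distinct salted ones. The user records and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed work factor for the example; production deployments tune this
# to the hardware and follow current guidance for the chosen KDF.
ITERATIONS = 200_000


def unsalted_sha256(password: str) -> bytes:
    """Plain hash: the same password always yields the same digest,
    which is exactly what a precomputed table exploits."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated hash using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is generated per password unless one is
    supplied (verification passes the stored salt back in). Returns the
    (salt, digest) pair that would be stored for the account.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def compare_schemes(password: str) -> dict:
    """Show how two accounts sharing a password look under each scheme."""
    plain_a = unsalted_sha256(password)
    plain_b = unsalted_sha256(password)
    salt_a, salted_a = hash_password(password)
    salt_b, salted_b = hash_password(password)
    return {
        "unsalted_identical": plain_a == plain_b,   # one table entry cracks both
        "salted_identical": salted_a == salted_b,   # different salts, different digests
        "salts_differ": salt_a != salt_b,
        "verify_ok": verify_password(password, salt_a, salted_a),
        "verify_wrong_rejected": not verify_password("not-it", salt_a, salted_a),
    }


if __name__ == "__main__":
    # Constructed sample password shared by two users.
    print(compare_schemes("Winter2024!"))
```

The point for an assessor is that a salt does not need to be secret, only unique per record; it forces an attacker to recompute the table for every account rather than reuse one.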
Rootkit: Type of malicious software that when installed without authorization, is able to conceal its presence and gain administrative control of a computer system. Router: Hardware or software that connects two or more networks.
Functions as a sorter and interpreter by looking at addresses and passing bits of information to the proper destinations. Software routers are sometimes referred to as gateways. S-FTP: Has the ability to encrypt authentication information and data files in transit. See FTP. Sampling: The process of selecting a cross-section of a group that is representative of the entire group. Sampling may be used by assessors to reduce overall testing efforts, when it is validated that an entity has standard, centralized PCI DSS security and operational processes and controls in place.
See www. Schema: Formal description of how a database is constructed including the organization of data elements. Secure Cryptographic Device: A set of hardware, software and firmware that implements cryptographic processes including cryptographic algorithms and key generation and is contained within a defined cryptographic boundary. Security Event: An occurrence considered by an organization to have potential security implications to a system or its environment.
Security Policy: Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. Security Protocols: Network communications protocols designed to secure the transmission of data. Sensitive Area: Any data center, server room or any area that houses systems that stores, processes, or transmits cardholder data.
This excludes the areas where only point-of-sale terminals are present such as the cashier areas in a retail store. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure. Service providers also include companies that provide services that control or could impact the security of cardholder data. A: What constitutes a payment application as it relates to PCI compliance? The term payment application has a very broad meaning in PCI.
A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale system e.
Therefore any piece of software that has been designed to touch credit card data is considered a payment application. A: Payment gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, web-based connections or privately held leased lines.
If you qualify for any of the following SAQs under version 3. The tool will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet Protocol (IP) addresses provided by the merchant or service provider. Learn more about vulnerability scans here. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer.
A: PCI is not, in itself, a law. For a little upfront effort and cost to comply with the PCI DSS, you greatly reduce your risk of facing these extremely unpleasant and costly consequences. Home users are arguably the most vulnerable simply because they are usually not well protected. A: While many payment card data breaches are easily preventable, they can and do still happen to businesses of all sizes.
We recommend the following: A: Absolutely. California is the catalyst for reporting data breaches to affected parties. The state implemented its breach notification law in , and now nearly every state has a similar law in place.
Click on the links below to find answers to frequently asked questions. There are four different levels of compliance; these levels stipulate the requirements for which sellers are responsible. The PCI Council deems the pass mark is compliance with percent of criteria.
Because of this complicated responsibility, many larger companies choose to work with a PCI-compliance consultant on standards and how to meet these PCI-compliant level requirements. Every seller falls into one of the four categories depending on their transaction volume during a month period. In fact, a Verizon Data Breach Incident Report found that there were almost 80, data security incidents this year.
If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more if a breach occurs.
Penalties are not highly publicised, but they can be destructive for businesses. The banks often pass this cost along to the merchant and can terminate contracts or increase fees for transactions, in response to breaches and violations.
Aside from the financial cost, there are also other potential liabilities that could affect your business. Becoming and maintaining a PCI-compliant business can be costly, depending on the type and size of your company and the compliance level to which you are held.
Your costs include regular scans by ASVs and increase based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.
Watch out for predatory service providers that charge expensive fees but only satisfy a portion of your PCI requirements. We maintain PCI compliant software at no additional cost to you, with no monthly contracts or long-term commitments. Square is the merchant of record for every transaction.
We deal with the banks on your behalf and take care of PCI compliance, regulation, and processing. We advocate on your behalf to make sure that simple errors, honest mistakes, and disputes are resolved equitably. We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization. Plus, we monitor every transaction from swipe to payment, continuously innovate in fraud prevention, and protect your data like our business depends on it—because it does.
Square meets PCI standards across software, hardware, and payment processing. For chip and PIN countries, we are working on evolving mobile security standards alongside the card schemes and PCI Council, where we are a member of the Board of Advisors. Just as there was previously no standard for card readers that plug into mobile phones, there currently is no PCI standard for mobile PIN entry.
Square is, and has always been, committed to innovating with payments industry leaders to make secure card payments accessible to all.