In the context of PCI DSS, Administrative Access accounts have special rights and capabilities, allowing them to oversee systems, networks, and applications. For example, accounts in use for system administration can have different titles varying on the operating system. It can be an administrator, admin, or supervisor.

Adware is a hazardous type of malicious software that, once installed, can be challenging to remove. These programs force computers to download and display ads on the user’s screen in a destructive way. This software can be unknowingly installed by a person while visiting certain websites or downloading various files. For example, at least 50%…

The American National Standards Institute (ANSI) was established as an independent, privately funded non-profit organization based in Washington D.C. Today, ANSI has grown to host more than 200 consensus-based standards and conformity assessment systems for products and services used within the United States and abroad. These standards reflect the best practices for a given product…

An Attestation of Compliance (AOC) is a documented declaration of an organization’s compliance with the PCI DSS. It proves that a company can successfully implement outstanding security best practices to protect cardholder data.

Assessors and/or labs can certify the findings of an assessment on the Attestation of Validation (AOV) form, which are then included in the relevant Report on Validation.

An Approved Scanning Vendor (ASV) is an entity that verifies whether a company’s PCI DSS external scanning requirements have been met. ASVs use techniques similar to those used by hackers, such as penetration testing, to run an external vulnerability assessment of a company’s network or website. A quarterly network scan by an approved scanning vendor…

An audit log is an essential record of system activities that records the chronological sequence from the initiation to the completion of a transaction. It should be precise enough to provide all the information necessary for troubleshooting and understanding how events transpired.

Buffers are memory storage areas that keep data temporarily as it is moved from one location to another. When the amount of data exceeds the memory buffer’s storage capacity, a buffer overflow (or buffer overrun) occurs. The application that is trying to copy the data to the buffer, as a result, overwrites nearby memory locations.

Card skimmer is a device attached to the card reader that skims and steals the card information like card number, expiration date, and CVV code. This device reads the debit/credit card information from the magnetic stripe at the back of the card and stores it in its memory module. Generally, a card skimmer is placed…

A Card Verification Code/Value (CVC/CVV) is a series of numbers apart from the bank card number that is present on a debit or credit card. It provides an extra layer of security for card-not-present transactions where the PIN can’t be manually entered. In most cards, this is a three-digit number printed alongside the signature box.

Cardholder data (CD) consists of all personally identifiable information (PII), such as the cardholder’s name, card number, expiration date, and CVV security code of the individual with a credit or debit card. This is sensitive card information subject to security regulations like PCI DSS. Banks, payment merchants, and other entities that store and process this…

The Cardholder Data Environment (CDE) consists of all systems, networks, and applications used in the payment card transaction process. It includes all the places where payment card data is stored, processed, or transmitted. This data includes information such as the cardholder’s name, card number, expiration date, and other sensitive information. To comply with the PCI…

Computer Emergency Response Team (CERT) is a team of IT security experts responsible for responding to cybersecurity incidents, vulnerabilities, and threats to mitigate them at the earliest. They identify, analyze, and respond to cyber incidents that could impact the security of the company’s critical systems. They also perform vulnerability assessments and help organizations implement the…

Center for Internet Security (CIS) is a 501 non-profit organization formed in 2000. They are responsible for CIS controls and CIS Benchmarks and aim at developing best internet security practices for public and private sectors to prevent cyber threats. Their Multi-State Information Sharing and Analysis Center (MS-ISAC) also offers real-time threat intelligence. Organizations can reach…

It is a type of database encryption that selects specific attributes/data elements to be encrypted instead of the entire database or individual records. This type of encryption is generally implemented using algorithms like Triple Data Encryption Standard (TripleDES) or Advanced Encryption Standard (AES). This encryption benefits confidential or sensitive data such as personally identifiable information…

Also referred to as Alternative Controls, it is a set of security and privacy controls implemented by an organization in lieu of the NIST Special Publication 800-53 to mitigate risks and provide an alternative approach to achieving the same security objectives as primary controls. They are often used to reduce the impact of security breaches…

A cryptographic key is a string of characters, such as numbers or letters, which can encrypt and decrypt data when processed through an encryption algorithm. In simpler terms, a cryptographic key is a piece of data that transforms plaintext (unencrypted data) into ciphertext (encrypted data) and vice versa. In general, the key is used by…

Cross-Site Request Forgery (CSRF) is a security vulnerability that allows a cyber threat actor to perform actions on behalf of the user without their knowledge or consent. The CSRF attack occurs when the user clicks on a malicious link or visits a malicious website. This action makes the user’s browser send requests to legitimate websites…

Database administrators are IT technicians responsible for installing, managing, configuring, and maintaining an organization’s database systems’ performance, security, and availability. A database administrator’s primary role is to ensure the database is accessible, secure, and performing optimally. The responsibilities of a database administrator include monitoring database performance, ensuring data security and data integrity, backing up and…

It is a graphical representation using defined symbols and charts to explain the flow of data through a system or process. System analysts, database administrators, and designers often use the visual tool to describe the flow of information in a system visually and how that information is processed. The diagram comprises different components such as…

A Designated Record Set is the records maintained by or for a covered entity to make decisions about people. It usually contains billing records, medical records, payment and claims records, case management records, health plan enrollment records, and so on.

A Disaster Recovery Plan is an official document developed by a company that gives precise instructions on how to respond to unanticipated situations such as natural disasters, power outages, cyber-attacks, and other disruptive events. In order for an organization to continue operating or swiftly resume critical functions, the plan includes tactics to mitigate the effects…

A minor is considered to be emancipated if they have either been legally released from parental supervision and custody, or if they have achieved the age of majority. These people are expected to provide for and take care of themselves.

External entity can be an outside individual, organisation or an outside system/application that is a source or recipient of data-flow. These entities do not lie inside the investigated subject and can be a potential threat to it.

Facility Security Plan lays down the policies and procedures to prevent, detect, respond to and recover from security incidents that may occur in or around the facility and its servicing vessels.The protection of the facility here includes the security of the people on the facility, the inventory and other assets and equipment.

The United States Department of Health and Human Services (HHS) is an executive branch agency of the federal government of the United States that was established to safeguard the health of the country’s citizens and provide necessary human services.

Human Investigation Committee (HIC) are a group of people who ensure that the research on the human subjects involving their personal health information is conducted ethically. The compliance of all federal laws is also monitored by the committee. It has the right to approve, disapprove or request amendments in the research whenever required. The Committee…

A Hybrid Entity in HIPAA is a covered entity that performs some of its functions as a covered entity (relating to healthcare) and others as a non-covered entity. These entities can avail some regulatory relief as their non-covered function doesn’t need to comply with the full scope of HIPAA privacy rules.

Intrusion Detection System (IDS) is a system or software that monitors the network traffic and system for signs of malicious activities and violation of any security policies. The IDS then issues alerts on the detection of any intrusions or security threats in real time so that database administrators or security analysts can take necessary actions…

The Internet Engineering Task Force (IETF), formed in 1986, is a Standards Development Organization (SDO) for the Internet. It is responsible for developing and evolving standards that comprise the Internet protocol suite. It is a large international community of network operators, designers, and researchers who work towards a common goal to develop and promote standards…

Payment Application Data Security Standard (PA DSS) is a set of security requirements and assessment procedures created by PCI DSS that aims at helping software vendors develop secure payment applications to protect cardholder data and comply with PCI DSS. The standard is intended for developers and vendors who create various payment applications, such as POS…

PCI DSS – Level 1 is the highest level of this compliance. It applies to any merchant that processes more than 6 million card transactions per year. At this level of compliance, a merchant must adhere to the level 1 grade controls that include making an annual report by a qualified security assessor (QSA) or…

PCI DSS – Level 2 applies to merchants that process more than 1 million and less than 6 million card transactions annually. At this level of compliance, a merchant must adhere to the level 2 grade controls that include completing the self-assessment questionnaire and having an onsite audit.

Level 3 applies to merchants that process 20,000 to 1 million card transactions annually. At this level of compliance, a merchant must adhere to level 3 grade controls and policies. Some of these are completing the self-assessment questionnaire, doing quarterly scans to check vulnerabilities, submitting an attestation compliance form, etc.

PCI DSS – Level 4 applies to merchants that process less than 20,000 card transactions per year. At this level, merchants are required to adhere to level 4 grade protocols, and the business should not have encountered cyber attacks that compromised card holder’s data.

An ASV is an organization that uses a set of security tools and services (called “ASV scan solution”) to perform external vulnerability scans. Their goal is to test the security posture of a business environment and identify vulnerabilities, misconfigurations, and other gaps in a security system that can be used to cause a security incident. …

PCI DSS rules are global security standards for any organization dealing with cardholder data to reduce security incidents, information theft, and data breaches in the payment industry.  Here are the 12 PCI compliance requirements or rules you need to know:

The PCI Data Security Standard (PCI DSS) safeguards cardholder data and sensitive authentication information when processed, stored, or transmitted. The PCI DSS universe is built of 3 important components. They are: PCI Data Security Standard (PCI DSS) This component applies to any company that deals with cardholder data, whether it’s storing, processing, or transmitting it….

PCI Environment is a global security standard that applies to organizations that process cardholder data or sensitive authentication data.  This standard sets a minimum level of security to protect consumers and reduce fraud and data breaches in the payment industry. It’s relevant for any organization that accepts or processes payment cards. Is PCI compliance legally…

PCI patch management is an important aspect of PCI Requirement 6.2. According to the rule, an auditor should review your company’s policies and procedures to confirm the existence of a patch management process.  The specific section that addresses the patching is 6.3 – “Security vulnerabilities are identified and addressed.” However, while you can see that…

PTS stands for PIN Transaction Security. It’s a set of security evaluations created by the Payment Card Industry Security Standard Council (PCI SSC). PTS safeguards cardholder data at interaction points (like payment terminals) and hardware security modules (HSMs). Why is PCI PTS Important?  In the payment industry, trust is important. Organizations must be reliable to…

The PCI Security Standards Council has a program called Qualified Security Assessors (QSAs) for security companies. QSAs need to get certified and re-certified each year. The founders of the Council trust QSAs certified by them with the task of auditing companies to ensure adherence to the PCI DSS standard. PCI Security Standards Council has set…

PCI security drafts the guidelines organizations must adhere to to comply with the Payment Card Industry Data Security Standard (PCI DSS). These guidelines ensure that any company processing credit card information has and maintains a secure environment to protect cardholder data.  PCI DSS was established in 2006. The PCI Security Standards Council (PCI SSC), created…

PCI SSC is the acronym for Payment Card Industry Security Standards Council. The council was created by the collective efforts of American Express, JCB International, Master Card, Visa Inc, and Discover Financial Services on Sep 7th, 2006. The primary purpose of PCI SSC was to manage the Payment Card Industry Data Security Standard (PCI DSS)…

PCI SSF, or the PCI Software Security Framework, has a significant impact on software vendors. It blends traditional and modern security requirements and is designed to work with the latest technology and development methods. It covers old and new security practices for payment applications. PCI SSF allows software vendors to offer PCI-validated payment software. This…

PCI Validation is a part of handling cardholder data. You might be a small startup or a big company, but you need to follow the PCI DSS as part of your contract. However, it’s not a one-time thing; you must stay compliant and validate it yearly. Hence, to validate your PCI compliance, you must keep…

A wide range of physical security measures that prevent unauthorised access to covered entity’s physical assets and electronic information assets. This protection is ensured from both natural and environmental hazards or any kind of intentional encroachment. Examples include installing security cameras, fire safety systems, biometric access controls etc.

An authorised point of contact for handling privacy-issues and concerns to ensure confidentiality and security of protected information. So, any breach related complaints will be made to the Privacy official.

A systematised procedure that involves identifying the current and potential risks, and analysing the magnitude of each risk to manage the threats accordingly. It helps take better and well-informed decisions.

A subcontractor is a third-party entity that a primary contractor hires to carry out particular cybersecurity-related services or tasks on the contractor’s behalf. Services like penetration testing, vulnerability assessments, and incident response may fall under this category.

Cross-Site Scripting (XSS) is a security vulnerability which allows a cyber threat actor to inject malicious code into a web page viewed by other users to steal their sensitive information or perform unauthorized actions. The attacker exploits the vulnerabilities in the website’s code and then injects scripts that can be executed in the website users’…