audit log
A chronological record of system activities. It provides a trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results. Sometimes specifically referred to as the security audit trail.
card validation value or code
A data element on the magnetic stripe of a card that uses a secure cryptographic process to protect data integrity on the stripe and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on the payment card brand. The following list provides the terms for each card brand:
CAV: Card Authentication Value (JCB payment cards)
CVC: Card Validation Code (MasterCard payment cards)
CVV: Card Verification Value (Visa and Discover payment cards)
CSC: Card Security Code (American Express payment cards)
The second type of card validation value or code is the three-digit value printed to the right of the credit card number in the signature panel area on the back of the card. For American Express cards, the code is a four-digit un-embossed number printed above the card number on the face of all payment cards. The code is uniquely associated with each individual piece of plastic and ties the card account number to the plastic. The following list provides an overview:
CID: Card Identification Number (American Express and Discover payment cards)
CAV2: Card Authentication Value 2 (JCB payment cards)
CVC2: Card Validation Code 2 (MasterCard payment cards)
CVV2: Card Verification Value 2 (Visa payment cards)
cardholder data
The full magnetic stripe or the PAN plus any of the following:
Cardholder name
Expiration date
Service code
ccsrch utility
ccsrch is an open source tool that searches for and identifies unencrypted and contiguous credit card numbers (PAN) and track data on Windows and UNIX operating systems. For more information, see the following web site: http://sourceforge.net/projects/ccsrch/
CTR
Centralized Transaction Retrieval (CTR) provides the Oracle Retail Point-of-Service application with the ability to retrieve transactions from a central database.
System settings determine where the application should look for an original transaction. When the system is prompted to retrieve an original transaction, it may (based on a system setting) retrieve the original transaction locally only; locally first and then centrally if it is not found locally; or centrally only. The transaction information is displayed in the same manner whether the transaction was retrieved centrally or locally.
compensating control
Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must do the following:
Meet the intent and rigor of the original stated PA-DSS requirement.
Repel a compromise attempt with similar force.
Be above and beyond other PA-DSS requirements (not simply in compliance with other PA-DSS requirements).
Be commensurate with the additional risk imposed by not adhering to the PA-DSS requirement.
DTM
XML representation of a transaction that contains all data stored in the database. It is placed on a JMS queue to move transaction data between the store and the enterprise.
encryption
The process of converting information into an unintelligible form except to holders of a specific cryptographic key. The use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
ISD
The ISD Tender Suite provides support for tender types including the following:
Credit Card
Debit Card
Check
Pre-Paid/Stored Value/Gift Card
Private Label Credit Card
Electronic Benefits Transfer (EBT)
Fleet Card
Phone Card
Payroll Card
Corporate Purchasing Card
The ISD Tender Suite can accept multiple tender types from a wide variety of transaction delivery channels, including point-of-sale devices, call centers, wireless devices, and the Internet. It provides the ability to reliably process payments 24 hours a day, 7 days a week.
magnetic stripe data (track data)
Data encoded in the magnetic stripe that is used for authorization during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data, the Card Validation Value/Code (CVV/CVC), and proprietary reserved values must be purged. However, the account number, expiration date, name, and service code may be extracted and retained, if needed for business.
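The two definitions above describe complementary defensive tasks: the ccsrch entry describes scanning storage for contiguous unencrypted PANs, and the magnetic stripe entry describes which fields may be kept after authorization and which must be purged. The following Python block is an added illustration of both, written for this glossary and not taken from ccsrch or from the Oracle Retail Point-of-Service code base. It assumes a plain-text input (a constructed sample stands in for a log file), uses the Luhn check to separate real-looking PANs from other digit runs, masks PANs to the first six and last four digits, and parses a constructed track 1 record so that only the retainable fields survive. The track layout and the field names are assumptions made for the example.

```python
import re

# Constructed sample text standing in for a log or export file that should not
# contain cleartext cardholder data. The card numbers are well-known industry
# test PANs, not real accounts; the 16-digit serial fails the Luhn check.
SAMPLE_TEXT = (
    "order 42 paid by card 4111111111111111 exp 12/29\n"
    "refund ref 5500000000000004 customer phone 5551234567\n"
    "serial 1234567890123456 is not a card\n"
)

# Constructed track 1 record: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2912101123456789?"

# Runs of 13 to 19 digits not touching other digits (PAN length range).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Track 1 layout assumed for this example (start sentinel %, format code B,
# PAN, name, expiry YYMM, 3-digit service code, discretionary data, end sentinel ?).
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate PANs: digit runs of PAN length that pass Luhn."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits (the usual display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_text(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), text
    )


def retainable_fields(track1: str) -> dict:
    """Parse a track 1 record and keep only fields permitted after authorization.

    Discretionary data (which carries the CVV/CVC) is parsed so the record is
    validated as a whole, but it is deliberately not returned. The PAN is
    returned masked here; an application that truly needs it must store it
    under strong cryptography rather than in the clear (assumed policy).
    """
    m = TRACK1_RE.match(track1)
    if not m or not luhn_ok(m.group("pan")):
        raise ValueError("not a well-formed track 1 record")
    return {
        "pan_masked": mask_pan(m.group("pan")),
        "name": m.group("name"),
        "expiry": m.group("exp"),
        "service_code": m.group("svc"),
    }


if __name__ == "__main__":
    print("PANs found:", [mask_pan(p) for p in find_pans(SAMPLE_TEXT)])
    print(redact_text(SAMPLE_TEXT))
    print("retained from track 1:", retainable_fields(SAMPLE_TRACK1))
```

In practice a scanner like this is run over logs, database dumps and temp directories on a schedule, and any hit is treated as a data-retention defect to be fixed at the source, not merely redacted after the fact.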
OWASP
A worldwide free and open community focused on improving the security of application software. For more information, see the following web site: http://www.owasp.org
PA-DSS
A standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI-DSS.
PAN
The defining factor in the applicability of PCI-DSS requirements and the PA-DSS. If the PAN is not stored, processed, or transmitted for the purpose of authorization or settlement, PCI-DSS and PA-DSS do not apply.
PCI-DSS
A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
POSLog
Data captured at the point-of-sale, represented as XML according to the schema defined by the IXRetail standard.
SSH
Protocol suite providing encryption for network services like remote login or remote file transfer.
strong cryptography
General term to indicate cryptography that is extremely resilient to cryptanalysis. That is, given the cryptographic method (algorithm or protocol), the cryptographic key or protected data is not exposed. The strength relies on the cryptographic key used. The effective size of the key should meet the minimum key size of comparable strength recommendations. One reference for the notion of minimum comparable strength is NIST Special Publication 800-57, August 2005 (http://csrc.nist.gov/publications/), and others that meet the following minimum comparable key bit security:
80 bits for secret key based systems (for example, TDES)
1024 bits modulus for public key algorithms based on the factorization (for example, RSA)
1024 bits for the discrete logarithm (for example, Diffie-Hellman) with a minimum 160 bits size of a large subgroup (for example, DSA)
160 bits for elliptic curve cryptography (for example, ECDSA)
temporary shopping pass
A customer can request a Temporary Shopping Pass to use as tender if they do not have a physical House Account card with them. A Temporary Shopping Pass is in receipt form with the customer's House Account number printed on it. The expiration date for the issued temporary shopping pass is set by a configurable parameter.
two-factor authentication
Authentication that requires users to produce two credentials to access a system. Credentials consist of something users have in their possession (for example, smartcards or hardware tokens) and something they know (for example, a password). To access a system, a user must produce both factors.