The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



OCR for page 28
ManageEngine website: http://www.manageengine.com/products/security-manager/pci-dss-compliance-checklist.html.
MasterCard (card brand) website: http://www.mastercard.com.
Mastercard. Security Rules and Procedures-Merchant Edition. http://www.mastercard.com/us/merchant/resources/downloads.html.
Motorola Helps Customers with PCI Solutions. http://www.motorola.com.
NDB Advisory website. http://www.pciassessment.org/ndb-advisory.php.
PCI Compliance Guide. http://www.pcicomplianceguide.org/pcifaqs.php.
PCI DSS and MasterCard Site Data Protection Program. http://www.mastercard.com/us/merchant/security/sdp_program.html.
PCI FAQS and Myths. http://www.pcicomplianceguide.org.
PCI Security Standards Council, LLC website: https://www.pcisecuritystandards.org.
PCI Security Standards Council, LLC. Navigating PCI DSS. https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf.
PCI Security Standards Council, LLC. PCI--Glossary of Terms, Abbreviations, and Acronyms. https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary.pdf.
PCI Security Standards Council, LLC. PCI Quick Reference Guide. https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf.
PCI Security Standards Council, LLC. PCI DSS 1.2 FAQs. https://www.pcisecuritystandards.org/pdfs/pci_dss_1.2_faqs.pdf.
PCI Security Standards Council, LLC. Summary of Changes from PCI DSS Version 1.1 to 1.2. https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf.

The following are downloads available on the PCI Security Standards Council website in the Attestation of Compliance section: https://www.pcisecuritystandards.org/saq/index.shtml:
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines.
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance.
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance.
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance.
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance.

QUALYS. PCI for Dummies. http://www.qualys.com/forms/ebook/pcifordummies/.
SearchMidMarketSecurity.com: http://searchmidmarketsecurity.techtarget.com/news/article/0,289142,sid198_gci1359064,00.html.
SITA. Common Use Systems and PCI Compliance. Presented at ACI-NA Conference, Austin, Tex., Oct., 2009.
Society of Payment Security Professionals website: https://www.paymentsecuritypros.com/.
Trustwave website: https://www.trustwave.com/pciDataSecurityStandard.php.
Visa. Cardholder Information Security Program. http://usa.visa.com/merchants/risk_management/cisp.html.
American Express Data.

APPENDIX C--GLOSSARY OF TERMS

ABA--American Bankers Association.
Acquirer--bankcard (Visa, MasterCard, etc.) member that receives bankcard transactions from a merchant.
American Express (AMEX)--payment card issuer brand.
Application--purchased, in-house developed, or customized software designed for business use by internal users or passenger/customer use.
Asset--hardware, software, or other items used in the storage, processing, or transmission of payment card data.
ASV--approved scanning vendor.
Authorization--granted to an individual for access rights to information, applications, administration, or management purposes.
Backup--redundant or duplicate data intended for archival or restoration purposes.
Card Brand--financial organization issuing a payment card.
Cardholder Data--Primary account number plus the cardholder name, and/or card expiration date, and/or service code.
Card Validation Code--data element encoded within the magnetic stripe of a payment card, used to protect the integrity of the card data. Also known as:
    CVC: card validation code (MasterCard)
    CVV: card verification value (Visa and Discover)
    CAV: card authentication value (JCB)
    CSC: card security code (American Express)
CLUB--common local user board.
CPISA--certified payment card industry security advisor.
CPISM--certified payment card industry security manager.
CUPPS--common use passenger processing system.
CUSS--common use self service (IATA recommended practice for). Refers to the airline- and airport-provided check-in units travelers can use, often independently, for managing their travel check-in process. Often deployed in kiosk form, but not necessarily.

28

CUTE--common use terminal equipment.
DSE--data storage entities.
DMZ--demilitarized zone. A network layer positioned for security between a private and public network.
Encryption--data conversion technique that renders data unreadable except to authorized data receiver using the conversion key.
EPN--electronic payments network.
IATA--International Air Transportation Association.
IPSEC--Internet protocol security.
ISO--International Organization for Standardization.
IT--information technology.
LAN--local area network.
LRC--longitudinal redundancy character.
Magnetic Stripe Data--data encoded within specified formats (tracks) for the authorization of transactions for payment or identification purposes.
Network Scan--network tool capable of remotely checking merchant or service provider systems for potential privacy vulnerabilities.
PAN--primary account number. Payment card identification number linking cardholder to a specific account.
Payment Cardholder--authorized user of a payment card.
PA DSS--payment application data security standard.
PCI DSS--payment card industry (PCI) data security standard (DSS). The standards for compliance for payment card data protection that merchants, service providers, and organizations using payment cards in the operation of the business must abide by and attest compliance with.
PCI-Council--PCI Security Standards Council. A collaboration between Visa, MasterCard, Discover, American Express, and JCB International to create common industry security requirements.
PIN--personal identification number. Number assigned, generally at discretion of cardholder, to authorize use of payment card.
POS--point of sale.
Printed CVC--three- or four-digit code printed on the payment card for unique identification of the card. Also known as:
    CID: card identification number (American Express and Discover)
    CVV2: card verification value 2 (Visa)
    CAV2: card authentication value 2 (JCB)
    CVC2: card validation code 2 (MasterCard)
PSP--payment service provider.
PVKI--PIN verification key indicator.
PVV--PIN verification value. Encoded data on magnetic stripe of payment card.
QSA--qualified security assessor.
SAQ--self-assessment questionnaire.
Service Code--number on the magnetic-stripe data Track 1 and Track 2 that specifies acceptance and limitations for a read transaction.
Service Provider--any business that processes, stores, or transmits cardholder data on behalf of a merchant, other service providers, or any entity where cardholder data is used.
SPSP--Society of Payment Security Professionals.
SSL--secure socket layer.
SSU--self-service unit. A synonym for CUSS, used as a means of differentiating the housing of the hardware device from the generic term "kiosk," typically associated with CUSS, permitting more descriptive application of the hardware in dual-head counter configurations, imbedded counter configurations, and freestanding configurations. The use of SSU also permits specific definition of hardware that displays all airlines on the start page versus those of a specific airline in an allocated ticket counter scenario.
TLS--transport layer security.
TPP--third-party processor.
Transaction Data--cardholder data involved in a process (electronic or manual).
VPN--virtual private network.
WAN--wide area network.
Wi-Fi--wireless fidelity.

29

Transportation Research Board
500 Fifth Street, NW
Washington, DC 20001
ISBN 978-0-309-15502-1
Subscriber Categories: Aviation; Administration and Management; Data and Information Technology

These digests are issued in order to increase awareness of research results emanating from projects in the Cooperative Research Programs (CRP). Persons wanting to pursue the project subject matter in greater depth should contact the CRP Staff, Transportation Research Board of the National Academies, 500 Fifth Street, NW, Washington, DC 20001.

COPYRIGHT INFORMATION

Authors herein are responsible for the authenticity of their materials and for obtaining written permissions from publishers or persons who own the copyright to any previously published or copyrighted material used herein.

Cooperative Research Programs (CRP) grants permission to reproduce material in this publication for classroom and not-for-profit purposes. Permission is given with the understanding that none of the material will be used to imply TRB, AASHTO, FAA, FHWA, FMCSA, FTA, or Transit Development Corporation endorsement of a particular product, method, or practice. It is expected that those reproducing the material in this document for educational and not-for-profit uses will give appropriate acknowledgment of the source of any reprinted or reproduced material. For other uses of the material, request permission from CRP.