An authentication protocol (e.g., the “Verified by Visa” experience) that adds a verification step to online card payments to reduce fraud.
A periodic check that every user still needs the access they hold — the evidence auditors ask for to prove least-privilege is real, not assumed.
An immutable, time-stamped record of who did what and when, so any action can be reconstructed and defended during an audit or investigation.
The Architecture Development Method — the step-by-step core of TOGAF for developing and governing enterprise architecture.
Approved Scanning Vendor — a PCI SSC-approved provider that performs the external vulnerability scans PCI DSS requires quarterly.
The OWASP Application Security Verification Standard — a detailed, testable set of application security requirements at three assurance levels.
The total set of points where an attacker could try to enter or extract data — reducing it is a core defensive goal.
A formal statement, often independently examined, that controls or facts meet stated criteria — e.g., a SOC 2 report or a SWIFT KYC-SA attestation.
Business Continuity Plan — documented procedures to keep critical activities running or recover them quickly after a disruption.
Business Impact Analysis — identifies critical activities and the impact of their disruption over time, setting RTO and RPO targets.
Broken Object Level Authorization — the top API security risk, where a user can access objects they shouldn’t by manipulating identifiers.
Under HIPAA, a vendor that handles protected health information for a covered entity — bound by a Business Associate Agreement (BAA).
India’s national computer emergency response team. CERT-In empanelment authorises a firm to perform security audits recognised by Indian regulators.
Under the DPDP Act, permission to process personal data that must be free, specific, informed and withdrawable — with proof of every consent event.
A safeguard — technical, procedural or physical — put in place to reduce a specific risk. Compliance frameworks are essentially structured sets of controls.
The Common Vulnerability Scoring System — a 0–10 severity score that helps teams prioritise which vulnerabilities to fix first.
Consensus Assessments Initiative Questionnaire — the CSA self-assessment aligned to the Cloud Controls Matrix.
Cyber Crisis Management Plan — an organisation’s plan to detect, respond to, contain and recover from a major cyber incident, expected by RBI.
Cardholder Data Environment — every system that stores, processes or transmits payment card data, plus connected systems; the core of PCI scope.
Consensus secure-configuration baselines for operating systems, cloud and applications, published by the Center for Internet Security.
Chief Information Security Officer — the executive accountable for an organisation’s information-security strategy and programme.
Configuration Management Database — a record of IT assets (configuration items) and their relationships, underpinning change and asset control.
Cybersecurity Maturity Model Certification — the US DoD programme verifying contractors protect FCI and CUI, built on NIST 800-171.
ISACA’s framework for the governance and management of enterprise IT — 40 objectives across five domains.
An alternative control used when a required control is not feasible, providing a similar level of protection with documented justification.
Cloud Security Posture Management — continuous checking of cloud configurations against best practice to catch misconfigurations.
Controlled Unclassified Information — US government information requiring safeguarding under NIST 800-171 and CMMC.
Common Vulnerabilities and Exposures — a standard identifier for a specific, publicly known security vulnerability.
Common Weakness Enumeration — a standard identifier for a type of software weakness (e.g., CWE-79 is cross-site scripting).
Dynamic Application Security Testing — probing a running application from the outside to find exploitable flaws in real conditions.
The individual whose personal data is being processed — the DPDP Act’s term for the person the data is about.
A party that processes personal data on behalf of another. A processor’s breach can still be your notification obligation.
India’s Digital Personal Data Protection Act — the national law governing how organisations collect, use, store and protect personal data.
Under the DPDP Act, the entity that determines the purpose and means of processing personal data — equivalent to a GDPR controller.
A legal requirement to store (and sometimes process) data within a country’s borders — e.g., RBI’s payment-data localisation directive.
Distributed Denial of Service — flooding a system with traffic from many sources to make it unavailable.
Data Loss Prevention — controls that detect and stop sensitive data from leaving an organisation improperly.
Data Protection Impact Assessment — a structured assessment of privacy risks for high-risk processing, required by GDPR and for DPDP SDFs.
Data Protection Officer — the role accountable for privacy compliance; mandatory for Significant Data Fiduciaries under the DPDP Act.
Disaster Recovery — the technology-focused process of restoring IT systems and data after a disruptive event.
Converting data into an unreadable form that only an authorised key can reverse — protecting information in transit and at rest.
The proof that a control is actually operating — screenshots, configs, logs or records collected and mapped to the requirement it satisfies.
Essential Cybersecurity Controls — Saudi Arabia’s mandatory baseline controls issued by the National Cybersecurity Authority (NCA).
A bank account through which a payment aggregator must route funds without using them, per RBI PA-PG guidelines.
The Australian Signals Directorate’s eight prioritised mitigation strategies against common cyber attacks.
A control that filters network traffic against a defined ruleset, allowing legitimate connections and blocking the rest.
Federal Contract Information — US government contract information requiring basic safeguarding under CMMC Level 1.
The US programme for authorising cloud services for government use, built on NIST 800-53 baselines.
Financial Information Provider — in India’s Account Aggregator ecosystem, an institution that holds and shares customer financial data on consent.
Financial Information User — in the Account Aggregator ecosystem, an institution that consumes shared financial data to provide services.
The EU’s General Data Protection Regulation — a strict, extraterritorial data-protection law with significant penalties for non-compliance.
Governance, Risk and Compliance — the discipline of running policy, risk management and regulatory obligations as one coordinated programme.
The US health-sector law setting privacy and security standards for protected health information (PHI).
Reducing a system’s attack surface by removing unnecessary services, changing defaults and applying secure configuration.
A certifiable security framework that harmonises HIPAA, ISO, NIST and PCI — common in US healthcare.
Hardware Security Module — a tamper-resistant device that securely generates, stores and uses cryptographic keys.
Identity and Access Management — the systems and policies that decide who can access what, and prove it.
The planned process for detecting, containing, investigating and recovering from a security incident — and learning from it.
The international standard for an Information Security Management System (ISMS) — a risk-based programme for protecting information.
Industrial Control Systems — the operational technology running physical processes in manufacturing, utilities and infrastructure (see IEC 62443).
Insecure Direct Object Reference — accessing data by manipulating an identifier because authorisation is not properly enforced.
The leading standard series for the cybersecurity of industrial automation and control systems (OT).
Information Security Management System — the risk-based system of policies, processes and controls certified by ISO 27001.
IT General Controls — foundational controls over access, change and operations that underpin reliable financial systems (key to SOX).
Key Risk Indicator — a metric that signals rising risk exposure, used to monitor and escalate risks proactively.
Granting users and systems only the minimum access needed to do their job — a core access-control principle.
Multi-Factor Authentication — requiring more than one proof of identity (e.g. password plus device) before granting access.
The OWASP Mobile Application Security Verification Standard — testable security requirements for mobile apps.
A scale (often 0–5) describing how well-defined, managed and optimised a process or control is, used to set targets and measure progress.
A knowledge base of adversarial threats to AI and machine-learning systems, extending ATT&CK into the AI domain.
A knowledge base of real-world adversary tactics and techniques, used for detection, threat hunting and red teaming.
Mean Time to Detect — the average time to identify a security incident; a key metric for detection capability.
Mean Time to Respond or Recover — the average time to contain or recover from an incident.
The US National Institute of Standards and Technology Cybersecurity Framework — a widely used, risk-based control framework.
Non-Banking Financial Company — an RBI-regulated financial institution subject to graded IT governance and cyber expectations.
The UAE Information Assurance standards (historically under NESA) for government and critical entities.
The Payment Card Industry Data Security Standard — mandatory controls for any organisation that stores, processes or transmits cardholder data.
An authorised, simulated attack by security experts to find and demonstrate real, exploitable weaknesses before an attacker does.
Personally Identifiable Information — any data that can identify a specific individual, directly or in combination.
Point-to-Point Encryption — encrypting card data from the payment terminal to a secure decryption environment, reducing PCI scope.
RBI’s guidelines regulating Payment Aggregators and Payment Gateways, including authorisation and an annual System Audit.
Protected Health Information — health data protected under HIPAA’s Privacy and Security Rules.
Privacy Information Management System — the privacy management system certified by ISO 27701, extending ISO 27001.
Plan of Action and Milestones — a tracked list of open security gaps with owners and remediation dates (used in NIST/FedRAMP/CMMC).
Prepaid Payment Instrument — wallets and prepaid cards regulated by RBI’s MD-PPI, subject to periodic system audit.
A collaborative exercise where offensive (red) and defensive (blue) teams work together to improve detection and response.
A Qualified Security Assessor — an individual or firm authorised by the PCI Council to validate PCI DSS compliance.
Role-Based Access Control — granting permissions by job role rather than per person, so access stays consistent and reviewable.
A structured evaluation of what could go wrong, how likely it is and how much it would hurt — the basis for where to invest in security.
Records of Processing Activities — the inventory of what personal data you hold, where it flows and why, that data-protection laws expect you to maintain.
An objective-driven adversary-emulation exercise that tests people, process and technology the way a real attacker would.
The NIST Risk Management Framework — a seven-step process to categorise, select, implement, assess, authorise and monitor system controls.
Report on Compliance — the formal PCI DSS assessment report produced by a QSA for Level 1 merchants and service providers.
Recovery Point Objective — the maximum acceptable amount of data loss, measured in time, after a disruption.
Recovery Time Objective — the maximum acceptable time to restore a critical activity after a disruption.
Static Application Security Testing — analysing source code for insecure patterns early in development, before the app is even run.
Security Information and Event Management — a system that aggregates and analyses logs to detect and alert on threats.
Segregation of Duties — splitting sensitive tasks across people so no single individual can complete a high-risk action alone.
An attestation report on how well a service organisation manages security, availability, confidentiality, processing integrity and privacy.
A business-driven, risk-based methodology for developing enterprise security architecture, often used with TOGAF.
Sensitive Authentication Data — full track data, card verification values and PINs that must never be stored after authorisation under PCI DSS.
Self-Assessment Questionnaire — the PCI DSS self-validation form; the correct SAQ type depends on how you accept card payments.
System Audit Report — the annual audit a CERT-In empanelled auditor produces for RBI-authorised payment system operators.
Software Bill of Materials — an inventory of the components and dependencies in a piece of software, aiding vulnerability management.
Significant Data Fiduciary — a DPDP Act designation carrying extra duties (DPO, DPIA, independent audit) based on volume and risk.
Isolating parts of a network so that a compromise in one zone cannot easily spread — a key way to reduce PCI scope and limit blast radius.
Service Level Agreement — a documented commitment to service performance (e.g., uptime, response times) between provider and customer.
Statement of Applicability — the central ISO 27001 document listing which Annex A controls apply, why, and their status.
Supplier Performance Risk System — where US contractors submit their NIST 800-171 self-assessment score for CMMC.
Server-Side Request Forgery — tricking a server into making unintended requests, potentially reaching internal systems.
The CSA Security, Trust, Assurance and Risk programme — a registry and certification/attestation for cloud providers’ security.
A shareable page where an organisation publishes its security and compliance posture so customers can self-serve due diligence.
A structured exercise to identify how a system could be attacked and which defences matter most — done early in design.
The automotive industry’s information-security assessment and exchange standard, based on the VDA ISA and aligned to ISO 27001.
The Open Group Architecture Framework — the leading enterprise-architecture framework and method (the ADM).
Replacing sensitive data (like a card number) with a non-sensitive token, so systems handle tokens instead of real data and reduce scope.
Third-Party Application Provider — a UPI app (e.g., a payment app) that must pass NPCI-mandated security audits.
Third-Party Risk Assessment — evaluating the security and compliance risk a vendor introduces before and during the relationship.
Trust Services Criteria — the AICPA criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) behind a SOC 2 report.
Vulnerability Assessment and Penetration Testing — combining automated scanning with expert manual testing to find and prove security gaps.
The risk introduced by third parties with access to your data or systems — assessed and monitored because their breach becomes your problem.
A weakness in a system that could be exploited to compromise its security — the thing testing is designed to surface.
Web Application Firewall — filters and monitors HTTP traffic to protect applications from common attacks like injection and XSS.
Cross-Site Scripting — injecting malicious scripts into web pages viewed by other users; a common and high-impact web flaw.
A security model that trusts nothing by default — every request is verified regardless of where it comes from, inside the network or out.
