PCI Terms and Acronyms
The world of PCI is full of terms and acronyms. Here is an overview of the most important ones you might encounter during your certification project.
PCI DSS
(Payment Card Industry Data Security Standard)
An information security standard that prescribes how credit card data must be protected. The PCI DSS applies to all businesses that process, store and/or transmit credit card data.
PCI SSC
(Security Standards Council)
Founded in 2004 by the card brands American Express, Discover Financial Services, JCB International, Mastercard and Visa Inc. The council creates and manages the PCI standards on behalf of the card brands and acts completely independently of its founding members.
QSA
(Qualified Security Assessor)
- Evaluates compliance with the individual requirements within the company
- Ensures that the requirements are met
- Knowledgeable contact for all questions regarding PCI DSS
- Responsible for providing the appropriate documents during the audit
QSA Company
(Qualified Security Assessors Company)
- Company accredited by the PCI Security Standards Council
- Qualified to perform assessments
- Assessments are carried out by an accredited QSA consultant
ISA
(Internal Security Assessor)
Entitled to conduct on-site assessments for Level 1 Visa and Mastercard merchants and to complete the SAQ for Level 2 Mastercard merchants; in effect an internal compliance officer.
QIR
(Qualified Integrator & Reseller)
Companies accredited by the PCI Security Standards Council. They are responsible for the installation and maintenance of payment applications or terminals.
ASV
(Approved Scanning Vendor)
Company approved by the PCI SSC to conduct external vulnerability scanning services.
PCI SSF
(Software Security Framework)
Security standard for payment applications.
P2PE
(Point-to-Point Encryption Standard)
Security standard for point-to-point encryption. It defines both the security requirements and the testing procedures for Point-to-Point Encryption (P2PE) solutions, which in most cases rely on hardened POS terminals.
P2PE QSA
(Point-to-Point Encryption QSA)
PCI Point-to-Point Encryption (P2PE) assessor who validates P2PE solutions and applications against the latest version of the standard so that they can be listed on the PCI Council website.
PTS
(PIN Transaction Security)
The PIN Transaction Security standard; a security standard for POS terminals.
PCI 3DS
(3DS Core Security / PIN Standard)
Security standard for credit card transactions using 3-D Secure authentication of end users when shopping through e-commerce channels.
PCI DSS v3.2.1
(May 2018 – 31 Mar 2024)
PCI DSS Standard in the version 3.2.1.
Valid until 31 March 2024.
PCI DSS v4.0
(Published 22 Mar 2022)
PCI DSS Standard in the version 4.0.
Valid since 22 March 2022.
SAQ
(Self-Assessment Questionnaire)
Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
- Different types of questionnaires for merchants
- Service providers must always complete SAQ D
Credit card data
Credit card data (cardholder data) consists of:
- Primary account number
- Cardholder name
- Expiration date
Sensitive credit card data
- Card Validation Codes/values (CVV, CVC, CSC, CCV)
- PIN/PUK validation code
- Full chip/magnetic stripe data
Merchants
Companies that accept credit card payments as a means of payment for goods or services.
Payment Service Provider
(PSPs or Service Provider)
Companies that accept credit card payments as a means of payment for goods or services.
Acquirer
Merchant banks; an acquirer often enables a merchant to accept cards of multiple brands.
Issuer
(Bank of Cardholder)
Card-issuing bank. Issues credit cards to customers (cardholders).
E-Commerce
(payment channel)
Payments over the internet.
Point-of-Sale (POS)
(payment channel)
Payment on site (face-to-face).
Mail-/Telephone Order (MOTO)
(payment channel)
Acceptance of credit card data for payment via telephone, fax, letter, etc.
PCI DSS Categorization
Classification of merchants and service providers into different levels.
The level depends on the number of transactions processed and the card brands accepted.
PCI DSS Security Scan
- Quarterly, automated execution
- Internal and external scans (for external scans see ASV Scans)
- Identification of security risks in systems, services and devices reachable from the internal network and from the internet
PCI DSS Penetration Test
- Annual extensive manual security assessment
- Testing of internet-accessible systems, internal systems as well as external and internal applications
PCI DSS Compliance
A company is PCI DSS compliant if it fulfils all applicable requirements. Requirements that do not apply can be excluded, for example the wireless requirements if no WLAN is used to transmit cardholder data.
Safe Harbor Rule
In case of a data compromise, a company might be exempted from fines under the following circumstances:
- Valid PCI DSS certification at the time of the compromise
- Proven compliance with the requirements of the PCI DSS
PCI DSS Scope
The PCI DSS scope consists of the cardholder data environment (CDE):
- Locations
- Persons
- Applications
- IT systems
The CDE comprises all of the above, including personnel, that receive, store and/or process credit card data.
Network Segmentation
Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not.
It reduces the PCI DSS scope but is not itself a PCI DSS requirement.
SAQ Types (E-Commerce)
(card-not-present)
E-Commerce: Payment over the internet
- SAQ A (iFrame, URL Redirect)
- SAQ A-EP (Direct POST)
- SAQ D-Mer (API-Process)
SAQ Types (MOTO)
(card-not-present)
MOTO: Mail order/telephone order
Acceptance of credit card data for payment via telephone, fax, letter, etc.
- SAQ A
- SAQ C
- SAQ C-VT
- SAQ D-Mer
SAQ Types (POS)
(card-present)
(Face-to-face)
POS: Payment on site (Face-2-Face)
- SAQ B (imprint/phone line)
- SAQ B-IP (IP connection & PTS certification)
- SAQ C (payment application with internet connection)
- SAQ P2PE (P2PE devices)
- SAQ D-Mer
P2PE Solution
PCI-listed Point-to-Point Encryption (P2PE) solution. When a P2PE solution is used, the network infrastructure of the merchant using it is no longer part of the PCI DSS scope.
Payment Terminal
(POS-Terminal)
Device used to accept payments from customers.
Electronic Check-Out
Captures and totals the outstanding amount and prints check-out receipts. Does not process card payments.
Integrated Payment Terminal
A combination of payment terminal and electronic check-out. It performs the following tasks:
- Handling of payments
- Capturing and totalling the outstanding amount
- Printing check-out receipts
Virtual Payment Terminal
A virtual payment terminal is web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.
AoC
(Attestation of Compliance)
- Formal confirmation of compliance in addition to the audit report
- Relief of the auditor
RoC
(Report on Compliance)
- Summarized results of audit by QSA
- Approval by acquirer and / or credit card organization
- Quality assurance by PCI SSC
ASV Scans
- Evidence of successfully passed external scans performed by an accredited ASV (quarterly)
Internal vulnerability scans
- Evidence of successfully passed internal scans of relevant systems (quarterly)
- Evidence of successfully passed internal scans of wireless LANs (quarterly)
Compensating Controls
Alternative measures that provide at least the same level of security as a requirement that cannot be met as written.
PCI DSS goals
The PCI DSS is based on six primary goals. These goals are:
- Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
PCI DSS Requirements
There are 12 PCI DSS Requirements which are designed to meet these PCI DSS goals:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Masking
Masking refers to the concealment of certain digits of a PAN during display or printing, even when the entire PAN is stored on a system. This is different from truncation! Masked PAN can be “unmasked”.
Truncation
In the case of truncation, truncated digits are removed and cannot be retrieved within the system. There is no “un-truncation” without recreating the PAN from another source.
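The two entries above draw a distinction that matters for scope: a masked PAN is still a full PAN at rest, a truncated one is not. The following Python is an added illustration, not part of the original glossary. It assumes a display rule that keeps the first six and last four digits (the maximum PCI DSS v3.2.1 allows for masked display); the record layouts, the helper names (mask_pan, truncate_pan, store_masked, store_truncated, full_pan_recoverable) and the test PAN are constructed for this example.

```python
"""Added example (not from the original page): masking vs. truncation of a PAN.

Assumption (not stated on the page): the display rule keeps the first six and
last four digits. The record classes and the test PAN are constructed here.
"""
from dataclasses import dataclass
from typing import Optional

MASK_CHAR = "X"


def _digits(pan: str) -> str:
    """Strip spaces/dashes and check that a plausible PAN (13-19 digits) remains."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Masking: conceal the middle digits for display or printing only.

    The caller still holds the full PAN; nothing is removed from storage.
    """
    digits = _digits(pan)
    hidden = len(digits) - keep_first - keep_last
    if hidden < 1:
        raise ValueError("keep_first + keep_last leaves nothing to mask")
    return digits[:keep_first] + MASK_CHAR * hidden + digits[-keep_last:]


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncation: permanently remove the middle segment of the PAN.

    Only the retained segments exist afterwards; the dropped digits are gone.
    """
    digits = _digits(pan)
    if len(digits) - keep_first - keep_last < 1:
        raise ValueError("keep_first + keep_last leaves nothing to remove")
    return digits[:keep_first] + digits[-keep_last:]


@dataclass
class MaskedRecord:
    """Constructed storage layout for masking: full PAN at rest, masked view for display."""
    stored_pan: str   # the full PAN is still in the system, so it stays in PCI DSS scope
    display: str      # what a clerk, screen or receipt shows

    def unmask(self) -> Optional[str]:
        """'Unmasking' is trivial: the full PAN never left the record."""
        return self.stored_pan


@dataclass
class TruncatedRecord:
    """Constructed storage layout for truncation: only the retained segments at rest."""
    stored_pan: str       # e.g. first six + last four, middle digits discarded
    removed_digits: int   # how many digits were permanently dropped

    def unmask(self) -> Optional[str]:
        """No 'un-truncation': the system no longer holds the missing digits."""
        return None


def store_masked(pan: str) -> MaskedRecord:
    """Keep the full PAN and derive a masked view for display."""
    digits = _digits(pan)
    return MaskedRecord(stored_pan=digits, display=mask_pan(digits))


def store_truncated(pan: str) -> TruncatedRecord:
    """Discard the middle digits before the value ever reaches storage."""
    digits = _digits(pan)
    kept = truncate_pan(digits)
    return TruncatedRecord(stored_pan=kept, removed_digits=len(digits) - len(kept))


def full_pan_recoverable(record) -> bool:
    """Scope question: can the full PAN be reconstructed from what the system holds?"""
    return record.unmask() is not None


if __name__ == "__main__":
    TEST_PAN = "4111 1111 1111 1111"  # constructed Visa-format test number, not a live card
    masked = store_masked(TEST_PAN)
    truncated = store_truncated(TEST_PAN)
    print("masked display :", masked.display, "| full PAN recoverable:", full_pan_recoverable(masked))
    print("truncated store:", truncated.stored_pan, "| full PAN recoverable:", full_pan_recoverable(truncated))
```

Both records show the same thing to an operator, but only the truncated record takes the stored value out of the "stored PAN" category; a system that keeps a MaskedRecord still stores cardholder data and remains in scope for the storage requirements.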