PCI DSS Glossary
A comprehensive reference guide to PCI DSS terminology, security concepts, and compliance vocabulary.
Maintained by GRCTrack's team of Qualified Security Assessors and compliance professionals.
Access Control
Security: Mechanisms that limit access to system resources based on authorisation rules. PCI DSS Requirements 7, 8, and 9 address logical and physical access controls to restrict access to cardholder data on a need-to-know basis.
Acquirer
Business: A financial institution (also called a merchant bank or acquiring bank) that establishes and maintains the business relationship with merchants for the acceptance of payment cards. Acquirers are responsible for ensuring their merchants comply with PCI DSS.
AOC
Core PCI: Attestation of Compliance. A formal declaration signed by the assessed entity and the assessor (QSA or ISA) confirming the results of a PCI DSS assessment. Required for both ROC and SAQ submissions.
ASV
Core PCI: Approved Scanning Vendor. An organisation approved by the PCI SSC to conduct external vulnerability scans of internet-facing environments as required by PCI DSS Requirement 11.
Card Brand
Business: A payment network such as Visa, Mastercard, American Express, Discover, or JCB that sets the rules and standards for card transactions. Each brand operates its own compliance programme referencing PCI DSS.
CDE
Core PCI: Cardholder Data Environment. The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any connected systems and network segments.
Change Management
Security: A structured process for making changes to systems, networks, or configurations in a controlled manner. PCI DSS Requirement 6.5 requires formal change management procedures to prevent unauthorised modifications to the CDE.
Chargeback
Business: A reversal of a credit card transaction initiated by the cardholder's issuing bank. Excessive chargebacks can lead to increased compliance scrutiny, higher processing fees, or termination of card acceptance privileges.
CHD
Core PCI: Cardholder Data. At minimum, the full PAN. May also include the cardholder name, expiration date, and service code when stored alongside the PAN.
Compensating Control
Compliance: An alternative security measure that provides an equivalent level of protection when an organisation cannot meet a PCI DSS requirement as explicitly stated. Must be documented in a Compensating Controls Worksheet and approved by the assessor.
Customised Approach
Compliance: An alternative validation method introduced in PCI DSS 4.0 that allows organisations to meet a requirement's stated objective using controls different from those specified in the defined approach, provided the control objective is satisfied.
Data Breach
Security: An incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorised party. A confirmed cardholder data breach typically triggers forensic investigation requirements and notification obligations.
Data Retention Policy
Security: A formal policy defining how long cardholder data is stored and the procedures for its secure deletion when no longer needed. PCI DSS Requirement 3.1 mandates limiting CHD storage to the minimum amount and time needed.
Defined Approach
Compliance: The traditional PCI DSS validation method where an organisation implements and is assessed against the specific, prescriptive requirements as stated in the standard.
DESV
Compliance: Designated Entities Supplemental Validation. Additional validation criteria for organisations designated by a payment brand as requiring enhanced validation. Includes extra requirements beyond standard PCI DSS for service providers and large merchants.
DMZ
Technical: Demilitarised Zone. A network segment that sits between an organisation's internal network and the external (untrusted) network. Provides an additional layer of security by isolating public-facing systems from the internal CDE.
E-Commerce
Business: The buying and selling of goods or services over the internet. E-commerce merchants must address specific PCI DSS requirements related to web application security, TLS encryption, and the protection of online cardholder data.
Encryption
Technical: The process of converting plaintext data into an unreadable format (ciphertext) using a cryptographic algorithm and key. PCI DSS requires strong encryption for cardholder data both at rest and in transit.
File Integrity Monitoring
Security: A security control that detects unauthorised changes to critical system files, configurations, and content. PCI DSS Requirement 11.5 requires deploying FIM tools to alert personnel to unauthorised modifications.
Firewall
Technical: A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. PCI DSS Requirement 1 mandates the installation and maintenance of network security controls.
Forensic Investigation
Security: A detailed examination conducted after a suspected or confirmed data breach to determine the cause, scope, and impact. Payment brands may require a PCI Forensic Investigator (PFI) to conduct the analysis.
Hashing
Technical: A one-way cryptographic function that converts data into a fixed-length value. PCI DSS permits one-way hashes based on strong cryptography as a method of rendering PANs unreadable when stored.
IDS/IPS
Technical: Intrusion Detection System / Intrusion Prevention System. Network security tools that monitor network traffic for suspicious activity. IDS detects and alerts; IPS detects and actively blocks threats. Required by PCI DSS Requirement 11.4.
Incident Response Plan
Security: A documented set of procedures for detecting, responding to, and recovering from security incidents. PCI DSS Requirement 12.10 requires an incident response plan that is tested at least annually and includes specific notification procedures.
ISA
Core PCI: Internal Security Assessor. An individual within a merchant or service provider organisation who has been certified by the PCI SSC to conduct internal PCI DSS assessments for their employer.
Issuer
Business: A financial institution (issuing bank) that issues payment cards to consumers on behalf of the card brands. Issuers are responsible for cardholder authentication and authorising transactions.
Key Management
Technical: The administration of cryptographic keys throughout their lifecycle, including generation, distribution, storage, rotation, and destruction. PCI DSS Requirement 3.6 specifies detailed key management procedures.
Log Monitoring
Security: The practice of collecting, reviewing, and analysing audit logs to detect anomalies and security events. PCI DSS Requirement 10 requires logging of all access to system components and cardholder data, with daily log reviews.
Masking
Technical: A method of concealing a portion of the PAN when displayed. PCI DSS allows display of at most the first six and last four digits, with all other digits masked (e.g., 4111 **** **** 1234).
Merchant Level 1
Compliance: The highest merchant validation level, typically assigned to merchants processing over 6 million card transactions annually. Requires an annual on-site assessment by a QSA and quarterly ASV network scans.
Merchant Level 2
Compliance: Assigned to merchants processing 1 to 6 million card transactions annually. Typically requires an annual SAQ completed by an ISA or QSA and quarterly ASV network scans.
Merchant Level 3
Compliance: Assigned to merchants processing 20,000 to 1 million e-commerce transactions annually. Requires an annual SAQ and quarterly ASV network scans.
Merchant Level 4
Compliance: Assigned to merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. Requires an annual SAQ and quarterly ASV scans (requirements may vary by acquirer).
MFA
Technical: Multi-Factor Authentication. An authentication method requiring two or more independent verification factors: something you know, something you have, or something you are. Required by PCI DSS for all administrative access to the CDE.
MOTO
Business: Mail Order / Telephone Order. A payment channel where cardholder data is received via mail or phone rather than electronically. MOTO environments have specific PCI DSS scope considerations and may qualify for SAQ B or SAQ C-VT.
Network Segmentation
Technical: The practice of dividing a network into separate segments or zones to isolate the cardholder data environment from the rest of the network. While not a PCI DSS requirement itself, proper segmentation reduces the scope of the assessment.
P2PE
Core PCI: Point-to-Point Encryption. A PCI SSC-validated solution that encrypts cardholder data from the point of interaction (e.g., a payment terminal) until it reaches the decryption environment, significantly reducing PCI DSS scope.
PAN
Core PCI: Primary Account Number. The unique payment card number (typically 14-19 digits) that identifies the issuer and the cardholder account. Protecting the PAN is a central requirement of PCI DSS.
Patch Management
Technical: The process of identifying, acquiring, installing, and verifying software patches and updates. PCI DSS Requirement 6.3 requires that critical security patches be installed within one month of release.
Payment Facilitator
Business: A service provider that enables sub-merchants to accept electronic payments. Payment facilitators (PayFacs) aggregate merchants under their own merchant ID and are responsible for PCI DSS compliance of their sub-merchant ecosystem.
Payment Gateway
Business: A service that authorises and processes card payments for e-commerce and brick-and-mortar businesses. Acts as an intermediary between the merchant and the payment processor, encrypting sensitive data in transit.
Payment Processor
Business: An entity that handles payment card transactions by routing transaction data between merchants, acquirers, card networks, and issuers. Processors must maintain PCI DSS compliance.
PCI DSS
Core PCI: Payment Card Industry Data Security Standard. A set of security requirements designed to ensure that all organisations that accept, process, store, or transmit credit card information maintain a secure environment.
PCI SSC
Core PCI: Payment Card Industry Security Standards Council. The global forum founded by Visa, Mastercard, American Express, Discover, and JCB that develops, manages, and promotes PCI security standards.
Penetration Test
Security: A simulated cyberattack conducted by a qualified professional to identify exploitable vulnerabilities. PCI DSS Requirement 11.4 requires annual penetration testing of the CDE, plus testing after significant infrastructure changes.
POS
Business: Point of Sale. The location and system where a retail transaction is completed. POS terminals used in card-present environments are subject to PCI PTS requirements and must be included in the CDE scope.
PTS
Core PCI: PIN Transaction Security. A set of PCI SSC requirements for the secure management, processing, and transmission of PIN data during online and offline payment card transactions. Applies to hardware devices like payment terminals.
QSA
Core PCI: Qualified Security Assessor. An individual certified by the PCI SSC to perform on-site PCI DSS assessments. QSAs work for QSA Companies (QSACs) approved by the Council.
RBAC
Technical: Role-Based Access Control. An approach to restricting system access based on the roles of individual users within an organisation. Supports PCI DSS Requirement 7 (restrict access to cardholder data by business need-to-know).
Requirement
Compliance: One of the twelve high-level security objectives defined by PCI DSS, grouped into six control objectives. Each requirement contains multiple sub-requirements specifying the detailed controls to be implemented.
Risk Assessment
Security: A formal process of identifying threats and vulnerabilities to determine the level of risk to organisational assets. PCI DSS Requirement 12.3.1 mandates a targeted risk analysis to support each requirement where flexibility is allowed.
ROC
Core PCI: Report on Compliance. A detailed assessment report produced by a QSA (or ISA) documenting the results of an on-site PCI DSS assessment for Level 1 merchants and service providers.
SAD
Core PCI: Sensitive Authentication Data. Security-related information including full track data, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks used to authenticate cardholders. SAD must never be stored after authorisation.
SAQ
Core PCI: Self-Assessment Questionnaire. A validation tool for merchants and service providers not required to undergo a full on-site assessment. Different SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE) correspond to different payment processing environments.
SAQ A
Core PCI: Self-Assessment Questionnaire A. For e-commerce or mail/telephone-order merchants that have fully outsourced all cardholder data functions to PCI DSS compliant third parties, with no electronic storage, processing, or transmission of CHD on their systems.
SAQ B
Core PCI: Self-Assessment Questionnaire B. For merchants using only imprint machines or standalone dial-out terminals with no electronic cardholder data storage.
SAQ C
Core PCI: Self-Assessment Questionnaire C. For merchants with payment application systems connected to the internet but with no electronic cardholder data storage.
SAQ D
Core PCI: Self-Assessment Questionnaire D. The most comprehensive SAQ, for merchants that do not fit the criteria for any other SAQ type, or for service providers eligible for SAQ-based validation.
Scope Reduction
Compliance: Techniques used to minimise the number of systems, processes, and people subject to PCI DSS requirements. Methods include network segmentation, tokenisation, and outsourcing payment processing to compliant third parties.
Scope Validation
Compliance: The process of identifying and confirming all system components, people, processes, and technologies that are in scope for a PCI DSS assessment. PCI DSS 4.0 requires scope validation at least annually and upon significant changes.
Security Awareness Training
Security: A programme designed to educate employees about security threats and their responsibilities for protecting sensitive data. PCI DSS Requirement 12.6 requires training upon hire and at least annually thereafter.
Service Provider
Compliance: A business entity (not a payment brand) directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. Service providers must validate PCI DSS compliance and may require a ROC or SAQ D.
SIEM
Technical: Security Information and Event Management. A solution that aggregates, correlates, and analyses log data from multiple sources to detect security incidents. Supports PCI DSS Requirement 10 for log monitoring and review.
Sub-Requirement
Compliance: A specific, testable control within a PCI DSS requirement. For example, Requirement 8.3.6 specifies minimum password length. Sub-requirements define the detailed implementation expectations.
Third-Party Service Provider (TPSP)
Business: Any vendor, partner, or contractor that stores, processes, or transmits cardholder data on behalf of a merchant, or that could impact the security of CHD. PCI DSS Requirement 12.8 mandates formal management of TPSP relationships.
TLS
Technical: Transport Layer Security. A cryptographic protocol that provides secure communication over a network. PCI DSS requires TLS 1.2 or higher for transmitting cardholder data across open, public networks.
Tokenisation
Technical: The process of replacing sensitive data (such as a PAN) with a non-sensitive equivalent (a token) that has no exploitable value. Tokens can be mapped back to the original data only through a secure tokenisation system.
Vulnerability Scan
Security: An automated process that identifies security vulnerabilities in systems, networks, and applications. PCI DSS requires quarterly internal and external vulnerability scans, with external scans performed by an ASV.
WAF
Technical: Web Application Firewall. A security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. PCI DSS Requirement 6.4 requires a WAF or equivalent for public-facing web applications.