PCI Acronym Reference Guide


It happens to the best of us. We are in a meeting, trying to plan what the next step in the organization’s compliance process should be, when the “tech talk” starts. Whether it’s the networking guy, the lady in charge of the system admins, or even your CampusGuard Security Advisor, you think to yourself, “What did they just say? Should I know what that means?”

To help you understand the lingo, below are some of the most common terms you might hear in reference to PCI and what exactly they are referring to.

PCI Acronym Guide
Acronym / Meaning / Definition

AOC

Attestation of Compliance

Form for merchants and service providers to attest to the results of a PCI DSS assessment. Since this form contains only summary level information, it can be shared outside of the organization.

ASV

Approved Scanning Vendor

Company approved by the PCI SSC to conduct vulnerability scanning services. Quarterly external vulnerability scans, for those that require them, must be conducted by an ASV in order to comply with the PCI DSS.

BAU

Business As Usual

Organization’s normal daily business operations.

CDE

Cardholder Data Environment

Any people, processes, or technology that store, process, or transmit cardholder data or sensitive authentication data.

CHD

Cardholder Data

Sensitive payment card data that includes, at a minimum, the full card number (aka PAN) and can also include the cardholder name, expiration date, and/or service code when they are stored together with the PAN.

CISSP

Certified Information Systems Security Professional

Globally recognized certification that confirms an individual’s knowledge about information security.

CVV
CSC
CVC

Card Verification Value (Visa, Disc)
Card Security Code (AmEx)
Card Validation Code (MC)

Data element on the magnetic stripe that protects the information on the stripe and can be used to reveal any alteration or counterfeiting.

CVV2
CID
CVC2

Card Verification Value (Visa)
Card Identification Number (AmEx and Disc)
Card Validation Code (MC)

The three- or four-digit value printed on the payment card and used to validate possession of the physical card.

DLP

Data Loss Prevention

Software used to identify and block any sensitive data being sent outside the network. Data can be protected while in use, in motion, or at rest.

DMZ

Demilitarized Zone

Physical or logical network that provides an additional layer of security between a public network (e.g. the Internet) and an organization’s internal network.

DNS

Domain Name System/Server

A system that stores human-readable names (aka domain names) along with the internet addresses for websites and other services. The system then provides name-resolution services so that the website “name” you type can be translated by your computer into the actual internet address.

DSS

Data Security Standard

The shortened abbreviation for the Payment Card Industry Data Security Standard, or PCI DSS.

E2EE

End to End Encryption

A broad category of solutions that encrypt communications between endpoints. P2PE is a PCI SSC-validated subset of this category.

FIM

File Integrity Monitoring

Technology that monitors for changes in normally static files, systems, and applications in order to detect malicious activity.

FTP

File Transfer Protocol

Network protocol used to transfer data from one computer to another through a public network. Standard FTP is considered an insecure protocol because file content is sent unencrypted over the network.

FW

Firewall

Hardware and/or software technology that permits or denies computer traffic between trusted networks and external systems or networks.

HSM

Hardware Security Module

Hardware device that is used to manage and protect cryptographic keys.

IDS/IPS

Intrusion Detection Systems / Intrusion Prevention Systems

Systems used to monitor network traffic and report potential system anomalies or prevent intrusion attempts.

IP (Address)

Internet Protocol Address

Numeric code that uniquely identifies a particular computer (host) on the Internet.

IRP

Incident Response Plan

Specific procedures that define the steps to take in the event of a security breach, minimize the chaos, and hopefully limit the potential effects.

LAN

Local Area Network

Group of interconnected computers and/or other devices within a limited area.

LDAP

Lightweight Directory Access Protocol

Protocol for accessing an authentication and authorization data repository (directory) used for storing, modifying, and validating user permissions, as well as granting access to internal resources.

MFA

Multi-Factor Authentication

Method of authenticating a user in which at least two different factors are tested and verified (something the user has, something the user knows, or something the user is or does).

MO/TO

Mail-Order/Telephone-Order

Payments taken through the mail or over the phone.

NTP

Network Time Protocol

Protocol for synchronizing the clocks of computer systems and network devices.

OWASP

Open Web Application Security Project

Non-profit organization focused on improving the security of application software. The “OWASP Top 10” is a respected and often-referenced list of the most threatening vulnerabilities.

PAN

Primary Account Number

Unique payment card number that identifies the issuer and particular cardholder account.

PA-DSS

Payment Application Data Security Standard

Validation standard for software applications that store, process, or transmit cardholder data.

QSA

Qualified Security Assessor

Individual or organization qualified by the PCI SSC to conduct payment card-related audits and assessments.

PCI SSC

Payment Card Industry Security Standards Council

Global organization that was formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. Founding members include American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

PED

PIN Entry Device

Device used by a consumer to enter their PIN during a face-to-face payment transaction.

PIM

P2PE Instruction Manual

Guideline document that P2PE service providers deliver to merchants regarding chain-of-custody, shipping and receiving devices, secure storage of devices, implementation, device inspections, etc. These instructions must be followed in order to receive the full benefits of the P2PE solution.

PIN

Personal Identification Number

Secret numeric password known only to the user and a system to authenticate the user.

POI

Point of Interaction

The initial point where data is read from a payment card. A POI device consists of hardware and software, and enables a cardholder to perform a card transaction. POI transactions are typically chip and/or magnetic-stripe card-based payment transactions.

POS

Point of Sale

Hardware and/or software used to process payment card transactions.

P2PE

Point to Point Encryption

PCI SSC-specific label given to payment solutions that encrypt the cardholder data from the point of interaction through a validated solution to the payment processor, thereby reducing the scope of PCI requirements for this payment channel.

PTS

PIN Transaction Security

PTS is a set of modular evaluation requirements, managed by the PCI SSC, for POI terminals that accept PIN entry.

QIR

Qualified Integrator or Reseller

Third-party vendor that has been qualified by the PCI SSC to implement, configure, and/or support PA-DSS validated Payment Applications on behalf of merchants and service providers.

ROC

Report on Compliance

Reporting tool used to document an organization’s results from their QSA-led onsite PCI assessment.

SAD

Sensitive Authentication Data

Security-related information (e.g. card validation codes, full track data, PINs, and PIN blocks) used to authenticate cardholders.

SAQ

Self-Assessment Questionnaire

Reporting tool used to self-document an entity’s PCI DSS assessment results.

SDLC

System Development Life Cycle or Software Development Life Cycle

Phases of the development of a software or computer system including: planning, analysis, design, testing, and implementation.

SHA-1 / SHA-2

Secure Hash Algorithm

Family of related cryptographic hash functions used to confirm the integrity of information after it has been received.

SFTP

Secure File Transfer Protocol

Protocol for transferring files over an encrypted connection, protecting the data in transit.

SNMP

Simple Network Management Protocol

A set of protocols for network management and monitoring. SNMP is supported by most common network devices, such as routers, switches, servers, and workstations, and is used to monitor network-attached devices for conditions that require attention during ongoing network administration.

SQL

Structured Query Language

Computer language used to create, modify, and retrieve data from database systems.

SSH

Secure Shell

Protocol and interface providing encryption for network services like remote login or remote file transfer.

SSL

Secure Sockets Layer

Internet security standard for encrypting the link between a website and a browser to enable the transmission of sensitive information. Now superseded by TLS.

TLS

Transport Layer Security

Protocol designed to provide data secrecy and data integrity between two communicating applications; the successor to SSL.

URL

Uniform Resource Locator

Formatted text string used by web browsers to identify a network resource on the Internet (web address).

VDI

Virtual Desktop Infrastructure or Virtual Desktop Interface

Refers to the software, hardware, and other resources required for the virtualization of a standard desktop system, and the process of accessing a virtualized desktop that runs on a remote server.

VLAN

Virtual Local Area Network

Computers, servers, and networks configured to be on the same LAN, even though they may be in different locations geographically.

VPN

Virtual Private Network

Technology that enables remote computers to send and receive data securely over the Internet as if they were directly connected to the organization’s private network.

WEP

Wired Equivalent Privacy

Weak security algorithm used to encrypt wireless networks. Replaced with WPA / WPA2.

WPA / WPA2

Wi-Fi Protected Access

Security protocol designed to secure wireless networks; the replacement for WEP.

XSS

Cross-site Scripting

Attack in which an attacker injects malicious script into public-facing web pages so that it runs in the browsers of other users who visit the page.

About the Author
Katie Johnson

PCIP

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.