PCI Acronym Reference Guide


It happens to the best of us. We are in a meeting, trying to plan what the next step in the organization’s compliance process should be, when the “tech talk” starts. Whether it’s the networking guy, the lady in charge of the system admins, or even your CampusGuard Security Advisor, you think to yourself, “What did they just say? Should I know what that means?”

To help you understand the lingo, below are some of the most common terms you might hear in reference to PCI, along with what each one actually refers to.

PCI Acronym Guide

AOC

Attestation of Compliance

Form for merchants and service providers to attest to the results of a PCI DSS assessment. Since this form contains only summary-level information, it can be shared outside of the organization.

ASV

Approved Scanning Vendor

Company approved by the PCI SSC to conduct vulnerability scanning services. Quarterly external vulnerability scans, for those that require them, must be conducted by an ASV in order to comply with the PCI DSS.

BAU

Business As Usual

Organization’s normal daily business operations.

CDE

Cardholder Data Environment

Any people, processes, or technology that store, process, or transmit cardholder data or sensitive authentication data.

CHD

Cardholder Data

Sensitive payment card data that includes, at a minimum, the full card number (aka PAN) and can also include the cardholder name, expiration date, and/or service code when they appear together with the PAN.

CISSP

Certified Information Systems Security Professional

Globally recognized certification that confirms an individual’s knowledge about information security.

CVV / CSC / CVC

Card Verification Value (Visa, Disc)
Card Security Code (AmEx)
Card Validation Code (MC)

Data element on the magnetic stripe that protects the information on the stripe and can be used to reveal any alteration or counterfeiting.

CVV2 / CID / CVC2

Card Verification Value (Visa)
Card Identification Number (AmEx and Disc)
Card Validation Code (MC)

The three- or four-digit value printed on the payment card and used to validate possession of the physical card.

DLP

Data Loss Prevention

Software used to identify and block sensitive data being sent outside the network. Data can be protected while in use, in motion, or at rest.

DMZ

Demilitarized Zone

Physical or logical network that provides an additional layer of security between a public network (e.g. the Internet) and an organization’s internal network.

DNS

Domain Name System/Server

A system that stores human-readable names (aka domain names) along with the internet addresses for websites and other services. The system then provides name-resolution services so that the website “name” you type can be translated by your computer into the actual internet address.

DSS

Data Security Standard

The shortened abbreviation for the Payment Card Industry Data Security Standard, or PCI DSS.

E2EE

End to End Encryption

A broad category of solutions that encrypt communications between endpoints. P2PE is a PCI SSC-validated subset of this category.

FIM

File Integrity Monitoring

Technology that monitors for changes in normally static files, systems, and applications in order to detect malicious activity.

FTP

File Transfer Protocol

Network protocol used to transfer data from one computer to another through a public network. Standard FTP is considered an insecure protocol because file content is sent unencrypted over the network.

Firewall

Hardware and/or software technology that permits or denies computer traffic between trusted networks and external systems or networks.

HSM

Hardware Security Module

Hardware device that is used to manage and protect cryptographic keys.

IDS / IPS

Intrusion Detection Systems / Intrusion Prevention Systems

Systems used to monitor network traffic and report potential system anomalies or prevent intrusion attempts.

IP (Address)

Internet Protocol Address

Numeric code that uniquely identifies a particular computer (host) on the Internet.

IRP

Incident Response Plan

Specific procedures that define the steps to take in the event of a security breach, minimize the chaos, and hopefully limit the potential effects.

LAN

Local Area Network

Group of interconnected computers and/or other devices within a limited area.

LDAP

Lightweight Directory Access Protocol

Authentication and authorization data repository used for storing, modifying, and validating user permissions, as well as granting access to internal resources.

MFA

Multi-Factor Authentication

Method of authenticating a user in which at least two different factors are tested and verified (something the user has, something the user knows, or something the user is or does).

MOTO

Mail Order / Telephone Order

Payments taken through the mail or over the phone.

NTP

Network Time Protocol

Protocol for synchronizing the clocks of computer systems and network devices.

OWASP

Open Web Application Security Project

Non-profit organization focused on improving the security of application software. The “OWASP Top 10” is a respected and often-referenced list of the most critical web application security risks.

PAN

Primary Account Number

Unique payment card number that identifies the issuer and particular cardholder account.

PA-DSS

Payment Application Data Security Standard

Validation standard for software applications that store, process, or transmit cardholder data.

QSA

Qualified Security Assessor

Individual or organization qualified by the PCI SSC to conduct payment card-related audits and assessments.

PCI SSC

Payment Card Industry Security Standards Council

Global organization that was formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. Founding members include American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

PED

PIN Entry Device

Device used by a consumer to enter their PIN during a face-to-face payment transaction.

PIM

P2PE Instruction Manual

Guideline document that P2PE service providers deliver to merchants regarding chain-of-custody, shipping and receiving devices, secure storage of devices, implementation, device inspections, etc. These instructions must be followed in order to receive the full benefits of the P2PE solution.

PIN

Personal Identification Number

Secret numeric password known only to the user and to the system that authenticates the user.

POI

Point of Interaction

The initial point where data is read from a payment card. A POI device consists of hardware and software, and enables a cardholder to perform a card transaction. POI transactions are typically chip and/or magnetic-stripe card-based payment transactions.

POS

Point of Sale

Hardware and/or software used to process payment card transactions.

P2PE

Point to Point Encryption

PCI SSC-specific label given to payment solutions that encrypt the cardholder data from the point of interaction through a validated solution to the payment processor, thereby reducing the scope of PCI requirements for this payment channel.

PTS

PIN Transaction Security

A set of modular evaluation requirements, managed by the PCI SSC, for POI terminals that accept PIN entry.

QIR

Qualified Integrator or Reseller

Third-party vendor that has been qualified by the PCI SSC to implement, configure, and/or support PA-DSS validated Payment Applications on behalf of merchants and service providers.

ROC

Report on Compliance

Reporting tool used to document an organization’s results from its QSA-led onsite PCI assessment.

SAD

Sensitive Authentication Data

Security-related information (e.g. card validation codes, full track data, PINs, and PIN blocks) used to authenticate cardholders.

SAQ

Self-Assessment Questionnaire

Reporting tool used to self-document an entity’s PCI DSS assessment results.

SDLC

System Development Life Cycle or Software Development Life Cycle

Phases of the development of a software or computer system, including planning, analysis, design, testing, and implementation.

SHA-1 / SHA-2

Secure Hash Algorithm

Family or set of related cryptographic hash functions used to verify the integrity of information after it has been received.

SFTP

Secure File Transfer Protocol

Protocol for transferring files securely by encrypting the data in transit.

SNMP

Simple Network Management Protocol

A set of protocols for network management and monitoring, supported by many typical network devices such as routers, switches, servers, workstations, and other network components. Any network-attached device that must be monitored for conditions requiring attention during ongoing network administration can be managed through it.

SQL

Structured Query Language

Computer language used to create, modify, and retrieve data from database systems.

SSH

Secure Shell

Protocol and interface providing encryption for network services like remote login or remote file transfer.

SSL

Secure Sockets Layer

Internet security standard for encrypting the link between a website and a browser to enable the transmission of sensitive information. Now superseded by TLS.

TLS

Transport Layer Security

Protocol designed to provide data secrecy and data integrity between two communicating applications; the successor to SSL.

URL

Uniform Resource Locator

Formatted text string used by web browsers to identify a network resource on the Internet (web address).

VDI

Virtual Desktop Infrastructure or Virtual Desktop Interface

Refers to the software, hardware, and other resources required for the virtualization of a standard desktop system; also the process of accessing a virtualized machine that is hosted on a remote server.

VLAN

Virtual Local Area Network

Computers, servers, and networks configured to be on the same LAN, even though they may be in different geographic locations.

VPN

Virtual Private Network

Technology that enables remote computers to send and receive data securely over the Internet as if they were directly connected to the organization’s private network.

WEP

Wired Equivalent Privacy

Weak security algorithm used to encrypt wireless networks. Replaced by WPA / WPA2.

WPA

Wi-Fi Protected Access

Security protocol designed to secure wireless networks.

XSS

Cross-site Scripting

Attack that enables an attacker to inject script into public-facing web pages; the script then runs in visitors’ browsers, potentially giving the attacker access to their sessions or data.


About the Author

Katie Johnson
Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.