PCI Glossary of Terms: Frequently Used Terms for PCI Compliance


PCI DSS (Payment Card Industry Data Security Standards) is a fairly new industry requirement in the rapidly evolving world of online credit card transactions. With the first draft of standards coming on the scene in 2004, the PCI Security Standards Council (SSC) has since released seven updates aimed at encouraging merchants to keep up with the ever-changing threat of data breaches and cyber attacks on cardholder data.

That’s a lot to keep track of for any business, but for small merchants sometimes it can feel like you need a cipher to decode what it all means. This list of the most common PCI terms can help you get started on decrypting the complex world of PCI requirements:

Acquirer – Also referred to as “merchant bank,” “acquiring bank” or “acquiring financial institution”: The entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer.

Anti-Virus – A program or software capable of detecting, removing and protecting against various forms of malicious software (also known as malware) including viruses, worms, Trojans or Trojan horses, spyware, adware and rootkits.

ASV – Acronym for “Approved Scanning Vendor.” This is a company approved by the PCI SSC to conduct external vulnerability scanning services.

Audit Log – Also referred to as “trail log.” A chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review and examination of sequence of environments and activities surrounding or leading to operation, procedure or event in a transaction from inception to completion.

Card Verification Code or Value (CVV) – A data element on a credit card’s magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe. For Discover, JCB, MasterCard and Visa cards, this feature is a three-digit numeric code in the upper right hand corner on the back of the card; it is tied to each individual piece of plastic and to the PAN (Primary Account Number). On an American Express branded credit card it is a four-digit numeric code on the front of the card.

Cardholder Data – May appear as the full primary account number (PAN) and could also include the cardholder name, expiration date and/or service code.

Change Control – Processes and procedures to review, test and approve changes to systems and software for impact before implementation.

Disk Encryption – Technique or technology (either software or hardware) for encrypting all stored data on a device (for example a hard disk or flash drive).

Encryption – Process of converting information into an unintelligible form except to holders of a specific cryptographic key.

Masking – A method of concealing a segment of data when displayed or printed. Relates to protection of PAN.

Monitoring – Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms or other predefined events.

Multi-Factor Authentication – Method of authenticating a user whereby at least two factors are verified. The factors may include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase or PIN), or something the user does (such as fingerprints).

NTP – Acronym for “Network Time Protocol”: A protocol for synchronizing the clocks of computer systems, network devices and other system components.

Patch Management – Regularly updating existing software to add functionality or to correct a defect.

Penetration Test – A deliberate attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of a system’s components. This includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and inside the environment.

QSA – Acronym for “Qualified Security Assessor”: This is a professional assessor qualified by the PCI SSC to perform PCI DSS on-site assessments.

Secure Coding – The process of creating and implementing applications that are resistant to tampering and/or compromise.

Sensitive Authentication Data – Security-related information (i.e. card validation codes from a stripe or chip or PINs) used to authenticate cardholders and/or authorize payment card transactions.

Service Provider – A business entity that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.

Track Data – Also referred to as “full track data” or “magnetic stripe data”: This is data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions.

Vulnerability Scan – An automated process that detects and classifies weaknesses in computers, computer systems, networks or applications. Vulnerabilities are flaws or weaknesses that, if exploited, may result in an intentional or unintentional compromise of a system.

As a PCI Level 1 service provider, ZZ Servers offers end-to-end PCI enabled hosting solutions.

Each PCI enabled environment is custom designed to meet the needs of every business we serve.

To review a complete list of PCI terms visit https://www.pcisecuritystandards.org/pci_security/glossary .
