When it comes to PCI DSS jargon, are you A-OK or are you more “WTH?”?
Whether you know your POS from your POI or you wouldn’t know a QSA if one bit you on the nose, our glossary of PCI terms is bound to come in handy at some point. Here are just a few of the terms you’re likely to come across on your PCI DSS compliance journey.
A PCI Glossary
Acquirer – The financial institution that processes your payment card transactions.
Agent Assist – A secure, PCI DSS compliant solution that uses DTMF masking to disguise a customer’s key tones when a contact centre agent takes a payment over the phone.
AOC – Attestation of Compliance – a form that allows you to attest to your PCI DSS assessment results.
Audit Trail – A sequential log of your system activities.
CDE – Cardholder Data Environment – The entire environment (personnel, software, and hardware) in which data is stored, processed, and/or transmitted.
Console/Non-console Access – Direct or indirect access to a mainframe, server, or system.
CVSS – Common Vulnerability Scoring System – A method of ranking the seriousness of system vulnerabilities.
Data-flow Diagram – A comprehensive diagram documenting the flow of sensitive data through your system or network.
DESV – Designated Entities Supplemental Validation – An extra level of security validation required by some payment brands or acquirers.
DPA – Data Protection Act – the Act and relevant legislation regarding data security in the UK.
DTMF – Dual-Tone Multi-Frequency signalling – the system that recognises and processes the key tones on your phone.
DTMF Masking – Disguises the key tones as a contact centre agent takes a payment over the phone by masking them with a monotone beep so that the agent has no way of accessing card information.
De-scope – To remove your contact centre from the scope of PCI DSS entirely by using a third party service provider to process, transmit and/or store all card data.
DoS – A denial-of-service attack in which a hacker disables a system by overloading it with requests.
E2E – End-to-End Encryption. An encryption solution that does not meet P2PE standards.
GDPR – General Data Protection Regulation – The EU’s new standard for data security.
ICO – The Information Commissioner’s Office – the UK’s data protection regulator.
IDS – Intrusion detection system.
IPS – Intrusion prevention system.
IVR – Interactive Voice Response – An automated system that allows a computer to recognise and process speech and DTMF tones.
Multi-factor Authentication – The requirement of two or more levels of authentication to gain access to sensitive data or systems.
OS – Operating system.
P2PE – Point-to-Point Encryption – A standard of encryption for the secure transmission of data from the POI to processing.
PCI DSS – Just testing!
PCI SSC – The PCI Security Standards Council.
PFI – PCI Forensic Investigator – The person who investigates system breaches to analyse when, how, and why they occurred.
POI – Point of Interaction – The point at which cardholder data is taken.
QSA – Qualified Security Assessor – A PCI SSC-qualified PCI DSS assessor.
ROC – Report on Compliance – The report made after a PCI DSS assessment.
SAQ – Self-Assessment Questionnaire – the self-assessment section of a PCI DSS assessment.
Service Provider – A third-party organisation that provides cardholder data processing, storage, or transmission services.
Tokenisation – The use of tokens to represent sensitive data so that data is never accessible by the merchant.
Please let us know if there are any other PCI terms you regularly come across, but don’t understand. We’ll give you a full explanation and will add them to our PCI glossary!
This guide is the final chapter of our eBook ‘Starting Your PCI Compliance Journey’ – enter your details below to download it.