Account Number
Payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also called Primary Account Number (PAN)

Includes all purchased and custom software programs or groups of programs designed for end users, including both internal and external (web) applications

Approved Scanning Vendor (ASV)
An organization that validates adherence to the PCI DSS by performing vulnerability scans of Internet facing environments or merchants and service providers

Attestation of Compliance (AOC)
A form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance

Audit Log
Also referred to as “audit trail.” Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results

Card Validation Value (CVV)
Also known as Card Verification Code (CVC) or Value, or Card Security Code (CSC). Refers to either: (1) magnetic-stripe data, or (2) printed security features

Non-consumer or consumer customer to whom a payment card is issued to or any individual authorized to use the payment card

Cardholder Data (CHD)
At a minimum, cardholder data consists of the full PAN (Primary Account Number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction

Cardholder Data Environment (CDE)
Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment

Cellular Technologies
Mobile communications through wireless telephone networks, including but not limited to Global System for Mobile communications (GSM), code division multiple access (CDMA), and General Packet Radio Service (GPRS)

Compensating Controls
Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement

Also referred to as “data compromise,” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected

Screen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment

Individual purchasing goods, services, or both

Traffic exiting a network across a communications link and into the customer’s network

Egress Filtering
Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network

Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria

Main computer hardware on which computer software is resident

Hosting Provider
Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of “shopping cart” options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server

Intrusion Detection System (IDS)
Software or hardware used to identify and alert on network or system anomalies or intrusion attempts. Composed of: sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses system of rules to generate alerts in response to detected security events. See “Intrusion Prevention System”

Intrusion Prevention System (IPS)
Beyond an IDS, an IPS takes the additional step of blocking the attempted intrusion

Magnetic Stripe Data
Also referred to as “full track data” or “track data.” Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic-stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe

Malware/Malicious Software
Software or firmware designed to infiltrate or damage a computer system without the owner’s knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits

A method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers

Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events

Two or more computers connected together via physical or wireless means

Network Security Scan
Process by which an entity’s systems are remotely checked for vulnerabilities through use of manual or automated tools. Security scans that include probing internal and external systems and reporting on services exposed to the network. Scans may identify vulnerabilities in operating systems, services, and devices that could be used by malicious individuals.

See “Primary Account Number”

Payment Cards
For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard, or Visa, Inc

Payment Card Industry

Payment Card Industry Data Security Standard

PCI Security Standards Council
Global organization responsible for the administration of the PCI DSS. Certifies Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV). Founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and VISA, Inc.

Point of Interaction (POI)
Acronym for “Point of Interaction,” the initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended.

Point of Sale (POS)
Hardware and/or software used to process payment card transactions at merchant locations

Public Network
Network established and operated by a telecommunications provider, for specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks in scope of the PCI DSS include, but are not limited to, the Internet, wireless, and mobile technologies

Qualified Security Assessor (QSA)
Person qualified by PCI SSC to perform PCI DSS on-site assessments

Removable Electronic Media
Media that store digitized data and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and removable hard drives

Report on Compliance (ROC)
Form completed by a Qualified Security Assessor (QSA). Used to validate a merchant/service provider’s compliance with PCI DSS

Type of malicious software that when installed without authorization, is able to conceal its presence and gain administrative control of a computer system

Self-Assessment Questionnaire (SAQ)
Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment

Security Event
An occurrence considered by an organization to have potential security implications to a system or its environment. In the context of PCI DSS, security events identify suspicious or anomalous activity

Sensitive Authentication Data
Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions

Type of malicious software that when installed, intercepts or takes partial control of the user’s computer without the user’s consent

Track Data
Also referred to as “full track data” or “magnetic-stripe data.” Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic-stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe

Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc. See Masking for protection of PAN when displayed on screens, paper receipts, etc.

Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system

Web Application
An application that is generally accessed via a web browser or through web services. Web applications may be available via the Internet or a private, internal network

Web Server
Computer that contains a program that accepts HTTP requests from web clients and serves the HTTP responses (usually web pages)

Wide Area Network (WAN)
Computer network covering a large area, often a regional or company-wide computer system

Wireless Network
Network that connects computers without a physical connection to wires

Special thanks to the PCI Security Standards Council ( for glossary information

Last Reviewed: 11/2019

Last Reviewed by: PCI Oversight Committee