Defining PCI Key Terms

 The technology world is, for better or worse, chock-full of acronyms and abbreviations.  Below you’ll find a list of common terms that are often abbreviated when dealing with PCI compliance.  The list is nowhere near exhaustive, nor does it include “techy” terms like RADIUS and TLS.  However, it should cover the basics when you’re new to PCI and trying to understand PCI lingo.

  • ASV (Approved Scan Vendor) – Company approved by the PCI-SSC to perform the external network scanning requirement of the PCI-DSS.
  • CAV2/CVC2/CVV2/CID (Card Verification/Authentication/Identification Code/Value) – A secondary authentication value for card-not-present transactions.  It’s the 3-4 digit number on a card near the PAN or on the back.  This number uniquely ties the PAN to the physical piece of plastic (your card), verifying you have the plastic.  (This is why your CVV2 will change when you get a new card; it’s also why storing this data is a big no-no.)
  • CVV/CVC/CSC/CAV (Card Verification/Security/Authentication Code/Value) – Special authentication data stored in the magnetic stripe or other printed feature of a card.
  • PAN (Primary Account Number) – Unique number for an issued card.  It’s your “credit card number”.
  • PABP (Payment Application Best Practices) – Set of standards for software designers to help secure cardholder data.  Was adopted by the PCI-SSC in 2008 and released as PA-DSS.
  • PA-DSS (Payment Application Data Security Standards) – A set of standards for software designers to help write secure code.  Required for off-the-shelf software used to handle cardholder data.  Originally PABP.
  • PA-QSA (Payment Application Qualified Security Assessor) – A company or individual approved by the PCI-SSC to perform PA-DSS audits.
  • PCI (Payment Card Industry) – Self-explanatory.
  • PCI-DSS (Payment Card Industry Data Security Standards) – The requirements for PCI Compliance.
  • PCI-SSC (Payment Card Industry Security Standards Council) – The organization in charge of maintaining the compliance requirements for all of PCI.
  • “Pen” Test (Penetration Test) – A thorough security test of a device, system, or network.  Required by the PCI-DSS.
  • QSA (Qualified Security Assessor) – A company or individual approved by the PCI-SSC to perform on-site audits.
  • QSAC (Qualified Security Assessor Company) – The company contracted to do an on-site audit.
  • ROC (Report on Compliance) – The document submitted by a QSA declaring a company’s compliance with the PCI-DSS.
  • ROV (Report on Validation) – The document submitted by a PA-QSA declaring a company’s compliance with the PA-DSS.
  • SAQ (Self-Assessment Questionnaire) – Simple worksheet to help determine compliance with the PCI-DSS.
  • “Scope” (Scope of Work) – The entirety of what needs to be validated for PCI compliance.
  • SOW (Statement of Work) – A document containing details for services rendered to a client.  For a PCI audit this will usually include scope, deadlines/milestones, fees, contact information, et cetera.  Often referred to as a “bid”, but the pricing is only part of a full SOW.
  • “Track” Data (Magnetic Stripe Data) – The data contained in the magnetic stripe or computer chip of a card.  Usually has 2 tracks.


The PCI-SSC has released a glossary of terms you can reference for more information.

