Glossary

Audit Log; Audit Trail

Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.

Cardholder Data

Cardholder data comprises, at a minimum, the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and service code.

See Sensitive Authentication Data for additional data elements that may be transmitted or processed, but not stored, as part of a payment transaction.

Critical System; Critical Technology

A system or technology that is deemed by the entity to be of particular importance. Critical systems can include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. Considerations for determining which specific systems and technologies are critical will depend on an organization’s environment and risk-assessment strategy.

Encryption

The process of transforming information with an algorithm to make it unreadable to anyone except those possessing special knowledge.

Entity

For the purposes of the PCI DSS, a broad term referring to a corporation, organization, or business undergoing a PCI DSS review.

Host

The main computer hardware on which computer software resides.

Issuer; Issuing Bank; Issuing Financial Institution

An entity, such as a bank or processor, that issues payment cards or performs, facilitates, or supports issuing services.

Merchant

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC – American Express, Discover, JCB, MasterCard, and Visa – as payment for goods and/or services. Merchants that accept payment cards as payment for goods and/or services can also be service providers.

Network Segmentation

Also referred to as “segmentation” or “isolation.” Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the PCI DSS assessment.

Payment Card Industry Data Security Standard (PCI DSS)

An information-security standard for organizations that handle branded credit cards from the major card schemes; the PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

Personally Identifiable Information (PII); Personal Data

Personal, private, or sensitive information, including name, address, Social Security number (SSN), mother's maiden name, and phone number, that can be used to identify a specific individual.

Compare to Anonymized Data.

Point-to-Point Encryption (P2PE)

A standard established by the PCI Security Standards Council. Payment solutions that offer similar encryption but do not meet the P2PE standard are referred to as end-to-end encryption solutions.

Policy

Organization-wide rules governing the acceptable use of computing resources, security practices, and guidance related to the development of operational procedures.

Primary Account Number (PAN); Account Number

A unique payment-card number, typically for credit or debit cards, that identifies the issuer and the particular cardholder account.

Procedure

The descriptive narrative or "how to" for a policy, which details how the policy is to be implemented.

Proxy Server

A server that acts as an intermediary, such as between an internal network and the internet.

Self-Assessment Questionnaire A (SAQ-A)

The most basic Self-Assessment Questionnaire for merchants processing card-not-present sales, such as those for ecommerce or for mail and telephone orders. Applies to those who have fully outsourced all cardholder-data functions to PCI DSS–compliant third-party service providers; there is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. SAQ-A is not applicable to face-to-face channels.

The SAQ-A has only 24 questions and touches just five of the 12 total PCI requirements (#2, #6, #8, #9, and #12).

Note: The SAQ-A is intended only for merchants at extremely low risk of exposing payment data. Qualifying merchants can be considered a "card-not-present merchant" only if they (a) never see a customer's physical payment card and (b) always accept payments over the phone, by traditional mail, or via an ecommerce website. These merchants must have little to no direct interaction with cardholder data electronically and would not see cardholder data unless it was on a paper report or paper receipt, neither of which would be received electronically. (Disqualifying electronic formats include text files on a workstation, Excel spreadsheets, emails, databases, and other software solutions.)

Self-Assessment Questionnaire P2PE (SAQ-P2PE)

The Self-Assessment Questionnaire for P2PE Merchants that are using only hardware-based payment terminals that are included in and managed via a validated, PCI SSC–listed P2PE solution, with no electronic cardholder data storage.

The SAQ-P2PE has only 3 questions and touches just three of the 12 total PCI requirements (#3, #9, #12).

Note: The SAQ-P2PE is not applicable to ecommerce channels.

Scoping

The process of identifying all system components, people, and processes to be included in a PCI DSS assessment. Accurately determining the scope of the review is the first step of a PCI DSS assessment.

Strong Cryptography

A method for protecting data; includes both reversible encryption and nonreversible, "one-way" hashing. Cryptography is based on industry-tested and -accepted algorithms, as well as key lengths that provide a minimum of 112-bits of effective key strength and align with proper key-management practices.

System Components

Any network component, server, or application included in or connected to the cardholder-data environment.

Token

In the context of authentication and access control, a token is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or two-factor authentication.