What do all those acronyms stand for anyway?

Gary Glover, Director of Security Assessments
By: Gary Glover
Acronyms in the payment card industry are pervasive, to say the least. You may come across them in actual PCI DSS documents created by the PCI Council, hear them in a conversation with your PCI auditor, or find them online during security research.


Here’s the lingo you should understand to grasp PCI security requirements.

AES (Advanced Encryption Standard): government encryption standard to secure sensitive electronic information.

AOC (Attestation of Compliance): a declaration of a merchant’s adherence to the PCI DSS.

APT (Advanced Persistent Threat): network attack in which a hacker breaks into a network undetected and harvests information over a long period of time. IDS/IPS and FIM are used to detect these attacks.

ASV (Approved Scanning Vendor): a company approved by the PCI SSC to conduct vulnerability scanning tests.

BCP (Business Continuity Plan): identifies an organization’s exposure to internal and external threats.

CDE (Cardholder Data Environment): any individual, software, system, or process that stores, processes, transmits, or handles cardholder data.

CERT (Computer Emergency Response Team): designated group to handle computer security incidents.

CHD (Cardholder Data): sensitive data found on payment cards, such as an account holder name or primary account number (PAN) data.

CISSP (Certified Information Systems Security Professional): a globally recognized certification that confirms an individual’s knowledge about information security.

CVV/CSC/CVC/CAV (Card Verification Value): element on a payment card that protects information on the magnetic stripe. Specific acronym depends on card brand.

CVSS (Common Vulnerability Scoring System): standardized method for rating and describing IT vulnerabilities.

DLP (Data Loss Prevention): a piece of software or strategy used to catch unencrypted data being exfiltrated or sent outside the network.

DMZ (Demilitarized Zone): neutral zone between a private and public network, providing an additional buffering layer of security, typically where web servers are hosted.

DNS (Domain Name Server): a way to translate URLs to IP addresses.

DSS (Data Security Standard): (see PCI DSS)

FIM (File Integrity Monitoring): a method to watch for changes in software, systems, and applications in order to detect potential malicious activity.

FTP (File Transfer Protocol): an insecure way to transfer computer files from computer to computer using the Internet. (see SFTP)

FW (Firewall): system designed to screen incoming and outgoing network traffic.

GPG (GNU Privacy Guard): the free version of PGP (a file encryption standard).

HTTP (Hypertext Transfer Protocol): A method of communication between servers and browsers. (See: HTTPS)

HTTPS (Hypertext Transfer Protocol Over Secure Socket Layer): A secured method of communication between servers and browsers.

HSM (Hardware Security Module): a physical computing device that safeguards and manages digital keys for strong authentication.

IDS/IPS (Intrusion Detection System/Intrusion Prevention System): a system used to monitor network traffic and report potential malicious activity.

IMAP (Internet Message Access Protocol): a communication protocol used to access email from your mail server.

IP (Internet Protocol): defines how computers send packets of data to each other.

IRP (Incident Response Plan): policies and procedures to effectively limit the effects of a security breach.

IT (Information Technology): anything relating to networks, computers, and programming, and the people that work with those technologies.

LPAR (Logical Partition): partitioning a computer’s resources, processors, memory, and storage into a smaller unit, normally a term associated with mainframe computers.

MAC (Message Authentication Code): information used to authenticate a message to ensure its authenticity.

NAC (Network Access Control): restricts data that users, apps, and programs can access on a computer network.

NVD (National Vulnerability Database): a repository of all known vulnerabilities, maintained by NIST.

NIST (National Institute of Standards and Technology): federal agency that measures standards and maintains the NVD.

OWASP (Open Web Application Security Project): a non-profit organization focused on software security improvement. Often heard in the context of “OWASP Top 10”, a list of top threatening vulnerabilities.

PAN (Primary Account Number): the 14 or 16 digits that identify a payment card. Also called a bank card number.

PA DSS (Payment Application Data Security Standard): validation standard for software applications that store, process, or transmit cardholder data.

PA QSA (Payment Application Qualified Security Assessor): individual or organization qualified by the PCI SSC to conduct PA DSS audits.

PCI SSC (Payment Card Industry Security Standards Council: established in 2006 by Visa, MasterCard, American Express, Discover Financial Services, and JCB International to regulate cardholder data security.

PCI DSS (Payment Card Industry Data Security Standard): requirements put together by the PCI SSC, required of all businesses that process, store, or transmit payment card data, to prevent cardholder data theft.

PGP (Pretty Good Privacy): data encryption computer program that provides privacy for encrypting emails, files, directories, and disks.

P&P (Policies and Procedures): guidelines and principles adopted by an entity with respect to organizational security.

P2PE (Point-To-Point Encryption): credit/debit card data encryption from the point of interaction to a merchant solution provider.

QIR (Qualified Integrator or Reseller): third party qualified by the PCI SSC to use security best practices while installing or maintaining payment systems.

QSA (Qualified Security Assessor): the individuals and firms certified by the PCI SSC to perform PCI compliance assessments.

RBAC (Role-Based Access Control): the act of restricting users’ access to systems based on their role within the organization.

ROC (Report on Compliance): a report documenting a company’s results from their PCI assessment, usually written by a QSA.

ROV (Report on Validation): a report on a company’s security that must be submitted to the PCI SSC.

SAQ (Self-Assessment Questionnaire): a collection of documents used to document an entity’s PCI DSS assessment results, based on their processing environment.

SEE ALSO: Updating to PCI 3.2 SAQs: The Changes You Should Know

SFTP (Secure File Transfer Protocol): a secure way to encrypt data in transit.

SSL (Secure Socket Layer): Internet security standard for encrypting the link between a website and a browser to enable the transmission of sensitive information (predecessor to TLS).

TCP (Transmission Control Protocol): (see IP)

TFA (Two-Factor Authentication): two out of three independent methods of authentication are required to verify a computer or network user. The three possible factors are:
  • Something you know (such as a username and password)
  • Something you have (such as an RSA token or cell phone which gives you a new code for each login)
  • Something you are (such as fingerprint or iris scan)
TLS (Transport Layer Security): (See SSL)

VLAN (Virtual Local Area Network): computers, servers and networks on the same LAN, even though they may be geographically dispersed.

VPN (Virtual Private Network): a strategy of connecting remote computers to send and receive data securely over the Internet as if they were directly connected to the private network.

WEP (Wired Equivalent Privacy): an outdated and weak security algorithm for wireless networks.

WLAN (Wireless Local Area Network): network that links to two or more devices wirelessly.

WPA (Wi-Fi Protected Access): security protocol designed to secure wireless computer networks.

WPA2 (Wi-Fi Protected Access II): a more secure version of WPA (see WPA)

XSS (Cross-Site Scripting): An attack that enables hackers to inject code into public-facing web pages and gain access into a system.

3DES (Triple Data Encryption Standard): a secure encryption standard that encrypts data three times.

Did I miss any PCI acronyms?

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.