A
Account: Also referred to as “user ID,” “account ID,” or “application ID.” Used to identify an individual or process on a computer system. See Authentication Credentials and Authentication Factor.
Account Data: Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.
Acquirer: Bank or entity that merchants use to process their payment card transactions. Acquirers receive authorization requests from merchants and forward them to issuers for approval. They also provide authorization, clearing, and settlement services to merchants. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See Payment Processor.
Anti-Malware: Software designed to detect and then remove, block, or contain various forms of malicious software.
AOC: Attestation of Compliance. The AOC is the official PCI SSC form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
Application: Includes all purchased, custom, and bespoke software programs or groups of programs, including both internal and external (for example, web) applications.
Application and System Accounts: Also referred to as “service accounts”. Accounts that execute processes or perform tasks on a computer system or in an application. These accounts usually have elevated privileges that are required to perform specialized tasks or functions and are not typically accounts used by an individual.
ASV: Approved Scanning Vendor – These vendors are approved by the PCI SSC to conduct vulnerability scanning services for PCI Compliance purposes.
Audit Log: Also referred to as “audit trail.” Chronological record of system activities. Provides an independent, verifiable trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.
Authentication: Process of verifying identity of an individual, device, or process. Authentication typically occurs with one or more authentication factors.
B
BAU: Business as usual
C
Card Skimmer: A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
Card Verification Code: Also referred to as Card Validation Code or Value, or Card Security Code. For PCI DSS purposes, it is the three- or four-digit value printed on the front or back of a payment card. May be referred to as CAV2, CVC2, CVN2, CVV2, or CID according to the individual Participating Payment Brands.
Cardholder: Customer to which a payment card is issued, or any individual authorized to use the payment card.
CDE: Acronym for “Cardholder Data Environment.” The CDE is comprised of:
- The system components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data, and,
- System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.
CHD: Acronym for “Cardholder Data.” At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.
See Sensitive Authentication Data for additional data elements that might be transmitted or processed (but not stored) as part of a payment transaction.
Change Control: Processes and procedures to review, test, and approve changes to systems and software for impact before implementation.
Cleartext Data: Unencrypted data.
Commercial Off-the-Shelf (COTS): Description of products that are stock items not specifically customized or designed for a specific customer or user and are readily available for use.
Compromise: Also referred to as “data compromise” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
CRM System: Customer Relationship Management System – A system (online or computer-based) where a merchant would keep information about their customers (Address, contact number, etc.).