Glossary Flashcards
Acquirer
Merchant Bank
Acquiring Bank
Acquiring Financial Institution
Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer.
Acquirers are subject to payment brand rules and procedures regarding merchant compliance.
Account Number
Primary Account Number (PAN)
16 Digit
or
15 Digit (AMERICAN EXPRESS)
AOC (Attestation of Compliance)
The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
Quick Summary of the ROC.
ASV (Approved Scanning Vendor)
(Req 11)
Company approved by the PCI SSC to conduct external vulnerability scanning service.
Card Skimmer
(Req 9.9)
A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
Card Verification Code or Value
Card Validation Code or Value or Card Security Code.
- Magnetic-stripe data
- printed security feature
Cardholder
Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card.
Cardholder Data
Full PAN plus cardholder name, expiration date and/or service code.
CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.
Insecure Protocol/Service Port
(Req 2)
A protocol, service, or port that introduces a security concern due to lack of controls over confidentiality and/or integrity.
These security concerns include services, protocols, or ports that transmit data or authentication credentials (password/passphrase) in clear-text over the Internet, or that are easily exploited by default or if misconfigured.
EX: FTP, Telnet, POP3, IMAP, and SNMP v1 and v2
Masking
In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed.
Masking is used when there is no business requirement to view the entire PAN.
Masking relates to protection of PAN when displayed or printed.
Payment Processor
Sometimes referred to as payment gateway or payment service provider.
Entity engaged by a merchant or other entity to handle payment card transactions on their behalf.
While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.
EX: website > Stripe, PayPal
ROC (Report on Compliance)
“ROCK”
Report documenting detailed results from an entity's PCI DSS assessment.
Should NEVER be shared that’s what the AOC is for!
Sensitive Authentication Data
SAD data!
Security-related information (including but not limited to card validation codes/values, full track data (from magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
Strong Cryptography
Cryptography based on industry-tested and accepted algorithms, along with key lengths that provide a minimum of 112 bits of effective key strength and proper key-management practices.
Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is “one way”; that is, not reversible).