PCI Compliance Glossary
Clear definitions of key terms in PCI DSS, cybersecurity, and compliance — written for business owners, not IT pros.
Understand the Language of PCI Compliance
Confused by acronyms like SAQ, AOC, or ASV? This glossary explains every important term so you can feel confident navigating your compliance journey.
A – C
🔐 AOC (Attestation of Compliance)
A formal document that confirms your organization has met PCI DSS requirements. Submitted to your acquiring bank or payment processor as proof of compliance. Required annually.
🏦 Acquirer / Acquiring Bank
The financial institution that processes credit card transactions on behalf of a merchant. Your acquirer determines your compliance requirements and receives your AOC.
🔍 ASV (Approved Scanning Vendor)
A security company authorized by the PCI Security Standards Council to perform external vulnerability scans. ASV scans are required quarterly for many SAQ types.
💳 Cardholder Data (CHD)
At a minimum, the full Primary Account Number (PAN). When stored together with the PAN, the cardholder name, expiration date, and service code are cardholder data too. CHD may be stored if protected as PCI DSS requires; it is distinct from sensitive authentication data (such as the CVV), which may never be stored after authorization.
🏢 CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data. Defining your CDE is the first step in PCI compliance — everything in scope must meet PCI DSS requirements.
📁 Compensating Control
An alternative security measure used when a PCI DSS requirement cannot be met as written because of a legitimate technical or documented business constraint. It must meet the intent and rigor of the original requirement, provide a similar level of defense, and go above and beyond what other PCI DSS requirements already demand. Each one must be documented (on a compensating control worksheet) and accepted by your assessor.
🔢 CVV / CVC / CVV2
The 3- or 4-digit security code on payment cards (CVV2/CVC2 is the printed code; CVV/CVC is encoded on the magnetic stripe or chip). This is “sensitive authentication data” and must never be stored after a transaction is authorized, not even in encrypted form, per PCI DSS.
D – M
🔒 Encryption
Scrambling sensitive information (like card numbers) using cryptographic algorithms so it can only be read with the correct decryption key. PCI DSS requires strong cryptography whenever cardholder data is sent over open, public networks (Requirement 4) and is one of the accepted ways to render stored PANs unreadable (Requirement 3), alongside truncation, keyed hashing, and tokenization. Protecting the decryption keys (key management) is part of the requirement.
🌐 External Scan
A vulnerability scan performed from outside your network, simulating an attacker’s view. External scans must be run by an ASV at least every three months and after any significant change, with a passing result. Not every SAQ type includes this requirement (SAQ B, for example, does not); check the requirements listed in your specific SAQ.
🏠 Internal Scan
A vulnerability scan performed from inside your network to identify security issues on internal systems. Required at least every three months, with rescans until high-risk and critical findings are resolved. Internal scans can be performed by internal staff or third parties, as long as the scanner is qualified and independent of the systems being scanned; PCI DSS 4.0 also requires authenticated (credentialed) internal scans.
📊 Merchant Level
Classification, defined by each card brand, based on your annual number of card transactions. Levels range from 1 (highest: over 6 million transactions per year) to 4 (lowest: fewer than 20,000 e-commerce transactions and up to 1 million total transactions per year). Every merchant must meet PCI DSS; your level determines how you validate compliance (self-assessment with an SAQ versus an assessor-led ROC) and how often.
🔄 MFA (Multi-Factor Authentication)
Requiring two or more authentication factors (something you know, have, or are) to access systems. Required by PCI DSS 4.0 for all access to the CDE and for remote access.
N – P
🌐 Network Segmentation
Isolating your cardholder data environment from other parts of your network, typically with firewalls, VLANs with access controls, or separate networks. Segmentation is not itself a PCI DSS requirement, but proper segmentation reduces PCI scope and makes compliance easier. When you rely on it, penetration testing must confirm the segmentation controls actually work: at least annually for merchants and every six months for service providers (Requirement 11.4).
💳 PAN (Primary Account Number)
The number (up to 19 digits, most commonly 16) printed on the front of a payment card. The PAN is the most critical piece of cardholder data and triggers PCI DSS requirements when stored, processed, or transmitted. When displayed it must be masked (no more than the first six and last four digits visible), and when stored it must be rendered unreadable.
🛡️ PCI DSS (Payment Card Industry Data Security Standard)
The global security standard that all entities storing, processing, or transmitting cardholder data must follow to protect that data. It is managed by the PCI Security Standards Council. Version 4.0 was published in 2022 and replaced v3.2.1 in 2024; a limited revision, v4.0.1, followed in June 2024.
🏛️ PCI SSC (PCI Security Standards Council)
The organization that manages and develops PCI DSS. Founded by Visa, Mastercard, American Express, Discover, and JCB. Maintains the standard and certifies QSAs and ASVs.
🔓 Penetration Testing (Pen Test)
A simulated cyberattack performed by ethical hackers to identify exploitable vulnerabilities. Required annually by PCI DSS Requirement 11.4 and after significant changes.
🔐 P2PE (Point-to-Point Encryption)
A PCI-validated encryption standard for payment terminals that encrypts card data from the point of swipe/dip/tap until it reaches the payment processor. Significantly reduces PCI scope.
Q – Z
👤 QSA (Qualified Security Assessor)
An individual, employed by a QSA company qualified by the PCI SSC, who assesses organizations against PCI DSS requirements. Level 1 merchants and Level 1 service providers must validate with a Report on Compliance rather than a self-assessment; the ROC is performed by a QSA (or, for merchants, by an internal auditor certified as an ISA).
🛠️ Remediation
The process of fixing or mitigating issues found during a PCI scan or assessment. Includes software updates, configuration changes, or system improvements needed to pass compliance.
📋 ROC (Report on Compliance)
A detailed report documenting the results of a QSA assessment. Required for Level 1 merchants and service providers. Much more comprehensive than an SAQ.
📄 SAQ (Self-Assessment Questionnaire)
A series of forms designed to help merchants and service providers self-evaluate their PCI DSS compliance. Different SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE, SPoC, and D, which has separate versions for merchants and service providers) apply based on how you accept and process card data; the fewer systems that touch cardholder data, the shorter the SAQ.
🏢 Service Provider
A business entity that stores, processes, or transmits cardholder data on behalf of other businesses (merchants). Service providers have their own PCI compliance requirements, often stricter than merchants.
📦 Tokenization
A process of replacing sensitive card data with non-sensitive “tokens” that have no exploitable value: a token is a random reference that cannot be reversed to the PAN without access to the token vault, and is not simply the PAN encoded or hashed. Tokens can be used for recurring billing without storing actual card numbers, which removes those systems from PCI scope.
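The PAN and Tokenization entries above describe three ideas in words: display masking, vault-style tokens with no exploitable value, and why a token must not be derivable from the PAN. The following Python is an added example written for this glossary (it is not code from any PCI SSC document or from a real payment product); `TokenVault`, `mask_pan` and `recover_pan` are hypothetical names, and the card numbers used are the well-known public test numbers 4111111111111111 and 378282246310005, not real accounts. It also shows, as a generalization of the "no exploitable value" point, how an unkeyed SHA-256 hash of a PAN can be brute-forced in seconds once the BIN (first six digits) and last four are known, which is why PCI DSS 4.0 requires keyed hashes.

```python
"""Added example: PAN masking, vault tokenization, and why hashing a PAN is not tokenization."""
import hashlib
import hmac
import itertools
import secrets

_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)  # Luhn doubling table, digit sum already folded


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        total += _DOUBLE[d] if i % 2 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault: tokens are random, so the PAN exists only in here."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:  # same card, same token (recurring billing)
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)  # 128 random bits, unrelated to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def unkeyed_hash(pan: str) -> str:
    """The weak approach: anyone can recompute this for a guessed PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC) as PCI DSS 4.0 Requirement 3.5.1.1 expects; needs the secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, bin6: str, last4: str, length: int = 16, hash_fn=unkeyed_hash):
    """Attacker's view: BIN and last four are printed on receipts and masked screens,
    so only the middle digits are unknown. Returns the PAN if the hash is unkeyed."""
    for digits in itertools.product("0123456789", repeat=length - 10):
        candidate = bin6 + "".join(digits) + last4
        if luhn_valid(candidate) and hash_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    visa = "4111111111111111"  # public test number, not a real account
    vault = TokenVault()
    token = vault.tokenize(visa)
    print("display:", mask_pan(visa), "token:", token, "same token:", vault.tokenize(visa) == token)

    amex = "378282246310005"  # 15-digit public test number: 5 unknown middle digits
    print("unkeyed sha256 recovered:", recover_pan(unkeyed_hash(amex), "378282", "0005", 15))
    key = secrets.token_bytes(32)  # the attacker does not hold this
    print("keyed hash recovered:", recover_pan(keyed_hash(amex, key), "378282", "0005", 15))
```

The brute force over the Amex test number tries only about 10,000 Luhn-valid candidates, which is why "we only store a hash of the card number" does not take a system out of scope. The vault token, by contrast, carries no information about the PAN at all, and the vault itself stays in scope while the systems that hold tokens drop out.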
🔍 Vulnerability Scan
An automated tool that checks your systems for known security issues, misconfigurations, and outdated software. External ASV scans are required quarterly by PCI DSS for many SAQ types.
Quick Reference: Common Acronyms
The most frequently used PCI terms at a glance.
AOC
Attestation of Compliance
ASV
Approved Scanning Vendor
CDE
Cardholder Data Environment
CHD
Cardholder Data
PAN
Primary Account Number
QSA
Qualified Security Assessor
ROC
Report on Compliance
SAQ
Self-Assessment Questionnaire
Your Complete PCI DSS Terminology Guide
Understanding PCI compliance terminology is the first step toward a successful compliance journey. Whether you’re completing your first SAQ or preparing for a QSA audit, knowing the difference between an AOC and an ROC — or understanding what your ASV scan results mean — is essential.
This glossary covers all the key terms you’ll encounter during PCI DSS compliance, from basic acronyms like PAN and CDE to technical concepts like tokenization, network segmentation, and compensating controls. Every definition is written in plain English for business owners, not just IT professionals.
Bookmark this page as your go-to reference, and if you still have questions about any PCI term or requirement, our expert team is here to help. We make PCI compliance simple and human-friendly.
Still Have Questions?
Our experts can walk you through any term or requirement. We make PCI compliance simple and human-friendly.
Talk to an Expert
Free assessment • Plain-English guidance • Expert support