PCI DSS Definitions

Below is a list of definitions you will come across regarding PCI DSS.

Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data also may appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

Cardholder Data Environment: The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.

Payment Card: Any payment card, including debit cards, which is issued by one of the leading payment card brands or associations.

Merchant: Any person or entity (such as a school/unit) that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

Payment Application Data Security Standard (PA DSS): Requirements and security assessment procedures that apply to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement where these payment applications are sold, distributed, or licensed to third parties. This standard includes what a payment application must support to facilitate an entity’s PCI DSS compliance.

Payment Card Industry Data Security Standard (PCI DSS): A comprehensive set of requirements established by the PCI SSC for enhancing payment account data security. It is a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical safeguard measures.

PCI Security Standards Council (PCI SSC): The organization founded by American Express, Discover, MasterCard, JCB and Visa that maintains the PCI DSS and defines the credentials and qualifications for assessors and vendors.

Point of Sale (POS): Hardware and/or software used to process payment card transactions at merchant locations.

Primary Account Number (PAN): The account number (typically 13 to 19 digits) embossed or printed on a bank or payment card and encoded in the card's magnetic stripe. The leading digits (the issuer identification number, or BIN) identify the issuer of the card, the following digits identify the individual account, and the final digit is a Luhn (mod 10) check digit that detects mistyped or mis-read account numbers; it does not prove that a card or account is genuine.
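The following is an added example written for this glossary; it is not code from any PCI SSC publication. It shows the PAN structure described above in working form: computing and verifying the Luhn check digit, masking a PAN for display, and scanning constructed log lines for Luhn-valid PANs so they can be redacted. The 13-to-19 digit length range (from ISO/IEC 7812), the well-known brand test numbers, and the "first six and last four digits" display limit (PCI DSS v3.2.1 requirement 3.3) are assumptions drawn from outside this page; the log lines are constructed for the example.

```python
"""Added example (not PCI SSC code): Luhn check digit, PAN masking, PAN redaction.

Assumptions (not stated on the glossary page):
  - PANs are 13 to 19 digits long (ISO/IEC 7812).
  - Display masking keeps at most the first six and last four digits
    (PCI DSS v3.2.1 requirement 3.3).
  - 4111111111111111 and 378282246310005 are publicly documented brand
    test numbers, used here as sample input only.
"""
import re


def _luhn_sum(digits: list[int]) -> int:
    """Luhn sum of a full digit list (rightmost digit is the check digit)."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total


def luhn_check_digit(partial_pan: str) -> str:
    """Compute the check digit for a PAN that is missing its last digit."""
    digits = [int(c) for c in partial_pan if c.isdigit()]
    # Append a placeholder 0 so the real check-digit position is not doubled.
    return str((10 - _luhn_sum(digits + [0]) % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the digit string has a plausible PAN length and a correct Luhn check digit.

    A passing Luhn check proves only that the number is self-consistent; it says
    nothing about whether the card or account exists.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    return _luhn_sum(digits) % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: first six (issuer identifier) and last four digits kept."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Candidate: 13-19 digits, optional single space/dash between digits, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN candidate with its masked form.

    Returns the redacted text and the number of PANs replaced. Candidates that
    fail the Luhn check (order numbers, trace ids, timestamps) are left alone.
    """
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        candidate = match.group(0)
        if luhn_valid(candidate):
            count += 1
            return mask_pan(candidate)
        return candidate

    return PAN_CANDIDATE.sub(_sub, text), count


# Constructed sample log lines (not real data). The second line carries a
# 16-digit trace id that fails the Luhn check and must not be redacted.
SAMPLE_LOG = (
    "2024-05-01T10:15:02Z INFO order=778812 pan=4111-1111-1111-1111 amount=19.99\n"
    "2024-05-01T10:15:03Z INFO trace=1234567890123456 status=approved\n"
    "2024-05-01T10:16:40Z INFO order=778813 pan=378282246310005 amount=120.00\n"
)


if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_LOG)
    print(f"redacted {n} PAN(s)")
    print(redacted, end="")
```

Two caveats for anyone turning this into a log scrubber: a random run of 13 to 19 digits passes the Luhn check about one time in ten, so expect some false positives on identifiers that happen to be self-consistent, and the regex only sees plain decimal digits, so PANs that reach a log base64-encoded, URL-encoded or split across fields will slip through. The same candidate-then-validate approach is the usual first pass when hunting for cardholder data at rest during scoping.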

Report on Compliance (ROC): Report containing details documenting an entity’s compliance status with the PCI DSS.

Self-Assessment Questionnaire (SAQ): Tool used by an eligible entity to validate its own compliance with the PCI DSS.

Sensitive Authentication Data: Security-related information used to authenticate cardholders and/or authorize payment card transactions, including but not limited to card validation codes/values (the three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2), full magnetic-stripe data (or the equivalent data on a chip), PINs, and PIN blocks. Sensitive authentication data must not be stored after authorization, even if encrypted.