Skip to main content



A bankcard association member that initiates and maintains relationships with merchants that accept payment cards.

Card Validation Value or Code

Data element on a card's magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:

  • CAV - Card Authentication Value - JCB
  • CVC - Card Validation Code - MasterCard
  • CVV - Card Verification Value - Visa and Discover
  • CSC - Card Security Code - American Express (AMEX)

The second type of card validation value or code is the rightmost three-digit value printed in the signature panel area on the back of the card (for Discover, Visa, MasterCard) or the four-digit non-embossed number printed above the PAN on the face of the card (for AMEX). The code is uniquely associated with each individual piece of plastic and ties the card account number to the plastic.

  • CID - Card Identification Number - AMEX and Discover
  • CAV2 Card Authentication Value 2 - JCB
  • CVC2 Card Validation Code 2 - MasterCard
  • CVV2 Card Verification Value 2 - Visa

The customer to whom a card is issued or individual authorized to use the card.

cardholder data

The information contained in the full magnetic strip, or the primary account number (PAN), plus any of the following:

  • Cardholder name
  • Expiration date
  • Service code
cardholder data environment

The area of a computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment, and thus the scope of the PCI assessment.


The Cash Management Office.

compensating controls

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must (1) meet the intent and rigor of the original stated PCI DSS requirement, (2) repel a compromise attempt with similar force, (3) be above and beyond other PCI DSS requirements (not simply in compliance with other PCI DSS requirements), and (4) be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.


Doing business as. Compliance validation levels are based on transaction volume of a DBA or chain of stores, not of a corporation that owns several chains.


Demilitarized zone. A network added between a private and a public network to provide an additional layer of security.


The process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption provides protection for information against unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption).


Hardware, software, or both that protects resources of one network from intruders from other networks. Typically, an enterprise with an intranet that permits workers access to the wider Internet must have a firewall to prevent outsiders from accessing internal private data resources.

hosting provider

A provider of various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of shopping cart options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server.


Internet protocol. A network-layer protocol containing address information and some control information that enables packets to be routed. IP is the primary network-layer protocol in the Internet protocol suite.

IP address

A numeric code that uniquely identifies a particular computer on the Internet.


Merchant Identification Number. An identifier required to process credit card transactions.

magnetic stripe data (track data)

Data encoded in the magnetic stripe that is used for authorization during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/Card Validation Value/Code, and proprietary reserved values must be purged; however, account number, expiration date, name, and service code may be extracted and retained, if needed for business.


Malicious software designed to infiltrate or damage a computer system, without the owner's knowledge or consent.


Use of system that constantly oversees a computer network including for slow or failing systems and that notifies the user in case of outages or other alarms.


Multi-protocol label switching.


Network address translation. Known as network masquerading or IP-masquerading, the change of an IP address used within one network to a different IP address known within another network.


Two or more computers connected together to share resources.

network components

Parts of a network that include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances.

network security scan

An automated tool that remotely checks merchant or service provider systems for vulnerabilities. The non-intrusive test involves probing external-facing systems based on external-facing IP addresses and reporting on services available to external networks (that is, services available to the Internet). Scans identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network.


Primary account number. The payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also called "account number."


The successful act of bypassing security mechanisms and gaining access to a computer system.

penetration test

The security-oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit. Beyond probing for vulnerabilities, this testing may involve actual penetration attempts. The objective of a penetration test is to detect identify vulnerabilities and suggest security improvements.


Personal identification number.


Point of sale.

service code

The three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic-stripe read transaction.

service provider

A business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data and cardholder information, or both. This also includes companies that provide services to merchants, services providers, or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.


Secure sockets layer. An established industry standard that encrypts the channel between a Web browser and Web server to ensure the privacy and reliability of data transmitted over this channel.

strong cryptography

A general term indicating cryptography that is extremely resilient to cryptanalysis. That is, given the cryptographic method (algorithm or protocol), the cryptographic key or protected data is not exposed. The strength relies on the cryptographic key used. Effective size of the key should meet the minimum key size of comparable strengths recommendations. One reference for minimum comparable strength notion is National Institute of Standards and Technology (NIST) Special Publication 800-57, August 2005 or others that meet the following minimum comparable key bit security:

  • 80 bits for secret key based systems (for example TDES)
  • 1024 bits modulus for public key algorithms based on the factorization (for example, RSA)
  • 1024 bits for the discrete logarithm (for example, Diffie-Hellman) with a minimum 160 bits size of a large subgroup (for example, DSA)
  • 160 bits for elliptic curve cryptography (for example, ECDSA)

Terminal identification number. A number assigned by the acquirer to each processing method.


The practice of removing data segment. Commonly, when account numbers are truncated, the first 12 digits are deleted, leaving only the last four digits.


A weakness in system security procedures, system design, implementation, or internal controls that could be exploited to violate a system security policy.

vulnerability scan

A scanning process used to identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network.