Glossary
PCI DSS terms in plain English
The terms you'll see most often when you're working through a SAQ.
- PAN (Primary Account Number)
- The 16-digit (or sometimes 13–19) card number printed on the front of a payment card. The single most regulated piece of data in PCI DSS.
- CHD (Cardholder Data)
- PAN, plus optionally cardholder name, expiry date, and service code. Storing or transmitting any of these brings you into scope.
- SAD (Sensitive Authentication Data)
- Full magstripe contents, CVV/CVC2, and PIN block. PCI DSS forbids storing SAD after authorisation, even if encrypted.
- CVV / CVC2 / CID
- The 3- or 4-digit security number printed on the card (not encoded in the magstripe). Used to verify card-not-present transactions. Never stored after authorisation.
- CDE (Cardholder Data Environment)
- Every system, network, person, and process that stores, processes, or transmits cardholder data — plus everything connected to it. The smaller you keep your CDE, the less PCI work you have.
- Descope
- Architectural changes that remove cardholder data from a system or process so it falls outside PCI scope. Phone-payment descope solutions intercept card details before they reach the agent or call recording.
- SAQ (Self-Assessment Questionnaire)
- The form a merchant completes annually to attest PCI compliance. Nine variants (A, A-EP, B, B-IP, C-VT, C, P2PE, D-Merchant, D-Service Provider) covering different environments.
- AOC (Attestation of Compliance)
- A signed declaration that an entity (merchant or service provider) has completed its PCI assessment and meets requirements. You collect AOCs from your service providers annually.
- ASV (Approved Scanning Vendor)
- A PCI-Council-approved third party that runs quarterly external vulnerability scans against your internet-facing systems.
- QSA (Qualified Security Assessor)
- An individual or firm certified by the PCI Council to conduct on-site PCI DSS assessments. Required for Level 1 merchants; optional but useful for smaller ones.
- ROC (Report on Compliance)
- The full assessment report a QSA produces for Level 1 merchants. Replaces the SAQ for those merchants.
- P2PE (Point-to-Point Encryption)
- A PCI-validated approach where card data is encrypted at the point of capture (e.g. inside a payment terminal) and only decrypted by the processor. Massively reduces merchant scope.
- Tokenisation
- Replacing the PAN with a non-sensitive equivalent (a token) that has no exploitable value. Lets merchants reference customer cards (e.g. for refunds) without storing the PAN.
- DTMF masking
- Phone-payment technique where the customer types card details on their handset keypad and the DTMF tones are intercepted, captured by a PCI-compliant payment system, and replaced with masked tones in the call recording. The agent never hears or sees the card data.
- Acquirer
- The bank or financial institution that processes card payments on a merchant's behalf and ultimately decides whether the merchant is PCI-compliant.