The world of PCI DSS compliance is one of many acronyms and lots of jargon. Let’s decode some of them!
- AOC: Attestation of Compliance, a document signed by a QSA or company officer attesting to the validity of the findings being reported.
- AOSC: Attestation of Scan Compliance, a document provided by an ASV summarizing and attesting to the accuracy of quarterly external scan results.
- ASV: Approved Scanning Vendor, a company authorized to conduct external vulnerability scans.
- Council: common shorthand for the PCI Security Standards Council.
- FIM: File Integrity Monitoring, software which detects the unauthorized creation, deletion, or modification, of files on a server.
- ISA: Internal Security Assessor, a company employee who has successfully undergone ISA training by the PCI Council and is now authorized by some card brands to do on-site assessments in lieu of a QSA.
- PCI: Payment Card Industry.
- PCI DSS: Payment Card Industry Data Security Standard. The original security standard developed by the PCI SSC, and with which all the other security standards subsequently developed are aligned.
- PCI SSC: Payment Card Industry Security Standards Council. The organization formed by the 5 card brands American Express, Discover, JCB, MasterCard, and Visa, to maintain the PCI DSS and associated programs.
- QSA: Qualified Security Assessor. A company or an individual approved by the PCI SSC to conduct audits under the PCI frameworks.
- QSAC: QSA Company. A specific company that is permitted to act as a QSA by the PCI SSC.
- ROC: Report on Compliance, the detailed report of findings produced at the end of an on-site audit by a QSA, ISA, or other appropriate person.
- SSF: PCI Software Security Framework, a framework for secure development of software which has two associated Standards: SSS, and Secure SLC
- SSS: PCI Secure Software Standard
- Secure SLC: PCI Secure Software Life Cycle Standard
