Glossary

The world of PCI DSS compliance is one of many acronyms and lots of jargon. Let’s decode some of them!

  • AOC: Attestation of Compliance, a document signed by a QSA or company officer attesting to the validity of the findings being reported.
  • AOSC: Attestation of Scan Compliance, a document provided by an ASV summarizing and attesting to the accuracy of quarterly external scan results.
  • ASV: Approved Scanning Vendor, a company authorized to conduct external vulnerability scans.
  • Council: common shorthand for the PCI Security Standards Council.
  • FIM: File Integrity Monitoring, software which detects the unauthorized creation, deletion, or modification of files on a server.
  • ISA: Internal Security Assessor, a company employee who has successfully undergone ISA training by the PCI Council and is now authorized by some card brands to do on-site assessments in lieu of a QSA.
  • PCI: Payment Card Industry.
  • PCI DSS: Payment Card Industry Data Security Standard. The original security standard developed by the PCI SSC, and with which all the other security standards subsequently developed are aligned.
  • PCI SSC: Payment Card Industry Security Standards Council. The organization formed by the 5 card brands (American Express, Discover, JCB, MasterCard, and Visa) to maintain the PCI DSS and associated programs.
  • QSA: Qualified Security Assessor. A company or an individual approved by the PCI SSC to conduct audits under the PCI frameworks.
  • QSAC: QSA Company. A specific company that is permitted to act as a QSA by the PCI SSC.
  • ROC: Report on Compliance, the detailed report of findings produced at the end of an on-site audit by a QSA, ISA, or other appropriate person.
  • SSF: PCI Software Security Framework, a framework for the secure development of software which has two associated standards: the SSS and the Secure SLC.
  • SSS: PCI Secure Software Standard.
  • Secure SLC: PCI Secure Software Lifecycle Standard.