
  PCI COMPLIANCE


Pinnacle is committed to providing PCI compliant products and solutions. The spirit of PCI compliance is consistent with our desire to protect and secure your customers’ sensitive credit card data. Palm POS has been adding security features for years and has recently adopted all the necessary enhancements to exceed the rigid security requirements of PCI. Pinnacle will continue to make sure future versions of Palm POS maintain compliance. When you install Palm POS you can be assured you are installing a point-of-sale system that meets PCI security requirements and handles your customers’ credit card information securely.


Dictionary of Terms
 

Payment Application - A term that includes software vendors that develop payment applications that handle bank card transaction communications to and from a processing host. This includes, but is not limited to, POS vendors. Payment Applications are one of three primary categories (Payment Applications, Merchants, and Service Providers) in which a company or product is grouped according to its role in handling bank card transactions. Separate audit requirements are in place for each category.

Merchant - A term that includes retailers that accept bank cards for payment. Merchants are one of three primary categories (Payment Applications, Merchants, and Service Providers) in which a company or product is grouped according to its role in handling bank card transactions. Separate audit requirements are in place for each category.

Service Provider - A term that includes payment processing hosts. Service Providers are organizations that process, store or transmit credit card transaction data on behalf of Merchants or other Service Providers. Service Providers are one of three primary categories (Payment Applications, Merchants, and Service Providers) in which a company or product is grouped according to its role in handling bank card transactions. Separate audit requirements are in place for each category.

PABP - Payment Application Best Practices. This is a Visa program of best practice interpretations of DSS for application vendors. The program was/is strongly recommended but not mandatory, in spite of the fact that retailers and networks had deadlines that required application vendor compliance. Many of the components of PABP have become the basis for the PA-DSS.

DSS - Data Security Standard. DSS is a set of comprehensive requirements for enhancing payment account data security and was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is the basis for all PCI self-assessments and audits for retailers, POS applications and processors.

PA-DSS - Payment Application Data Security Standard. PA-DSS was formerly known as PABP. PA-DSS is a program under the supervision of the PCI Security Standards Council. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.

PED - PIN Encryption Device. Any device such as a PIN pad that collects and encrypts a user’s financial PIN. Contact your PIN pad provider for details on their PED compliance status and specific deadlines related to PED. More details including a list of approved devices can be found at https://www.pcisecuritystandards.org/pin/

Known Vulnerable - A term sometimes used by members of the PCI Council to describe a Payment Application that is known to be out of compliance with PABP or PA-DSS. The known vulnerable list is not a publicly published list but is available from a merchant’s bank or processor.

Verified - A term often used to mean a Payment Application that has been audited against and is in compliance with the PABP or PA-DSS requirements.

QSA - Qualified Security Assessor, more commonly known as a PCI auditor.

Tier - A term usually used to describe the size of a merchant and is often a reflection of the number of card transactions processed annually. Currently there are 4 tiers and each has its own specific deadlines for compliance and required annual tasks such as self-assessment and scans.