Talking the Compliance Talk: Your Glossary of PCI DSS Terms

July 18, 2017 | 3-minute read

New to the wide world of payments, or just prefer to avoid terms that are all acronyms? Peruse these unambiguous definitions of PCI compliance vocab and you’ll be speaking the payment card industry lingo in no time.

PCI DSS: AKA PCI compliance. The non-abbreviated name is Payment Card Industry Data Security Standard. It is the set of security requirements that any organization that stores, processes or transmits cardholder data is expected to follow, so that the data stays confidential and the likelihood of it being compromised is reduced. In as few words as possible, PCI DSS is card data protection.

PCI SSC: The major card brands came together in 2006 to create the PCI Security Standards Council, which took over stewardship of PCI DSS (the first version had been published by the brands themselves in late 2004). While the SSC maintains the standard, publishes supporting documents and provides education about it, it doesn't handle compliance validation or enforcement. That's on the individual card brands, who set their own compliance programs and enforce and/or fine accordingly.

Merchant and Service Provider Levels: The card brands classify any entity handling cardholder data by level, based on the number of transactions it handles each year (the exact thresholds differ from brand to brand). Merchants are assigned Levels 1 through 4: a business handling a small number of transactions is a Level 4 merchant, whereas one handling a very large volume is a Level 1 merchant. Service providers have their own, shorter scale, typically Level 1 or Level 2. The level determines how compliance must be validated: Level 1 requires an annual on-site assessment by a QSA and a Report on Compliance (ROC), while lower levels can usually self-assess with an SAQ. (For those wondering, PaymentSpring is certified as a Level 1 Service Provider.)

QSA: Stands for Qualified Security Assessor. This is a person (employed by a company the SSC has qualified) who comes on site to assess a merchant's or service provider's cardholder data environment: reviewing systems, configurations and evidence, interviewing staff, and testing processes and procedures. The output of that assessment is the Report on Compliance.

SAQs: A Self-Assessment Questionnaire is a tool provided by the PCI SSC to help merchants and service providers report the results of their own compliance assessment. There are several SAQ types, and the shortest ones apply to merchants that have outsourced all handling of card data, for example by using a hosted payment page or tokenization so the card number never touches their own systems. Pro tip: Merchants using PaymentSpring's gateway solution correctly will generally qualify for one of these shorter SAQs, as they'll have little to no interaction with a user's actual card number. Which SAQ actually applies depends on how the integration is built, so confirm the choice with your acquirer.

Now that you’ve got the terminology mastered, find out what all these words mean for you. Download our PCI DSS guide for more information on why compliance matters and how you can reduce your scope.