It is very common to hear the terms "Audit of PCI DSS’ or ‘PCI DSS Auditor» within the jargon related to compliance with PCI DSS standard. The use of this terminology is overcrowded even in Qualified Security Advisors (Qualified Security Assessor – QSAs) and in entities requiring compliance with PCI SSC standards (merchants, service providers, banks, etc.), especially Spanish-speaking ones. However, the use of these terms is INCORRECT from the point of view of Payment Card Industry Security Standards Council (PCI SSC), as well as other related terms that are usually used as synonyms without actually being synonymous.

In order to use the same terminology and avoid ambiguities and confusions around the standards, from PCI Hispano we invite you to incorporate the following terminology into the vocabulary related to compliance with these standards.

Why is the term "PCI DSS Audit" wrong?

Since its inception, the PCI SSC has avoided using the term "audit" to refer to the assessment of compliance with its standards or "auditor" for advisors who can perform such assessments.  The reason why this terminology is not used is because, in many countries, the execution of an audit can only be carried out by professionals certified by the Certified Public Accountant (CPA) or similar entities. In Texas (USA), for example, it is prohibited by law the use of the terms "auditor’ or ‘accountant» if the person using them is not duly certified.

Even though the concept of "accountant' (accountant) or 'auditor» is usually linked to verifications of a financial nature, it can also cover other more technical areas. Such is the case of audits of System and Organization Control (SSAE 16/SOC 1, 2 and 3) or Sarbanex-Oaxley, which are assessed on the basis of the criteria described in Generally Accepted Auditing Standards (GAAS), must be audited by personnel certified as CPA (mandatory in the case of SOC, recommended in the case of SOX).

In this sense, and to avoid legal issues, the PCI SSC has opted for the following terminology:

  • ‘Assessment» (Assessment), to refer to the review of compliance with the standard.
  • ‘Assessor» (Advisor), to refer to certified professionals who can perform assessments of compliance with PCI SSC standards. In the case of PCI DSS, they are called Qualified Security Advisors (SSAs).Qualified Security Assessors – QSA).

Although in Spain and Latin America these restrictions may not apply (depending on the region and its local laws), it is important that the same terminology is used to avoid misinterpretations and legal problems.

That being so:

  • It is not said: "PCI DSS Audit". It should read: ‘PCI DSS Assessment’ or ‘PCI DSS Compliance Assessment’.
  • It is not said: "PCI DSS Auditor". It should read: ‘PCI DSS Qualified Advisor’ or simply ‘PCI DSS Advisor’

These concepts are equally applicable to any assessment of compliance with the different standards the PCI SSC.

Other terms to avoid in the scope of PCI SSC standards

Taking advantage of this article, I would also like to comment on some terms that should be avoided in order to use the same terminology used by the PCI SSC:

  • It is not said "Test of Intrusion". It should read "Proof of Penetration" (Penetration testing, in accordance with req. 11.3 of PCI DSS)
  • It does not say "two-factor authentication" or "double-factor authentication" (Two-factor Authentication). It should read "Multi-factor authentication" (Multi-factor Authentication or MFA (req. 8.3 of PCI DSS)
  • It does not say "PCI standard". It should read "PCI DSS standard" (or PCI PIN, PCI 3DS, PCI P2PE, etc.). In this case, PCI stands for Payment Card Industry, but not of the particular standard.
  • It does not say "PCI DSS regulation". It should be said "PCI DSS standard" (or PCI PIN, PCI 3DS, PCI P2PE, etc.), since the translation of standard is simply "standard».

Now, please read the article again but this time with the voice of Paris Danielle 🙂

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

Leave to Reply