Merchant Services Glossary

Acquirer (or processor):  The financial institution that processes payment card transactions for merchants and is defined by a payment brand as an acquirer.  Truist (formerly BB&T) is the University’s standard payment acquirer.

Attestation of Compliance (AOC):  The Attestation of Compliance is a form for merchants and service providers to attest to the results of a PCI DSS assessment.  For University merchants, this is documented in a Self-Assessment Questionnaire. 

Card Skimmer:  A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.

Cardholder Data:  The full primary account number.  Data considered cardholder data when stored along with primary account number include the cardholder name, expiration date and/or service code.

Cardholder Data Environment (CDE):  The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.

Chargeback:  A chargeback is a forced transaction reversal in response to a claim of fraud or transaction dispute made by the cardholder.  It is the responsibility of the Merchant to investigate the chargeback, and confirm whether the chargeback is valid or not. Chargebacks must be responded to in a matter of days.

Compromise:  Unauthorized disclosure or theft, modification or destruction of cardholder data.

Consumer:  Individual purchasing goods, services or both.

EMV:  Stands for ‘Europay, Mastercard, and Visa’ (the 3 card brands that came up with the standard).  Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards.  While often tied together, EMV is not related to the PCI-DSS.

Issuer:  Entity that issues the consumer’s payment cards.

Merchant:  Any office, unit, department, or organization at the University that accepts payment cards as a form of payment for goods and/or services. This includes temporary, seasonal, or one-time events.

Merchant Identification Number (MID):  The account number assigned to University merchants associated with processing credit card payments

Payment Application:  A software application that stores, processes or transmits cardholder data.

Payment Cards:  Any credit card, debit card or pre-paid card with a brand logo on it, such as VISA, MasterCard, American Express, Discover, JCB International, etc.

Payment Card Industry Data Security Standard (PCI DSS):  The security standard established by the major card brands (Mastercard, Visa, American Express, etc).  The standard has 329 requirements covering people, processes and technology.

Payment Gateway:  Processes and authorizes credit card processing for e-commerce transactions.

Primary Account Number (PAN):  Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Qualified Security Assessor (QSA):  Qualified Security Assessor companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate a merchant’s adherence to PCI DSS.

Sensitive Authentication Data:  Security related information used to authenticate cardholders and/or authorize payments.  This information can include card validation codes/values, full track data, and PINs. This data can never be stored after authorization.

Service Provider:  Business entity (not a payment brand) directly involved in the processing, storing or transmission of cardholder data on behalf of another entity.  All University merchants will have one or more service providers.

Source:  PCI Security Standards Council:  https://www.pcisecuritystandards.org/pci_security/glossary