Courtesy of, and PCI Security Standards

Acquiring Bank
(UCSB = Bank of America merchant services (aka “BAMS”))
Also referred to as “merchant bank,” “merchant processor,” “acquirer,” or “acquiring financial institution.” An entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. Note: UCSB is required to report the PCI compliance status of our merchants to our acquiring bank, BAMS.

Approved Scanning Vendor (“ASV”)
Company approved by the PCI Security Standards Council to conduct scanning services to identify common weaknesses in system configuration. The UC’s QSA, Coalfire Services, is our ASV.

Card Associations
Credit card issuing entities such as Visa and MasterCard that govern and oversee the use of credit cards for payment transactions.

Card Data / Customer Card Data
At a minimum, card data includes the primary account number (PAN), and may also include cardholder name and expiration date. The PAN is visible on the front of the card and encoded into the card’s magnetic stripe and/or the embedded chip. Also referred to as cardholder data. See also Sensitive Authentication Data for additional data elements which may be part of a payment transaction but which must not be stored after the transaction is authorized.

Chip / Chip Card / EMV (“Europay MasterCard Visa”)
Also known as “EMV Chip.” The microprocessor (or “chip”) on a payment card used when processing transactions in accordance with the international specifications for EMV transactions.

Data Breach
A data breach is an incident in which sensitive data may have potentially been viewed, stolen, or used by an unauthorized party. Data breaches may involve card data, personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property, etc.

Hosting Provider
Offers various services to merchants and other service providers, where their customers’ data is “hosted” or resident on the provider’s servers. Typical services include shared space for multiple merchants on a server, providing a dedicated server for one merchant, or web apps such as a website with “shopping cart” options.

Interchange
The process by which all parties involved in a credit card transaction (i.e., processors, acquirers, issuers, etc.) manage the processing, clearing and settlement of credit card transactions, including the assessment, collection and/or distribution of fees between parties. Also known as Credit Card Interchange.

Merchant
The person or business entity that sells goods or services to a customer. For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers.

Merchant Account
A financial institution or bank account that is used by a merchant specifically for the purpose of collecting proceeds from consumer bank account or credit card payment transactions. A Card Present (CP) merchant account is used by merchants that receive payments in a physical location where the payment card is physically presented to the merchant by the customer at the time of the transaction. A Card Not Present (CNP) merchant account is used by merchants that receive payments electronically or in situations where the payment card is not physically presented to the merchant by the consumer at the time of the transaction.

Mobile Payment Acceptance
Using a mobile device to accept and process payment transactions. The mobile device is usually paired with a commercially available card-reader accessory. Only approved, secure mobile card readers may be used by UCSB merchants; consult the Coordinator for processing options.

MO/TO (“Mail Order / Telephone Order”)
The business of selling merchandise or services to consumers, where card payments are received through the mail or by telephone. Credit cards are typed into an internet-based payment portal using a secure, approved card reading device.

P2PE / PCI-Listed Point-to-Point Encryption Solution
Encryption solution that has been validated per the PCI Point-to-Point-Encryption (P2PE) standard and is listed on the PCI Council website.

Payment Gateway
(UCSB = Generally or Bluefin Payment Systems)
A system of technologies and processes that allow merchants to electronically submit payment transactions to the payment processing networks (i.e., the Credit Card Interchange and the ACH Network). Payment gateways also provide merchants with transaction management, reporting, and billing services.

Payment Processor / Processor
Entity engaged by merchants to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers (merchant banks) unless defined as such by a payment card brand. Also called a “payment gateway” or “payment service provider” (PSP). See also Merchant Bank.

Payment System
Encompasses the entire process for accepting card payments in a merchant retail location (including stores/shops and e-commerce storefronts) and may include a payment terminal, an electronic cash register, other devices or systems connected to the payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), servers with e-commerce components such as payment pages, and the connections out to a merchant bank.

Payment Terminal
Hardware device used to accept customer card payments via swipe, dip, insert, or tap. Also called “point-of-sale (POS) terminal,” “credit card machine,” or “PDQ terminal.”

PCI
Acronym for “Payment Card Industry.”

PCI DSS
Acronym for the PCI Council's “Payment Card Industry Data Security Standard.” The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. Everyone storing, processing or transmitting cardholder information is required to follow the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS Compliant (“PCI Compliant”)
Meeting all applicable requirements of the current PCI DSS, on a continuous basis via a business-as-usual approach. Compliance is assessed and validated at a single point in time; however, it is up to each merchant to continuously follow the requirements in order to ensure robust security. Merchant banks and/or the payment brands may have requirements for formal annual validation of PCI DSS compliance.

PCI DSS Validated
Providing proof that all applicable PCI DSS requirements are met at a single point in time. Depending on specific merchant bank and/or payment brand requirements, validation can be achieved through the applicable PCI DSS Self-Assessment Questionnaire or by a Report on Compliance resulting from an onsite assessment.

Processing Platform / Platform
(UC = FDMS North, Nashville Platforms)
The processing system "engine" the merchant account uses.

Point of Sale (POS)
A term used in the payments industry that refers to the physical location where a payment transaction takes place. POS is also used to describe credit card payment acceptance systems that are designed for the place of sale, such as card swipe terminals.

Processor
An entity in the credit card processing network that handles the posting of transactions for authorization, clearing and settlement to consumer credit card accounts at the card associations, and the settlement of funds to merchant bank accounts. Processors may also provide merchants with billing and reporting services.

Qualified Security Assessor (“QSA”)
A company approved by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS requirements. Note: Coalfire Services is the QSA for the entire UC system.

Retail
The business of selling merchandise or services to consumers. Retail merchants operate in a storefront or physical location and accept Card Present payments, meaning that the payment card is physically presented to the merchant and “swiped” into a card reading device. Also called “Brick and Mortar.”

Self Assessment Questionnaire (“SAQ”)
PCI DSS validation tool used to document self-assessment results from an entity’s PCI DSS assessment. Every credit card merchant is required to complete the SAQ appropriate for their processing environment annually.

Sensitive Authentication Data
Security-related information used to authenticate cardholders and/or authorize payment card transactions, including, but not limited to, card validation codes/values (e.g., the three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data), full magnetic-stripe data, PINs, and PIN blocks. Sensitive authentication data must not be stored after authorization.

Service Provider
A business entity that provides various services to merchants. Typically, these entities store, process, or transmit card data on behalf of another entity (such as a merchant) OR are managed service providers that provide managed firewalls, intrusion detection, hosting, and other IT-related services. Also called a “supplier” or “vendor.”

Settlement
For credit card transactions, settlement occurs at the completion of transaction processing between the involved financial institutions and processing entities, when funds for the credit card transaction have been successfully deposited into the merchant’s bank account.

Tokenization
A process by which the primary account number (PAN) is replaced with an alternative value called a token. Tokens can be used in place of the original PAN to perform functions when the card is absent, such as voids, refunds, or recurring billing. Tokens also provide more security if stolen because they are unusable outside the tokenizing system and thus have no value to a criminal.

Virtual Payment Terminal / Virtual Terminal
Web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. The merchant manually enters payment card data via the securely connected web browser. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes. For security reasons, UCSB does not allow use of Virtual Terminal credit card processing except via an approved, secure payment terminal.