Account number

Payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also called Primary Account Number (PAN).


Includes all purchased and custom software programs or groups of programs designed for end users, including both internal and external (web) applications.


Process of verifying identity of a subject or process.


A process by which a card issuer approves a transaction for a specified amount with a merchant.

Card Validation Value or Code

Data element on a card's magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:

  • CAV Card Authentication Value (JCB payment cards)
  • CVC Card Validation Code (MasterCard payment cards)
  • CVV Card Verification Value (Visa and Discover payment cards)
  • CSC Card Security Code (American Express)

Note: The second type of card validation value or code is the three-digit value printed to the right of the credit card number in the signature panel area on the back of the card. For American Express cards, the code is a four-digit unembossed number printed above the card number on the face of all payment cards. The code is uniquely associated with each individual piece of plastic and ties the card account number to the plastic. The following provides an overview:

  • CID Card Identification Number (American Express and Discover payment cards)
  • CAV2 Card Authentication Value 2 (JCB payment cards)
  • CVC2 Card Validation Code 2 (MasterCard payment cards)
  • CVV2 Card Verification Value 2 (Visa payment cards)


Customer to whom a card is issued or individual authorized to use the card. The person or entity whose name is embossed on the face of the card.

Cardholder data

As defined by the PCI Security Standards Council, consists of the Primary Account Number alone, and also includes the Cardholder Name, Service Code, and Expiration Date when any of these elements are stored in conjunction with the PAN.

Cardholder data environment

Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment


A reversal of a payment card transaction initiated by the consumer who holds the card or the bank that issued the card used in the purchase.

Chargeback Notification This is the official notice for a chargeback. The notice provides sales information and a deadline for a response. There is a $9.00 fee from the Merchant Bank for this notice regardless of resolution.
Chargeback Summary Service Code Provides a status report of Chargebacks issued to the Merchant. No response is required.

Credit card

Payment method that allows the cardholder to make payments for goods and services and receive cash through credit from the card-issuing bank.

Charge card

A credit card which requires payment in full upon receipt of the statement.

Compensating controls

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must 1) meet the intent and rigor of the original stated PCI DSS requirement; 2) repel a compromise attempt with similar force; 3) be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and 4) be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

Data Compromise

Also referred to as a breach. Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected.

Debit card

Payment method that allows the cardholder to make payments through direct withdrawal from the cardholder's bank account.

Default password

Password on system administration or service accounts when system is shipped from the manufacturer; usually associated with default account. Default accounts and passwords are published and well known.


Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.


Hardware, software, or both that protect resources of one network from intruders from other networks. Typically, an enterprise with an intranet that permits workers access to the wider Internet must have a firewall to prevent outsiders from accessing internal private data resources.

Hosting Provider

Offer various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of "shopping cart" options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server.

Magnetic stripe data (Track Data)

Data encoded in the magnetic stripe used for authorization during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/ Card Validation Value/Code, and proprietary reserved values must be purged; however, account number,expiration date, name, and service code may be extracted and retained, if needed for business.


Any University entity that participates in card processing activities.

Merchant account

An account established by contractual agreement between a merchant/business and a bank or payment gateway.

Merchant Card Coordinator

University position that serves as the interface between the merchant bank and merchants. The Merchant Card Coordinator provides support, training, and general service to merchants in all areas relating to payment card processing (e.g., reconciliation, disputes, compliance).

Payment cards

Credit cardsdebit cards, and charge cards issued by a financial institution.

Payment gateway

An e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateways encrypt sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant.

Point to Point Encryption (P2PE)

A point - to - point encryption (P2PE) solution is provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider's secure decryption environment.

Primary account number (PAN)

The payment card number (credit or debit) that identifies the issuer and the particular cardholder account. Also called Account Number.

Privileged Access

Access to more than one card number at a time, as opposed to access to a single card number for purposes of completing a transaction (Thus, the term describes positions such as database administrators of systems that house cardholder data, but not cashiers handling one card at a time).

Request for Transaction Documentation Customer does not recognize the transaction and requests additional information from the merchant such as a signed sales receipt. Notice will have a deadline for response. Customer still has the option of disputing the transaction with a Chargeback Notification then being issued. There is no charge for this request from the Merchant Bank

Sensitive Authentication Data

Data that may not be retained subsequent to the merchant receiving the initial authorization response message. Consists of:

  • Card Validation Code 2
  • Track 1 or Track 2 from the Magnetic Stripe
  • PIN Blocks

Service Provider

Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching or transaction data and cardholder information or both. This also includes companies that provide services to merchants, services providers or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.


Acronym for "Self-Assessment Questionnaire." Tool used by any entity to validate its own compliance with the PCI DSS.


Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an "inside job" by a dishonest employee of a legitimate merchant. The thief can procure a victim's credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victim's credit card numbers.

SQL injection

Form of attack on database-driven web site. An attacker executes unauthorized SQL commands by taking advantage of insecure code on system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database


Device that performs dynamic authentication

Two-factor authentication

Authentication that requires users to produce two credentials to access a system. Credentials consist of something the user has in their possession (for example, smartcards or hardware tokens) and something they know for example, a password). To access a system, the user must produce both factors.

Virtual Terminal

Allows merchants who have internet access to take orders over the phone or mail and manually enter credit card information without the need for an internet storefront.

Wireless technology

Includes any technology used to transmit data without a physical connection.


Cross-site scripting. Type of security vulnerability typically found in web applications. Can be used by an attacker to gain elevated privilege to sensitive page content, session cookies, and variety of other objects.