ABA NUMBER
Also known as a routing or transit number, the ABA number contains nine digits and is used by banking systems and other financial institutions for identification purposes. This number is used by banks to route items like checks and credit or debit transactions to the correct financial institution.
ACH
An acronym that stands for the Automated Clearing House electronic network.
ACH AUTHORIZATION
An acknowledgment by an account holder that allows an ACH transaction, either credit or debit, to be applied to a particular account. An account holder who authorizes such a transaction is also known as a receiver. Although debit transactions must be confirmed or otherwise authenticated in writing, by PIN entry or by a digital signature, a credit transaction may be authorized orally.
ACH CREDIT
An act that is conducted by means of the ACH network that pays an account holder (receiver) by making a deposit in an account.
ACH DEBIT
An act that is conducted by means of the ACH network that subtracts funds from an individual account and its account holder (receiver).
ACH NETWORK
A monetary transfer system that is overseen by the Federal Reserve and the National Automated Clearing House Association (NACHA). The network allows participating financial institutions and consumers to route money and perform interbank and other transactions electronically.
ACH OPERATOR
The entity that processes ACH transactions between companies or individuals. As of right now, the Federal Reserve Bank and the Electronic Payments Network (EPN) are the two operators that help facilitate transactions between ACH originators and ACH receivers.
ACQUIRER
A financial institution or Merchant Service Provider (MSP) that processes and operates the credit card transactions for a business or other merchant customer.
ACQUIRING PROCESSOR
The credit card processor that an acquirer uses so that the acquirer can offer merchants various credit services, including billing, reporting, clearing, and settling.
ADDENDA RECORD
A type of record used in the ACH system that contains additional data that is needed to verify the identity of an account holder or to provide additional information regarding an ACH transaction.
ADJUSTMENTS
Used to process disputes or discrepancies with other financial institutions.
AMEX
Abbreviation for American Express, an organization that issues travel and entertainment cards and acquires transactions.
ANSI
The American National Standards Institute.
ANTI-VIRUS SOFTWARE
Software program that detects, removes, and protects against malicious software (also called “malware”) including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits. Also called “anti-malware software.”
ATM INTERCHANGE FEE
The fee paid to the Acquirer Member by the Issuer Member for a STAR ATM Transaction as established from time to time by the STAR Network.
APPROVED SCANNING VENDOR (ASV)
Company approved by the PCI Security Standards Council to conduct scanning services to identify common weaknesses in system configuration.
AUTHENTICATION
A process that is used in an ACH transaction to ensure that the data being exchanged between two parties of an ACH transaction is kept secure and unaltered.
AUTOMATED DEPOSIT
A one-time or recurring deposit that is made to a bank account or another depository financial institution (DFI) by means of the ACH network.
BANK IDENTIFICATION NUMBER (BIN)
The first six digits of any credit card, debit card or other similar financial instrument. A BIN can not only identify the bank from which the card was issued, but it can also identify the ACH network the card belongs to.
BANKING (BUSINESS) DAY
A day that a bank or other depository financial institution is open and is performing financial transactions and all of its normal financial operations. With regard to the ACH network, a banking day is any day that an ACH operator is open and performing ACH operations and transactions.
BATCH
The accumulation of captured (sale) transactions waiting to be settled. Multiple batches may be settled throughout the day.
BATCH PROCESSING
A type of data processing and data communications transmission in which related transactions are grouped together and transmitted for processing, usually by the same computer and under the same application.
BANK IDENTIFICATION NUMBER (BIN)
The first six digits (or more) of a payment card number that identifies the financial institution that issued the payment card to the cardholder.
CAPTURE DATE
The date on which a transaction is processed by an acquirer.
CARD DATA / CUSTOMER CARD DATA
At a minimum, card data includes the primary account number (PAN), and may also include cardholder name and expiration date. The PAN is visible on the front of the card and encoded into the card’s magnetic stripe and/or the embedded chip. Also referred to as cardholder data. See also Sensitive Authentication Data for additional data elements which may be part of a payment transaction but which must not be stored after the transaction is authorized.
CARD ISSUER
1) The financial institution or retailer that authorizes the issuance of a card to a consumer (or another organization), and is liable for the use of the card. The issuer retains full authority over the use of the card by the person to whom the card is issued.
2) Any bank or organization that issues, or causes to be issued, bankcards to those who apply for them.
3) Any organization that uses or issues a personal identification number (PIN).
CARD VERIFICATION CODE (CVC)
A unique value calculated from the data encoded on the magnetic stripe of a MasterCard card, validating card information during the authorization process.
CARD VERIFICATION VALUE (CVV)
A unique value calculated from the data encoded on the magnetic stripe of a VISA card, validating card information during the authorization process.
CARDHOLDER
The person to whom a financial transaction card is issued or an additional person authorized to use the card.
CHARGEBACK
A transaction that is challenged by a cardholder or card issuing bank and is sent back through interchange to the merchant bank for resolution.
CHARGEBACK PERIOD
The number of calendar days (counted from the transaction processing date) during which the issuer has the right to charge the transaction back to the acquirer. The number of days varies according to the type of transaction from 45 to 180 days.
CHECK VERIFICATION
A service provided in which a merchant accesses a national negative file database through their terminal/register to verify or authorize the person has no outstanding bad check complaints at any of the member merchants. This is not a guarantee of payment to the merchant.
CHIP
A small square of thin semiconductor material, such as silicon, that has been chemically processed to have a specific set of electrical characteristics such as circuits, storage, and/or logic elements.
CLEARING HOUSE
A group of depository financial institutions (DFIs) that clear checks or other electronic transactions and items by exchanging funds between group members.
COMMERCIALLY REASONABLE
A common procedure, practice or system that is used regularly by originators.
COMPLIANCE
The procedure a VISA or MasterCard member may use to resolve a dispute between members when no chargeback reason code applies. The challenging member must prove financial loss due to a violation of MasterCard and/or VISA rules by the other member.
COUNTERFEIT CARD
A plastic card which has been fraudulently printed, embossed or encoded to appear to be a genuine bank card, but which has not been authorized by MasterCard or VISA or issued by a member. A card originally issued by a member but subsequently altered without the issuer’s knowledge or consent.
CREDENTIAL
Information used to identify and authenticate a user for access to a system. For example, credentials are often the username and password. Credentials may include a fingerprint, retina scan, or a one-time number generated by a portable “token-generator.” Security is stronger when access requires multiple credentials.
CYBER-ATTACK
Any type of offensive maneuver to break into a computer or system. Cyber-attacks can range from installing spyware on a PC, breaking into a payment system to steal card data, or attempting to break critical infrastructure such as an electric power grid.
DATA BREACH
A data breach is an incident in which sensitive data may have potentially been viewed, stolen, or used by an unauthorized party. Data breaches may involve card data, personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property, etc.
DATA ENCRYPTION STANDARD
The method that is used to scramble a message or other data into a coded series of bits before transmission.
DATA TRANSMISSION
The transfer of information and other data between two computers or other data processors.
DEBIT
A charge to a customer’s bankcard account.
DEBIT CARD
Any card that primarily accesses a Deposit Account.
DEBIT TRANSACTION
A bankcard used to purchase goods and services and to obtain cash, which debits the cardholder’s personal deposit account.
DECLINE or DECLINED
The denial of an Authorization Request by, or on behalf of, an Issuer Member.
DEFAULT PASSWORD
A simple password that comes with new software or hardware. Default passwords (like “admin” or “password” or “123456”) are easily guessed and usually are available via online search. They are intended as a placeholder and offer no real security—and must be changed to a stronger password after installing new software or hardware.
DESCRIPTIVE STATEMENT
An account summary that includes information for ACH entries that do not contain an enclosure document from the originating financial institution. All ACH entries need a descriptive statement as defined by Regulation E.
DFI
Depository Financial Institution.
DIRECT DEBIT
An ACH network transaction where debtors enable creditors to debit their accounts once their financial institutions have received corresponding entries from the individual creditors.
E-CHECK
The electronic equivalent of a paper check.
EFFECTIVE ENTRY DATE
The date given to an ACH transaction by its originator or an ODFI. Usually, this is the date on which an originator or an ODFI wants an ACH transaction to take place.
ELECTRONIC BANKING
A form of banking in which funds are transferred through an exchange of electronic signals between financial institutions, rather than an exchange of cash, checks or other negotiable instruments.
ELECTRONIC BILL PAYMENT (E-pay)
An alternative to paper checks for paying bills. Consumers can use PCs, telephones, screen phones or ATMs to send electronic instructions to their bank or bill payment provider to withdraw funds from their accounts and pay merchants. Payments may be made either electronically or by a paper check issued by the bill payment provider.
ELECTRONIC CASH REGISTER (ECR)
A device that registers and calculates transactions and may print out receipts, but does not accept customer card payments. Also called a “till.”
ELECTRONIC CHECK ACCEPTANCE or ECA
A system that captures banking information of a paper check and converts it into an electronic item processed through the Automated Clearing House network. With ECA, checks are processed similarly to credit cards, and the paper check is returned to the consumer at the point of sale.
ELECTRONIC COMMERCE (E-commerce)
The transacting of business electronically rather than via paper.
ELECTRONIC FUNDS TRANSFER
The term used when money is exchanged between individuals, businesses or other institutions without using a check or a draft.
ELECTRONIC FUNDS TRANSFER ACT
The law created by the United States federal government that regulates the usage and the management of electronic funds transfers and services.
ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT (E-SIGN)
The law created by the United States federal government that manages and details the usage of digital signatures and records in electronic commerce.
EMV
EMV, or EuroPay, MasterCard and Visa, is a microchip-based technology designed to reduce fraud at the point-of-sale. Banks are beginning to issue payment cards with these embedded chips, which also support contactless payments.
ENCRYPTION
The technique of scrambling data automatically in the terminal or computer before data is transmitted for security/anti-fraud purposes.
FILE HEADER
The initial data of an ACH file that contains the information needed to route, validate and track the ACH transactions found in the file.
FINANCIAL INSTITUTION
Any organization in the business of moving, investing or lending money, dealing in financial instruments, or providing financial services. Includes commercial banks, thrifts, federal and state savings banks, savings and loan associations, and credit unions.
FIREWALL
Hardware and/or software that protects network resources from unauthorized access. A firewall permits or denies communication between computers or networks with different security levels based upon a set of rules and other criteria.
FORENSIC INVESTIGATOR
PCI Forensic Investigators (PFIs) are companies approved by the PCI Council to help determine when and how a card data breach occurred. They perform investigations within the financial industry using proven investigative methodologies and tools. They also work with law enforcement to support stakeholders with any resulting criminal investigations.
FUNDING
Refers to the payment to a merchant for his submitted deposits.
FUNDS AVAILABILITY
The day and time when money that has been involved in an ACH transaction is made available to an account holder.
FUNDS TRANSFER SYSTEM
A wire transfer network, ACH, or other communication system or clearing house or association of banks in which First Data’s Clearing/Funding Bank is a member and through which a payment order by a bank may be transmitted. Includes SWIFT, CHIPS, Fedwire, the National Association of Clearing House Associations, MasterCard, and VISA.
HACKER
A person or organization that attempts to circumvent security measures of computer systems to gain control and access. Usually, this is done in an effort to steal card data.
HOSTING PROVIDER
Offers various services to merchants and other service providers, where their customers’ data is “hosted” or resident on the provider’s servers. Typical services include shared space for multiple merchants on a server, providing a dedicated server for one merchant, or web apps such as a website with “shopping cart” options.
INTERCHANGE
The method by which all of the parties that are included in a credit card transaction regulate the processing, clearing and settlement of credit card transactions. This is also frequently defined as “Credit Card Interchange.”
ISSUING BANK
A bank or other financial institution that distributes credit cards to customers in place of a credit card association. The terms “Card Issuing Bank” and “Issuer” are often used in place of Issuing Bank.
JAPANESE CREDIT BUREAU (JCB)
Issuers of the JCB card.
LOG
A file that is created automatically when certain predefined (often security-related) events occur within a computer system or network. Log data includes date/time stamp, description of the event, and information unique to that event. These files are useful for troubleshooting technical issues or a data breach investigation. Also called an “audit log” or “audit trail.”
MAGNETIC STRIPE
A stripe (on the bankcard) of magnetically encoded cardholder account information affixed to a plastic card.
MALWARE
Malicious software designed to infiltrate a computer system with the intent of stealing data, or damaging applications or the operating system. Such software typically enters a network during many business-approved activities such as via email or browsing websites. Malware examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.
MERCHANT BANK
A bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Also called an “acquirer,” “acquiring bank,” “card processor,” or “payment processor.” See also Payment Processor.
MICR NUMBER METHOD
A check authorization procedure that uses the bank routing/transit numbers, checking account numbers and check number encoded along the bottom of the check.
MAGNETIC INFORMATION CHARACTER RECOGNITION (MICR)
Imprinted banking numbers (routing/transit number, checking account number, check number) at the bottom of the check.
MEMBER
A financial institution which is a member of VISA USA and/or MasterCard International. A member is licensed to issue cards to cardholders and/or accept merchant drafts.
MEMO POSTING
A notice posted to an account that specifies that a credit has been issued to the account but has not cleared or posted.
MERCHANT ACCOUNT
An account from a bank or a financial institution that a merchant uses specifically for collecting bank account, credit card or other ACH transactions. Merchant accounts can be either Card Present (CP) account, in which payment is physically given to the merchant when a transaction occurs, or a Card Not Present (CNP) account, in which payment is not physically obtained by the merchant when a transaction occurs.
MERCHANT ACCOUNT PROVIDER
A bank or other financial institution that issues a financial account to a merchant so that the merchant can collect funds from customer bank accounts and credit card transactions.
MERCHANT IDENTIFICATION NUMBER (MID)
A number that is given to each member merchant of a financial institution, such as a Merchant Service Provider (MSP), a processor or an Independent Sales Organization (ISO), that is used for identification purposes.
MOBILE DEVICE
General term for a class of consumer electronic devices such as smartphones and tablets that are small, portable, and can connect to computer networks wirelessly.
MOBILE PAYMENT ACCEPTANCE
Using a mobile device to accept and process payment transactions. The mobile device is usually paired with a commercially available card-reader accessory.
MULTI-FACTOR AUTHENTICATION
Method for authenticating a user when two or more factors are verified. These factors include something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.).
NACHA (NATIONAL AUTOMATED CLEARING HOUSE ASSOCIATION)
The entity that establishes and oversees the NACHA Operating Rules. NACHA also manages all ACH operations and policies, including system education and the publication of payment-related materials.
NET PAYMENT
Payment to the merchant for sales drafts less credits minus the appropriate discount fee.
NET REVENUE
Discount income less interchange expense.
NET SETTLEMENT
The settlement, through an actual transfer of funds, of the net effect of a series of financial transactions involving customers of two or more banks.
NETWORK
Two or more computers connected together via physical or wireless means.
NON-BANK
In a payment system, a financial institution not offering retail banking services.
NON-SUFFICIENT FUNDS
A rejection and return of an ACH transaction that is caused by a receiver’s financial account not having sufficient funds to complete a particular transaction.
NOTIFICATION OF CHANGE
A notice given to a merchant by a bank or another financial institution to signify that there was an error in some of the account information provided with a particular transaction. A notification of change will include the correct account information.
OPERATING SYSTEM
Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources. Examples include Microsoft Windows, Apple OSX, iOS, Android, Linux, and UNIX.
ODFI (ORIGINATING DEPOSITORY FINANCIAL INSTITUTION)
A DFI that participates with the ACH network to originate ACH transactions. These financial institutions can work immediately with ACH operators, or they can work with a Sending Point or other third-party processor.
ORIGINATOR
An institution or business that creates an ACH file and distributes it to an ODFI to be admitted to the ACH network.
P2PE
Acronym for the PCI Council’s Point-to-Point-Encryption standard. See details at www.pcisecuritystandards.org.
PA-DSS
Acronym for the PCI Council’s “Payment Application Data Security Standard.” See details at www.pcisecuritystandards.org.
PAPER
Sales slips, credit slips, cash disbursement slips and other obligations indicating use of a card or a card account. Also referred to as “media.”
PARTICIPATING DEPOSITORY FINANCIAL INSTITUTION
A DFI that has received permission from an ACH operator to originate or receive ACH transactions.
PATCH
Update to existing software that adds functionality or corrects a defect (or “bug”).
PAYMENT APPLICATION
Related to PA-DSS, a software application that stores, processes, or transmits cardholder data as part of authorization or settlement of payment transactions.
PAYMENT APPLICATION VENDOR
An entity that sells, distributes, or licenses a payment application to POS integrators/resellers for integration into merchant payment systems, or directly to merchants for their own installation and use.
PAYMENTS GATEWAY
An electronic system that lets merchants submit payment transactions to payment processing networks. This system also gives merchants transaction reports, as well as management and billing services.
PAYMENT MIDDLEWARE
A general term for software that connects two or more, perhaps unrelated, payment applications together. For example, it may pass card data between an application on a payment terminal and other merchant systems that send card data to a processor.
PAYMENT SYSTEM
Encompasses the entire process for accepting card payments in a merchant retail location (including stores/shops and e-commerce storefronts) and may include a payment terminal, an electronic cash register, other devices or systems connected to the payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), servers with e-commerce components such as payment pages, and the connections out to a merchant bank.
PAYMENT TERMINAL
A hardware device used to accept customer card payments via swipe, dip, insert, or tap. Also called “point-of-sale (POS) terminal,” “credit card machine,” or “PDQ terminal.”
PCI
Acronym for Payment Card Industry.
PCI DSS
Acronym for the PCI Council’s “Payment Card Industry Data Security Standard.” See details at www.pcisecuritystandards.org.
PCI DSS COMPLIANT
Meeting all applicable requirements of the current PCI DSS, on a continuous basis via a business-as-usual approach. Compliance is assessed and validated at a single point in time; however, it is up to each merchant to continuously follow the requirements in order to ensure robust security. Merchant banks and/or the payment brands may have requirements for formal annual validation of PCI DSS compliance.
PCI DSS VALIDATED
Providing proof that all applicable PCI DSS requirements are met at a single point in time. Depending on specific merchant bank and/or payment brand requirements, validation can be achieved through the applicable PCI DSS Self-Assessment Questionnaire or by a Report on Compliance resulting from an onsite assessment.
PCI VALIDATED PAYMENT APPLICATION
A software application that has been validated per the PCI Payment Application Data Security Standard (PA-DSS) and is listed on the PCI Council website.
PCI-LISTED POINT-TO-POINT ENCRYPTION SOLUTION
Encryption solution that has been validated per the PCI Point-to-Point-Encryption (P2PE) standard and is listed on the PCI Council website.
PIN (PERSONAL IDENTIFICATION NUMBER)
The confidential individual number or code used by a cardholder to authenticate card ownership for ATM or POS terminal transactions.
PIN AUTHORIZATION REQUEST
A procedure enabling the issuer to validate cardholder identity by comparing the PIN to the account numbers.
PIN PAD
A Tamper Resistant Security Module that enables a Cardholder to enter his or her PIN at a Terminal.
PIN VERIFICATION
A procedure utilized by or on behalf of the Issuer Participant to verify the identification of the Cardholder as a result of the use of the PIN upon receipt of a Transaction request.
PRIMARY ACCOUNT NUMBER (PAN)
Unique number for credit and debit cards that identifies the cardholder account.
POINT OF SALE (POS)
The location of a merchant where the customer makes a purchase.
POINT-OF-SALE SYSTEM
An electronic system that accepts financial data at or near a retail selling location and transmits that data to a computer or authorization network for reporting activity, authorization and transaction logging.
POS TERMINAL
A device placed in a merchant location that is connected to the bank’s system or authorization service provider via telephone lines and is designed to authorize, record and forward data by electronic means for each sale.
PREPAID CARDS
A reloadable or non-reloadable debit card that allows the holder to only spend up to the amount that has been pre-deposited into the account.
PRENOTIFICATION (PRENOTE)
An entry for zero dollars that allows a receiving depository financial institution (RDFI) to validate account and entry information. A prenotification must be transmitted through the ACH network at least six days before actual entries are scheduled to impact accounts at RDFIs.
PRIVILEGE ABUSE
Using computer system access privileges in an abusive manner. Examples include a system administrator accessing card data for malicious purposes, or someone stealing and using an administrator’s elevated access privileges for malicious purposes.
PROCESSOR
An organization that is connected to VISANet and/or Banknet and provides authorization and/or clearing and settlement services on behalf of a member.
PTS
Acronym for the PCI Council’s PIN Transaction Security standard. PTS is a set of modular evaluation requirements for PIN acceptance point-of-interaction (POI) terminals. See details at www.pcisecuritystandards.org.
QUESTIONABLE ACH RETURN – R17
Under the Return for Questionable Transaction Rule, RDFIs may (but are not required to) use Return Reason Code R17 – File Record Edit Criteria to indicate that the RDFI believes the entry containing invalid account information was initiated under questionable circumstances.
QIR
Acronym for “Qualified Integrator or Reseller.”
QUALIFIED SECURITY ASSESSOR (QSA)
A company approved by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS requirements.
REASON CODE
A code used to provide additional information to the receiving clearing member regarding the nature of a chargeback, subsequent presentment, fee collection, funds disbursement, or request for a source document.
RECEIPT
A hard copy description of the transaction that took place at the point-of-sale, containing at minimum: date, merchant name/location, primary account number, type of account accessed, amount, reference number, and an action code.
RECURRING TRANSACTION
A transaction charged to the cardholder (with prior permission) on a periodic basis for recurring goods and services, e.g., health club memberships, book-of-the-month clubs, etc.
RECEIVER
The individual, company or institution that has given an originator permission to issue a refund or charge a transaction to their bank account.
RDFI (RECEIVING DEPOSITORY FINANCIAL INSTITUTION)
A depository financial institution (DFI) that receives ACH transactions. An RDFI can work immediately with an ACH operator to facilitate and complete these transactions, or it can work through a Receiving Point or other third-party processor.
RECEIVING POINT
A processing site that collects entries from an ACH operator for an RDFI.
REGIONAL PAYMENTS ASSOCIATION
An organization that was created by DFIs to help manage and endorse the processes of electronic transactions.
REGULATION CC
A regulation that was administered by the Federal Reserve Bank Board of Governors that enacted the Expedited Funds Availability Act and the Check Clearing for the 21st Century Act.
REGULATION E
A regulation that was administered by the Federal Reserve Bank Board of Governors that defined consumers’ rights regarding their responsibilities and liabilities when dealing with electronic fund transfers and financial institutions that offer electronic fund transfers.
REMOTE ACCESS
Access to a computer network from a location outside of that network. Remote access connections can originate either from inside the company’s own network or from a remote location. An example of technology for remote access is a virtual private network (VPN). Remote access can be either internal (e.g., IT support) or external (e.g., service providers, third-party agents, integrators/resellers).
RETURNED ITEM
An ACH transaction that was denied by an RDFI because it could not be posted or cleared.
REVERSING ENTRY
An entry made by a Sending Point that is used to negate a previous entry made in error.
ROUTER
Hardware or software that connects two or more internal or external computer networks to “route” or guide data through a network, and to ensure the data flows properly between those networks. The router can also create more security by permitting only approved traffic and denying unapproved traffic.
ROUTING/TRANSIT NUMBER
The nine-digit number that is used by banks and financial institutions for identification and routing purposes. This number is also known as the ABA number.
SALES DRAFT
Paper documentation of a transaction. Also called a sales slip, charge slip or hard copy.
SECURITY COMPLIANCE REVIEW
A review that is based on an approved checklist and that is performed by a Member’s or Processor’s Approved Auditor to verify the Member’s or the Processor’s compliance with these Rules.
SECURE CARD READER (SCR)
A PTS-approved device that attaches to a mobile phone or tablet for securely accepting payment cards. PCI PTS-approved SCRs protect and encrypt the card data via SRED. See also SRED.
SECURITY CODE
A three- or four-digit value printed onto the front or back signature panel of a payment card. This code is uniquely associated with an individual card and is used as an additional check to ensure that the card is in possession of the legitimate cardholder, typically during a card-not-present transaction. Also referred to as card security code.
SENDING POINT
A processing site that routes transactions to an ACH operator for an ODFI.
SELF ASSESSMENT QUESTIONNAIRE (SAQ)
PCI DSS validation tool used to document self-assessment results from an entity’s PCI DSS assessment.
SENSITIVE AUTHENTICATION DATA
Security-related information used to authenticate cardholders and/or authorize payment card transactions, stored on the card’s magnetic stripe or chip.
SERVICE PROVIDER
A business entity that provides various services to merchants. Typically, these entities store, process, or transmit card data on behalf of another entity (such as a merchant) OR are managed service providers that provide managed firewalls, intrusion detection, hosting, and other IT-related services. Also called a “vendor.”
SETTLEMENT
The confirmation and accounting of transactions that have been processed by an ACH operator.
SETTLEMENT DATE
The actual date on which a transaction is completed and funds change ownership.
SIMILARLY AUTHENTICATED
A way to allow both signed and written authorizations to be acquired electronically. To be considered “in writing,” an electronic authorization must be legible on a display screen so that the consumer can read it and give their authorization.
SHOPPING CART SOFTWARE
Shopping cart software allows the cardholder to select items from an online store and place them in a virtual shopping basket or shopping cart. The shopping cart remembers which items are selected while the cardholder views other items within the virtual storefront, keeps a running total, and may calculate taxes and shipping. The items in the shopping cart are eventually ordered if the cardholder chooses.
SKIMMING
Stealing card data directly from the consumer’s payment card or from the payment infrastructure at a merchant location such as with a rogue hand-held card reader or via modifications made to the merchant’s payment terminal. Its purpose is to commit fraud, the threat is serious, and it can hit any merchant’s environment.
SKIMMING DEVICE
A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card. Also called a “card skimmer.”
SMALL MERCHANT
A business that typically has a single location or possibly a few locations, with limited to no IT budget and usually with no IT personnel on staff.
SMART CARD
A plastic card resembling traditional credit or debit cards that contains a computer chip; the chip is capable of storing significantly more information than a magnetic stripe.
SOURCE DOCUMENT
A document, such as a check or draft, that is used to initiate an ACH entry.
STAND-ALONE TERMINAL
A payment terminal that does not rely on connection to any other device within the merchant environment and performs no other functions. The only requirement for it to operate is a connection to the processor through either an Internet connection or a telephone line. If the terminal requires connection to a computerized electronic cash register or is multi-function (like a mobile device), it is not a stand-alone terminal.
STANDARD ENTRY CLASS CODE (SEC)
A three-character code that is used in ACH documents to identify the different types of ACH transactions and route them accordingly.
STRONG AUTHENTICATION
Used to verify the identity of a user or device to ensure the security of the system it protects. The term strong authentication is often synonymous with multifactor authentication (MFA).
SUBMISSION
The process of sending batch deposits to Merchant Services for processing. This may be done electronically or by mail.
SUPPORT DOCUMENTATION
The forms necessary to effect a chargeback processing cycle, and any additional material to uphold a dispute.
TELEPHONE BILL PAYMENT
A service that permits a customer to pay bills electronically. The customer gives a corporation the authority to debit his or her account for a specific amount or within a specified range of amounts.
THIRD-PARTY SENDER
A service provider that works with an ODFI or another third-party sender to facilitate and originate transactions through the ACH network. In a situation like this, an agreement is not made between the originator and the ODFI. A third-party sender is a subset of a third-party service provider.
THIRD-PARTY SERVICE PROVIDER
A financial institution or bank that provides ACH services to other businesses, individuals and financial institutions.
TOKENIZATION
A process by which the primary account number (PAN) is replaced with a surrogate value called a token. Tokens can be used in place of the original PAN to perform functions when the card is absent like voids, refunds, or recurring billing. Tokens also provide more security if stolen because they are unusable and thus have no value to a criminal.
TRANSACTION
Any event that causes a change in an organization’s financial position or net worth, resulting from normal activity. Examples include an advance of funds, a purchase of goods at a retailer, or a borrower activating a revolving line of credit. The term also covers activities affecting a deposit account carried out at the request of the account owner. One example of a transaction is the process that takes place when a cardholder makes a purchase with a credit card.
TRANSACTION DATE
The actual date on which a transaction occurs. Used in recording and tracking transactions.
TRANSACTION FEES
Service costs charged to a merchant on a per-transaction basis.
UCOMMERCE
Short for Universal Commerce, UCommerce is the intersection of online, kiosk, and in-store payment enablement, incorporating social media and near-field communications. With UCommerce, the mobile device is at the center of the user experience.
UNAUTHORIZED RETURNS
An Unauthorized Return is an ACH transaction that is coming back unpaid and unauthorized by the Customer. Unauthorized ACH Returns can come back for several different reasons.
The unauthorized return reason codes and reasons are below:
- R05 – Unauthorized debit to consumer account using a corporate SEC (Standard Entry Class) code
- R07 – Authorization revoked by the customer
- R10 – Customer Advises Originator is Not Known to Receiver and/or Originator is Not Authorized by Receiver to Debit Receiver’s Account. This code should be used for all returns of an unauthorized debit to a consumer account.
- R11 – Customer Advises Entry Not in Accordance with Terms of the Authorization. This code should be used when:
  - The amount is different than that authorized by the receiver
  - Payment posted earlier than authorized by the receiver
  - Incomplete transaction (i.e., a payment to an intended third-party payee that was not made or completed by the originator)
  - Improperly reinitiated entry
  - Improperly originated ARC, BOC, or POP entries
- R29 – Corporate customer advised transaction was unauthorized
- R51 – Item related to an RCK (Re-presented Check) entry is ineligible or entry is improper
UNIFORM COMMERCIAL CODE ARTICLE 4A (UCC 4A)
A body of state law that manages and commands commercial transactions. Article 4A specifically covers money transfers that are not subject to the Electronic Funds Transfer Act. ACH credit transactions are covered by this article.
UPIC (UNIVERSAL PAYMENT IDENTIFICATION CODE)
A unique code that is issued to bank accounts so that businesses and institutions can collect electronic payments without revealing their private banking information. UPICs can only be used for credit payments, and they can travel between one institution and another.
UNENCRYPTED DATA
Any data that is readable without the need to decrypt it first. Also called “plaintext” and “clear text” data.
VENDOR
A business entity that supplies a merchant with a product or service needed for the course of business. Where services are offered, the vendor may be considered a service provider and may require access to physical locations or computer systems within the merchant environment that could affect the security of card data.
VIRTUAL PAYMENT TERMINAL
Web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. The merchant manually enters payment card data via the securely connected web browser. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
VIRTUAL PRIVATE NETWORK (VPN)
The VPN consists of virtual circuits within a larger network, such as the Internet, instead of direct connections by physical wires. The end points of the VPN “tunnel” through the larger network, which is done to create a private, secure connection.
VIRUS
Malware that replicates copies of itself into other software or data files on an “infected” computer. Upon replication, the virus may execute a malicious payload, such as deleting all data on the computer. A virus may lie dormant and execute its payload later, or it may never trigger a malicious action. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is called a “worm.”
VULNERABILITY
Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
VULNERABILITY SCAN
A software tool that detects and classifies potential weak points (vulnerabilities) on a computer or network. A scan may be performed by an organization’s IT department or a security service provider (such as an Approved Scanning Vendor).
WAREHOUSING
The capability of an ODFI to obtain and hold an ACH entry from an originator before the Effective Entry Date and before needing to release it, or the capability of a RDFI to obtain and hold an ACH entry without posting it until the Settlement Date.
WHOLESALE CREDIT
A credit transaction that is either originated or received by a non-consumer account.
Wi-Fi
Wireless network that connects computers without a physical connection to wires.
WIRELESS PAYMENT TERMINAL
Payment terminal that connects to the Internet using any of various wireless technologies.