PCI Awareness Training Glossary of Terms

Analog Phone Line Analog electrical signal; A compliant method for transmitting cardholder data.

Attestation of Compliance Typically signed by a Qualified Security Assessor or Security Assessor. (AOC)

Card Verification Code (CVC) Data element on a card's magnetic stripe that uses secure cryptographic process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand.

Cardholder Data (CHD) Full magnetic stripe or the primary account number including cardholder name, expiration date, and service code.

Cardholder Data Environment Cardholder Data Environment, for IP-connected devices that process credit (CDE) cards, and devices that affect the security of said devices.

CERTIFI Compliant Electronic Receipt Transactions through Innovation and Financial Integrity. A committee established by the University in order to implement and manage the directives of the Payment Card Industry Security Standards Council, NACHA and the electronic commerce requirements set forth by the North Carolina Office of the State Controller and North Carolina State legislature.

Chip EMV Chip located on the front of most credit cards.

ClientLine FirstData’s merchant transaction reporting tool.

Credit Card Number A unique number used in a financial transaction that identifies a particular credit card account.

Fiserv Formerly know as First Data. This is North Carolina's contracted processor and merchant bank.

Front-end Software Program used to collect data or communicate a set amount of information.

Information Security Office The University’s Information Security Office oversees the security of the University’s electronic information. The Information Security Office is (ISO) responsible for coordinating and ensuring that information security across Version 01292020 PCI Awareness Training Glossary of Terms

the University is consistent with industry best practices and the University’s compliance obligations. To meet these objectives, the Information Security Office develops information security policies and oversees the implementation of strategic information security initiatives for the University.

Merchant A University department or unit that is authorized to accept credit card payments for goods or services provided to customers.

Merchant Identification (MID) Typically this is a 12-digit number issued by Fiserv (Formerly First Data) beginning with the digits 419.

Payment Gateway Service provider responsible for communicating payment information from the front end software to the acquiring bank.

PCI Data Security Standard The compliance requirements that have been established by the major card (PCI DSS) brands Visa, Mastercard, American Express, Discover Card with the objective of improving the safekeeping of cardholder information and the prevention of system breaches. This is the payment card compliance standard that the University adheres to.

PCI DSS Compliant The status of a merchant who has fulfilled all the requirements of the the PCI DSS.

PCI Security Standards Council A global open body formed to develop, enhance, disseminate and assist (PCI SSC) with the understanding of security standards for payment account security.

Point of Sale (POS) Terminal A device used to take customer card payments via swipe, dip, insert, tap, or manual entry.

Primary Account Number Unique payment card number (typically for credit or debit cards) that (PAN) identifies the issuer and the particular cardholder account.

Qualified Security Assessor A company approved by the PCI Security Standards Council to validate an (QSA) entity’s adherence to PCI DSS requirements.

Self-Assessment Pronounced "sack"; an annual compliance documentation. Questionnaire

Service Provider Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that Version 01292020 PCI Awareness Training Glossary of Terms

control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access – such as a telecommunications company providing just the communication link – the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).

Validated Point-to-Point The only encryption devices qualified to complete a SAQ P2PE. Encryption

Version 01292020