Ecommerce Glossary

  • ACH: Automated Clearing House
  • AES: Advanced Encryption Standard
  • Attack Vector
  • AOC: Attestation of Compliance. Application form submitted by a merchant/service provider to PCI SSC for PCI DSS assessment registration.
  • AOV: Attestation of Validation
  • ATM Card: Automated Teller Machine Card
  • Authorization: First stage of a payment transaction: the payment processor checks that the account associated with the card has sufficient funds or credit for the transaction
  • BDK: Base Derivation Key
  • BIN: Bank Identification Number
  • BOP: Business Online Payment
  • BOS: Back Office Server
  • Carding: Buying/selling stolen payment card data
  • Card-not-present Transaction: When a payment system doesn’t physically read the magnetic stripe of the card
  • Card-present Transaction: The POS system reads the magnetic stripe (or the cashier manually enters information from the card)
  • CCH: Commerce Clearing House. A Wolters Kluwer business that provides software and information services for tax, accounting and audit workers.
  • Chargeback: Rejected payment transaction. The charge a credit card merchant pays a customer after the customer successfully disputes an item on the statement.
  • CHD: Cardholder Data (sensitive data)
  • Completion: Second stage of payment transaction processing (after authorization)
  • CVV: Card Verification Value. 3- or 4-digit code located on magnetic tracks 1 and 2 of a payment card
  • CVV2: Card Verification Value 2. 3-digit code on the back (or front?) of a plastic payment card.
  • CRM: Customer Relationship Management (including CRM systems).
  • DCC: Dynamic Currency Conversion
  • DEK: Data Encryption Key.
  • DES: Data Encryption Standard. (Deprecated)
  • DUKPT: Derived Unique Key Per Transaction. Encryption and key management mechanism for debit PIN protection and P2PE.
  • EPS: Electronic Payments Server
  • Failover: Ability of a payment application to switch to a different communication type or authorization host if the main connection or host is offline.
  • Fallback: Either Offline Fallback Processing or Failover.
  • FIPS: Federal Information Processing Standards
  • HSM: Hardware Security Module
  • ICCR: Integrated Circuit Card Reader
  • IIN: Issuer Identification Number
  • ISO Prefix: (also IIN, BIN). The first 6 digits of PAN that identify the card issuer
  • KEK: Key Encryption Key
  • KIF: Key Injection Facility
  • KSN: Key Serial Number
  • MITM: Man-in-the-Middle
  • MSR: Magnetic Stripe Reader
  • NIST: National Institute of Standards and Technology
  • P2PE: Point-to-Point Encryption. Aka End-to-End Encryption
  • PA: Payment Application
  • PA-DSS: Payment Application Data Security Standard
  • PAN: Primary Account Number. Identifies the cardholder; usually 16 digits long.
  • PA-QSA: Payment Application Qualified Security Assessor. Company or person authorized by PCI SSC to perform PA-DSS validation.
  • PA-QSA (P2PE): Payment Application Qualified Security Assessor, Point-to-Point Encryption
  • Payment Gateway: Company or service provider that accepts transaction requests from multiple stores and routes them to different Payment Processors depending on merchant configuration.
  • Payment Processor: Aka Authorizer. Company that processes electronic payments for merchants (accepts authorization, completion and settlement messages).
  • Payment Switch: Aka Switch. Server or group of servers at the merchant’s or Payment Gateway’s data center. Consolidates transaction messages from multiple stores.
  • PCI: Payment Card Industry. PCI now generally refers to the standards developed to regulate electronic payment systems in general.
  • PCI SSC: PCI Security Standards Council.
  • PCI DSS: PCI Data Security Standard. Standard for merchants and service providers.
  • PED: PIN Entry Device
  • PIN: Personal Identification Number
  • POI: Point of Interaction. Aka PED, PIN pad, pinpad, payment terminal.
  • POS: Point of Sale. Aka register, lane, point of service
  • Post Void: Cancellation of a payment after the POS transaction in which it was processed has been finalized.
  • PreAuth: The process of obtaining authorization so it can be stored and used later for transaction completion.
  • PTS: PIN Transaction Security
  • QSA (P2PE): Qualified Security Assessor, Point-to-Point Encryption
  • QSA: Qualified Security Assessor
  • Redemption: Payment with gift card.
  • Response Timeout: Maximum time allowed for a response to be returned by the server to the client.
  • Return: Refund
  • ROC: Report on Compliance
  • ROV: Report of Validation
  • RSA: Rivest, Shamir, Adleman. Asymmetric encryption algorithm created in 1977.
  • S&F: Store and Forward. Aka SAF, Fallback, Stand-in. Allows authorization and completion of payment transaction if network or host is down.
  • SAQ: Self-Assessment Questionnaire (part of the PCI process)
  • SCD: Secure Cryptographic Device
  • SCR: Secure Card Reader
  • Sensitive Data: Info that identifies the cardholder and can be used to process fraudulent payment transactions.
  • SHA: Secure Hash Algorithm
  • Split Dial: Ability of a payment application to route transactions to different payment processors based on BIN range, transaction type, or other parameters.
  • SRED: Secure Reading and Exchange of Data
  • Stand-in: See S&F
  • Switch: See Payment Switch
  • Tender: Payment method (e.g. cash, credit, check)
  • Tipping: Painting the embossed numbers and letters using gold or silver foil.
  • Token: Unique ID that identifies the PAN without compromising the actual cardholder data.
  • Tokenization: Technology that protects cardholder data by using a token instead of PAN
  • TOR: Timeout Reversal. A cancellation of the previous attempt to send a message in case of no response (response timeout) from the authorization host.
  • Track 1, Track 2: Info encoded on the magnetic stripe of payment cards.
  • Triple DEA: Triple Data Encryption Algorithm. AKA Triple DES, 3DES, TDES, TDEA. Symmetric block cipher used as a standard algorithm for debit PIN encryption.
  • TRSM: Tamper-Resistant Security Module
  • Two-Factor Authentication
  • Void: Cancellation of a payment tender during the same POS transaction
  • Zero Day Attack