Terms to Know

Card Association

Visa and MasterCard are not banks and do not issue credit cards or merchant accounts; instead, each acts as a custodian and clearing house for its respective card brand.  They also function as the governing body of a community of financial institutions, ISOs and MSPs that work together in association to support credit card processing and electronic payments, hence the name “card associations.”  Card associations govern their members (including setting interchange fees and qualification guidelines), act as the arbiter between issuing and acquiring banks, maintain and improve the card network and their brand, and generate profit.  Visa uses its VisaNet network to transmit data between association members, and MasterCard uses its Banknet network.

Note that American Express is not a card association; American Express issues credit lines and physical cards on its own without an association of other financial institutions, ISOs and MSPs.

Card Issuer

Any association member financial institution, bank, credit union, or company that issues, or causes to be issued, plastic cards to cardholders.

Card Member

An individual to whom a card is issued, or who is authorized to use an issued card.

Card Reader

A device that is capable of reading the encoding on plastic cards.

Card Verification Code or Value

Also known as Card Validation Code or Value, or Card Security Code.  Refers to either: (1) magnetic-stripe data, or (2) printed security features.

  1. Data element on a card's magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand.  The following list provides the terms for each card brand:
    • CAV - Card Authentication Value (JCB payment cards)
    • CVC - Card Validation Code (MasterCard payment cards)
    • CVV - Card Verification Value (Visa and Discover payment cards)
    • CSC - Card Security Code (American Express)
  2. For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card.  For American Express payment cards, the code is a four-digit non-embossed number printed above the embossed primary account number on the face of the payment cards.  The code is uniquely associated with each individual piece of plastic and ties the primary account number to the plastic.

Charge Card

A payment card that requires a full payment of the charge each billing cycle by the statement due date. Unlike credit cards, which give borrowers a revolving line of credit that can be accessed and paid down over time, charge cards do not allow balances to be carried forward and do not charge an interest rate. American Express began as a charge card and continues to offer these types of products (like the Green, Gold and Platinum American Express cards) in addition to general use credit cards.

Chargeback

A transaction returned through interchange by an issuer to an acquirer.  A transaction may be returned because it was non-compliant with the association rules and regulations or because a cardholder disputed the transaction.

Clearing

The process by which the acquirer sends purchase information to the card network, which in turn sends it to the issuing institution. The issuer then prepares the information for the card member’s statement.

Compensating Controls

Compensating controls may be considered when an organization cannot meet a PCI DSS requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. 

Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. 

Compromise

Also referred to as “data compromise,” or “data breach.”  Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.

Contact Card

All smart cards contain an embedded integrated circuit, a microchip inside the card that’s programmed to work with only a specific scanner. Contact smart cards require cardholders to actually insert the card for identification purposes. Conversely, contactless (RFID) smart cards only require the cardholder to be near the scanner for reading.

Contactless Card

All smart cards contain an embedded integrated circuit, a microchip inside the card that’s programmed to work with only a specific scanner. Contact smart cards require cardholders to actually insert the card for identification purposes. Conversely, contactless smart cards, which are commonly known as RFID (radio frequency ID), only require the cardholder to be near the scanner for reading. With a contactless card, the antenna around the embedded chip is visible on the card.

Credit Bureau

A company that catalogs and sells information regarding the payment behavior of consumers and issues credit reports with related information. The three major national credit bureaus are Experian, Equifax and TransUnion.

Credit Card

A plastic payment card that is accepted by merchants worldwide with an encoded magnetic stripe on the back and/or an encoded chip (EMV cards) that can be read at the point of sale.  Credit Cards offer card members the ability to pay balances over time by applying an interest rate to outstanding balances.