Established to help software vendors and others develop secure payment applications that do not store prohibited data and to ensure their compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to PA DSS requirements.
In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to PA DSS requirements but must still be secured in accordance with the PCI DSS.
Consists of interchange fees charged to merchants by issuing banks for the ability to accept bankcard transactions combined with fees charged to merchants by acquirers to cover such services as processing, terminal installation, help desks and statement rendering. The merchant discount is set by the acquirer at a percentage of the purchase amount, typically between 1.5 percent and 3.5 percent. Sometimes the acquirer’s portion of the merchant discount is referred to as the net merchant discount. Also referred to as a transaction fee.
A category of card-not-present transactions involving purchases made through mail order or telesales companies. In this type of transaction, the merchant typically has a card terminal and manually keys in required card information for transmission to the appropriate authorization network. Interchange rates for these transactions are among the highest.
People who sell bankcard services to merchants on behalf of ISOs, acquirers and processors. Also known as merchant level salespeople (MLSs) and independent sales agents (ISAs), most agents are independent contractors. Others are paid employees of ISOs, acquirers and processors.
When a cardholder’s bank (issuer) reverses all or part of a card transaction back to the merchant bank (acquirer), which typically kicks the transaction back to the merchant’s account, leaving the merchant financially liable for the payment and subject to fines. Chargebacks can be initiated by customers or by cardholders’ banks (for example, due to procedural errors). Chargebacks that exceed 1 percent of monthly sales generally are considered excessive.
A document used as a validation tool by merchants and service providers to demonstrate compliance with the PCI DSS.
Updated in 2008, it is designed to simplify and streamline the assessment process and aid small and mid-sized merchants who are not required to have on-site PCI compliance assessments. The new SAQ comes in four versions with questions tailored specifically for different categories of card acceptors.
An auditor, certified by the PCI SSC, who assesses the PCI compliance of payment systems to ensure they are properly protecting card data. The PCI DSS requires that all Level 1 merchants (those that process over 6 million card transactions a year) be evaluated annually by a QSA.
A processor is any entity that physically processes a credit card transaction from swipe to settlement. It is a front-end network that enables a dial terminal, POS or gateway to connect to the Visa and MasterCard systems for authorization from an issuing bank. Any back-end or settlement network that receives those authorizations and settles them to a sponsor bank is also a processor. Such a network has a front end, a back end, or both, involved in the physical authorization or settlement of a transaction.
Established by the major payment brands, including American Express Co., Discover Financial Services, JCB International Co. Ltd., MasterCard Worldwide and Visa Inc., the PCI DSS is now managed by the PCI Security Standards Council.
The PCI DSS is designed to enhance payment account data security worldwide and consists of 12 requirements governing security management, policies, procedures, network architecture, software design and other areas critical to the protection of cardholder data.
Failure to adhere to the standard (by any party that handles card information, including merchants and ISOs) can result in hefty fines.