Altered Card: A card on which the original embossed or encoded information has been altered for fraudulent purposes.

Transcription

1 ABA: American Bankers Association, the trade association of American bankers. This body also has the registration authority to assign identification numbers. ABA Routing Number: A unique nine digit number assigned to each banking institution, used to identify the bank and direct ACH debits and credits. The ABA routing number is usually found at the bottom left corner of a personal or business check. ACH: Automated Clearing House. A group of processing institutions linked by a computer network to process electronic payment transactions between financial institutions. An electronic payment network most commonly associated with payroll direct-deposit and recurring payments. The ACH can be used also to clear electronic checks and other demand deposit account (DDA) transactions. Acceptor: A business that has qualified to accept credit or debit cards as payment. Acquirer / Acquiring Bank: A financial institution that is a member of Visa and/or MasterCard and maintains the merchant credit card processing relationship. The acquirer receives all transactions from the merchant to be distributed to the issuing banks. An acquirer is an organization licensed as an affiliated bank or bank/processor alliance that is in the business of processing credit card transactions for businesses (acceptors) and is always acquiring new merchants. A federally insured financial institution responsible for connecting merchants to Visa Inc. and MasterCard Worldwide authorization and settlement systems. Acquirers and merchants are the two signatories to merchant agreements. Acquirers can be thrifts, banks or credit unions. For example, First National Bank of Omaha is an acquirer and a bank. To sell bankcard services, it is necessary to have a signed agreement with an acquirer or be part of an ISO that is sponsored by an acquirer. Among other things, an acquirer deposits daily card totals to merchant accounts and debits monthly processing fees from those accounts. The acquiring bank must handle all funds, deposits and settlements with merchants. ISOs and other entities on the acquiring side of the bankcard business also refer to themselves informally as acquirers, as evidenced by several regional acquirers associations thriving throughout the United States, but strictly speaking, they are not acquirers. Acquirers Association: A regional, independent and nonprofit organization that provides training, education and networking opportunities for professionals working in the acquiring side of the bankcard industry, including financial institutions, ISOs, MLSs, equipment vendors and providers of value-added services. Adjustment: An adjustment is initiated by the acquirer to correct a processing error. The error could be a duplication of a transaction or the result of a cardholder dispute. The acquirer debits or credits the merchant's DDA account for the dollar amount of the adjustment. Agents: People who sell bankcard services to merchants on behalf of ISOs, acquirers and processors. Also known as merchant level salespeople (MLSs) and independent sales agents (ISAs), most agents are independent contractors. Others are paid employees of ISOs, acquirers and processors. Aggregator: A company that manages the commercial relationships, physical transactions and physical distribution of prepaid cards sold in a destination retailer through a gift card mall on behalf of issuers. Also called a distributor. Altered Card: A card on which the original embossed or encoded information has been altered for fraudulent purposes. American Express: A company that specializes in the issuance of Travel and Entertainment (T&E) cards. American Express services the cards it issues, serving as its own transaction processor with its own processing network. API: Advanced Programming Interface allow users to program to a pre-constructed interface, instead of individually programming a device or piece of software. Approval Response: An affirmative reply following a transaction authorization request. Arbitration: A procedure used by an acquirer on behalf of the merchant to resolve a chargeback-related dispute with a card issuer. ARC: Accounts Receivable Conversion. An electronic debit created from a consumer check processed in a lockbox, drop box, or other payment receivable processing environment.

2 ASP: Application Service Provider, an organization that hosts software applications on its own servers within its own facilities. Customers access the application via private lines or the Internet. Assessments: Assessments are processing fees merchants pay to the Card Associations to finance their roles in operating the network, setting rules, setting pricing, research and development, and marketing/branding. They are a set percentage of the sale and are generally collected on a daily or monthly basis. Association: MasterCard International, Visa U.S.A. or Visa International, which are licensing regulatory agencies for bankcard activities. Any entity formed to administer and promote credit and cards. ATM: Automated Teller Machine, an unattended computer terminal that performs basic teller functions when a cardholder inserts a card into the ATM and enters the correct PIN. Typical functions include dispensing cash, accepting deposits and loan payments, and accepting account transfers and inquiries. Also used by credit cardholders for receiving cash advances. ATM / Debit Card: The plastic card used in an ATM for deposits, cash withdrawals, account transfers and other related functions. A PIN must be entered to withdraw cash and access account functions. An ATM card may also be used to make a debit purchase if the merchant has a PIN pad to accept the key entry. Audio Response Unit (ARU): This is an electronic authorization and capture product where the merchant uses a touchtone telephone to process transactions. Authorization: The process by which a transaction is approved by the issuer or by Visa/MasterCard on behalf of the issuer. Permission is given to (or denied) the merchant, via the acquirer, to accept a specific transaction from the cardholder account. An authorization indicates only that the card is valid and that sufficient funds are available on the cardholder's credit limit at the time the request is made. The process of verifying that the credit card has sufficient funds (credit) available to cover the amount of the transaction. An authorization is obtained for every sale. An approval response in the form of a code sent to a merchant's POS equipment (usually a terminal) from a card issuing financial institution that verifies availability of credit or funds in the cardholder account to make the purchase. An electronic exchange between a card issuing bank and an acquiring bank, initiated through a POS terminal, confirming a cardholder has sufficient credit (or funds in a demand deposit account if it is a debit card) to cover a pending transaction. Authorization Approval Code: The numerical code designated by the issuer, assigned to a sales transaction as verification that the sale is authorized. A code that a credit card issuing bank returns in an electronic message to the merchant's POS equipment that indicates approval of the transaction. The code serves as proof of authorization. Authorization Only: Used to reserve an amount against a credit card's available credit limit for intended purchases. Authorization Only is most frequently used in the lodging (check-in), restaurant (tab) and car rental (pick-up) industries, where an approval is received for an estimated amount prior to the finalization of the charge amount. Authorization Request: A merchant's request for an authorization to accept a cardholder's sales transaction. An authorization request can occur electronically via a credit card processing terminal or via telephone as a voice authorization. Auto Close: A terminal feature that allows an end-of-day batch closing to occur automatically at a specified time, without having to be initiated by the merchant. Automated Clearing House File: A file with instructions for the exchange and settlement of electronic payments passed between financial institutions. It represents debits and credits to be deducted from an account automatically as they occur. Auto Re-presentment: Automatically sending information to resolve a chargeback on a merchant's behalf without the need for merchant intervention. Authorization Response: An issuing financial institution's electronic message reply to an authorization request, which may include Approvals, Declines or Call Center. Average Ticket: The average dollar amount of a merchant's typical sale. The average ticket amount is calculated by dividing the total sales volume by the total number of sales for the specified time period.

3 AVS: Address Verification Service. A service supported by Visa, MasterCard, Discover and American Express that verifies the cardholder's billing address against the one on file with the issuer. AVS is designed to help combat fraud in nonface-to-face transactions. The process of validating a cardholder's given address against the issuer's records, to determine accuracy and deter fraud. This service is provided as part of a credit card authorization for mail order/telephone order transactions. A code is returned with the authorization result that indicates the level of accuracy of the address match and helps secure the most favorable interchange rates. A fraud deterrent technique used in card-not-present situations. AVS offers various levels of address verification detail, including cardholder ZIP codes and street numbers. B2B: Business to Business, refers to one business communicating with or selling to another. Back-End Network: The settlement provider responsible for finalizing transactions, routing payment to a merchant's account and generating statements. Balance Sheet: A financial statement that lists assets, liabilities and net worth as of a specific date. Bankcard: A card issued by a banking institution with a MasterCard or Visa brand. A credit card issued by a Visa or MasterCard sponsored financial institution. (American Express, Discover, Diners Club, JCB, etc., are issued directly from their respective operations, rather than through banks.) Batch: A group of approved credit card transactions usually accumulated during one business day. The accumulation of captured credit card transactions in the merchant's terminal or POS awaiting settlement. A collection of card receipts saved for submission, usually at the end of the business day. When the receipts are sent, the batch is "closed." Batch Deposit: The electronic depositing of a batch file transmitted to the transaction processor for settlement. Batch Processing: The authorization of transactions offline when immediate approval is not required. Transactions are collected in a batch and sent as one transmission for authorization and/or settlement. Batch processing is generally used with mail/telephone order transactions. Baud Rate: The speed at which a PC or terminal modem transmits data through the telephone line. BIN: Bank Identification Number. A unique series of numbers assigned by Visa/MasterCard to a member institution, which identifies that institution in transaction processing. The BIN comprises the first six digits of a standard credit card number. A numerical code assigned to each federally insured financial institution for the routing of transactions and other purposes. ISOs and MLSs board merchants using the BINs of their respective acquiring banks. Bisynchronous Communication: A communication method that transmits continuously with no starts and stop between the information bytes. Breakage: The unredeemed or unspent funds on a gift or prepaid card. Browser: A software application used to locate and display web pages. Business Card: A payment card typically issued to and used by owners of small businesses. Buy Rate: The acquiring bank's fee; it is equal to interchange (which is paid to the issuing bank) plus the acquiring bank's markup. Think of it as the wholesale price of a transaction to which processing and other fees are added to come up with the cost to a merchant. Buy rates have not been widely used since the multitude of interchange rates came into being; many ISOs and acquirers now use pricing models that involve splits of net revenue. Call Center: An authorization request response displayed on the credit card terminal screen, generated by the issuer or through stand-in processing. The merchant must then call for a voice authorization. If an approval is given, the user must enter the approval code manually into the POS device as a "force" or "post authorization." Capture: Receiving and storing transaction data at the processor's host computer, to be submitted later for processing and payment. The submission of an electronic credit card transaction for financial settlement. Authorized credit card sales must be captured and settled in order for a merchant to receive funds for those sales.

4 Card-Not-Present: A type of card transaction in which the card is not present at the point of sale for the magnetic stripe to be read. These are considered higher risk transactions. A transaction where the card is not present at the time of the transaction (such as mail order or telephone order). Credit card data is manually entered into the terminal, as opposed to swiping a card's magnetic stripe through the terminal. Card transactions (Internet or MO/TO purchases, for example) for which the customer's card is not physically handled by the merchant. Interchange is set higher on these transactions because there is a greater likelihood of fraud. Card Laundering: When a merchant processes sales through his or her merchant account on behalf of another merchant. Laundering violates the terms of merchant agreements. Also called draft laundering and factoring. Card Present: A type of transaction in which the card is present and is swiped through an electronic device that reads the contents of the magnetic stripe on the back of the card. Card Reader: Input device on a card terminal that translates the information stored on the magnetic stripe on the back of a card. Cardholder: The person to whom a payment card is issued, or an additional person authorized by the original cardholder to use the card. Customer to whom a card is issued or individual authorized to use the card. Cardholder Account Number: A sequence of numbers assigned specifically to a cardholder account that also identifies the issuer and type of payment card. The cardholder account number is the embossed number imprinted on the payment card. Full magnetic stripe or the PAN plus any of the following: Cardholder name, Expiration date, Service Code Cardholder Data Environment: Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment. Cardholder Initiated Chargeback: A chargeback that results when a cardholder contacts the card issuer and refuses to accept a charge appearing on a monthly billing statement. Card Issuing Bank: An EFT Network Member Bank that runs a credit card or debit card "purchasing service" for their account holders. An example is CitiBank and the CitiBank Visa Card that they issue. Cash Advance: A transaction in which a cardholder obtains cash in person at the branch of a member financial institution or ATM. This is the only method of receiving cash from a credit card that is approved by the bankcard associations. CCD: A credit or debit entry, initiated by a merchant, to consolidate funds of that organization, from its branches, franchises or agents, or from other organizations; or to fund the accounts of its branches, franchises or agents, or of another organization. CDPD (Cellular Digital Packet Data): A method of sending data through cellular networks. CDPD is used with wireless credit card terminals to transmit transactions and deposits in mobile environments. Certificate Authority: An e-commerce service that validates Internet parties to an online transaction. Chargeback: A challenge to a transaction initiated by the issuer or cardholder that is returned to the acquirer for resolution. A credit card transaction that is billed back to the merchant after the sale has been settled. Chargebacks are initiated by the card issuer on behalf of the cardholder. Typical cardholder disputes involve product delivery failure or product/service dissatisfaction. Cardholders are urged to try to obtain satisfaction from the merchant before disputing the bill with the credit card issuer. When a cardholder's bank (issuer) reverses all or part of a card transaction back to the merchant bank (acquirer), which typically kicks the transaction back to the merchant's account, leaving the merchant financially liable for the payment and subject to fines. Chargebacks can be initiated by customers or by cardholders' banks (for example, due to procedural errors). Chargebacks that exceed 1 percent of monthly sales generally are considered excessive. Chargeback Fee: The amount assessed by the acquirer for processing chargebacks.

5 Chargeback Reason Code: A numerical code which identifies the specific reason for a chargeback. MasterCard and Visa each have their own chargeback codes. Check Card: A bankcard that can be used with a PIN at an ATM or without a PIN at the point of sale, also known as an offline debit card. When used at the point of sale, the transaction is processed through interchange as a credit card transaction with the funds debited from the cardholder's checking account. Check Digit Verification (MOD 10 check): A check digit is the last position of a card account number, generated from an algorithm performed on a primary card account number. Verification of this number is referred to as a MOD 10 check and is used to validate a credit card number. Check Guarantee: A service that guarantees check payment to a merchant up to a specified amount. However, merchants are required to perform correct authorization procedures. Check Reader: A device that reads the numbers encrypted on the bottom of most checks. Check Scanner: A counter-top device used to scan images of checks, according to legal specifications, for electronic clearing and settlement. Check Verification: A service that provides merchants with some security against bad checks. The person writing the check is matched against a national negative file database to flag outstanding or bad checks on record from other members of this service. CID: Card Identification Number/Card Identifier, An American Express and Discover verification process that utilizes a non-embossed three or four digit number printed when authorizing credit card transactions where the physical card is not present. On American Express cards, the CID is a four digit code printed on the front of the card. On Discover cards, the CID is a three digit code printed next to the card number in the signature panel. CIS: Center for Internet Security. Non-profit enterprise with mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. Cipher text: The encrypted text of a message, which may be decrypted only by someone who has the correct key. Close: Sending a merchant's completed transactions to the host for processing. (See also "Settlement") Close Batch: The process of sending the batch for settlement. Closed-loop: Cards (such as retail gift cards) issued by a single corporate entity. Such cards can only be redeemed within that entity or within a series of entities that have agreed to take the cards. Code 10 Authorization: If the POS device reads "Lost or Stolen Card," or "Pick Up Card" or a similar message, the merchant should call the authorization center for a Code 10 Authorization. The operator will ask questions to determine if the transaction is valid. Commercial Cards: Credit or charge cards issued to businesses to cover expenses such as travel and entertainment and procurement. Includes the multiple payment card brands of purchasing cards, business cards, corporate cards and multiutility fleet cards. Visa and MasterCard now have special procedures for passing billing information back to the card issuing bank so that it can be displayed on card holder statements; this is a program for promoting the use of credit cards for business purchases by providing purchase tracking to business users. New regulations require that this billing information be passed back with the transactions; otherwise a higher pass through fee will be incurred. Corporate Card: Usually issued to the employees of a large corporation where the corporation assumes all liability for the card's usage. Purchasing Card: Issued to corporations. It allows the corporation numerous parameters to control daily and monthly spending limits, total credit limits and where the card may be used. Many employees may be issued the same card number. Business Card: Similar to the Corporate Card, but issued to a business with fewer employees. Each employee is responsible for his or her purchases. Compliance: Compliance to the Visa and MasterCard regulatory bylaws. Also, a method of resolving a dispute between members if no chargeback reason code applies. The challenging member must prove financial loss due to a violation of MasterCard or Visa rules by the other member.

6 Compensating Controls: Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must 1) meet the intent and rigor of the original stated PCI DSS requirement; 2) repel a compromise attempt with similar force; 3) be above and beyond other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and 4) be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. Compromise: Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected. Corporate Card: Charge card designed for business-related expenses, such as travel and entertainment. Please see Commercial Card. Counterfeit Card: A plastic card which has been fraudulently printed, embossed or encoded to appear to be a genuine bankcard, but which has not been issued by a Visa or MasterCard member. It could also be a card which was originally issued by a member, but was subsequently altered without the issuer's knowledge or consent. Credit: A refund or price adjustment given for a previous purchase. Nullification of an authorized transaction (sale) that has not been settled. If supported by the card issuer, a reversal will immediately "undo" an authorization and return it to the open-to-buy balance on a cardholder's account. Some card issuers do not support reversals. Credit Card: A plastic card with a credit limit used to purchase goods and services and to obtain cash advances on credit. The cardholder is then billed by the issuer for repayment of the credit extended. Can be issued by banks and nonbanks and are associated with such brand names as AmEx, Discover Financial Services, MasterCard, JCB International Co. Ltd. and Visa. Credit Slip: A form stating a refund or price adjustment will be credited to a cardholder account. Also referred to as a credit voucher or credit draft. Cryptography: The process of protecting information by transforming it into an unreadable format. The information is encrypted using a "key" that makes the data unreadable. It is later decrypted, making the information readable again. CSP: Commerce Service Provider, an organization that hosts commerce software applications on its own servers within its own facilities. CVC2: Card Validation Code, MasterCard term for the three digit code printed next to the card number in the signature panel and used as part of the authorization process. For a list of CVC2 response codes, click here. CVV2: Card Verification Value, Visa term for the three digit code printed next to the card number in the signature panel and used as part of the authorization process. The three digit number on the back of Visa Inc. and MasterCard Worldwide credit and debit cards. It is used as a security feature in card-not-present transactions. The CVV number helps guard against the use of data stolen from payment networks by hackers. Intercepted data will usually comprise the cardholder name, card number and card expiration date, but not the CVV, which is generally obtained only by viewing the physical card. Data Breach: The capture of sensitive payment card data by an un-trusted party. Data Encryption: The scrambling of data so only the intended users can read and understand the encrypted information. DBA: Doing Business As, the name a business uses to operate. DDA: Demand Deposit Account, a checking account.

7 Debit Card: A bankcard used to purchase goods and services and to obtain cash, which debits the cardholder's personal checking account. During online debit transactions, the cardholder must enter a PIN. A payment card whose funds are withdrawn directly from the cardholder's checking account at the time of sale (online debit on a Debit Network) or after batch settlement (offline debit on a Credit Card Network). Issued by financial institutions and tied to cardholders' DDAs. Debit cards come in online/offline and offline-only versions. Online in this context means able to interface with the card brand networks for authorization at the POS. Debit cards can be co-branded with Discover, MasterCard or Visa. Online debit requires customers to enter PINs; offline debit card payments are authorized with cardholder signatures. Debit Switch: A portal that transmits debit data between gateway banks and debit card issuers. It s also referred to as "Debit Network." Only financial institutions may be members of debit switches. Decline: A response from the card issuer denying the use of the card for the attempted transaction. If a request for approval is declined, the merchant must ask the cardholder for another form of payment. Decryption: Use of an algorithmic key to unscramble data that has been encrypted. The key is secret to all except the party authorized to use it and renders the data readable once again. Deposit Correction Notice (DCN): Adjustments (debits or credits) made for an out-of-balance condition due to various problems in the transmittal. The correction is made by the merchant's acquirer at the time of capture prior to being sent out for interchange. DDA: Demand deposit account: A checking account with a financial institution. DES: Data Encryption Standard (DES). Block cipher elected as the official Federal Information Processing Standard (FIPS) for the United States in Successor is the Advanced Encryption Standard (AES). Dial-Up Terminal: An authorization terminal that uses a telephone line to communicate with the authorization center. Digital Certificate: An encrypted attachment to an electronic message, used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be. The receiver is also provided with a way to encode a reply. DIP Switches: Dual In-Line Package Switches, a series of connected switches that determine the proper configuration for a payment card terminal printer. Direct Response: Term used to describe a merchant processing primarily non face-to-face or card-not-present transactions. Discount Rate: The fees charged by the card acquirer to the merchant for processing payment card transactions. The percentage of card sales acquirers collect from merchants for transaction authorization, settlement and so forth. Display: The backlit panel on a payment card device that shows characters on the screen. DSS: Data Security Standard. Discount Rate: The percentage of sales amounts that the bankcard acquirer or travel and entertainment (T&E) card issuer charges the merchant for the settlement of the transactions. Draft Laundering: When a merchant processes sales through his or her merchant account on behalf of another merchant. Laundering violates the terms of merchant agreements. Also called draft laundering and factoring. Duality: The membership of a financial institution in both MasterCard and Visa associations. Dues & Assessments: Dues & Assessments are processing fees merchants pay to the Card Associations to finance their roles in operating the network, setting rules, setting pricing, research and development, and marketing/branding. They are a set percentage of the sale and are generally collected on a daily or monthly basis. DUKPT: Derived Unique Key per Transaction, a method of PIN pad encryption.

8 EBT: Electronic Benefits Transfer, the automation of government benefits through electronic authorization, data capture and settlement processes. Plastic cards with magnetic stripes are used, eliminating paper benefits and coupon distribution. ECA/ECP: Electronic Check Acceptance/ Electronic Check Processing, process that converts a paper check into an electronic check at the point of sale. The check is electronically processed through the ACH network. E-Commerce: Electronic Commerce, the sale and purchase of goods or services over the Internet. ECR: Electronic Cash Register, a cash register that also emulates a point-of-sale terminal for processing credit card transactions. EDC: Electronic Draft Capture, the use of a point-of-sale device to authorize and settle credit card transactions. Edit Rejects: The rejection of a sales draft by Visa or MasterCard before a transaction processes through interchange, but after it has been paid by the acquirer. Electronic Cash Register (ECR): A device used for cash sales. Can also be integrated to accept credit cards. Electronic Date Capture (EDC): Process of electronically authorizing, capturing and settling a credit card transaction. EFT: Electronic Funds Transfer, an electronic system that automatically moves funds, e.g., an ATM withdrawal or pay-byphone transaction. A way of performing financial transactions electronically. The Pulse and Star networks are examples of EFT systems. Encryption: Method of scrambling data to protect a cardholder's personal information. Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure. In its simplest form, encryption refers to the process of using special algorithms to scramble data into a format that's indecipherable to anyone without the proper decryption key. End-to-end Encryption: End-to-end encryption ensures cardholder data is protected from card swipe all the way through to the processing banks. State of the art encrypted magnetic card readers scan and encrypt cardholder information prior to performing an electronic payment transaction. High grade algorithmic schemes that protect data (like account numbers and PINs) from the moment a credit or debit card is swiped and throughout the processing cycle. Entitlement: License or permission to accept a particular type of payment card or other payment vehicle. EPROM: Erasable Programmable Read Only Memory, industry initiated standards used to identify terminal types and components. Europay (EMV): a nearly global standard for chip and PIN cards, also known as smart cards, developed and backed by four of the major card brands. EMV has not yet achieved critical mass in the United States. Exceeded Timeliness: A transaction that is deposited too late to qualify for the best interchange rate. Expiration Date: The embossed date on a bankcard. After that date, the card becomes invalid and should no longer be accepted. Date after which a card can no longer be used. Most network branded cards have an expiration date. Some closed-loop cards expire after a certain period of inactivity or after a certain date, although this is becoming increasingly rare. Factoring: When a legitimate merchant processes another merchant's transactions in return for payment. This practice is forbidden by the associations. When a merchant processes sales through his or her merchant account on behalf of another merchant. Laundering violates the terms of merchant agreements. Also called draft laundering and factoring. Financial Institution: Any organization in the business of moving, investing or lending money, dealing in financial instruments, or providing financial services. This includes commercial banks, thrifts, federal and state savings banks, saving and loan associations, and credit unions.

9 Fleet Card: Payment card designed mainly for fueling, maintenance and repairs of corporate motor vehicles. Fleet cards are normally used to provide specialized reporting. Private label credit cards designed mainly for repairs, maintenance and fueling of business vehicles. Floor Limit: The payment amount above which credit and debit card transactions must be authorized; this amount is specified in each merchant's processing agreement. Folio: A number assigned by a lodging merchant for tracking a guest's charges. Footer: Text printed at the bottom of a sales draft. A merchant can customize the footer (i.e., Have a Nice Day, No Refunds, Thank You for Shopping With Us, etc.). Force: The process by which a voice authorized transaction is key entered to be settled electronically with a batch of transactions. Also known as a post-auth. Force Deposit: The transaction by which a merchant deposits funds on a consumer s card, without obtaining an approved authorization from the issuing financial institution of that account. This opens up the merchant to bank initiated chargebacks, since no valid authorization was granted for that deposit transaction to be made. These transactions carry an addition $.10 fee placed on the merchant by the associations. Frame Relay: A TCP/IP link for data that has high transmission speeds, low network delay, high connectivity and efficient bandwidth use. Fraud Investigation: The process of identifying suspicious merchant or cardholder activity. Front-End Network: Network provider responsible for authorizing and capturing transactions and forwarding the information to the back-end network. FTP: File Transfer Protocol, a protocol used to transfer files over a TCP/IP network (Internet, UNIX, etc.). Gateway: Manages the electronic connection between consumers and their financial institutions and transmits data. General Purpose / General Spend Card: An open-loop or network branded card whose sole purpose is to facilitate normal spending transactions, with functionality similar to a debit card but without the need for a bank account. Gift Card: A reusable, stored value card that enables merchants to have an electronic alternative to paper gift certificates. Gift Card Mall: A physical or virtual rack or display unit that allows customers of a destination retailer to buy a prepaid card issued by a range of different prepaid card issuers. Also referred to as "gift card center" and "gift card shop." Good Faith: An attempt by a card association member to resolve a dispute with another member in writing. A good faith attempt at resolution must be made before filing a compliance case. Hard Decline: A declined authorization attempt resulting from a lost or stolen card, pick-up card, etc. A Code 10 call should be made by the merchant to the authorization center. HCS: Host Capture System, a transaction is transmitted with an authorization request to the host computer at the front end, the information is captured at the host, then sent back to the POS device. Since the information is already stored at the host, it can be settled without the merchant performing a settlement function. Hold Back: The money set aside from a merchant's credit card receipts to cover potential chargebacks or other disputes. Typically, the amount is returned after a specified period. Also known as a reserve. Hologram: A laser created photograph that uses a three dimensional image that is difficult to duplicate. Used as an anticounterfeiting measure on many payment cards.

10 Host: Offer various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of shopping cart options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. Hosting Provider: Main computer hardware on which computer software is resident. Idle Prompt: The standard display on a payment card terminal waiting to process the next transaction. Imprinter: A device used to imprint embossed card information onto a sales draft for payment card transactions. An imprinter is used if the card is present and the POS device cannot read the contents of the magnetic stripe. Independent Sales Agent (ISA): People who sell bankcard services to merchants on behalf of ISOs, acquirers and processors. Also known as merchant level salespeople (MLSs) and independent sales agents (ISAs), most agents are independent contractors. Others are paid employees of ISOs, acquirers and processors. Independent Sales Organization (ISO): An organization registered with Visa and sponsored by an acquiring bank to sell VISA card acceptance services; also refers to an organization that works with and does business under the name of such a registered ISO. ISOs may also service merchant accounts once they are registered, dependent upon the contract with the acquirer. MasterCard uses the term "member service provider" to describe ISOs. However, it is common within the payments industry to use the term "ISO" when referring to independent sales organizations registered with either or both card brands. Interac: National debit card network in Canada. Interchange: The exchange of transaction data between acquiring and issuing institutions. The standardized electronic exchange of financial and non financial data associated with sale and credit data between merchant acquirers and card issuers on various types of MasterCard and Visa transactions. The fee paid to the card issuing bank by the card acquiring bank by way of the processor. Interchange is the base fee to which all other acquiring and processing fees are added to come up with the merchant discount rate. Interchange rates vary widely based on card type, transaction amount, risks and retail sector. It is assessed on all Visa and MasterCard branded cards, even PIN-based debit cards. In certain circumstances interchange flows in reverse, such as following a chargeback. Interchange Fees: Fees paid by the acquirer to the issuer to compensate for transaction related costs. MasterCard and Visa establish interchange fee rates. A fee paid by an acquirer to an issuer for transactions entered into interchange. The interchange fee is a percentage applied, according to Visa/MasterCard regulations, to the dollar value of each transaction. There are multiple categories of interchange, and Visa and MasterCard each have their own criteria for their own categories. A transaction must meet the specified criteria for a category in order for that category's rate to be applied. Each transaction is evaluated individually, so various interchange rates may apply within one batch of merchant transactions. ISDN: Integrated Services Digital Network, a digital phone service link capable of supporting up to three types of communication devices simultaneously. ISO: An organization registered with Visa and sponsored by an acquiring bank to sell VISA card acceptance services; also refers to an organization that works with and does business under the name of such a registered ISO. ISOs may also service merchant accounts once they are registered, dependent upon the contract with the acquirer. MasterCard uses the term "member service provider" to describe ISOs. However, it is common within the payments industry to use the term "ISO" when referring to independent sales organizations registered with either or both card brands. ISP: Internet Service Provider, an organization that provides access to the Internet. Internet Service Providers (ISPs) are the Website Hosting companies that provide a home for merchant's web sites. They typically resell and/or support the services of a Secure Gateway Provider and/or ISO or Agent or Bank. Issuer, Issuing Bank: The financial institution and member of Visa or MasterCard that holds contractual agreements with, and issues cards to, cardholders. The bank or other financial institution that extends credit to a cardholder through bankcard accounts. The financial institution issues a credit card and bills the cardholder for purchases against the bankcard account. This is also referred to as the cardholder's financial institution. Simply put, the issuer is a bank or other institution that issues a credit card or debit card to an individual. Key (encryption): a key contains the necessary information to decrypt an encrypted transaction.

11 Leased Line: A dedicated telecom connection with either point-to-point or multi-point configuration. Level I Data: Level I purchasing card data includes the same information captured during a traditional credit card purchase transaction. This includes: total purchase amount, date, merchant category code and supplier/retailer name. Level II Data: Level II purchasing card data includes the same information captured at Level I, plus the following: sales tax amount, customer's accounting code, merchant's tax ID number, applicable minority and women owned business status, and sales outlet zip code. Level III Data: Level III purchasing card data includes the same information captured at Levels I and II, plus the following: quantities, product codes, product descriptions, ship to zip, freight amount, duty amount, order/ticket number, unit of measure, extended item amount, discount indicator, discount amount, net/gross indicator, tax rate applied, tax type applied, debit or credit indicator, and alternate tax identifier. Line of Credit: The amount of credit a lender will extend to a borrower over a specified period of time. Lockbox: A service that processes payments by check and credits the appropriate business. Magnetic Stripe: A panel located on the back of a payment card containing magnetically encoded cardholder account information. Data encoded in the magnetic stripe used for authorization during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/ Card Validation Value/Code, and proprietary reserved values must be purged; however, account number, expiration date, name, and service code may be extracted and retained, if needed for business. Magnetic Ink Character Reader: A countertop device used to scan and recover information contained in magnetic ink characters printed on checks and documents. The magnetic ink character recognition (MICR) line, usually printed at the bottom of a check, is a sequence of digits that provides details about the bank and account on which the check is drawn. The MICR line supports authorization and clearing routines. Magnetic Stripe Reader: A point-of-sale device that reads the encoded information from the magnetic stripe when the card is passed through the reader. Readers may read Track Two, which contains the cardholder account number and expiration date, or both Track Two and Track One, which contains the cardholder name. Mail Order/Telephone Order (MOTO): Credit card transactions initiated via mail, or telephone. Also known as card-not-present transactions. A category of card-not-present transactions involving purchases made through mail order or telesales companies. In this type of transaction, the merchant typically has a card terminal and manually keys in required card information for transmission to the appropriate authorization network. Interchange rates for these transactions are among the highest. Malware: Software that's designed to infiltrate and damage a computer without the user's knowledge. Think worms, Trojan horses and bot-nets. According to published reports, malware attacks increased by a factor of 10 between 2008 and Manual Close: A batch close that must be initiated by the merchant on a daily basis, as opposed to an auto close at a pre-set time. MasterCard International Incorporated: A member owned international bankcard association, governed by a board of directors, which licenses members to issue cards or accept merchant drafts under the MasterCard Program. MasterCard owns and operates its own international processing network. MCC: Merchant Category Code, a universal four digit merchant classification code that identifies the merchant by type of processing, authorization and settlement. Similar to a Standard Industrial Classification (SIC), but more defined. Media: The documentation of monetary transactions (i.e., sales drafts, credit slips, computer printouts, etc.). Media Retrieval Requests: Media retrieval is the process of obtaining paper documents from a centralized location. There are two types of media retrieval requests: 1) requests for sales records from cardholders, and 2) requests for documentation in defense of a chargeback from card issuers.

12 Member: A financial institution that is a member of Visa and/or MasterCard. A member is licensed to issue cards to cardholders (issuer) and/or accepts merchant drafts (acquirer). Member Service Provider: A MasterCard Worldwide term applied to entities that provide transaction and cardholder processing, as well as merchant and cardholder solicitation. Member Service Providers (MSPs) fall under two categories: ISOs and third party processors (TPPs). TPP services include electronic data capture and mobile remote payment, among others. Merchant: Store owner or seller of products. Customer of a processor/acquirer. Merchant Agreement: The written contract between the merchant and acquirer that details their respective rights, responsibilities and warranties. Merchant Bank: A federally insured financial institution responsible for connecting merchants to Visa Inc. and Master- Card Worldwide authorization and settlement systems. Also called an acquiring bank, merchant bank or sponsor bank. Acquirers and merchants are the two signatories to merchant agreements. Acquirers can be thrifts, banks or credit unions. For example, First National Bank of Omaha is an acquirer and a bank. To sell bankcard services, it is necessary to have a signed agreement with an acquirer or be part of an ISO that is sponsored by an acquirer. Among other things, an acquirer deposits daily card totals to merchant accounts and debits monthly processing fees from those accounts. The acquiring bank must handle all funds, deposits and settlements with merchants. ISOs and other entities on the acquiring side of the bankcard business also refer to themselves informally as acquirers, as evidenced by several regional acquirers associations thriving throughout the United States, but strictly speaking, they are not acquirers. Merchant Discount: The fee an acquiring member charges the merchant to cover the costs of providing deposit credit and handling credit card sales transactions. Consists of interchange fees charged to merchants by issuing banks for the ability to accept bankcard transactions combined with fees charged to merchants by acquirers to cover such services as processing, terminal installation, help desks and statement rendering. The merchant discount is set by the acquirer at a percentage of the purchase amount, typically between 1.5 percent and 3.5 percent. Sometimes the acquirer's portion of the merchant discount is referred to as the net merchant discount. Also referred to as a transaction fee. See Discount Rate. MICR Number (Magnetic Ink Character Recognition): the bank routing and transit, checking account number and check number encoded at the bottom of a check that can be used to authorize the check. MID: Merchant Identification Number. The identification number assigned to a merchant by the acquirer. This number is generated by a processor/acquirer and is specific to each individual merchant location. This number is used to identify the merchant during processing of daily transactions, rejects, adjustments, chargebacks, end-of-month processing fees, etc. MOP: Method Of Payment - the way a merchant chooses to accept payment for products or services. Examples include: MasterCard, Visa, American Express, Discover, Carte Blanche, Diners Club, JCB, Electronic Check and private label cards. MSP: A MasterCard Worldwide term applied to entities that provide transaction and cardholder processing, as well as merchant and cardholder solicitation. Member Service Providers (MSPs) fall under two categories: ISOs and third party processors (TPPs). TPP services include electronic data capture and mobile remote payment, among others. NACHA: NACHA develops operating rules and business practices for the Automated Clearing House (ACH) Network and for electronic payments in the areas of Internet commerce, electronic bill and invoice presentment and payment (EBPP, EIPP), e-checks, financial electronic data interchange (EDI), international payments, and electronic benefits services (EBS). Additional Information: Network: An entire system of communication hardware and software used to transfer electronic information during the authorization and settlement process. Network Branded: A prepaid product that can be accepted as payment by any merchant subscribing to that network's service. Also called open-loop. Non Face to Face Transaction: Any transaction in which the card is not presented, such as a phone, mail or Internet purchase. See Card-Not-Present.

13 Non Qualified Transaction Fees (Non Qual): Bankcard sales transactions that do not meet set Visa/MasterCard criteria for that particular merchant and are processed at a higher interchange rate. An example of this is a merchant that is retail (card present) that processes a card-not-present transaction (or manually enters card data rather than swiping the magnetic stripe through the terminal). The merchant will pay the difference between what they should have paid on retail and what they actually qualified for (card not present). This difference is called non qualified interchange fees. Non-Reloadable: A prepaid product with a fixed value. Additional funds cannot be added to the existing value. No-Show: A charge to a cardholder account by a lodging merchant if the person either fails to arrive or fails to cancel the guaranteed reservation. Offline Debit: Debit transaction that occurs when a Visa/MasterCard check card is authorized through the credit card system and the amount is debited from the cardholder's checking (DDA) account. Offline Transaction: A transaction that is authorized through a voice authorization and later keyed into a POS terminal prior to settlement. OK Number: A validation number from the host computer confirming a successful batch deposit. Online Transaction: A transaction that is authorized electronically from the front-end network. Payment Application Data Security Standards (PA-DSS): The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data. Established to help software vendors and others develop secure payment applications that do not store prohibited data and to ensure their compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to PA DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to PA DSS requirements but must still be secured in accordance with the PCI DSS. Payment Card Industry Data Security Standards (PCI DSS): The PCI DSS is a multifaceted security standard that includes requirements for security management, policies & procedures. Established by the major payment brands, including American Express Co., Discover Financial Services, JCB International Co. Ltd., MasterCard Worldwide and Visa Inc., the PCI DSS is now managed by the PCI Security Standards Council. The PCI DSS is designed to enhance payment account data security worldwide and consists of 12 requirements governing security management, policies, procedures, network architecture, software design and other areas critical to the protection of cardholder data. Failure to adhere to the standard (by any party that handles card information, including merchants and ISOs) can result in hefty fines. Often shortened to PCI. Payments Processing Information Sharing Council: A private sector organization that helps facilitate sharing of information among payment companies regarding data security. It operates under FS-ISAC. Payroll Card: A reloadable, network branded prepaid card on which is deposited an employee's salary (usually through a bank transfer). Used as an alternative to cash or check where the employee does not have a bank account or prefers this method of payment. PBX Access Code: An access number that is dialed to reach an outside line. PC Software: A software program that is designed to perform a specific function on a computer system. Examples would be accounting systems, manufacturing systems, order entry and fulfillment, ticketing, reservations, etc. The application is either purchased or built by the merchant, and must be interfaced with a credit card authorization system in order to provide on-line transaction processing. PCI: Payment Card Industry PCI Compliance: PCI Compliance refers to industry mandated security standards that apply to all businesses that handle, process or store credit or debit cards. The three PCI compliance standards are PCI DSS, PA-DSS and the PCI PED. PCI Compliance Deadlines: Deadlines for merchants, service providers and software applications to be compliant with the corresponding PCI standard.

14 PCI DSS: Established by the major payment brands, including American Express Co., Discover Financial Services, JCB International Co. Ltd., MasterCard Worldwide and Visa Inc., the PCI DSS is now managed by the PCI Security Standards Council. The PCI DSS is designed to enhance payment account data security worldwide and consists of 12 requirements governing security management, policies, procedures, network architecture, software design and other areas critical to the protection of cardholder data. Failure to adhere to the standard (by any party that handles card information, including merchants and ISOs) can result in hefty fines. Often shortened to PCI. Also known as: Payment Card Industry (PCI) Data Security Standard (DSS) PCI PIN Entry Device (PCI PED): Renamed PIN Transaction Security (PTS), this is a special list of security requirements for PIN-enabled card acceptance modules. PCI Security Standards Council (PCI SSC): An agency responsible for the development, management and education of the PCI security standards, including the PCI DSS, PA DSS, and PTS. The council was founded in 2006 by AmEx, Visa, MasterCard, JCB and Discover. Phishing: Phishers pose as trusted entities (such as banks or credit card companies) and, using and text messaging, con consumers (and increasingly businesses) into providing sensitive information, like user names and passwords, which are then used for fraudulent purposes. Pick Up Card: An issuer's electronic response to an authorization request, asking that the card be retained by the merchant and returned to the issuer. PIN: Personal Identification Number, a numeric code used as verification to complete a transaction via a payment card. The number is entered into a keypad and is encrypted to travel along with the authorization. A number used by a cardholder to authorize card payments. It is often abbreviated as PIN. PIN Debit: A debit card transaction authorized by the cardholder using a personal identification number. PIN Transaction Security (PTS): A special list of security requirements for PIN-enabled card acceptance modules. This was formerly called the PCI PIN Entry Device (PCI PED) requirements. POP: Point of Purchase Conversion. A one-time ACH debit from a consumer's bank account for in-person purchases made at the point-of-sale; upon receipt of a check and signed authorization. POS (Point Of Sale): The location at which a payment card transaction occurs, usually by way of a device such as a credit card terminal or cash register. A location where credit card transactions are performed with the cardholder present, such as a retail store. The card is read magnetically, and the cardholder's signature is obtained as insurance against the transaction. This is the most secure form of credit card commerce. POS Terminal: A terminal at the point of sale, connected via telecommunication lines to a central computer. Authorization, recording and transmission of electronic transactions are performed through the terminal. Equipment used to capture, transmit and store credit card transactions at the point of sale. Examples are VeriFone terminals. Posting: The process of recording debits and credits to an account. PPD: A credit or debit entry, initiated by a merchant, pursuant to a standing, or one time authorization from a consumer, to effect an electronic funds transfer, to or from a consumer's bank account. Prenote: In the electronic check processing environment, a non-dollar transaction sent through the ACH network for the purpose of verifying the accuracy of the cardholder's account data. Prepaid Card: A payment card with a set amount of money that has been preloaded onto it for future use by the consumer. It is not a credit card or debit card. Prepaid cards can be used in an open-loop (branded by Visa, MasterCard and so forth) or closed-loop (merchant or mall branded). The most common type of prepaid card in use today is the gift card. Presentment Currency: The currency in which a purchase is authorized through Visa, MasterCard or American Express.

15 Private Label Card: A card issued by a merchant that can only be used in the issuing merchant's business. An example would be a department store credit card. Credit, debit or stored value cards that can be used only within a specific merchant's store. Also referred to as proprietary cards. Processing Fees: The fees associated with the processing of credit card transactions. Processor: A company responsible for processing interchange transactions, operated by an acquirer or acting on the acquirer's behalf. The company that moves transactions on behalf of acquirers among merchants, banks and the card networks. Some, but not all acquirers are processors. Processing Network (Vendor): The medium of data transport between the merchant application and the processor. This company authorizes and captures credit card transactions. Some examples of processing networks are FDR, MAPP and Envoy. Procurement/Purchasing Cards: Charge cards used by businesses to cover purchasing expenses, such as raw materials or office supplies. Program Manager: The entity responsible for managing the core attributes of a prepaid card program. Program managers can either manage for other companies, or be responsible for issuing their own prepaid card products. For MasterCard Worldwide, entities are required to have an ISO/MSP license in order to become program managers. Protocol: A set of rules that allow data communications to work. Purchasing Card: A payment card used by companies to replace paper invoices. Qualified Security Assessor (QSA): An auditor, certified by the PCI SSC, who assesses the PCI compliance of payment systems to ensure they are properly protecting card data. The PCI DSS requires that all Level 1 merchants (those that process over 6 million card transactions a year) be evaluated annually by a QSA. RAM: Random Access Memory, short term memory for a computer or payment card terminal. Reason Code: A two digit code identifying the reason a chargeback was initiated. Re-authorization: To request an additional amount to be authorized on an existing transaction. Used in the lodging industry when the original authorization is not sufficient to cover the charges. Real Time Processing: Real Time Processing means that when a web site's customer conducts an online purchase, that the check or credit card information is conveyed to the Processor at that exact time so that an authorization can be requested and received at that moment. Real Time Processing always implies that a Secure Payment Gateway is being utilized, whether proprietary or third party. Please see Secure Payment Gateways and Real Versus Non Real Time Processing. Recurring Billing: A tool for submitting and managing recurring or subscription based, transactions. Recurring Transaction: A transaction charged to a cardholder's account (with prior permission) on a periodic basis for recurring goods and services, i.e., health club memberships. Referral: The message received from an issuing bank when an attempt for authorization requires a call to the Voice Authorization Center. Refund: A refund occurs when the merchant rebates all, or a portion, of an original transaction amount to the cardholder. Refunds are made to the same card that was used for the original transaction. Similar to a Credit. Remittance Card: A card that enables the user to transfer funds to another party, normally overseas, and often in another currency. No bank is required to transfer the money, and the recipient has instant access to the funds made available, either to spend in a retail outlet or to obtain cash through an ATM.

16 Remote Deposit Capture (RDC): Electronic check services by which paper checks are converted into digital images for electronic clearing and settlement, through either electronic check or ACH systems. Re-presentment: An attempt to reverse a chargeback initiated by a merchant or acquirer to the issuing bank that presented the chargeback, backed by supporting documentation. Reserve: The money set aside from a merchant's credit card receipts to cover potential chargebacks or other disputes. Typically, the amount is returned after a specified period. Also known as a hold back. Response code: A number provided by a card issuing bank to a merchant either verifying that a particular transaction was accepted or explaining why it was declined. Restricted Authorization Network: Pertains to cards issued by a corporate entity, or group of corporate entities. They can only be redeemed within a restricted selection of corporate entities, defined by geography, type of business, type of terminal et cetera. Also known as restricted loop card or semi open-loop cards. Retail Transaction: A face-to-face transaction in which the cardholder presents a card to the merchant to pay for goods or services. Retrieval Request: A request by the issuer to the acquirer for a copy of the original sales ticket. Reversal: When an acquirer successfully represents a chargeback to the issuer, the chargeback is reversed and the funds are returned to the merchant. A method of recourse for merchants to counter chargeback claims. Cardholders can also set reversals in motion when they rescind chargeback claims. ROM: Read Only Memory, memory and information that cannot be changed. RS232: The standard port on POS device used to support a wireless transmission via VSAT, Frame, VPN or Motient. May also be used with various peripheral devices i.e. Check Reader or Personal Computer. Sales Draft (Ticket): A form showing an obligation on the cardholder's part to pay money (i.e., the sales amount) to the card issuer. This is the piece of paper that is signed when making the purchase. Sales draft data can be captured electronically and sent to be processed over the phone lines. Also see Electronic Data Capture. Sales Transaction Fee: The amount the financial institution charges a merchant for each sales transaction. SDK: Software Development Kit, a "kit" that is built to help a developer incorporate software into another program or system. Secure Payment Gateway: Secure Payment Gateway companies help other processors conduct secure business on the internet using Secure Socket Layer (SSL) technology. They provide a system that passes credit card data, authorization requests, and authorization responses over the internet using encryption technology. The transaction information is sent by the payment gateway secure server via leased line to the credit card network where the validity of the card is checked and the availability of funds on that account is verified. An authorization code is returned via leased line to the payment gateway; the authorization is encrypted by the payment gateway and transmitted in encrypted form to the web server of the merchant, which triggers fulfillment of the order. Rather than try and create their own Secure Web System, many banks and bank/processor alliances will use a Secure Payment Gateway Provider to perform this task for them. Secure POS Vendor Alliance: includes representatives from the major terminal manufacturers who collaborate on fraud intelligence and hardware protection standards. Self Assessment Questionnaire (SAQ): A document used as a validation tool by merchants and service providers to demonstrate compliance with the PCI DSS. Updated in 2008, it is designed to simplify and streamline the assessment process and aid small and mid-sized merchants who are not required to have on-site PCI compliance assessments. The new SAQ comes in four versions with questions tailored specifically for different categories of card acceptors.

17 Settlement: The process in which a merchant transmits batches of transactions to the acquirer. In interchange, it is the process by which acquirers and issuers exchange financial data resulting from sales transactions, cash advances, merchandise credits, etc. The process of sending a merchant's batch to the network for processing and payment. For nonbankcards, the issuer pays the merchant directly (less applicable fees) and then bills the cardholder. For bankcards, the acquirer pays the merchant (less applicable fees) with funds from Visa/MasterCard. The bankcard issuer then bills the cardholder for the amount of the sale. Settlement Currency: The currency in which a merchant receives funds after the completion of a foreign exchange conversion. Shopping Cart Software Providers: Shopping Cart Software Providers are software companies that either produce, utilize or resell Shopping Cart Applications (programs) that display merchandise and/or services, and take orders for merchants. SIC: Standard Industrial Code, a universal four digit code that designates a merchant's industry type. Similar to an MCC code. Signature Debit: A Visa Debit or Debit MasterCard transaction authorized by a cardholder's signature; to the casual observer it looks just like a credit card transaction. Skimming: requires the use of small swipe devices (called skimmers) to capture unsuspecting customers' credit and debit card numbers at ATMs and POS devices. Smart Card: A payment card with a built-in microprocessor (chip) that stores information. Smart cards can be used for stored value cards, credit cards, loyalty programs and security access. A credit type card that electronically stores account information in the card itself. Credit and debit cards featuring tiny silicon chips that contain information like account numbers and PINs that can be read only by compatible POS terminals. Sniffer: Malware used by hackers to intercept payment card data traveling through merchant or processor networks. Soft Decline: A declined authorization attempt that does not necessarily mean the card is bad (i.e., call referral, issuer unavailable or cardholder over limit). These transactions may be resubmitted a day or two later in an attempt to obtain a valid authorization. Split Dial: The capability of a card terminal to dial different telephone numbers to obtain an authorization or settlement of different card types. Sponsor Bank: A federally insured financial institution responsible for connecting merchants to Visa Inc. and MasterCard Worldwide authorization and settlement systems. Also called an acquiring bank, merchant bank or sponsor bank. Acquirers and merchants are the two signatories to merchant agreements. Acquirers can be thrifts, banks or credit unions. For example, First National Bank of Omaha is an acquirer and a bank. To sell bankcard services, it is necessary to have a signed agreement with an acquirer or be part of an ISO that is sponsored by an acquirer. Among other things, an acquirer deposits daily card totals to merchant accounts and debits monthly processing fees from those accounts. The acquiring bank must handle all funds, deposits and settlements with merchants. ISOs and other entities on the acquiring side of the bankcard business also refer to themselves informally as acquirers, as evidenced by several regional acquirers associations thriving throughout the United States, but strictly speaking, they are not acquirers. SSL: Secure sockets layer. Established industry standard that encrypts the channel between a web browser and web server to ensure the privacy and reliability of data transmitted over this channel. Stored Value Card: A stored value card is used by a merchant to issue spending credit to their customers. The merchant's customers are given a magnetic stripe card in exchange for money received, merchandise returned or other considerations. The card represents a dollar value that the merchant's customer can either use or give to another individual. There is no security associated with the card itself. The actual record of the balance on the card is maintained on a stored value card database. Structured Query Language (SQL) Injections: computer language slipped into web forms in order to provide access to financial accounts where information can be modified or deleted.

18 Submission: A file sent by the merchant that contains one or more transactions. Summary Adjustment: A correction to a deposit, made by the acquirer, when there is an error in the submitted deposit. Super ISO: A large, independent sales organization that supports multiple downstream ISOs and MLSs. Some super ISOs are also processors. Synchronous: Communication method that transmits continuously with no stops and start bytes between information bytes. Tamper Resistant Security Module: A payment acceptance device with built-in physical protection to prevent tampering, such as the placement of a skimming device on the module. T&E Cards: Cards that are developed for and used primarily in travel related services. T&E Merchant: An airline, car rental company or lodging establishment with a primary function of providing travel related services. TCSL Terminal Capture System: The process in which transactions are stored in the terminal until the batch is settled to the host. Most often used in restaurant applications where tip adjustments need to be made. TEL: An electronic debit from a consumer's bank account based on oral authorization by phone. A company can only initiate the telephone call when there is an existing relationship with the consumer. Telemarketing: Selling goods or services over the phone, for payment by credit card. Terminal: Equipment used to capture, transmit and store credit card transactions. A POS device, usually with a small display monitor and keyboard, connecting to the Visa and MasterCard payment network and/or to a proprietary network that authorizes payment card transactions and transmits card data to a receiving institution. Terminal Software: Programming that determines the characteristics and features of the terminal. Third-Party Processor: A Third Party Processor is an independent processor that is contracted with by a Bank or Processor to conduct some part of the transaction processing process. Some of these Third Party Processors specialize in running and hosting networks of Point Of Sale (POS) terminals connected to their Host via dial out modem; they produce the software in the POS terminals as well as in their host, and route authorization requests to Visa or MasterCard as needed (MAPP, MDI, FDR, for example). Other Third Party Processors specialize in the Settlement of credit card transactions with Visa and MasterCard so that merchants can be paid (FDR for example). In the world of Internet Credit Card Processing, the Secure Payment Gateway Provider is another type of Third Party Processor. TID: Terminal Identification Number, number identifying a merchant to the front-end network. Token: A token is an alias representing an individual transaction or customer account. Transactions that are tokenized get stored in secure data servers (or vaults) following settlement and are accessible using only the correct tokens. Tokenization: A process for protecting card information by which the data are replaced with an alpha-numeric substitute ("token") for their storage in a POS system. The token can be used to identify the purchaser for chargebacks or other post transaction issues but is useless if stolen. Track One: Track One information, stored on the magnetic stripe on the back of a card, has the cardholder's name in addition to the account number and expiration date stored in it. Track Two: Track Two information, stored on the magnetic stripe on the back of a card, has the account number and expiration date. Transaction: Any action between a cardholder and a merchant or member that results in activity on the account, such as a purchase, cash advance or credit.

19 Transaction Date: The actual date on which a transaction occurs. Transaction Fee: The amount a merchant pays per transaction for processing. Travel & Entertainment (T&E) Cards: Credit or charge card used by businesses for travel and entertainment expenses. Examples of these cards are American Express, Diners Club, Carte Blanche and JCB. Also see Corporate Cards. Valid Date: The date embossed on a payment card stating when the card may first be used. Value Added Reseller (VAR): Third party vendor that enhances or modifies existing hardware or software, adding value to the services provided by the processor or acquirer. VAR: Value Added Reseller, a third party that certifies their software to be used on a processor's system Virtual Terminal: A tool that allows merchants to manually process credit card transactions from any computer with an Internet connection. Visa USA: A member-owned national bankcard association, governed by a board of directors, which licenses members to issue cards and accept merchant drafts under the Visa Program. MasterCard owns and operates its own international processing network. Voice Authorization: Transactions authorized by a voice operator. Voice approved transactions must be "forced" into a terminal batch for settlement. WEB: An electronic debit from a consumer's bank account created during a secure Internet session between a company and consumer. Whaling: Phishers pose as trusted entities (such as banks or credit card companies) and, using and text messaging, con consumers (and increasingly businesses) into providing sensitive information, like user names and passwords, which are then used for fraudulent purposes. Zero Floor Limit: Requires that all transactions receive authorization