Acquirer (or processor)

The financial institution that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. The University of Washington is transitioning from Elavon to Fiserv as our Payment Acquirer.

Attestation of Compliance (AOC)

The Attestation of Compliance is a form for merchants and service providers to attest to the results of a PCI DSS assessment.

Breach (data breach)

A data breach is any security incident in which unauthorized parties gain access to sensitive or confidential information, including personal data (Social Security numbers, credit card numbers, healthcare data) or corporate data (customer data records, intellectual property, financial information).

Card Skimmer

A device designed to illegitimately capture and/or store the information from a payment card.

Cardholder Data

The full primary account number. The cardholder name, expiration date, and/or service code are also considered cardholder data when stored along with the primary account number.

Cardholder Data Environment (CDE)

The people, processes, and technology that store, process or transmit cardholder data or sensitive authentication data.


Chargeback

A chargeback is a forced transaction reversal in response to a claim of fraud or transaction dispute made by the cardholder. It is the responsibility of the Merchant to investigate the chargeback and confirm whether the chargeback is valid or not.


Unauthorized disclosure or theft, modification, or destruction of cardholder data.

Convenience fees

Convenience fees are fees for the use of an alternative payment channel. In other words, if you take face-to-face payments, you can charge a convenience fee for payments you offer online, by mail and/or by phone. A great example of a convenience fee is a movie theatre ticket. If you buy a ticket in person, there is no fee. If you buy online or via a phone app, there is usually a charge. This charge is a set fee; per Visa's rules, it cannot be a percentage. The fee must be properly disclosed and cannot be used for recurring payments.

Doing Business As (DBA)

The operating name of a company, as opposed to the legal name of the company. Washington state law requires all businesses to file a DBA when they are using a name other than their legal name (the name used to form the business).


EMV

"Europay, Mastercard, and Visa" – Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards.


Authorizes credit card processing for e-commerce transactions.


An entity that issues the payment cards.


Any office, unit, department, or organization at the University that accepts payment cards as a form of payment for goods and/or services. This includes temporary, seasonal, or one-time events.

Merchant Identification Number (MID)

The account number assigned to University merchants associated with processing credit card payments.

Payment Application

A software application that stores, processes or transmits cardholder data.

Payment Cards

Any credit card, debit card, or pre-paid card with a brand logo on it, such as VISA, MasterCard, American Express, Discover, JCB International, etc.

Payment Card Industry Data Security Standard (PCI DSS)

The security standard established by the major card brands (Mastercard, Visa, American Express, etc.).

Qualified Security Assessor (QSA)

Qualified Security Assessor companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements. The University of Washington has contracted with Campus Guard as our QSA.

Report on Compliance (ROC)

The formal document the QSA fills out as a result of the annual assessment. It is very detailed and considered confidential.


SAFE-T

SAFE-T is Elavon’s Point-to-Point Encryption solution (P2PE). P2PE encrypts the card number at the device, vastly reducing the overall risk landscape for the University and making it far easier to attest to PCI DSS.

Self Assessment Questionnaire (SAQ)

Reporting tool used to document self-assessment results from a PCI DSS assessment.

Sensitive Authentication Data

Security-related information that is used to authenticate cardholders and/or authorize payments. This information can include card validation codes/values, full track data, and PINs.

Service Fees

The service fee program is a special program restricted to government and education. Education payments must be tuition, tuition-related, and/or room and board. You must be registered in the Visa Service Program to charge the service fee, and a separate merchant ID is required for the collection of said fees. These service fees can be charged in person as well as online or by mail order/telephone.

Service Provider

A business entity (not a payment brand) directly involved in the processing, storing, or transmission of cardholder data on behalf of another entity.


Surcharges

Surcharges only apply to credit cards (no debit). Visa, MasterCard, and our merchant processor must be notified 30 days prior to beginning the surcharge. A surcharge must be disclosed (true for all fee types) and listed on the receipt. The amount is limited to the merchant discount rate and cannot exceed 4%. Certain states and banks do not allow surcharging, although Washington currently does.