Acquiring bank (or payment acquirer): A financial institution that processes payment card transactions for merchants. It is defined by a payment brand as an acquirer.
Cardholder data: Any personal data that allows a cardholder to be easily identified: account number, expiry date, name, address, etc.
Merchant: refers to a University of Ottawa department or operating area that has applied for, and been approved to accept, credit/debit card payments for goods and/or services by uOttawa’s Financial Resources section. A merchant is assigned a specific merchant account (MID), which is used to process all credit/debit card transactions via a uOttawa-approved payment card processor.
Merchant ID responsible person: a uOttawa employee responsible for requesting a new merchant account. This person is also responsible for ensuring that the systems and people handling cardholder data (CHD) comply with PCI DSS.
Payment card: refers to any payment card/device that bears the logo of one of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc. The uOttawa campus card, which is issued by uOttawa Card Services, is exempt from the PCI DSS.
Payment card processor: Entity engaged by a merchant to handle payment card transactions on its behalf; it may also be known as a “payment gateway”. Payment processors are not considered acquirers.
PCI DSS: Payment Card Industry Data Security Standard
PCI DSS Committee: Cross-organizational governance body that ensures that the University remains compliant with the Payment Card Industry Data Security Standard (PCI DSS).
PCI Security Standards Council (PCI SSC): Organization responsible for establishing norms aimed at protecting users’ credit card data.
PCO (PCI DSS Compliance Office): University office operated by Financial Resources that oversees and administers the PCI compliance process at uOttawa. This process includes initiating and overseeing an annual PCI DSS self-assessment for each merchant, and coordinating any remediation activities as required by the PCI DSS or other applicable policies and procedures.
POS (Point-of-sale) terminal: A terminal used in a store instead of a cash register for customer checkout that may also be used to record inventory data, transfer funds and check credit.
POS employee: Any employee handling and interacting with a POS terminal.
QSA (Qualified Security Assessor): Professional who assists companies in identifying gaps in their cybersecurity and in their cybersecurity awareness training. These individuals are employed by QSA companies, which are independent security organizations that have been authorized by the PCI Security Standards Council to verify a company’s adherence to the Payment Card Industry Data Security Standard (PCI DSS).
SAQ (Self-Assessment Questionnaire): Validation tool used by eligible organizations or merchants to self-assess their PCI DSS compliance.
Service provider: Service providers include payment processors, payment gateways, managed POS providers, and companies that come into direct contact with card data in the payment process.