Terms and Definitions

Annual Report on Compliance (ROC): A PCI-approved, independent security assessor performs an annual on-site review of Level 1 Merchant documenting adherence to the Digital Dozen and resulting in a Report on Compliance. Report on Compliance from a Level 1 merchant’s internal auditor will be accepted provided that a letter signed by an executive-level officer of the merchant accompanies the report. Payment Card Industry-approved assessors can be found on the card association Web sites (see links below) or by contacting your relationship manager. The ROC is also required for Level 1 and Level 2 Third Parties.

Confirmation of ReportAccuracy (CORA):  Form signed by merchant submitted to their Visa acquirer with ROC or SAQ and Quarterly Scan results. 

Connected Entity:  DSE or MS that receives cardholder or transaction data from Processor or that receives cardholder or transaction data from cardholder or merchant on behalf of merchant. Also see “Merchant Connected Entity” and “Processor Connected Entity”. Processor Connected Entities are reported quarterly to Visa and member bank to ensure that member bank has registered the Connected Entity as DSE or MS. 

Data Storage: The temporary or permanent retention of account data in any form (including logs) for subsequent processing, retrieval, or other use.

Data Storage Entity (DSE): Any entity other than the acquiring member, merchant, or TPP that stores MasterCard account data on behalf of merchants, web hosting providers, and payment gateways. This may include terminal drivers and processors. Storage may be temporary or permanent and in any form (including logs).

Merchant Connected Entity:  DSE or MS that receives cardholder or transaction data from cardholder or merchant on behalf of merchant.  Also see “Connected Entity” and “Processor Connected Entity”.  Merchant Connected Entity must be PCI DSS compliant and registered by the member bank as DSE or MS.  Also, merchant must have agreement with Merchant Connected Entity regarding merchant ownership and security of transaction data.  See Card Acceptance Guide.

Merchant Servicer (MS): Visa Merchant Servicer includes non-members other than the merchant and processor that receive, pass, or store transaction data on their internal systems on behalf of the merchant. This includes third party servicers, Web hosting companies or shopping carts, and media back-up companies. Every member bank must register its merchant servicers with Visa USA.  Visa USA will bill its membership and annual renewal fee directly to the first member to register the merchant servicer, not each member using the MS.

Processor Connected Entity:  DSE or MS that receives cardholder or transaction data from Processor.  This includes payment gateways, loyalty vendors, risk vendors, and ISO/MSPs that receive files containing full cardholder account number.  Also see “Connected Entity” and “Merchant Connected Entity”.  Processor Connected Entities are reported quarterly to Visa and member bank to ensure that member bank has registered the Connected Entity as DSE, MS, and/or TPSP. 

Self-Assessment Questionnaire (SAQ): Compliance questionnaire required for Level 2 and Level 3 merchant (and Level 3 Third Parties) to determine adherence to the Digital Dozen on the basis of a self-assessment questionnaire.  Merchants (and Third Parties) must also undergo at least quarterly a System Perimeter Scan performed by a Payment Card Industry approved security assessor and a pen test.

System Perimeter Scan: A PCI-approved, independent security assessor performs a system perimeter scan at least quarterly. A system perimeter scan involves an automated tool that checks the merchant’s systems for vulnerabilities. This applies to merchants with external-facing Internet protocol (IP) addresses with internal systems that receive, pass, or store cardholder transaction data. Even if a merchant does not offer Web-based transactions, there are other services such as e-mail and employee Internet access that will result in the Internet-accessibility of a company’s network. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external facing IP addresses provided by the merchant. Required for Level 1, 2, and 3 Merchants (and Level 1, 2, and 3 Third Parties).

Third Party Processor (TPP): MasterCard Third Party Processor.  Processor  provides services to MasterCard member financial institutions and must be registered by each member.

Third Party Servicer (TPS): Visa Third Party Servicer includes non-members other than the merchant and processor that receive, pass, or store transaction data on their internal systems on behalf of the member, the merchant, or another Third Party. TPS includes merchant vendors, including Web hosting companies or shopping carts, and media back-up companies. These merchant vendors are classified as Merchant Servicers. Also includes Independent Sales Organizations (ISO), loyalty program vendors, risk management vendors, chargeback vendors, and credit bureaus that provide services to member financial institutions or their merchants. Every member bank must register its third party servicers with Visa USA. Visa USA will bill its membership and annual renewal fee directly to TPS, not the member(s).

VisaNet Processor (VNP): Processors, member financial institutions, or merchants directly connected to Visa’s proprietary network for transaction authorization. Non-member processor VisaNet registration and member financial institution processor designation is required by Visa.