AOC - Attestation of Compliance 

A report prepared by a PCI

Cardholder Data

refers to displaying or printing more than the last four (4) digits of a customer's sixteen (16) digit credit or debit card number. 

CVV  Card Verification Value Code (a.k.a CVV2)

This is a three (3) digit number on the back of a credit card. In the case of American Express, this is a four (4) digit code on the front of the credit card.

DSS (Data Security Standards)

The credit or debit card data security standards are established by the PCI Council.  Merchants at The Ohio State University must refer to the current and applicable provisions of the DSS.

IP Address

Internet Protocol Address is a unique number used to represent every computer in a network.  The format of an IP Address is four sets of numbers separated by dots (e.g.


A merchant is a department, entity, or affiliate that accepts cardholder payments using the University's merchant processor(s).  An OSU merchant is assigned a merchant account number by the Office of Financial Services. 

PCI  Software

PCI software is installed on an OSU computer and determined by the credit card industry to follow the industry's best practices for securing credit card information.  This includes customized, pre-installed, and "off-the-shelf" software and wireless devices.  The following link provides a complete list of PCI approved Payment is external)

PAN (Primary Account Number)

The 16 digit card number.

PED (Pin Entry Device)

Terminal that allows entry of a customer's Personal Identification Number.

PIN (Personal Identification Number)

Personal number used in debit card transactions.

PCI Council (Payment Card Industry)

Visa, MasterCard, American Express, and Discover, has formed a Council to establish Data Security Standards (DSS) for the industry.  Please see the following link for their website.

Payment Gateway

A payment gateway is a type of service provider that transmits, processes, or stores credit cardholder data as part of a payment transaction.  They facilitate payment transactions such as authorizations and settlement between merchants or processors, also called endpoints.  Merchants may send transactions directly to an endpoint or indirectly using a payment gateway.

Sensitive Authentication Data

Refers to the three (3) or four (4) digit validation code, CVV2, on the front or back of a card and PIN number, personal identification numbers.  PCI does not permit this data to be stored even if it is protected according to the PCI Data Security Standards. 

Service Provider

A vendor that provides access to the Internet and to applications to facilitate the transfer and/or storage of credit card information.  The following link provides a complete list of PCI Compliant Service Providers.  (Please note, this list is maintained on Visa's website.)