Payment Security Glossary

Plain-English definitions of key terms in payment security, PCI compliance, and secure telephone payments.

PCI Compliance

PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements designed to protect cardholder data wherever it is stored, processed, or transmitted. Any organisation that accepts, processes, or handles card payments must comply with PCI DSS.

PCI DSS Compliance

PCI DSS compliance means that an organisation meets all applicable requirements of the Payment Card Industry Data Security Standard for protecting cardholder data. Achieving compliance involves assessing your environment, implementing required security controls, and validating compliance through the appropriate method for your merchant level.

PCI DSS Levels

PCI DSS levels are four categories that classify merchants based on the number of card transactions they process each year. Level 1 is the highest, covering merchants that process over 6 million transactions annually, while Level 4 covers those processing fewer than 20,000. Each level has different compliance validation requirements.

SAQ (Self-Assessment Questionnaire)

A Self-Assessment Questionnaire (SAQ) is a form that businesses fill out to demonstrate their compliance with PCI DSS requirements. The SAQ type you need depends on how you accept card payments, with simpler questionnaires available when card data never enters your environment.

Attestation of Compliance

An Attestation of Compliance (AOC) is the formal document that certifies a business meets PCI DSS requirements. It is submitted alongside a Self-Assessment Questionnaire or audit report and serves as official proof of compliance to acquiring banks and payment brands.

Payment Security

DTMF Masking

DTMF masking is a security technology that suppresses or replaces the dual-tone multi-frequency sounds made when a caller enters card details on their phone keypad. This prevents call centre agents and call recordings from capturing sensitive payment data. It is a cornerstone of secure telephone payment processing and PCI DSS compliance.

Tokenization

Tokenization is a security technique that replaces sensitive card data — such as the full card number — with a unique, randomly generated string called a token. The token has no exploitable value if stolen, because it cannot be reversed to reveal the original card details.

CVV / CVC / CV2

CVV (Card Verification Value), CVC (Card Verification Code), and CV2 (Card Verification Value 2) are different names for the same thing: the three-digit security code printed on the back of most debit and credit cards. This code provides an additional layer of verification for card-not-present transactions, helping to confirm that the person making the payment has the physical card in their possession.

Card Security Code

A card security code is a short numeric code printed on a payment card that is used to verify card-not-present transactions. It is most commonly three digits on the back of the card (for Visa and Mastercard) or four digits on the front (for American Express). The code is also known as CVV, CVC, or CV2 depending on the card network.

3D Secure / SCA

3D Secure (3DS) is an additional authentication step for online and card-not-present payments, where the cardholder verifies their identity — typically via a one-time passcode, biometric or banking app prompt. Strong Customer Authentication (SCA) is the regulatory requirement under PSD2 that makes this type of verification mandatory for most electronic payments in the UK and Europe.

PAN (Primary Account Number)

The PAN (Primary Account Number) is the long number embossed or printed on the front or back of a payment card — typically 16 digits for Visa and Mastercard. It uniquely identifies the cardholder's account and is the most sensitive piece of data involved in a card payment.
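Tokenization and the PAN are easiest to understand side by side. The following is an added example, not code from the original page or from Paytia: a hypothetical in-memory token vault that swaps a PAN for a random token, PCI-style display masking that keeps only the first six and last four digits, and a Luhn check on the PAN. The PANs are the well-known test numbers, constructed for the example, and the function and class names (`luhn_valid`, `mask_pan`, `TokenVault`, `build_agent_record`) are the example's own.

```python
import secrets
from typing import Dict, Optional

# Constructed sample PANs: standard test numbers, not real accounts
SAMPLE_PANS = {
    "visa": "4111111111111111",
    "mastercard": "5555555555554444",
    "amex": "378282246310005",
}


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test.

    PANs on the major card networks carry a Luhn check digit, so this
    catches mistyped numbers before they are sent for authorisation.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: keep at most the first six and last four digits.

    PCI DSS allows the BIN (first six) and last four to be shown when a
    PAN must be displayed; everything in between is replaced.
    """
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical tokenization vault (real vaults are hardened, audited services).

    The token is random, so nothing about the PAN can be computed from it.
    The only way back to the PAN is this mapping, which is why the vault,
    not the merchant's CRM or call recordings, is what must be protected.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize a PAN that fails the Luhn check")
        # Same PAN always yields the same token so repeat customers can be matched
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # 96 random bits make collisions astronomically unlikely, but check anyway
        token = "tok_" + secrets.token_hex(12)
        while token in self._token_to_pan:
            token = "tok_" + secrets.token_hex(12)
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Recover the PAN; only the vault can do this. Unknown tokens give None."""
        return self._token_to_pan.get(token)


def build_agent_record(vault: TokenVault, pan: str, cvv: str) -> Dict[str, str]:
    """What a call-centre system may keep after a payment: a token and a masked PAN.

    The full PAN is exchanged for a token and the CVV is deliberately dropped,
    because PCI DSS forbids storing the security code after authorisation.
    """
    del cvv  # used for authorisation only, never stored
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "last4": pan[-4:],
    }


if __name__ == "__main__":
    vault = TokenVault()
    for network, pan in SAMPLE_PANS.items():
        record = build_agent_record(vault, pan, cvv="123")
        print(network, record, "->", vault.detokenize(record["token"]))
```

The point the definitions make shows up in `build_agent_record`: everything the agent-facing system retains is either the masked PAN or a token that is useless without the vault, while the security code never lands in storage at all.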

Payment Methods

Card Not Present (CNP)

A card-not-present (CNP) transaction is any payment where the physical card is not presented to the merchant at the point of sale. This includes payments made over the phone, online, by post, or through a mobile app. CNP transactions carry higher fraud risk than in-person payments because the merchant cannot physically verify the card or cardholder.

Virtual Terminal

A virtual terminal is a software application, typically accessed through a web browser, that allows merchants to process card payments without a physical card terminal. Agents enter the customer's card details into an on-screen form to process the transaction. Virtual terminals are commonly used in call centres, back offices, and any setting where payments are taken remotely. They are classified as card-not-present (CNP) payment channels and carry specific PCI DSS compliance obligations depending on how the card data is captured and transmitted.

IVR Payment

An IVR payment is an automated telephone payment where a customer enters their card details using their phone keypad, guided by a pre-recorded Interactive Voice Response system. No human agent is involved in the transaction, which reduces costs and improves security because no agent ever hears or sees the card details.

Pay by Link

Pay by link is a payment method where a business sends a customer a secure URL to complete a payment. The customer clicks the link, enters their card details on a hosted payment page, and the transaction is processed without the business needing to handle card data directly.

Open Banking

Open banking is a UK and EU regulatory framework that allows authorised third-party providers to access bank account data and initiate payments with the account holder's consent. It enables faster, cheaper bank-to-bank payments without the need for card networks.
