Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS)
Glossary of Terms, Abbreviations, and Acronyms
Version 3.2, April 2016

AAA: Acronym for “authentication, authorization, and accounting.” Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user’s consumption of network resources.

Access Control: Mechanisms that limit availability of information or information-processing resources only to authorized persons or applications.

Account Data: Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.

Account Number: See Primary Account Number (PAN).

Acquirer: Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.

Administrative Access: Elevated or increased privileges granted to an account in order for that account to manage systems, networks and/or applications. Administrative access can be assigned to an individual’s account or a built-in system account. Accounts with administrative access are often referred to as “superuser,” “root,” “administrator,” “admin,” “sysadmin” or “supervisor state,” depending on the particular operating system and organizational structure.

Adware: Type of malicious software that, when installed, forces a computer to automatically display or download advertisements.

AES: Abbreviation for “Advanced Encryption Standard.” Block cipher used in symmetric key cryptography adopted by NIST in November 2001 as U.S. FIPS PUB 197 (or “FIPS 197”). See Strong Cryptography.

ANSI: Acronym for “American National Standards Institute.” Private, non-profit organization that administers and coordinates the U.S. voluntary standardization and conformity assessment system.

Anti-Virus: Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called “malware”) including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.

AOC: Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

AOV: Acronym for “attestation of validation.” The AOV is a form for PA-QSAs to attest to the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.

Application: Includes all purchased and custom software programs or groups of programs, including both internal and external (for example, web) applications.

PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms v3.2. 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016. Page 2

ASV: Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.

Audit Log: Also referred to as “audit trail.” Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.

Audit Trail: See Audit Log.

Authentication: Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric

Authentication Credentials: Combination of the user ID or account ID plus the authentication factor(s) used to authenticate an individual, device, or process.

Authorization: In the context of access control, authorization is the granting of access or other rights to a user, program, or process. Authorization defines what an individual or program can do after successful authentication. In the context of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.

Backup: Duplicate copy of data made for archiving purposes or for protecting against damage or loss.

BAU: An acronym for “business as usual.” BAU is an organization’s normal daily business operations.

Bluetooth: Wireless protocol using short-range communications technology to facilitate transmission of data over short distances.

Buffer Overflow: Vulnerability that is created from insecure coding methods, where a program overruns the buffer’s boundary and writes data to adjacent memory space. Buffer overflows are used by attackers to gain unauthorized access to systems or data.

Card Skimmer: A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.

Card Verification Code or Value: Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features.
(1) Data element on a card’s magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
- CAV – Card Authentication Value (JCB payment cards)
- CVC – Card Validation Code (MasterCard payment cards)
- CVV – Card Verification Value (Visa and Discover payment cards)
- CSC – Card Security Code (American Express)
(2) For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit unembossed number printed above the PAN on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following list provides the terms for each card brand:
- CID – Card Identification Number (American Express and Discover payment cards)
- CAV2 – Card Authentication Value 2 (JCB payment cards)
- CVC2 – Card Validation Code 2 (MasterCard payment cards)
- CVV2 – Card Verification Value 2 (Visa payment cards)

Cardholder: Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card.

Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

CDE: Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

Cellular Technologies: Mobile communications through wireless telephone networks, including but not limited to Global System for Mobile communications (GSM), code division multiple access (CDMA), and General Packet Radio Service (GPRS).

CERT: Acronym for Carnegie Mellon University’s “Computer Emergency Response Team.” The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.

Change Control: Processes and procedures to review, test, and approve changes to systems and software for impact before implementation.

CIS: Acronym for “Center for Internet Security.” Non-profit enterprise with mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.

Column-Level Database Encryption: Technique or technology (either software or hardware) for encrypting contents of a specific column in a database versus the full contents of the entire database. Alternatively, see Disk Encryption or File-Level Encryption.

Compensating Controls: Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
(1) Meet the intent and rigor of the original PCI DSS requirement;
(2) Provide a similar level of defense as the original PCI DSS requirement;
(3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
(4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
See “Compensating Controls” Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.

Compromise: Also referred to as “data compromise,” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.

Console: Screen and keyboard which permits access and control of a server, mainframe computer or other system type in a networked environment.

Consumer: Individual purchasing goods, services, or both.

Critical systems / critical technologies: A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained. Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. Considerations for determining which specific systems and technologies are critical will depend on an organization’s environment and risk-assessment strategy.

Cross-Site Request Forgery (CSRF): Vulnerability that is created from insecure coding methods that allows for the execution of unwanted actions through an authenticated session (the victim’s browser is made to send a request that the application accepts as the victim’s own). Often used in conjunction with XSS and/or SQL injection.

Cross-Site Scripting (XSS): Vulnerability that is created from insecure coding techniques, resulting in improper input validation and output encoding, so that attacker-supplied script is returned in a page and executes in other users’ browsers. Often used in conjunction with CSRF and/or SQL injection.

Cryptographic Key: A value that determines the output of an encryption algorithm when transforming plain text to ciphertext. The length of the key generally determines how difficult it will be to decrypt the ciphertext in a given message. See Strong Cryptography.

Cryptographic Key Generation: Key generation is one of the functions within key management. The following documents provide recognized guidance on proper key generation:
- NIST Special Publication 800-133: Recommendation for Cryptographic Key Generation
- ISO 11568-2 Financial services — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle
  o 4.3 Key generation
- ISO 11568-4 Financial services — Key management (retail) — Part 4: Asymmetric cryptosystems — Key management and life cycle
  o 6.2 Key life cycle stages — Generation
- European Payments Council EPC 342-08 Guidelines on Algorithms Usage and Key Management
  o 6.1.1 Key generation [for symmetric algorithms]
  o 6.2.1 Key generation [for asymmetric algorithms]

Cryptographic Key Management: The set of processes and mechanisms which support cryptographic key establishment and maintenance, including replacing older keys with new keys as necessary.

Cryptography: Discipline of mathematics and computer science concerned with information security, particularly encryption and authentication. In applications and network security, it is a tool for access control, information confidentiality, and integrity.

Cryptoperiod: The time span during which a specific cryptographic key can be used for its defined purpose based on, for example, a defined period of time and/or the amount of cipher-text that has been produced, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).

CVSS: Acronym for “Common Vulnerability Scoring System.” A vendor-agnostic, industry open standard designed to convey the severity of computer system security vulnerabilities and help determine urgency and priority of response. Refer to the ASV Program Guide for more information.

Data-Flow Diagram: A diagram showing how data flows through an application, system, or network.

Database: Structured format for organizing and maintaining easily retrievable information. Simple database examples are tables and spreadsheets.

Database Administrator: Also referred to as “DBA.” Individual responsible for managing and administering databases.

Default Accounts: Login account predefined in a system, application, or device to permit initial access when the system is first put into service. Additional default accounts may also be generated by the system as part of the installation process.

Default Password: Password on system administration, user, or service accounts predefined in a system, application, or device; usually associated with a default account. Default accounts and passwords are published and well known, and therefore easily guessed.

Degaussing: Also called “disk degaussing.” Process or technique that demagnetizes the disk such that all data stored on the disk is permanently destroyed.

Dependency: In the context of PA-DSS, a dependency is a specific software or hardware component (such as a hardware terminal, database, operating system, API, code library, etc.) that is necessary for the payment application to meet PA-DSS requirements.

Disk Encryption: Technique or technology (either software or hardware) for encrypting all stored data on a device (for example, a hard disk or flash drive). Alternatively, File-Level Encryption or Column-Level Database Encryption is used to encrypt contents of specific files or columns.

DMZ: Abbreviation for “demilitarized zone.” Physical or logical sub-network that provides an additional layer of security to an organization’s internal private network. The DMZ adds an additional layer of network security between the Internet and an organization’s internal network so that external parties only have direct connections to devices in the DMZ rather than the entire internal network.

DNS: Acronym for “domain name system” or “domain name server.” A system that stores information associated with domain names in a distributed database to provide name-resolution services to users on networks such as the Internet.

DSS: Acronym for “Data Security Standard.” See PA-DSS and PCI DSS.

Dual Control: Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge.)

Dynamic Packet Filtering: See Stateful Inspection.

ECC: Acronym for “Elliptic Curve Cryptography.” Approach to public-key cryptography based on elliptic curves over finite fields. See Strong Cryptography.

Egress Filtering: Method of filtering outbound network traffic such that only explicitly allowed traffic is permitted to leave the network.
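The Dual Control entry above says the knowledge of a key must be divided among custodians. The usual way to do that for a symmetric key is XOR key components, shown here as an added example (this is editorial illustration, not code or text from the PCI SSC glossary). Each custodian receives one uniformly random component; the key is recoverable only when every component is combined. The custodian count, the 16-byte test key and the six-hex-digit check value format are assumptions of this example.

```python
"""XOR key components: a split-knowledge scheme for a symmetric key.

Added example, not text or code from the PCI SSC glossary. It illustrates
the Dual Control entry (and the Split Knowledge entry it refers to): the
clear key is never handled by one person. It is split into n components,
each held by a different custodian; every component is a uniformly random
value, so any n-1 of them together reveal nothing about the key. Only when
all custodians present their components at a loading ceremony does the key
exist again. The custodian count, the test key and the check-value format
below are constructed for the example.
"""
import hashlib
import secrets
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("component lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_custodians: int) -> List[bytes]:
    """Return n_custodians components whose XOR equals key.

    Components 1..n-1 are fresh random values from the OS CSPRNG; the last
    one is key XOR (all the others), which is also uniformly distributed.
    This is an n-of-n scheme: every component is required, so a lost
    component means the key must be regenerated rather than recovered.
    """
    if n_custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n_custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components: List[bytes]) -> bytes:
    """Reconstruct the key from all components (XOR is associative)."""
    if len(components) < 2:
        raise ValueError("need components from at least two custodians")
    key = components[0]
    for c in components[1:]:
        key = xor_bytes(key, c)
    return key


def key_check_value(key: bytes) -> str:
    """Non-secret fingerprint custodians compare after the key is loaded.

    Payment HSMs usually derive a KCV by encrypting a zero block with the
    key; a truncated SHA-256 is the simplified stand-in used here (an
    assumption of this example, not a standard format). Six hex digits catch
    a mistyped component without exposing the key.
    """
    return hashlib.sha256(key).hexdigest()[:6]


def ceremony_ok(key: bytes, n_custodians: int) -> bool:
    """Simulate a loading ceremony: split, hand out, recombine, verify.

    Also shows that with one custodian absent the remaining components
    combine to an unrelated random value, not to something close to the key.
    """
    components = split_key(key, n_custodians)
    partial = components[0] if n_custodians == 2 else combine_key(components[:-1])
    reconstructed = combine_key(components)
    return (
        reconstructed == key
        and key_check_value(reconstructed) == key_check_value(key)
        and partial != key
    )
```

Run `ceremony_ok(bytes.fromhex("0123456789abcdeffedcba9876543210"), 3)` to walk through a three-custodian ceremony. Note that this is an all-or-nothing split; if the policy needs any two of three custodians to suffice, a threshold scheme (Shamir secret sharing) is required instead, and the glossary’s “dividing knowledge” wording covers either.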

Encryption: Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure. See Strong Cryptography.

Encryption Algorithm: Also called “cryptographic algorithm.” A sequence of mathematical instructions used for transforming unencrypted text or data to encrypted text or data, and back again. See Strong Cryptography.

Entity: Term used to represent the corporation, organization or business which is undergoing a PCI DSS review.

File Integrity Monitoring: Technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel.

File-Level Encryption: Technique or technology (either software or hardware) for encrypting the full contents of specific files. Alternatively, see Disk Encryption or Column-Level Database Encryption.

FIPS: Acronym for “Federal Information Processing Standards.” Standards that are publicly recognized by the U.S. Federal Government; also for use by non-government agencies and contractors.

Firewall: Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.

Forensics: Also referred to as “computer forensics.” As it relates to information security, the application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.

FTP: Acronym for “File Transfer Protocol.” Network protocol used to transfer data from one computer to another through a public network such as the Internet. FTP is widely viewed as an insecure protocol because passwords and file contents are sent unprotected and in clear text. FTP can be implemented securely via SSH or other technology. See S-FTP.

GPRS: Acronym for “General Packet Radio Service.” Mobile data service available to users of GSM mobile phones. Recognized for efficient use of limited bandwidth. Particularly suited for sending and receiving small bursts of data, such as e-mail and web browsing.

GSM: Acronym for “Global System for Mobile Communications.” Popular standard for mobile phones and networks. Ubiquity of the GSM standard makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world.
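The File Integrity Monitoring entry above describes the technique in one sentence; the following added example (editorial illustration, not code from the PCI SSC or any FIM product) shows the mechanism end to end: take a baseline of SHA-256 digests over a set of critical files, then compare a later snapshot and classify every difference as modified, added or removed, which is exactly the alert payload a FIM tool sends. The directory layout, file names and contents are constructed in a temporary directory for the example.

```python
"""Minimal file-integrity monitor: baseline, re-scan, classify changes.

Added example, not code from the PCI SSC glossary or any FIM product. It
illustrates the File Integrity Monitoring entry. A real deployment stores
the baseline off-host (or signs it), runs as an account the monitored
processes cannot write to, and feeds the alerts to the SIEM; those parts are
out of scope here. All files and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest."""
    snapshot: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snapshot[p.relative_to(root).as_posix()] = file_digest(p)
    return snapshot


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots into three alert classes."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def format_alerts(diff: Dict[str, List[str]]) -> List[str]:
    """One alert line per change, in the order the classes appear in compare()."""
    return [f"FIM ALERT {kind}: {path}" for kind, paths in diff.items() for path in paths]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: weaken a config, plant a binary, erase a log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "log").mkdir()
        (root / "etc" / "pos.conf").write_text("tls=required\n")
        (root / "log" / "audit.log").write_text("2016-04-01 login admin ok\n")
        (root / "bin_pos").write_bytes(b"\x7fELF constructed sample")
        before = baseline(root)

        # Changes an intruder might make between two scans.
        (root / "etc" / "pos.conf").write_text("tls=optional\n")
        (root / "bin_helper").write_bytes(b"\x7fELF planted sample")
        (root / "log" / "audit.log").unlink()
        after = baseline(root)
        return compare(before, after)
```

`demo()` returns the three classified lists; `format_alerts(demo())` turns them into the alert lines. Scanning by content digest rather than by modification time is deliberate: an attacker who can write the file can also reset its timestamp, but cannot make a changed file keep its SHA-256.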

Hashing: Process of rendering cardholder data unreadable by converting data into a fixed-length message digest. Hashing is a one-way (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output (usually called a “hash code” or “message digest”). A hash function should have the following properties:
(1) It is computationally infeasible to determine the original input given only the hash code,
(2) It is computationally infeasible to find two inputs that give the same hash code.
In the context of PCI DSS, hashing must be applied to the entire PAN for the hash code to be considered rendered unreadable. It is recommended that hashed cardholder data include an input variable (for example, a “salt”) to the hashing function to reduce or defeat the effectiveness of pre-computed rainbow table attacks (see Input Variable). Note that a salt stored alongside the hash only defeats precomputation: a PAN has few unknown digits once its BIN and last four are known, so an unkeyed hash of a PAN can still be brute-forced by enumerating candidates, and only a hash computed with a secret key (for example, an HMAC) resists an attacker who obtains the hashes.
For further guidance, refer to industry standards, such as current versions of NIST Special Publications 800-107 and 800-106, Federal Information Processing Standard (FIPS) 180-4 Secure Hash Standard (SHS), and FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.

Host: Main computer hardware on which computer software is resident.

Hosting Provider: Offers various services to merchants and other service providers. Services range from simple to complex; from shared space on a server to a whole range of “shopping cart” options; from payment applications to connections to payment gateways and processors; and for hosting dedicated to just one customer per server. A hosting provider may be a shared hosting provider, who hosts multiple entities on a single server.

HSM: Acronym for “hardware security module” or “host security module.” A physically and logically protected hardware device that provides a secure set of cryptographic services, used for cryptographic key-management functions and/or the decryption of account data.

HTTP: Acronym for “hypertext transfer protocol.” Open internet protocol to transfer or convey information on the World Wide Web.

HTTPS: Acronym for “hypertext transfer protocol over secure socket layer.” Secure HTTP that provides authentication and encrypted communication on the World Wide Web, designed for security-sensitive communication such as web-based logins. In current deployments the secure layer is TLS, the successor to SSL; SSL and early TLS are no longer considered strong cryptography.

Hypervisor: Software or firmware responsible for hosting and managing virtual machines. For the purposes of PCI DSS, the hypervisor system component also includes the virtual machine monitor (VMM).

ID: Identifier for a particular user or application.
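The Hashing entry above recommends a salt against rainbow tables. The following added example (editorial illustration, not code from the PCI SSC glossary) shows why that is necessary but not sufficient for a PAN: with the BIN and last four known, as they are whenever a masked PAN is displayed beside its hash, a 16-digit PAN has six unknown digits and the Luhn check digit fixes one of them, leaving 100,000 candidates. The code recovers the PAN from an unsalted SHA-256 and from a salted SHA-256 whose salt is stored with the hash, and fails against an HMAC whose key it does not hold. The PAN 4111111111111111 is the widely published Visa test number; the salt and key are constructed for the example.

```python
"""Why an unkeyed hash of a PAN is reversible, and what fixes it.

Added example, not text or code from the PCI SSC glossary. It illustrates
the Hashing entry (and the Input Variable entry it references). The test
PAN is the public Visa test number; salt and key are constructed here.
"""
import hashlib
import hmac
from typing import Callable, Iterator, Optional

PAN_LENGTH = 16


def luhn_weight(digit: int, doubled: bool) -> int:
    """Luhn contribution of one digit; doubling folds 10..18 back to 1..9."""
    if doubled:
        digit *= 2
        if digit > 9:
            digit -= 9
    return digit


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: every second digit from the right is doubled."""
    n = len(pan)
    total = sum(luhn_weight(int(c), (n - 1 - i) % 2 == 1) for i, c in enumerate(pan))
    return total % 10 == 0


def luhn_candidates(first6: str, last4: str, length: int = PAN_LENGTH) -> Iterator[str]:
    """Yield every Luhn-valid PAN of `length` digits with this prefix and suffix.

    All unknown middle digits except the first are enumerated; the first
    (index 6) is solved from the Luhn sum, because the per-digit weight is a
    bijection on 0..9 modulo 10. That yields 10**(length-11) candidates.
    """
    free = length - 11
    solved_idx = 6
    fixed = sum(luhn_weight(int(c), (length - 1 - i) % 2 == 1) for i, c in enumerate(first6))
    fixed += sum(
        luhn_weight(int(c), (length - 1 - (length - 4 + i)) % 2 == 1) for i, c in enumerate(last4)
    )
    solved_doubled = (length - 1 - solved_idx) % 2 == 1
    for k in range(10 ** free):
        mid = f"{k:0{free}d}"
        total = fixed + sum(
            luhn_weight(int(c), (length - 1 - (solved_idx + 1 + i)) % 2 == 1)
            for i, c in enumerate(mid)
        )
        for d in range(10):
            if (total + luhn_weight(d, solved_doubled)) % 10 == 0:
                yield first6 + str(d) + mid + last4
                break


def unsalted_hash(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest()


def salted_hash(pan: str, salt: bytes) -> str:
    """Salt stored next to the hash: stops rainbow tables, not enumeration."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key that lives only in the HSM or key store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(target: str, first6: str, last4: str,
                hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's enumeration: hash each candidate until one matches the target."""
    for candidate in luhn_candidates(first6, last4):
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


def demo() -> dict:
    pan = "4111111111111111"                  # public Visa test PAN, Luhn-valid
    first6, last4 = pan[:6], pan[-4:]         # what a masked PAN reveals
    salt = b"constructed-public-salt"         # assumed stored beside the hash
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed secret
    return {
        "unsalted": recover_pan(unsalted_hash(pan), first6, last4, unsalted_hash) == pan,
        "salted_with_known_salt": recover_pan(
            salted_hash(pan, salt), first6, last4, lambda p: salted_hash(p, salt)) == pan,
        # The attacker lacks `key`, so the best they can do is hash without it.
        "keyed_without_key": recover_pan(keyed_hash(pan, key), first6, last4, unsalted_hash),
    }
```

`demo()` returns `True` for the two unkeyed cases and `None` for the keyed one. The enumeration takes well under a second in pure Python for 16-digit PANs, which is the practical meaning of “computationally infeasible” failing when the input space, not the hash, is the weak point.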

IDS: Acronym for “intrusion-detection system.” Software or hardware used to identify and alert on network or system anomalies or intrusion attempts. Composed of: sensors that generate security events; a console to monitor events and alerts and control the sensors; and a central engine that records events logged by the sensors in a database. Uses a system of rules to generate alerts in response to detected security events. See IPS.

IETF: Acronym for “Internet Engineering Task Force.” Large, open international community of network designers, operators, vendors, and researchers concerned with evolution of Internet architecture and smooth operation of the Internet. The IETF has no formal membership and is open to any interested individual.

IMAP: Acronym for “Internet Message Access Protocol.” An application-layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server.

Index Token: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.

Information Security: Protection of information to ensure confidentiality, integrity, and availability.

Information System: Discrete set of structured data resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Ingress Filtering: Method of filtering inbound network traffic such that only explicitly allowed traffic is permitted to enter the network.

Injection Flaws: Vulnerability that is created from insecure coding techniques resulting in improper input validation, which allows attackers to relay malicious code through a web application to the underlying system (the interpreter treats attacker-supplied data as part of the command). This class of vulnerabilities includes SQL injection, LDAP injection, and XPath injection.

Input Variable: Random data string that is concatenated with source data before a one-way hash function is applied. Input variables can help reduce the effectiveness of rainbow table attacks. See also Hashing and Rainbow Tables.

Insecure Protocol/Service/Port: A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity. These security concerns include services, protocols, or ports that transmit data or authentication credentials (for example, password/passphrase) in clear-text over the Internet, or that easily allow for exploitation by default or if misconfigured. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

IP: Acronym for “internet protocol.” Network-layer protocol containing address information and some control information that enables packets to be routed and delivered from the source host to the destination host. IP is the primary network-layer protocol in the Internet protocol suite. See TCP.

IP Address: Also referred to as “internet protocol address.” Numeric code that uniquely identifies a particular computer (host) on the Internet.
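The Injection Flaws entry above names SQL injection as the canonical case. The following added example (editorial illustration, not code from the PCI SSC glossary) shows the flaw and its fix against an in-memory SQLite database: a lookup that splices the username into the query string returns the whole table for the input `x' OR '1'='1`, while the same lookup with a bound placeholder returns nothing, because the driver passes the input as a value rather than as SQL. The table, the two customers and the (already masked) PAN values are constructed for the example; an allow-list validator is included as the defence in depth the entry’s “improper input validation” wording calls for.

```python
"""SQL injection: the flaw and the fix, on an in-memory SQLite database.

Added example, not code from the PCI SSC glossary. It illustrates the
Injection Flaws entry. All data below is constructed; the stored PANs are
already masked (first six, last four) as PCI DSS expects for display, so
even the demonstrated leak exposes no full PAN.
"""
import re
import sqlite3
from typing import List, Tuple

CUSTOMERS = [  # constructed sample rows
    ("alice", "411111******1111"),
    ("bob", "555555******4444"),
]

PAYLOAD = "x' OR '1'='1"  # classic tautology payload

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT PRIMARY KEY, masked_pan TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately flawed: string formatting builds the WHERE clause, so the
    quote in the payload closes the literal and the rest is parsed as SQL."""
    sql = "SELECT username, masked_pan FROM customer WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Placeholder binding: the driver sends username as data, never as SQL."""
    return conn.execute(
        "SELECT username, masked_pan FROM customer WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username: str) -> bool:
    """Allow-list check applied before any query; rejects quotes and spaces."""
    return USERNAME_RE.match(username) is not None


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),  # 2: whole table
        "safe_rows": len(lookup_safe(conn, PAYLOAD)),              # 0: no such user
        "legit_rows": len(lookup_safe(conn, "alice")),             # 1
        "payload_passes_validation": is_valid_username(PAYLOAD),   # False
    }
```

Parameterization is the fix; validation is a second layer, not a substitute, because a legitimate field (a free-text address, say) may have to accept quotes. The same pattern applies to the other members of the class the entry lists: LDAP and XPath queries need their own escaping or binding APIs, since SQL placeholders do nothing for them.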

IP Address Spoofing: Attack technique used to gain unauthorized access to networks or computers. The malicious individual sends deceptive messages to a computer with an IP address indicating that the message is coming from a trusted host.

IPS: Acronym for “intrusion prevention system.” Beyond an IDS, an IPS takes the additional step of blocking the attempted intrusion.

IPSEC: Abbreviation for “Internet Protocol Security.” Standard for securing IP communications at the network layer by encrypting and/or authenticating all IP packets in a communication session.

ISO: In the context of industry standards and best practices, ISO, better known as “International Organization for Standardization,” is a non-governmental organization consisting of a network of the national standards institutes.

Issuer: Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors. Also referred to as “issuing bank” or “issuing financial institution.”

Issuing services: Examples of issuing services may include but are not limited to authorization and card personalization.

LAN: Acronym for “local area network.” A group of computers and/or other devices that share a common communications line, often in a building or group of buildings.

LDAP: Acronym for “Lightweight Directory Access Protocol.” Protocol for querying and modifying a directory that holds authentication and authorization data; used to look up and modify user permissions and to grant access to protected resources.

Least Privilege: Having the minimum access and/or privileges necessary to perform the roles and responsibilities of the job function.

Log: See Audit Log.

LPAR: Abbreviation for “logical partition.” A system of subdividing, or partitioning, a computer’s total resources (processors, memory and storage) into smaller units that can run with their own, distinct copy of the operating system and applications. Logical partitioning is typically used to allow the use of different operating systems and applications on a single device. The partitions may or may not be configured to communicate with each other or share some resources of the server, such as network interfaces.

MAC: In cryptography, an acronym for “message authentication code.” A small piece of information used to authenticate a message. See Strong Cryptography.

MAC Address: Abbreviation for “media access control address.” Unique identifying value assigned by manufacturers to network adapters and network interface cards.

Magnetic-Stripe Data: See Track Data.

Mainframe: Computers that are designed to handle very large volumes of data input and output and emphasize throughput computing. Mainframes are capable of running multiple operating systems, making it appear like one machine is operating as multiple computers. Many legacy systems have a mainframe design.

Malicious Software / Malware: Software or firmware designed to infiltrate or damage a computer system without the owner’s knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system. Such software typically enters a network during many business-approved activities, which results in the exploitation of system vulnerabilities. Examples include viruses, worms, Trojans (or Trojan horses), spyware, adware, and rootkits.

Masking: In the context of PCI DSS, it is a method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.

Memory-Scraping Attacks: Malware activity that examines and extracts data that resides in memory as it is being processed or which has not been properly flushed or overwritten.

Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

MO/TO: Acronym for “Mail-Order/Telephone-Order.”

Monitoring: Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.

MPLS: Acronym for “multi-protocol label switching.” Network or telecommunications mechanism designed for connecting a group of packet-switched networks.

Multi-Factor Authentication: Method of authenticating a user whereby at least two fa
