Glossary for ISU Payment Card Merchant Agreement for Internet Transactions


Administrative Interface - Interface with third party credit card processor.

Affiliate - A related organization which is a legally separate entity, controlled by separate boards of directors and not financially accountable to the University.

Card refund - refund to the customer created by return of goods or services originally paid for by credit card.

Chargeback - The deduction of a disputed sale previously credited to a department's account when the department fails to prove that the customer authorized the credit card transaction.

Credit Card Processor - A third party vendor who processes the credit card information.

Credit card receipts - credit card transaction information identifying daily credit card payments.

Credit Draft - A transaction creating a credit to the purchaser's account.

Credit Memo (CME) - a document to record the receipt of non-cash/check payments.

Debit Memo (DME) - a document to record the disbursement of non-cash/check payments.

Iowa State University Financial Management System - central University accounting system.

Merchant - A department or affiliate that accepts credit cards as a method of payment for goods or services.

Merchant account - an account established for a department or affiliate to process credit card transactions.

Settle - the transfer of funds from the cardholder’s financial institution to the University’s financial institution.

Settlement - the process of transferring the funds from the cardholder’s financial institution to the University’s financial institution.

Third party transaction fees - a percent and/or per-transaction fee that is deducted from the department’s gross credit card receipts and paid to the third party credit card processor.


Glossary for sections B, C, D, and E of ISU's E-commerce Policy


Section B

Logical access - logical access refers to user-based authenticated access to the application systems and the data that is processed.

Physical access - physical access refers to the physical access to the computing systems, facilities, and paper records.


Section C

Antivirus software - software tools that scan for known viruses and take action to disarm and/or remove them. Such tools should be included as part of the computing systems environment that the web services are delivered from.

Disaster backup and recovery - software, hardware, and procedures that provide offline backup of the computer operating systems platform and the application data that is part of the computing environment. Recovery procedures are predefined and used to reestablish the computing environment in the event of an unforeseen disaster.

Encrypt - encryption is the use of a mathematically based method of "scrambling" the data before it is sent over the data network so that it becomes unreadable except by authorized users. The current de facto standard for encryption for web-based traffic is SSL (Secure Sockets Layer).

Information security - an all-encompassing term that refers to the security of the information systems that are used and the data that is processed.

System security patches - server operating systems are primarily software based and are constantly being upgraded. Some of the software upgrades become available in the form of "patches" or small sets of software code. Security updates, or patches, need to be kept current.

Vendor-supplied defaults - server operating systems are delivered in a default configuration to many different customers. Required system administrative user accounts are distributed with a documented default password.


Section D

Merchant ID - an electronic ID assigned to each merchant.


Section E

Automated reconciliations - data that is passed on to, or received from, other related computing systems needs to be processed through routines that can verify the completeness and integrity of the data being passed.

Change controls - definition of who has the ability to make changes to the data being stored and the programs that are being used.

Confidential passwords - an individual user's password should not be shared or posted.

File access capabilities - definition of who has computing system access to specific data files and/or portions of data files.

Input controls and edits - input controls and edits are sections of application program code that check to ensure required data has been entered by the user, and that the data entered is "reasonable". An example of this would be code that would check to ensure that the value entered in a numeric "month" field would fall between the numbers 01 through 12.

Order confirmation number - a unique identifier for this particular purchase transaction from this particular user. This number is generated and then stored as part of the permanent record of the purchase transaction.

Output controls - section of the application code that provides the user with direct feedback of the status of their request once it has been submitted.

Password maintenance - procedures and processes used to establish and maintain the password portion of the authentication service that allows access to the application systems.

Processing controls and edits - processing controls and edits are sections of application or operating system code that focus on ensuring the integrity of the "interaction" with the user. An example of this type of code would be code that would ensure that all required changes to a set of databases were made as part of a transaction.

Update access - the user can update the data (including deletions) being stored.

View access - the user can only view the data being stored. The data cannot be changed.