
Compliance Terms

A

AML (Anti-Money Laundering)

Laws, regulations, and measures to prevent and combat money laundering activities through financial systems.

Requirements:

  • Customer identification (KYC)
  • Transaction monitoring
  • Suspicious transaction reporting

C

CCPA (California Consumer Privacy Act)

California law that protects the personal information privacy rights of California residents.

Main Rights:

  • Right to know: Learn what personal information is collected
  • Right to delete: Request deletion of personal information
  • Right to opt-out: Refuse sale of personal information
  • Right to non-discrimination: Not discriminated against for exercising privacy rights

Scope: Businesses operating in California that meet specific conditions.


Compliance

Meeting requirements of relevant laws, regulations, industry standards, and internal policies.

Payment Industry Compliance Requirements:

  • PCI DSS (Payment Card Industry Data Security Standard)
  • AML (Anti-Money Laundering)
  • KYC (Know Your Customer)
  • GDPR (EU General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)

D

Data Protection

Measures to protect personal data and sensitive information from unauthorized access, use, disclosure, modification, or destruction.

Key Measures:

  • Data encryption
  • Access control
  • Data minimization
  • Regular security audits

Data Residency

Requirement that data must be stored in a specific geographic location or jurisdiction.

Example: Some countries require citizens’ personal data to be stored within their borders.


E

Encryption

Process of converting data into ciphertext so that only those holding the key can decrypt and read it.

Types:

  • Transmission encryption: TLS/SSL
  • Storage encryption: AES-256
  • End-to-end encryption: E2EE

G

GDPR (General Data Protection Regulation)

EU regulation that protects the personal data privacy of EU citizens.

Core Principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Data Subject Rights:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Scope: All organizations processing EU residents’ personal data, regardless of organization location.


K

KYC (Know Your Customer)

Process by which financial institutions verify a customer’s identity and assess the associated risk.

Purpose:

  • Prevent identity fraud
  • Prevent money laundering
  • Prevent terrorist financing

Verification Content:

  • Identity proof (passport, driver’s license, etc.)
  • Address proof
  • Business nature
  • Source of funds

P

PAN (Primary Account Number)

The primary account number, i.e. the payment card number. The PAN is highly sensitive data that must be strictly protected.

PCI DSS Requirements:

  • The complete PAN must not be stored (unless encrypted)
  • Must be masked when displayed (show only the first 6 and last 4 digits)
  • Must be encrypted during transmission

PCI DSS (Payment Card Industry Data Security Standard)

Global standard for protecting cardholder data.

12 Requirements:

  1. Install and maintain firewall configuration
  2. Don’t use vendor-supplied default passwords
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data
  8. Assign unique ID to each user
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources
  11. Regularly test security systems and processes
  12. Maintain information security policy

Compliance Levels:

  • Level 1: Annual transaction volume > 6 million
  • Level 2: Annual transaction volume 1-6 million
  • Level 3: Annual transaction volume 20,000-1 million
  • Level 4: Annual transaction volume < 20,000

Related Documentation: PCI DSS Compliance Guide


PII (Personally Identifiable Information)

Information that can be used, alone or combined with other information, to identify an individual.

Examples:

  • Name
  • ID number
  • Passport number
  • Phone number
  • Email address
  • Bank account number
  • Credit card number

Protection Requirements:

  • Encrypt storage and transmission
  • Access control
  • Data minimization
  • Regular audits

Privacy Policy

Document explaining how an organization collects, uses, stores, and protects users’ personal information.

Must Include:

  • What information is collected
  • How information is used
  • Whether information is shared
  • How information is protected
  • User rights
  • Contact information

S

SAQ (Self-Assessment Questionnaire)

The PCI DSS self-assessment questionnaire, used by merchants to assess their own PCI DSS compliance status.

SAQ Types:

  • SAQ A: E-commerce merchants, payment processing fully outsourced
  • SAQ A-EP: E-commerce merchants, partially outsourced
  • SAQ B: Merchants using standalone dial-out terminals
  • SAQ B-IP: Merchants using standalone IP terminals
  • SAQ C: Merchants using payment applications
  • SAQ D: All other merchants

Related Documentation: PCI DSS Compliance Guide


Sensitive Authentication Data / SAD

Sensitive data used to verify cardholder identity, including:

  • CVV/CVC (Card Verification Code)
  • PIN (Personal Identification Number)
  • Track Data (Magnetic stripe data)

PCI DSS Requirement: Sensitive authentication data must not be stored after transaction authorization.


T

Tokenization

Technology that replaces sensitive data (such as card numbers) with randomly generated tokens to reduce data breach risk.

Advantages:

  • Reduce PCI DSS compliance scope
  • Lower data breach risk
  • Simplify security management

How It Works:

  1. The original card number is sent to the token service
  2. The token service generates a unique token
  3. The mapping between the token and the original card number is stored securely
  4. Subsequent transactions use the token instead of the card number
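The four steps above, worked through as an added example (not code from this glossary or from any tokenization vendor). The `TokenVault` and `Merchant` classes, the `tok_` prefix and the test card number `4111111111111111` are all constructed for illustration; a real vault would keep its mapping encrypted and access-controlled inside the cardholder data environment, and the merchant side would never see the PAN again after step 1.

```python
import secrets
import string
from typing import Dict, Optional

TOKEN_ALPHABET = string.ascii_letters + string.digits


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is a 12-19 digit string with a valid Luhn check digit.
    Used only to reject obviously malformed input before it reaches the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service (steps 1-3).
    Holds the token <-> PAN mapping; this is the only component that must stay in PCI DSS scope."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}   # assumption: in production this store is encrypted
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing                       # multi-use token: same PAN -> same token
        while True:
            # The token is random, not derived from the PAN, so it cannot be reversed without the vault.
            token = "tok_" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(24))
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Step 4: only the vault (or the payment processor behind it) maps a token back to a PAN."""
        return self._token_to_pan.get(token)

    def last4(self, token: str) -> Optional[str]:
        """Lets a merchant show 'card ending in 1111' without ever handling the PAN itself."""
        pan = self._token_to_pan.get(token)
        return pan[-4:] if pan else None


class Merchant:
    """Hypothetical merchant system. It stores tokens only, which is what shrinks its PCI DSS scope."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.customer_cards: Dict[str, str] = {}   # customer id -> token; no PANs live here

    def save_card(self, customer_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)            # steps 1-2: PAN goes in, token comes out
        self.customer_cards[customer_id] = token
        return token

    def display_card(self, customer_id: str) -> str:
        """What the customer sees on a receipt or profile page."""
        token = self.customer_cards[customer_id]
        return f"card ending in {self.vault.last4(token)}"

    def charge(self, customer_id: str) -> bool:
        """Step 4: the merchant hands the token to the vault; the PAN never enters merchant code."""
        token = self.customer_cards[customer_id]
        return self.vault.detokenize(token) is not None


if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant(vault)
    test_pan = "4111111111111111"                  # constructed test card number
    tok = shop.save_card("cust-1", test_pan)
    print(tok, shop.display_card("cust-1"), shop.charge("cust-1"))
```

Note that the merchant's `customer_cards` store never contains a PAN, so a breach of the merchant database yields only tokens that are useless without the vault; the reverse map keyed by PAN is the sensitive part and is what the "securely stored" in step 3 refers to.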

Two-Factor Authentication / 2FA

Security measure that uses two different types of authentication factors to verify user identity.

Authentication Factor Types:

  • Knowledge factor: Password, PIN
  • Possession factor: Phone, hardware token
  • Biometric factor: Fingerprint, facial recognition

Example: Password + SMS verification code


Other

Audit

Independent inspection and evaluation of systems, processes, or data to ensure compliance with standards and requirements.

Types:

  • Internal audit
  • External audit
  • PCI DSS audit
  • Security audit

Vulnerability Scanning

Using automated tools to detect security vulnerabilities in systems.

PCI DSS Requirement: Conduct internal and external vulnerability scans at least quarterly.


Penetration Testing

Method of testing system security by simulating real-world attacks.

PCI DSS Requirement: Conduct penetration testing at least annually and after major system changes.


Access Control

Security measures that restrict user or system access to resources.

Principles:

  • Principle of least privilege
  • Separation of duties
  • Regular permission reviews

Data Masking

Hiding part of a sensitive value so that only the information actually needed is displayed.

Examples:

  • Card number: 4111 **** **** 1111
  • Phone number: 138****5678
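An added example (not code from this glossary) that implements the masking shown above and the PAN display rule from the PAN entry (at most the first 6 and last 4 digits visible). The `mask_middle`, `mask_pan`, `mask_phone` and `scrub_log_line` functions and the sample log line are constructed for illustration; the log scrubber is included because PANs leaking into application logs is the usual way a masking rule gets violated in practice.

```python
import re

PAN_MAX_VISIBLE_FIRST = 6   # display ceiling stated in this glossary's PAN entry
PAN_MAX_VISIBLE_LAST = 4


def mask_middle(value: str, keep_first: int, keep_last: int, mask_char: str = "*") -> str:
    """Keep the first `keep_first` and last `keep_last` characters and mask the rest.
    Fails closed: a value too short to have a hidden middle reveals only its tail,
    and a value shorter than `keep_last` is masked completely."""
    n = len(value)
    if n <= keep_last:
        return mask_char * n
    if n <= keep_first + keep_last:
        keep_first = 0
    hidden = n - keep_first - keep_last
    return value[:keep_first] + mask_char * hidden + value[n - keep_last:]


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a card number for display, regrouped in blocks of four like the example above."""
    if keep_first > PAN_MAX_VISIBLE_FIRST or keep_last > PAN_MAX_VISIBLE_LAST:
        raise ValueError("at most the first 6 and last 4 digits of a PAN may be shown")
    digits = re.sub(r"\D", "", pan)           # drop spaces/dashes before masking
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    masked = mask_middle(digits, keep_first, keep_last)
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def mask_phone(phone: str) -> str:
    """Phone masking as shown above: first 3 and last 4 digits visible."""
    return mask_middle(phone, 3, 4)


# 13-19 digits with optional single spaces or dashes between them, on word boundaries.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_log_line(line: str) -> str:
    """Replace anything that looks like a card number in a log line with a last-4-only mask.
    Logs are not a display surface, so they get the strictest masking."""
    def repl(match: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_middle(digits, 0, 4)
    return PAN_PATTERN.sub(repl, line)


if __name__ == "__main__":
    print(mask_pan("4111111111111111"))                      # 4111 11** **** 1111
    print(mask_pan("4111 1111 1111 1111", keep_first=4))     # 4111 **** **** 1111
    print(mask_phone("13812345678"))                         # 138****5678
    # constructed sample log line
    print(scrub_log_line("2024-01-15 10:23:45 INFO charge ok card=4111 1111 1111 1111 amount=12.50"))
```

The word-boundary pattern deliberately does not match digit runs longer than 19 or shorter than 13, so timestamps and amounts in the sample line are left alone; a production scrubber would add a Luhn check to cut false positives further.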
