The world of payments and fraud is full of acronyms and terminology. Here’s our handy guide to find your way through.
3D Secure (3DS) is a way for Issuing Banks to authenticate consumers who use their cards to pay online. Online payments which have been authenticated do not carry a financial fraud risk for the Merchant, as the liability shifts to the Issuer. The 3D refers to the three domains of the Acquirer, the card networks (the “interoperability domain”) and the Issuing Banks.
The original version of 3DS (3DS1) presents a screen to customers during the check-out process. Users authenticate by entering a password or a 4-digit PIN. This is a browser-based solution only, with poor usability on mobile devices. 3DS2 is the latest version of 3D Secure and is SCA-compliant. It supports additional authentication methods such as app-based biometrics, and is designed for the needs of mobile devices and native mobile apps. The latest version of 3DS2, v2.2.0, provides more options for requesting exemptions and improves data sharing between merchants and Issuers.
A 3DS Server is the component of 3D Secure which is managed by Acquirers or merchants. The 3DS Server communicates with the Directory Servers, sending and receiving different Requests and Responses and retrieving scheme, Acquirer, merchant and transaction data.
The Access Control Server is the component of 3D Secure which is managed by the Issuing Banks. The ACS contains authentication rules and generates authentication tokens. It is also responsible for providing the screen content for customer challenges and validating the responses.
Account Information Service Providers (AISPs) are providers that can extract a customer’s account information data including transaction history and balances. Banks, fintech companies and non-traditional financial services companies currently have the capacity to develop AISP solutions.
Account Servicing Payment Service Providers (ASPSPs) are financial institutions which offer online access to a payment account. Under PSD2, they must provide access to trusted third parties so that they can retrieve account information.
The Acquirer or “Acquiring Bank” is a bank which acquires funds for merchants from a cardholder.
Authentication is the process of proving an identity to be valid, typically using a shared secret known only to the two parties. This is commonly an act of “logging in” using a static password, or a One Time Password (OTP) sent over SMS or generated by a second-factor device.
Authentication tokens are used to link the act of authentication to the specific payee and amount of the transaction. This dynamic linking is a requirement under PSD2. If either of the two attributes changes, then the authentication token must also be changed. Authentication tokens are a new feature for 3D Secure v2.
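The dynamic-linking property described above, shown as an added example rather than as code from the page or from the 3DS2 specification: the token is a keyed MAC over the authentication event, the payee and the amount, so a token issued for one payee and amount fails verification if either is changed before authorisation. The issuer key, the field names and the canonical JSON encoding are assumptions of this illustration, not the scheme's actual CAVV format.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real ACS would hold its key in an HSM; the key and the
# token format here are assumptions of this example, not the 3DS2 specification.
ISSUER_KEY = b"constructed-demo-key-not-for-production"


def _canonical(auth_id: str, payee: str, amount_minor: int, currency: str) -> bytes:
    # Canonical JSON so no field boundary can be confused with another: a payee
    # name containing a separator character cannot be used to smuggle in a
    # different amount.
    fields = {
        "auth_id": auth_id,          # identifies the authentication event
        "payee": payee,              # the merchant the payer authenticated for
        "amount_minor": amount_minor,  # amount in minor units (cents, pence)
        "currency": currency,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_auth_token(auth_id: str, payee: str, amount_minor: int, currency: str) -> str:
    """Issuer side, after the payer authenticates: bind the event to payee and amount."""
    if amount_minor <= 0:
        raise ValueError("amount must be a positive number of minor units")
    return hmac.new(ISSUER_KEY, _canonical(auth_id, payee, amount_minor, currency),
                    hashlib.sha256).hexdigest()


def verify_auth_token(token: str, auth_id: str, payee: str, amount_minor: int,
                      currency: str) -> bool:
    """Issuer side at authorisation: accept only if payee and amount are unchanged.

    Uses a constant-time comparison so a forged token cannot be confirmed
    byte-by-byte through timing differences.
    """
    if amount_minor <= 0:
        return False
    expected = hmac.new(ISSUER_KEY, _canonical(auth_id, payee, amount_minor, currency),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(token, expected)


if __name__ == "__main__":
    # Constructed scenario: payer authenticates €70.00 to merchant-123.
    token = issue_auth_token("auth-0001", "merchant-123", 7000, "EUR")
    print("unchanged payee/amount :", verify_auth_token(token, "auth-0001", "merchant-123", 7000, "EUR"))
    print("amount raised to 70.01 :", verify_auth_token(token, "auth-0001", "merchant-123", 7001, "EUR"))
    print("payee swapped          :", verify_auth_token(token, "auth-0001", "merchant-999", 7000, "EUR"))
```

The check happens where the page says the token is consumed: the authorisation request carries the token, and the Issuer recomputes it from the payee and amount in that request rather than trusting the values the merchant supplies.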
An Authorisation is the process of an Issuer verifying the payment details provided by a consumer and reserving funds in the consumer’s account. Once an Authorisation has been granted, the payment is completed by ‘capturing’ the Authorisation.
Issuers subject Authorisation requests to risk analysis based around the consumer’s prior activity and the details of the Authorisation attempt itself.
Once an Authorisation has been granted, the payment is not complete until it has been Captured. Capturing a payment starts the process of the funds transferring to the merchant from the consumer.
Card schemes, such as Visa, Mastercard and American Express, are payment networks that link to payment cards. They help members of their scheme to issue and/or acquire cards.
The Cardholder Authentication Verification Value (CAVV) is a unique value in 3DS1 which card schemes use to validate the integrity of transaction data and to prove that a transaction has been authenticated correctly. The Issuer sends the CAVV to the merchant once authentication has taken place. The merchant then includes it in the authorisation request. CAVV can still be used for 3DS2 if Issuers are using the same ACS.
CIT (Cardholder Initiated Transactions) refers to transactions which are initiated by the cardholder, also known as payer-initiated or on-session payments. This is distinct from Merchant Initiated Transactions (MIT).
Dispute are used interchangeably but collectively refer to the process by which a cardholder seeks a return of funds from a Merchant. The ‘Dispute Process’ is initiated by a cardholder complaint to their Issuing Bank about a particular transaction. The Merchant then has an opportunity to defend the transaction by submitting evidence to support their belief that the transaction was fair. At the end of the process a decision is reached, at which point the cardholder and merchant will respectively
Under PSD2, the Competent Authorities are organisations at a national level which monitor and supervise the implementation of the RTS in keeping with the advice of the EBA. For example, in the UK the FCA is the Competent Authority and in Spain it’s the Banco de España. See the EBA list of competent authorities.
The Directory Server is the component of 3D Secure which is managed by the card networks. It secures message mediation between the 3DS Servers and the ACS. Its functions include authenticating the 3DS Server and routing messages correctly between the 3DS Server and ACS.
EMVCo is the organisation that sets technical standards for payment cards. The companies that originally formed EMV were Europay, Mastercard and Visa. EMVCo manages the specification of 3DS version 2.
The European Banking Authority is an EU Authority which works to ensure effective regulation and supervision across the European banking sector. For PSD2, at a country level the supervision is managed by national Competent Authorities such as the FCA in the UK.
Exemptions under PSD2 are specific types of transactions which can avoid having SCA applied to them. Some examples of these transactions are low risk transactions and those under €30.
The FCA stands for Financial Conduct Authority, and it is a regulatory body in the UK that regulates financial markets to protect consumers and provide a level playing field for the industry. The FCA ensures that the market remains fair and effective and also promotes competition.
The General Data Protection Regulation (GDPR) applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The Issuer or “Issuing Bank” is a bank that issues cards for cardholders to make payments with.
MIT (Merchant Initiated Transactions) refers to transactions that use a token for payments and are initiated by the merchant. The cardholder does not need to take any action to initiate the transaction. MIT is commonly used for subscription charges. The cardholder is required to provide a mandate authorising the merchant to initiate the transaction or series of transactions. MIT is also known as an off-session payment or a payee-initiated payment, as distinct from Cardholder Initiated Transactions (CIT), which are known as on-session or payer-initiated payments.
A Payment Gateway is a service that allows Merchants to initiate and manage online payments. Payment Gateways are not typically involved in the flow of money. When they offer other ‘bundled’ services they transmogrify into Payment Service Providers.
The Payments Services Directive 2 (PSD2) is European legislation that requires financial services to contribute to a more integrated and efficient payments ecosystem. One key part of the legislation relates to implementing Strong Customer Authentication on the majority of electronic transactions across the European Union and the European Economic Area.
Payment Service Providers offer a variety of bundled services to Merchants, typically combining the services of a Payment Gateway with an Acquirer either of their own or through multiple connections to different Acquirers and payment networks.
Merchants who wish to use the low risk TRA exemption from SCA need to ensure that their Acquirer’s fraud rate is within the thresholds defined by the RTS - the Exemption Threshold Values (ETV) which set the maximum possible value for a given reference fraud rate:
|Exemption Threshold Value (ETV)|Reference Fraud Rate (RFR) for remote card transactions|
|---|---|
|€500|0.01%|
|€250|0.06%|
|€100|0.13%|
For example, a transaction value of €70 is subject to the 0.13% reference fraud rate. For a transaction of €130 the 0.06% threshold applies, and for €300 the 0.01% applies. For transactions greater than €500 there is no reference fraud rate and a low risk exemption is not possible.
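The TRA eligibility decision worked through in code, as an added example that is not from the page or from Ravelin. It assumes the RTS definition of the acquirer's fraud rate (total value of fraudulent remote card transactions divided by total value of all remote card transactions over a quarter) and the €100, €250 and €500 ETV bands; the sample quarter of transactions is constructed for the example.

```python
from decimal import Decimal

# ETV bands (EUR) and the RFR that applies up to and including each ETV,
# ordered from the lowest band upwards. Assumed from the RTS; amounts above
# the last ETV have no RFR and the exemption is not available.
ETV_BANDS = [
    (Decimal("100"), Decimal("0.0013")),  # 0.13 %
    (Decimal("250"), Decimal("0.0006")),  # 0.06 %
    (Decimal("500"), Decimal("0.0001")),  # 0.01 %
]


def reference_fraud_rate(amount_eur: Decimal):
    """Return the RFR the acquirer must stay within for this amount, or None above €500."""
    for etv, rfr in ETV_BANDS:
        if amount_eur <= etv:
            return rfr
    return None


def acquirer_fraud_rate(transactions) -> Decimal:
    """Value-based fraud rate for one quarter of remote card transactions.

    Each transaction is a dict with an 'amount' (EUR, Decimal) and a boolean
    'fraud' flag marking transactions reported as unauthorised or fraudulent.
    """
    total = sum((t["amount"] for t in transactions), Decimal(0))
    fraud = sum((t["amount"] for t in transactions if t["fraud"]), Decimal(0))
    return fraud / total if total else Decimal(0)


def tra_exemption_allowed(amount_eur: Decimal, fraud_rate: Decimal) -> bool:
    """True only when an RFR exists for the amount and the acquirer is within it."""
    rfr = reference_fraud_rate(amount_eur)
    return rfr is not None and fraud_rate <= rfr


def constructed_quarter():
    # Constructed sample: €999,500 of legitimate volume plus €500 reported as
    # fraud, giving a fraud rate of 0.05 %.
    legit = [{"amount": Decimal("99950"), "fraud": False} for _ in range(10)]
    fraud = [{"amount": Decimal("250"), "fraud": True} for _ in range(2)]
    return legit + fraud


if __name__ == "__main__":
    rate = acquirer_fraud_rate(constructed_quarter())
    print(f"acquirer fraud rate: {rate:.4%}")
    for amount in ("70", "130", "300", "600"):
        allowed = tra_exemption_allowed(Decimal(amount), rate)
        print(f"€{amount:>4}: TRA exemption {'allowed' if allowed else 'not allowed'}")
```

With a 0.05% fraud rate the constructed acquirer can request the exemption for the €70 and €130 transactions from the text, but not for €300, where the 0.01% RFR applies, nor for anything above €500. The comparison is deliberately against the acquirer's rate, not the merchant's own, because the page notes it is the Acquirer's fraud rate that the RTS measures.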
The Regulatory Technical Standards (RTS) are the regulatory requirements set by the EBA to ensure that payments across the EU are secure, fair and efficient.
Strong Customer Authentication (SCA) is a method for proving that you are who you say you are when purchasing a product or service. SCA is mandatory for all electronic payments under PSD2, and requires at least two of the following three categories of information for authentication:
Third Party Payment Service Providers (TPPs), also known as third party processors, are processors that let you accept payments without a merchant account. A good example of a TPP is PayPal. TPPs offer consumers additional ways to access their money without needing to directly interact with their bank. Under PSD2 regulation, TPPs need to ensure that there are structures in place to provide extensive security of information and consumer data, in keeping with the scope of the regulatory standards.
Transaction risk analysis is the ability to assess the risk of a payment transaction. Under PSD2, PSPs and merchants will be encouraged to actively apply TRA. In conjunction with an appropriate Reference Fraud Rate, this can be used as an exemption from SCA.