Glossary

The world of payments and fraud is full of acronyms and terminology. Here’s our handy guide to find your way through.

3D Secure or “3DS”

3D Secure (3DS) is a way for Issuing Banks to authenticate consumers who use their cards to pay online. Online payments which have been authenticated do not carry a financial fraud risk for the Merchant, as the liability shifts to the Issuer. The 3D refers to the three domains of the Acquirer, the card networks (the “interoperability domain”) and the Issuing Banks.

The original version of 3DS (3DS1) presents a screen to customers during the check-out process. Users authenticate by entering a password or a 4-digit PIN. This is a browser-based solution only, with poor usability on mobile devices. 3DS2 is the latest version of 3D Secure and is SCA-compliant. It supports additional authentication methods such as app-based biometrics, and is designed for the needs of mobile devices and native mobile apps. The latest version of 3DS2, v2.2.0, provides more options for requesting exemptions and improves data sharing between merchants and Issuers.

3DS Requestor

The party requesting a 3DS authentication be initiated, such as a merchant or payment service provider.

3DS Requestor Initiated (3RI) Authentication

When the 3DS Requestor initiates the authentication of a cardholder without their direct involvement. This could be used in the case of recurring transactions where the cardholder may not be present.

3DS SDK

A software development kit (SDK), to be embedded in a mobile application, that assists in the 3DS process by collecting device information and facilitating the 3DS challenge for the issuer.

3DS Server

A 3DS Server is the component of 3D Secure which is managed by Acquirers or merchants. The 3DS Server communicates with the Directory Servers, sending and receiving different Requests and Responses and retrieving scheme, Acquirer, merchant and transaction data.

Access Control Server (ACS)

The Access Control Server is the component of 3D Secure which is managed by the Issuing Banks. The ACS contains authentication rules and generates authentication tokens. It is also responsible for providing the screen content for customer challenges and validating the responses.

Account Information Service Providers (AISPs)

Account Information Service Providers (AISPs) are providers that can extract a customer’s account information data including transaction history and balances. Banks, fintech companies and non-traditional financial services companies currently have the capacity to develop AISP solutions.

Account Servicing Payment Service Providers (ASPSPs)

Account Servicing Payment Service Providers (ASPSPs) are financial institutions which offer online access to a payment account. Under PSD2, they must provide access to trusted third parties so that they can retrieve account information.

Acquirer or “Acquiring Bank”

The Acquirer or “Acquiring Bank” is a bank which acquires funds for merchants from a cardholder.

Authentication

Authentication is the process of proving an identity to be valid, typically using a shared secret. This is commonly an act of “logging in” using a static password, or a One Time Password (OTP) sent over SMS or generated by a 2nd factor device, known only to the two parties.

In payments, Authentication is the process of the consumer proving their identity to an Issuing Bank usually as a precursor to an Authorisation.

Authentication Tokens

Authentication tokens are used to link the act of authentication to the specific payee and amount of the transaction. This dynamic linking is a requirement under PSD2. If either of the two attributes changes, then the authentication token must also be changed. Authentication tokens are a new feature for 3D Secure v2.

Authentication Value

This is a card scheme-specific value generated after a successful 3D Secure authentication that is to be used for authorising the transaction. This is also referred to as “CAVV” (Cardholder Authentication Verification Value) by Visa, AAV (Accountholder Authentication Value) by Mastercard, and AEVV (American Express Verification Value) by American Express.

Authorisation or Authorization

An Authorisation is the process of an Issuer verifying the payment details provided by a consumer and reserving funds in the consumer’s account. Once an Authorisation has been granted, the payment is completed by ‘capturing’ the Authorisation.

Issuers subject Authorisation requests to risk analysis based around the consumer’s prior activity and the details of the Authorisation attempt itself.

Capture

Once an Authorisation has been granted, the payment is not complete until it has been Captured. Capturing a payment starts the process of the funds transferring to the merchant from the consumer.

Card schemes

Card schemes, such as Visa, Mastercard and American Express, are payment networks that link to payment cards. They help members of their scheme to issue and/or acquire cards.

Cardholder-Initiated Transactions (CIT)

CIT refers to transactions which are initiated by the cardholder, also known as a payer-initiated or on-session payment. This is distinct from Merchant Initiated Transactions.

Challenge Authentication

When the issuer presents a challenge to the cardholder in order for them to verify their identity.

Chargebacks and Disputes

The terms Chargeback and Dispute are used interchangeably but collectively refer to the process by which a cardholder seeks a return of funds from a Merchant. The ‘Dispute Process’ is initiated by a cardholder complaint to their Issuing Bank about a particular transaction. The Merchant then has an opportunity to Defend the transaction by submitting evidence to support their belief that the transaction was fair. At the end of the process a decision is reached, at which point the cardholder and merchant will respectively Win or Lose.

Competent Authority (CA)

Under PSD2, the Competent Authorities are organisations at a national level which monitor and supervise the implementation of the RTS in keeping with the advice of the EBA. For example, in the UK the FCA is the Competent Authority and in Spain it’s the Banco de España. See the EBA list of competent authorities.

Decoupled Authentication

An authentication type that occurs completely outside of the authentication flow. For example, Mail-Order-Telephone-Order (MOTO) or recurring transactions.

Delegated Authentication

When the responsibility for performing Strong Customer Authentication is delegated by the acquirer to a compliant third party.

Directory Server (DS)

The Directory Server is the component of 3D Secure which is managed by the card networks. It secures message mediation between the 3DS Servers and the ACS. Its functions include authenticating the 3DS Server and routing messages correctly between the 3DS Server and ACS.

Electronic Commerce Indicator (ECI)

A value set by the card schemes to indicate the authentication outcome and liability shift status.

EMVCo

EMVCo is the organisation that sets technical standards for payment card types. The companies that originally formed EMV were Europay, Mastercard and Visa. EMVCo manages the specification of 3DS version 2.

EMV Payment Tokens (Network Tokens)

Tokens based on EMV’s Payment Tokenisation framework, designed to help reduce friction in the payment flow and improve security. These tokens are a surrogate value maintained by the card schemes. They can replace the PAN in both authentication and authorisation requests.

European Banking Authority (EBA)

The European Banking Authority is an EU Authority which works to ensure effective regulation and supervision across the European banking sector. For PSD2, at a country level the supervision is managed by national Competent Authorities such as the FCA in the UK.

Exemptions under PSD2

Exemptions under PSD2 are specific types of transactions which can avoid having SCA applied to them. Some examples of these transactions are low risk transactions and those under €30.

Financial Conduct Authority (FCA)

The FCA stands for Financial Conduct Authority, and it is a regulatory body in the UK that regulates financial markets to protect consumers and provide a level playing field for the industry. The FCA ensures that the market remains fair and effective and also promotes competition.

Frictionless Authentication

When the issuer uses Risk Based Authentication to determine whether a cardholder is fraudulent or not, without requiring a challenge authentication.

GDPR

The General Data Protection Regulation (GDPR) applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Read more about Ravelin and the GDPR.

Issuer or “Issuing Bank”

The Issuer or “Issuing Bank” is a bank that issues cards for cardholders to make payments with.

Liability Shift

When the financial responsibility for a fraud related dispute is shifted from the merchant to the cardholder’s issuing bank.

Low Value Exemption

A PSD2 SCA exemption that can be applied by acquirers and issuers if the transaction value is below €30, meaning that Strong Customer Authentication will not be applied. This exemption can only be used for five consecutive transactions, or until the total amount spent using that card reaches €150 (whichever comes first).

Merchant Category Code (MCC)

A code assigned by the card schemes to a merchant and transaction, based on the vertical or industry that transaction relates to.

Merchant-Initiated Transactions (MIT)

MIT refers to transactions that use a token for payments and are initiated by the merchant. The cardholder does not need to take any action to initiate the transaction. MIT is commonly used for subscription charges. The cardholder is required to provide a mandate to authorise the merchant to initiate the transaction or series of transactions. MIT is also known as an off-session payment or a payee-initiated payment, as distinct from Cardholder Initiated Transactions which are known as on-session or payer-initiated payments.

Merchant Plug-In (MPI)

The term used to describe the software required to initiate and facilitate authentication requests for 3D Secure version 1.

Non-Payment Authentication (NPA)

Authentication performed as a part of a non-payment event, such as adding a card to a wallet.

Out-of-Band

An authentication type that occurs during the authentication flow, but where the challenge itself is performed outside of the merchant’s browser or app. For example, when the cardholder is directed to their banking app to verify their identity.

Payee

In the language of PSD2, the Payee is the merchant; someone who is selling goods or services online.

Payer

In the language of PSD2, the Payer is the consumer, someone who is buying goods or services online.

Payee’s PSP

In the language of PSD2, the “Payee’s PSP” means an Acquirer for Card payments.

Payer’s PSP

In the language of PSD2, the “Payer’s PSP” means an Issuer for Card payments.

Payment Account Reference (PAR)

The Payment Account Reference (PAR) is a 29-character unique, consistent, non-sensitive identifier for the payment account behind an EMV Payment Token (aka Network Token).

Unlike a card Primary Account Number (PAN), which can change if a card is lost or stolen, the PAR can be remapped to identify a new PAN and so remains the same for the lifetime of the payment account.

The 29-character PAR comprises a 4-character BIN Controller Identifier followed by a unique 25-character value.

The PAR is issued by card schemes and is defined by the EMV® Payment Account Reference (PAR) White Paper (PDF download).

Payment Authentication (PA)

Authentication performed as a part of a payment transaction.

Payment Gateway

A Payment Gateway is a service that allows Merchants to initiate and manage online payments. Payment Gateways are not typically involved in the flow of money. When they offer other ‘bundled’ services they transmogrify into Payment Service Providers.

Payment Services Directive 2 (PSD2)

The Payments Services Directive 2 (PSD2) is European legislation that requires financial services to contribute to a more integrated and efficient payments ecosystem. One key part of the legislation relates to implementing Strong Customer Authentication on the majority of electronic transactions across the European Union and the European Economic Area.

Payment Services Directive 3 (PSD3)

The Payments Services Directive 3 (PSD3) is draft European legislation that is expected to extend current Strong Customer Authentication (SCA) requirements and improve consumer rights.

Payment Services Regulation (PSR)

Contains detailed rules that all relevant payment service providers must follow in order to provide payment services, including previous and future payment services directives.

Payment Service Provider

Payment Service Providers offer a variety of bundled services to Merchants, typically combining the services of a Payment Gateway with an Acquirer either of their own or through multiple connections to different Acquirers and payment networks.

From a regulatory perspective, ‘Payment Service Provider’ also refers to Issuing and Acquiring banks.

Reference Fraud Rate

Merchants who wish to use the low risk TRA exemption from SCA need to ensure that their Acquirer’s fraud rate is within the thresholds defined by the RTS - the Exemption Threshold Values (ETV) which set the maximum possible value for a given reference fraud rate:

Exemption Threshold Value (ETV)   Reference Fraud Rate (RFR) for remote card transactions
€100                              0.13%
€250                              0.06%
€500                              0.01%

For example, a transaction value of €70 is subject to the 0.13% reference fraud rate. For a transaction of €130 the 0.06% threshold applies, and for €300 the 0.01% applies. For transactions greater than €500 there is no reference fraud rate and a low risk exemption is not possible.

Regulatory Technical Standards (RTS)

The Regulatory Technical Standards (RTS) are the regulatory requirements set by the EBA to ensure that payments across the EU are secure, fair and efficient.

Secure Corporate Exemption

A PSD2 SCA exemption that can be applied if the card used for a transaction is a virtual or lodged corporate card, meaning that Strong Customer Authentication will not be applied.

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a method for proving that you are who you say you are when purchasing a product or service. SCA is mandatory for all electronic payments under PSD2, and requires at least two of the following three categories of information for authentication:

  • Knowledge - something the user knows, e.g. a password
  • Possession - something the user has, e.g. a mobile device
  • Inherence - something the user is, e.g. a fingerprint

Third Party Payment Service Providers (TPPs)

Third Party Payment Service Providers (TPPs), also known as third party processors, are processors that let you accept payments without a merchant account. A good example of a TPP is PayPal. TPPs offer consumers additional ways to access their money without needing to directly interact with their bank. Under PSD2 regulation, TPPs need to ensure that there are structures in place to provide extensive security of information and consumer data, in keeping with the scope of the regulatory standards.

Transaction Risk Analysis (TRA)

Transaction risk analysis is the ability to assess the risk of a payment transaction. Under PSD2, PSPs and merchants will be encouraged to actively apply TRA. In conjunction with an appropriate Reference Fraud Rate, this can be used as an exemption from SCA.

Transaction Risk Analysis (low risk) Exemption

A PSD2 SCA exemption that can be applied by acquirers and issuers if a transaction is deemed low risk after performing TRA, meaning that Strong Customer Authentication will not be applied.
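As an added illustration that is not part of this glossary or Ravelin's own code, the Python below combines three of the entries above into one decision: the Low Value exemption (under €30, five consecutive uses or €150 since the last SCA), the ETV / Reference Fraud Rate table, and the Transaction Risk Analysis (low risk) exemption. It generalises the €70 / €130 / €300 worked example in the Reference Fraud Rate entry to any amount, and then runs a constructed sequence of transactions to show the counters resetting after SCA. The `CardCounters` state, the `evaluate` / `record_outcome` function names, the rule that a TRA exemption leaves the low-value counters untouched, and the check of the €150 limit against prior spend only are all assumptions made for the example, not rules stated on this page.

```python
from dataclasses import dataclass
from decimal import Decimal

# Exemption Threshold Values from the RTS as listed in the glossary:
# (highest transaction value in the band, highest acquirer reference fraud
# rate that still permits a TRA exemption in that band).
ETV_BANDS = (
    (Decimal("100"), Decimal("0.0013")),  # up to EUR 100 -> 0.13%
    (Decimal("250"), Decimal("0.0006")),  # up to EUR 250 -> 0.06%
    (Decimal("500"), Decimal("0.0001")),  # up to EUR 500 -> 0.01%
)

LOW_VALUE_LIMIT = Decimal("30")            # Low Value exemption only below EUR 30
LOW_VALUE_MAX_COUNT = 5                    # at most five consecutive uses
LOW_VALUE_MAX_CUMULATIVE = Decimal("150")  # or EUR 150 spent since the last SCA


@dataclass
class CardCounters:
    """Per-card state kept since the last successful SCA on that card.
    Assumption: who stores the counters (issuer or acquirer) is not stated
    in the glossary; this example simply keeps them in memory."""
    consecutive_low_value: int = 0
    cumulative_low_value: Decimal = Decimal("0")


def rfr_threshold(amount):
    """Return the maximum acquirer fraud rate that still permits a TRA
    exemption at this amount, or None above EUR 500 (no exemption possible)."""
    amount = Decimal(str(amount))
    for max_value, max_rate in ETV_BANDS:
        if amount <= max_value:
            return max_rate
    return None


def low_value_exemption_applies(amount, counters):
    """Low Value exemption: under EUR 30, fewer than five consecutive uses and
    less than EUR 150 of prior spend under the exemption since the last SCA.
    Assumption: the cumulative limit is tested against prior spend only."""
    amount = Decimal(str(amount))
    return (
        amount < LOW_VALUE_LIMIT
        and counters.consecutive_low_value < LOW_VALUE_MAX_COUNT
        and counters.cumulative_low_value < LOW_VALUE_MAX_CUMULATIVE
    )


def tra_exemption_applies(amount, acquirer_fraud_rate):
    """TRA (low risk) exemption: the acquirer's reference fraud rate must sit
    within the ETV band for the transaction value."""
    threshold = rfr_threshold(amount)
    return threshold is not None and Decimal(str(acquirer_fraud_rate)) <= threshold


def evaluate(amount, acquirer_fraud_rate, counters):
    """Decide which exemption, if any, a transaction may claim.
    Returns 'low_value', 'tra' or 'sca_required'. Trusted Listing, Secure
    Corporate and MIT handling are out of scope for this example."""
    if low_value_exemption_applies(amount, counters):
        return "low_value"
    if tra_exemption_applies(amount, acquirer_fraud_rate):
        return "tra"
    return "sca_required"


def record_outcome(decision, amount, counters):
    """Update the card's counters after the transaction: an SCA resets them,
    a Low Value exemption consumes one use and adds to cumulative spend, and
    (assumption) a TRA exemption leaves them untouched."""
    if decision == "sca_required":
        counters.consecutive_low_value = 0
        counters.cumulative_low_value = Decimal("0")
    elif decision == "low_value":
        counters.consecutive_low_value += 1
        counters.cumulative_low_value += Decimal(str(amount))
    return counters


def simulate(amounts, acquirer_fraud_rate):
    """Run a sequence of transactions on one card and return the decisions."""
    counters = CardCounters()
    decisions = []
    for amount in amounts:
        decision = evaluate(amount, acquirer_fraud_rate, counters)
        record_outcome(decision, amount, counters)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: six EUR 25 purchases, then EUR 130, then EUR 25,
    # at an acquirer fraud rate of 0.10% (within the EUR 100 band only).
    for amount, decision in zip([25] * 6 + [130, 25], simulate([25] * 6 + [130, 25], "0.0010")):
        print(f"EUR {amount:>4}: {decision}")
```

In the sample run the first five €25 purchases use the Low Value exemption, the sixth falls back to TRA because the five-use count is exhausted, the €130 purchase needs SCA because 0.10% exceeds the 0.06% threshold for its band, and the SCA resets the counters so the final €25 is low-value again. Remember that the Issuer has the final say on any exemption an Acquirer requests, so a real implementation treats this decision as a request, not a guarantee.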

Trusted Listing

A PSD2 SCA exemption that can be used by cardholders to trust a specific merchant, meaning that Strong Customer Authentication will not be applied.
