The world of payments and fraud is full of acronyms and terminology. Here’s our handy guide to find your way through.
3D Secure (3DS) is a way for Issuing Banks to authenticate consumers who use their cards to pay online. For online payments that have been authenticated, liability for fraud-related chargebacks shifts from the Merchant to the Issuer, so the Merchant no longer carries the financial fraud risk for that transaction. The 3D refers to the three domains of the Acquirer, the card networks (the “interoperability domain”) and the Issuing Banks.
The original version of 3DS (3DS1) presents a screen to customers during the check-out process, where they authenticate by entering a static password or a four-digit PIN. It is a browser-based solution only, with poor usability on mobile devices. 3DS2 is the current version of 3D Secure and is SCA-compliant. It supports additional authentication methods such as app-based biometrics, and is designed for the needs of mobile devices and native mobile apps. The latest version of 3DS2, v2.2.0, provides more options for requesting exemptions and improves data sharing between merchants and Issuers.
The party requesting a 3DS authentication be initiated, such as a merchant or payment service provider.
When the 3DS Requestor initiates the authentication of a cardholder without their direct involvement. This could be used in the case of recurring transactions where the cardholder may not be present.
A software development kit (SDK), to be embedded in a mobile application, that assists in the 3DS process by collecting device information and facilitating the 3DS challenge for the issuer.
A 3DS Server is the component of 3D Secure which is managed by Acquirers or merchants. The 3DS Server communicates with the Directory Servers, sending and receiving different Requests and Responses and retrieving scheme, Acquirer, merchant and transaction data.
The Access Control Server is the component of 3D Secure which is managed by the Issuing Banks. The ACS contains authentication rules and generates authentication tokens. It is also responsible for providing the screen content for customer challenges and validating the responses.
Account Information Service Providers (AISPs) are providers that can extract a customer’s account information data including transaction history and balances. Banks, fintech companies and non-traditional financial services companies currently have the capacity to develop AISP solutions.
Account Servicing Payment Service Providers (ASPSPs) are financial institutions which offer online access to a payment account. Under PSD2, they must provide access to trusted third parties so that they can retrieve account information.
The Acquirer or “Acquiring Bank” is a bank which acquires funds for merchants from a cardholder.
Authentication is the process of proving that a claimed identity is genuine, typically by demonstrating knowledge or possession of a secret shared between the two parties. This is commonly an act of “logging in” using a static password, or a One Time Password (OTP) sent over SMS or generated by a second-factor device.
In payments, Authentication is the process of the consumer proving their identity to an Issuing Bank usually as a precursor to an Authorisation.
Authentication tokens are used to link the act of authentication to the specific payee and amount of the transaction. This dynamic linking is a requirement under PSD2. If either of the two attributes changes, then the authentication token must also be changed. Authentication tokens are a new feature for 3D Secure v2.
This is a card scheme-specific value generated after a successful 3D Secure authentication that is to be used for authorising the transaction. This is also referred to as “CAVV” (Cardholder Authentication Verification Value) by Visa, AAV (Accountholder Authentication Value) by Mastercard, and AEVV (American Express Verification Value) by American Express.
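The dynamic-linking requirement described in the two entries above (the authentication token must change if the payee or the amount changes) can be illustrated with a keyed MAC. The following is an added example, not code from this page or from any card scheme: the real CAVV, AAV and AEVV values are scheme-specific and computed differently, and the field layout, key and identifiers below are assumptions chosen only to show the binding property.

```python
"""Illustrative dynamic linking: bind an authentication result to payee + amount.

Added example. The HMAC construction, the canonical field encoding and all
sample values are assumptions; real scheme CAVV/AAV values are computed
differently by the issuer's ACS and the card network.
"""
import hashlib
import hmac
from decimal import Decimal


def _canonical(payee_id: str, amount: str, currency: str, txn_id: str) -> bytes:
    """Fixed-order, length-prefixed encoding of the linked attributes.

    Length prefixes stop two different (payee, amount) pairs from producing
    the same byte string by shifting characters between fields. The amount is
    normalised to two decimals so "49.99" and "49.990" link to the same value.
    """
    amount_text = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    fields = [payee_id, amount_text, currency, txn_id]
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def issue_authentication_token(issuer_key: bytes, payee_id: str, amount: str,
                               currency: str, txn_id: str) -> str:
    """Issuer side, after the cardholder has passed SCA: produce the token.

    Because the payee and amount are inputs to the MAC, any later change to
    either of them invalidates the token, which is the dynamic-linking property.
    """
    return hmac.new(issuer_key, _canonical(payee_id, amount, currency, txn_id),
                    hashlib.sha256).hexdigest()


def verify_authentication_token(issuer_key: bytes, token: str, payee_id: str,
                                amount: str, currency: str, txn_id: str) -> bool:
    """Issuer side at authorisation: recompute over the authorisation's own
    payee and amount and compare in constant time."""
    expected = issue_authentication_token(issuer_key, payee_id, amount, currency, txn_id)
    return hmac.compare_digest(token, expected)


if __name__ == "__main__":
    # Constructed sample values (not real keys or merchants).
    key = b"issuer-acs-demo-key-0001"
    token = issue_authentication_token(key, "MERCHANT-001", "49.99", "EUR", "txn-1")
    print("same payee and amount :", verify_authentication_token(key, token, "MERCHANT-001", "49.99", "EUR", "txn-1"))
    print("amount changed        :", verify_authentication_token(key, token, "MERCHANT-001", "59.99", "EUR", "txn-1"))
    print("payee changed         :", verify_authentication_token(key, token, "MERCHANT-002", "49.99", "EUR", "txn-1"))
```

The check that matters operationally is the second and third print: an authorisation that arrives with a different amount or a different payee than the one the cardholder authenticated must fail, which is exactly the case the "if either of the two attributes changes" sentence describes.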
An Authorisation is the process of an Issuer verifying the payment details provided by a consumer and reserving funds in the consumer’s account. Once an Authorisation has been granted, the payment is completed by ‘capturing’ the Authorisation.
Issuers subject Authorisation requests to risk analysis based around the consumer’s prior activity and the details of the Authorisation attempt itself.
Once an Authorisation has been granted, the payment is not complete until it has been Captured. Capturing a payment starts the process of the funds transferring to the merchant from the consumer.
Card schemes, such as Visa, Mastercard and American Express, are payment networks that link to payment cards. They help members of their scheme to issue and/or acquire cards.
CIT refers to transactions which are initiated by the cardholder, also known as a payer-initiated or on-session payment. This is distinct from Merchant Initiated Transactions.
When the issuer presents a challenge to the cardholder in order for them to verify their identity.
The terms Chargeback and Dispute are used interchangeably and refer to the process by which a cardholder seeks a return of funds from a Merchant. The ‘Dispute Process’ is initiated by a cardholder complaint to their Issuing Bank about a particular transaction. The Merchant then has an opportunity to Defend the transaction by submitting evidence to support their belief that the transaction was fair. At the end of the process a decision is reached, at which point the cardholder and merchant will respectively Win or Lose.
Under PSD2, the Competent Authorities are organisations at a national level which monitor and supervise the implementation of the RTS in keeping with the advice of the EBA. For example, in the UK the FCA is the Competent Authority and in Spain it’s the Banco de España. See the EBA list of competent authorities.
An authentication type that occurs completely outside of the authentication flow. For example, Mail-Order-Telephone-Order (MOTO) or recurring transactions.
When the responsibility for performing Strong Customer Authentication is delegated by the issuer, which remains accountable for it under PSD2, to a compliant third party such as a merchant or a digital wallet provider.
The Directory Server is the component of 3D Secure which is managed by the card networks. It secures message mediation between the 3DS Servers and the ACS. Its functions include authenticating the 3DS Server and routing messages correctly between the 3DS Server and ACS.
A value set by the card schemes to indicate the authentication outcome and liability shift status.
EMVCo is the organisation that sets technical specifications for card-based payments, including chip, contactless and tokenised payments. The name comes from its founding members Europay, Mastercard and Visa. EMVCo manages the specification of 3DS version 2.
Tokens based on EMV’s Payment Tokenisation framework, designed to help reduce friction in the payment flow and improve security. These tokens are a surrogate value maintained by the card schemes. They can replace the PAN in both authentication and authorisation requests.
The European Banking Authority is an EU Authority which works to ensure effective regulation and supervision across the European banking sector. For PSD2, at a country level the supervision is managed by national Competent Authorities such as the FCA in the UK.
Exemptions under PSD2 are specific types of transactions which can avoid having SCA applied to them. Some examples of these transactions are low risk transactions and those under €30.
The FCA stands for Financial Conduct Authority, and it is a regulatory body in the UK that regulates financial markets to protect consumers and provide a level playing field for the industry. The FCA ensures that the market remains fair and effective and also promotes competition.
When the issuer uses Risk Based Authentication to determine whether a cardholder is fraudulent or not, without requiring a challenge authentication.
The General Data Protection Regulation (GDPR) applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Read more about Ravelin and the GDPR.
The Issuer or “Issuing Bank” is a bank that issues cards for cardholders to make payments with.
When the financial responsibility for a fraud related dispute is shifted from the merchant to the cardholder’s issuing bank.
A PSD2 SCA exemption that can be requested by acquirers and applied by issuers if the value of a remote transaction is €30 or less, meaning that Strong Customer Authentication will not be applied. The issuer keeps the counters: the exemption can only be used for five consecutive transactions, or until the cumulative amount spent with that card since the last SCA reaches €100 (whichever comes first), after which SCA must be applied and the counters reset.
A code assigned by the card schemes to a merchant and transaction, based on the vertical or industry that transaction relates to.
MIT refers to transactions that use a token for payments and are initiated by the merchant. The cardholder does not need to take any action to initiate the transaction. MIT is commonly used for subscription charges. The cardholder is required to provide a mandate to authorise the merchant to initiate the transaction or series of transactions. MIT is also known as an off-session payment or a payee-initiated payment, as distinct from Cardholder Initiated Transactions which are known as on-session or payer-initiated payments.
The term used to describe the software required to initiate and facilitate authentication requests for 3D Secure version 1.
Authentication performed as a part of a non-payment event, such as adding a card to a wallet.
An authentication type that occurs during the authentication flow, but where the challenge itself is performed outside of the merchant’s browser or app. For example, when the cardholder is directed to their banking app to verify their identity.
In the language of PSD2, the Payee is the merchant; someone who is selling goods or services online.
In the language of PSD2, the Payer is the consumer, someone who is buying goods or services online.
In the language of PSD2, the “Payee’s PSP” means an Acquirer for Card payments.
In the language of PSD2, the “Payer’s PSP” means an Issuer for Card payments.
The Payment Account Reference (PAR) is a 29-character unique, consistent, non-sensitive identifier for the payment account behind an EMV Payment Token (aka Network Token).
Unlike a card Primary Account Number (PAN), which can change if a card is lost or stolen, the PAR can be remapped to identify a new PAN and so remains the same for the lifetime of the payment account.
The 29-character PAR comprises a 4-character BIN Controller Identifier followed by a unique 25-character value.
The PAR is issued by card schemes and is defined by the EMV® Payment Account Reference (PAR) White Paper (PDF download).
Authentication performed as a part of a payment transaction.
A Payment Gateway is a service that allows Merchants to initiate and manage online payments. Payment Gateways are not typically involved in the flow of money. When they offer other ‘bundled’ services they transmogrify into Payment Service Providers.
The Payments Services Directive 2 (PSD2) is European legislation that requires financial services to contribute to a more integrated and efficient payments ecosystem. One key part of the legislation relates to implementing Strong Customer Authentication on the majority of electronic transactions across the European Union and the European Economic Area.
The Payments Services Directive 3 (PSD3) is draft European legislation that is expected to extend current Strong Customer Authentication (SCA) requirements and improve consumer rights.
Contains detailed rules that all relevant payment service providers must follow in order to provide payment services, including previous and future payment services directives.
Payment Service Providers offer a variety of bundled services to Merchants, typically combining the services of a Payment Gateway with an Acquirer either of their own or through multiple connections to different Acquirers and payment networks.
From a regulatory perspective, ‘Payment Service Provider’ also refers to Issuing and Acquiring banks.
Merchants who wish to use the low risk TRA exemption from SCA need to ensure that their Acquirer’s fraud rate is within the thresholds defined by the RTS - the Exemption Threshold Values (ETV) which set the maximum possible value for a given reference fraud rate:
| Exemption Threshold Value (ETV) | Reference Fraud Rate (RFR) for remote card transactions |
|---|---|
| €100 | 0.13% |
| €250 | 0.06% |
| €500 | 0.01% |
For example, a transaction value of €70 is subject to the 0.13% reference fraud rate. For a transaction of €130 the 0.06% threshold applies, and for €300 the 0.01% applies. For transactions greater than €500 there is no reference fraud rate and a low risk exemption is not possible.
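The TRA ladder above and the low-value exemption entry earlier on this page are the two exemption rules an issuer (or an acquirer requesting the exemption) has to evaluate per transaction. The following is an added example, not Ravelin's code or any scheme's: it implements both rules as an issuer-side decision with per-card counters, using the thresholds quoted on this page. The reading that both the five-transaction and the cumulative-amount counter must be within limits, that exempted transactions of any kind count towards them, and that the cumulative limit may not be exceeded by the current transaction, are assumptions stated in the code.

```python
"""Issuer-side PSD2 SCA exemption decision: low value, then TRA, otherwise SCA.

Added example. Thresholds are those quoted on this page (RTS Art. 16 and the
ETV/RFR ladder). Counter semantics are an assumption: both counters apply,
every exempted transaction since the last SCA counts, and a transaction may
not push the cumulative exempted amount above the limit.
"""
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_MAX = Decimal("30")              # per-transaction cap
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")  # cumulative exempted spend since last SCA
LOW_VALUE_MAX_COUNT = 5                    # consecutive exempted transactions since last SCA

# TRA ladder for remote card transactions: (ETV in EUR, reference fraud rate in %).
# Ascending order; the first band whose ETV is >= the amount applies.
TRA_BANDS = (
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
)


def tra_reference_fraud_rate(amount):
    """RFR (in %) the acquirer's fraud rate must not exceed for this amount,
    or None for amounts above EUR 500, where no TRA exemption is possible."""
    amount = Decimal(amount)
    for etv, rfr in TRA_BANDS:
        if amount <= etv:
            return rfr
    return None


def tra_exemption_available(amount, acquirer_fraud_rate_pct) -> bool:
    rfr = tra_reference_fraud_rate(amount)
    return rfr is not None and Decimal(acquirer_fraud_rate_pct) <= rfr


@dataclass
class CardCounters:
    """Per-card state held by the issuer: exempted transactions since last SCA."""
    exempt_count: int = 0
    exempt_cumulative: Decimal = Decimal("0")

    def low_value_exemption_available(self, amount: Decimal) -> bool:
        return (
            amount <= LOW_VALUE_MAX
            and self.exempt_count < LOW_VALUE_MAX_COUNT
            and self.exempt_cumulative + amount <= LOW_VALUE_CUMULATIVE_MAX
        )

    def record(self, amount: Decimal, sca_applied: bool) -> None:
        # Applying SCA resets both counters; any exemption advances both.
        if sca_applied:
            self.exempt_count = 0
            self.exempt_cumulative = Decimal("0")
        else:
            self.exempt_count += 1
            self.exempt_cumulative += amount


def decide(amount, counters: CardCounters, acquirer_fraud_rate_pct, tra_requested=True) -> str:
    """Return 'low_value', 'tra' or 'sca' for one transaction and update the counters."""
    amount = Decimal(amount)
    if counters.low_value_exemption_available(amount):
        outcome = "low_value"
    elif tra_requested and tra_exemption_available(amount, acquirer_fraud_rate_pct):
        outcome = "tra"
    else:
        outcome = "sca"
    counters.record(amount, sca_applied=(outcome == "sca"))
    return outcome


def run_scenario(amounts, acquirer_fraud_rate_pct):
    """Decide a sequence of transactions on one fresh card; returns the outcomes."""
    counters = CardCounters()
    return [decide(a, counters, acquirer_fraud_rate_pct) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: an acquirer with a 0.10% fraud rate, six small purchases
    # followed by the EUR 70 / 130 / 300 amounts used in the worked example above,
    # and one transaction above the EUR 500 ceiling.
    print(run_scenario(["20"] * 6 + ["70", "130", "300", "600"], "0.10"))
```

Running the sample gives five low-value exemptions, then the sixth €20 purchase falls to TRA because the five-transaction counter is exhausted; €70 passes TRA at 0.13%, €130 fails it because the acquirer's 0.10% exceeds the 0.06% band, and both €300 and €600 require SCA. A second run with €30 purchases at a high acquirer fraud rate shows the cumulative counter biting first: the fourth €30 would take the total to €120 and so needs SCA.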
The Regulatory Technical Standards (RTS) are the regulatory requirements set by the EBA to ensure that payments across the EU are secure, fair and efficient.
A PSD2 SCA exemption that can be applied if the card used for a transaction is a virtual or lodged corporate card, meaning that Strong Customer Authentication will not be applied.
Strong Customer Authentication (SCA) is a method for proving that you are who you say you are when purchasing a product or service. SCA is mandatory for all electronic payments under PSD2, and requires at least two of the following three categories of information for authentication:
Third Party Providers (TPPs) are, in PSD2, the regulated providers that access a customer’s payment account through the account-holding bank (the ASPSP): Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). They offer consumers additional ways to view and move their money without interacting directly with their bank. The term is also used loosely for third party processors such as PayPal, which let a merchant accept payments without its own merchant account. Under PSD2, TPPs must have structures in place to protect information and consumer data in keeping with the regulatory standards.
Transaction risk analysis is the ability to assess the risk of a payment transaction. Under PSD2, PSPs and merchants will be encouraged to actively apply TRA. In conjunction with an appropriate Reference Fraud Rate, this can be used as an exemption from SCA.
A PSD2 SCA exemption that can be applied by acquirers and issuers if a transaction is deemed low risk after performing TRA, meaning that Strong Customer Authentication will not be applied.
A PSD2 SCA exemption that can be used by cardholders to trust a specific merchant, meaning that Strong Customer Authentication will not be applied.