Authentication, Authorization, and Accounting
Protocol for authenticating a user based on their verifiable identity, authorizing a user based on their user rights, and accounting for a user’s consumption of network resources.
Anti-money laundering (AML) is a term mainly used in the legal and financial industries to describe a set of procedures, regulations, or legal controls designed to detect, prevent, and report the practice of generating a source of income through illegal actions (money laundering).
Automated Clearing House
An Automated Clearing House (ACH) is a network capable of handling and processing electronic payments in significant volume. Most countries have at least one ACH which provides a fully automated way of collecting and settling payments; effectively, the ACH provides a secure electronic network to allow banks and financial institutions exchange to information.
Alternative Payment Method
Alternative Payment Methods (APM) relate to any electronic payment which is not made using a credit or debit card. This includes prepaid cards and e-vouchers, digital wallets, P2P solutions, mobile payments, and cryptocurrencies.
Address Verification System
This is a security system that requires merchants to provide the cardholder's address in “card not present” transactions (usually phone, mail or web transactions). The merchant’s system verifies the address with the records of the cardholder’s issuing bank. This is one of the older anti-fraud measures and assumes that if someone has a stolen credit card they didn’t also steal the wallet with the cardholder's address.
Many issuing banks are not actually set up to handle the AVS system or may only store the cardholder’s zip code. However, there really isn’t an industry standard for AVS and by even attempting to use it a merchant may qualify for a lower rate on those transactions where they do. The AVS does not necessarily ensure that a transaction is valid.
Attestation of Compliance
The AOC is a form for merchants and service providers to confirm the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
Attestation of Validation
The AOV is a form for PA-QSAs confirming the results of a PA-DSS assessment, as documented in the PA-DSS Report on Validation.
Approved Scanning Vendor
Company approved by the PCI SSC to conduct external vulnerability scanning services.
Bank Identification Number
The first six digits of the credit card account number are used to identify both the credit card association and the issuing bank or financial institution through which the account was opened. This is also known as the Issuer Identification Number.
Bank Identifier Code
BIC stands for Bank Identifier Code. This is often referred to as a SWIFT code or SWIFT address as SWIFT owns and administers the BIC system.
Clearing House Automated Payment System
CHAPS is typically used for making high-value transactions where same-day guaranteed payment is required. Payments are guaranteed to be processed same-day providing instructions are received by 2 pm on a working day. Banks may charge up to £35 for CHAPS transfers and are only used to make bank-to-bank fund transfers in GBP.
Continuous Linked Settlement
Continuous Linked Settlement (CLS) is a settlement system run by CLS Bank International; a financial institution dedicated to settle foreign exchange trades. CLS operates a multi-currency settlement system that mitigates risk for FX transactions through the provision of its payment versus payment settlement service, which has direct links to the Real Time Gross Settlement (RTGS) systems of the 18 currencies it settles.
Card Not Present
A card not present transaction (CNP) is a remote purchase whereby the payment card and cardholder are not physically present for visual examination at the merchant’s point of sale, for example, purchases which are made over the internet, telephone, or by mail, fax, or mail-order. CNP transactions can be a major route for card fraud, as it is difficult for a merchant to verify whether or not the cardholder is actually authorizing a payment (compared to a card-present transaction, whereby the payment card and cardholder are both present so the PIN and/or customer signature can be verified).
Centre for Internet Security
A non-profit enterprise that helps organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.
Cardholder Verification Value
The CVV is the three or four-digit numeric code usually printed on the back of the credit card to verify its authenticity. CVV2 refers to the numbers actually printed on the card while CVV1 is the same code encoded on the magnetic stripe.
Deposit Correction Notice
These are adjustments, either debits or credits, made for an “out of balance” situation in a merchant’s batch. The correction is made by the acquirer prior to the transactions being entered into interchange.
Electronic Funds Transfer
Electronic Funds Transfer (EFT) refers to any transfer of funds initiated electronically, including card payments, ATM withdrawals, point-of-sale (POS) and debit transfers without requiring the intervention of bank staff. These transactions can take place within the same organization, or across accounts spread between one or more financial institutions in the banking network.
Electronic money (e-money) is a currency that is digitized to be stored on, and used via, mobile phones, prepaid cards, or online accounts. The E-Money Directive is a set of regulations that exist to benefit businesses, customers, and the wider economy. The E-Money Directive aims to enable secure e-money services, provide market access to new organizations, and foster healthy competition between all participants.
Europay, MasterCard, and Visa
Europay, MasterCard, and Visa (EMV) is a worldwide technical standard for payment cards that provides global telecommunications between all cards and acceptance networks (payment terminals). The EMV standard also applies to mobile payment solutions including mobile EMV with NFC (Near-Field-Communication).
The EURO1 is a large-value payment system for same-day euro transactions at a pan-European level, which processes transactions of high priority and urgency, and primarily of large amounts at a domestic and cross-border level on a multilateral net basis.
EURO1 processes in excess of 250,000 payments per day, with an overall value of approximately €210 billion. EURO1 is based on a messaging and IT infrastructure provided by SWIFT.
Fixes Acquirer Network Fee
The FANF is a Visa fee that is assessed based on a merchant owner/taxpayer basis and includes all merchant accounts owned by a single taxpayer ID for Visa payment card transaction processing. The fee is actually charged to the acquirer but is passed onto the merchant, possibly with a mark-up. The FANF is charged to anyone who accepts a Visa payment card regardless of whom the processor is. As with most fees in the industry, this one is fairly complicated. The fee is based on a Merchant Category Code, the number of locations the merchant has and whether they process only “card present” transactions or process both “card present” and “card not present” transactions or only “card not present” transactions.
FX / Forex
Foreign Exchange (FX) is the exchange, or conversion, of one currency into another currency. Foreign Exchange also refers to the global trading market whereby currencies are virtually exchanged around the clock, with the largest centers being based in London, New York, Tokyo, and Singapore. The term Foreign Exchange is frequently abbreviated to ‘forex’ as well as ‘FX’.
Host Card Emulation
Host Card Emulation (HCE) is a specialist software that permits a mobile device to act as a card in order to perform a transaction on a Near Field Communication (NFC) enabled device without the need of a secure element.
International Bank Account Number
An International Bank Account Number (IBAN) is an account number written in a standardized internationally recognized format that is used to identify an individual account, making it faster easier to process cross-border transactions across Europe. An IBAN is made up of a code that identifies the country the account belongs to, the bank the account belongs to, followed by the account number.
Knowledge-Based Authentication (KBA) is a security measure that seeks to prove the identity of a user who is attempting to access an online service, by asking them to answer at least one “secret” question. KBA is generally used as a component in multifactor authentication (MFA) and for self-served password retrieval.
Know Your Customer
Know Your Customer (KYC) is a mandatory banking regulation designed to protect the integrity of the banking system by reducing the likelihood of financial institutions becoming vehicles for money laundering, terrorist financing, and other unlawful activities. To mitigate risk, financial institutions perform KYC checks by obtaining sufficient information that can be used to develop a comprehensive profile of the customer, such as proof of address and photographic identification.
Large-Value Payment System
A Large-Value Payment System refers to Real Time Gross Settlement systems (RTGS), such as CHAPS, TARGET2, and country-specific equivalents. Payments via this method are sent securely, in real-time, with complete certainty that the payment will settle.
MiFIR / MiFID II Directive
Markets in Financial Instruments Directive
The Markets in Financial Instruments Directive (MiFID) is the EU legislation that regulates providers of services that are linked to ‘financial instruments', such as shares, bonds, investment schemes and derivatives, and the venues where these instruments are traded. In April 2014, the European Parliament approved an updated version of the law, MiFID II, which is set to expand the scope of the rules to cover more companies and products.
Merchant Category Code
Four-digit number that is assigned by the credit card associations to a merchant before a merchant starts accepting credit cards as payment. The merchant is assigned an MCC which classifies the merchant by what types of goods or services it offers. There are approximately 800 Merchant Category Codes.
When an issuer offers its cardholders, rewards based on what type of business they use their credit cards at, the merchant's MCC is what determines whether or not a purchase qualifies for the reward. The MCC is also used to determine which transactions must be reported to the IRS.
Near Field Communication (NFC) is a short-range method of wireless data transfer that enables two electronic devices to establish communication without an internet connection when they are in close proximity of one another. NFC chips are stored inside payment cards to enable contactless payments, and more recently, inside smartphones, stickers, and wearable devices.
Primary Account Number
Also referred to as “Account Number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
Payment Card Industry
The Payment Card Industry (PCI) consists of all the organizations which store, process and transmit cardholder data, including automated teller machines (ATMs), point of sale (POS) terminals and credit, debit, prepaid, and electronic money cards. PCI is governed by the Payment Card Industry Security Standards Council.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle payment cards. This standard is governed by the Payment Card Industry Security Standards Council and exists to increase controls around cardholder data and to reduce credit card fraud. Compliance is validated on an annual basis, either by a qualified security assessor or by a self-assessment questionnaire, depending on the volume of transactions made by each organization.
Directive on Payment Services (AKA Payment Service Directive)
Established in 2007, the Directive on Payment Services (PSD) is EU legislation that provides the legal foundation for the creation of a single market for payments across the Eurozone, and the
necessary legal platform for the Single Euro Payments Area (SEPA). The introduction of PSD made cross-border payments easier and faster with SEPA payments being used to make transfers across the majority of Europe.
Another key goal for the PSD is to improve competition by opening up payment markets to new entrants, providing greater efficiency and cost-reduction to end-users.
Revised Directive on Payment Services (AKA Payment Service Directive II)
The Revised Directive on Payment Services (PSD2) builds on the existing PSD and has been developed to make certain provisions in PSD clearer, as well as putting emphasis on further opening up the payments industry for third party businesses and non-banks, to increase competition.
POS / mPOS
Point of Sale / Mobile Point of Sale
A Point of Sale (POS) is a cashier counter, or checkout, usually located within a retail shop, or an environment whereby transactions and purchases may occur. The term may also apply to the actual hardware and software including electronic cash registers, barcode scanners, touch screen displays receipt printers, and pole displays. In simpler terms, if something can be exchanged for monetary value, then this will happen at a Point of Sale.
A Mobile Point of Sale (MPOS) is a tablet, smartphone, or wireless device that performs the functions of a regular POS terminal. Any device can be transformed into an MPOS with the use of a dedicated app.
Payment Service Provider
A Payment Service Provider (PSP) is a third party that facilitates payments on the behalf of merchants, typically by partnering with an acquirer (such as a bank). The PSP takes on the responsibility of ensuring that electronic payments are processed in a secure and reliable way. Some PSPs are able to provide merchants with a connection to multiple payment methods and networks, including cross-border payments, digital wallets, P2P (peer-to-peer) transfers, and other alternative payment methods.
Real-Time Gross Settlement Systems
Real-Time Gross Settlement Systems (RTGS) are fund transfer systems designed to move high-value and wholesale payments between banks instantly. RTGS are usually controlled by the central bank of a country.
Payments made via a RTGS are settled as soon as they are processed, and once processed, payments are final and irrevocable. As these payments are high value, they do not need to be netted or bundled, meaning the transaction is settled on a one-to-one basis in real-time.
Single Euro Payments Area
The Single Euro Payments Area (SEPA) is a European payment initiative that was introduced in order to establish a single payment market; making it simple and less costly for consumers and businesses to make and receive payments across Europe.
SEPA payments are available in 35 countries, and provide cross-border bank transfer capabilities for businesses, merchants, and consumers in a way that is equivalent to making a domestic payment.
STEP1 and STEP2
STEP1 is a payment service offered by EBA Clearing for small and medium-sized banks for single euro payments of high priority and urgency, processing approximately 20,000 transactions on a daily basis.
STEP2 processes mass retail payments in euros which provides banks across Europe with one channel through which they can send and receive their SEPA Credit Transfers and SEPA Direct Debits.
Society for Worldwide Interbank Financial Telecommunication
Founded in 1973, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a cooperative utility that was initially made up of 239 banks from 15 countries. Their goal was to develop standardized messaging and processing of transaction services for financial institutions globally, making global cross-border transfers possible.
SWIFT is often considered to be the backbone of the international finance industry and now serves more than 200 countries and territories. SWIFT payments are a type of international transfer sent via the SWIFT network; however, SWIFT does not facilitate the transfer of funds. Instead, it sends payment orders via its secure and reliable network, which must be then settled by the correspondent accounts that institutions have with each other. When sending or receiving international payments, a SWIFT code is used to identify a specific bank.
Trans-European Automated Real-Time Gross Settlement Express Transfer System
The Trans-European Automated Real-Time Gross Settlement Express Transfer System (TARGET2) is a real-time gross settlement system owned and operated by the Eurosystem.
TARGET2 handles mostly large-value central bank transactions across twenty-euro area central banks (including the ECB), as well as five central banks from non-euro area countries which include Bulgaria, Croatia, Denmark, Poland and Romania, which are made instantly and with immediate finality.
Tokenization in Name Only
TINO refers to products that offer ill-thought-out, mathematically-derived primary account number (PAN) encryptions that offer incomplete solutions. These products use the name “tokenization” but are not providing users with the levels of data protection or simplification of PCI compliance offered by a true solution.
Associations and Regulatory Bodies
European Banking Authority
The European Banking Authority (EBA) is a regulatory agency of the European Union that works to ensure effective regulation throughout the EU banking and financial sector. The overall objectives are to safeguard the orderly functioning of the banking sector, identify weaknesses, and maintain stability.
European Central Bank
The European Central Bank (ECB) manages the euro and administers the implementation of policy within the Eurozone. The capital stock of the central bank is owned by the banks of all EU member states, and the role of the ECB is to keep prices stable, in order to support economic growth and job creation throughout these states.
Emerging Payments Association
The Emerging Payments Association (EPA) is an advocating community for progressive payments companies, supporting them to become influencers in the payments landscape. The EPA also works to improve access to all people within the market, including sellers, buyers, and partners.
European Payments Council
The European Payments Council (EPC) is a decision-making body for payments within the European banking industry. The key purpose of EPC is to represent payment service providers (PSPs), and to oversee the development of the Single Euro Payment Area (SEPA)
European Securities and Markets Authority
The European Securities and Markets Authority (ESMA) is a regulatory financial institution that provides safeguarding to the European Union’s financial system by guarding investors and promoting stability in the financial market.
3D Secure authentication is an additional fraud prevention scheme to process transactions.
It allows shoppers to create and assign a password to their card that is then verified whenever a transaction is processed through a site that supports the use of the scheme. The addition of password protection allows extra security on transactions that are processed online. 3D Secure stands for 3 Domain Server. There are 3 parties that are involved in the 3D Secure process:
The company the purchase is being made from
The Acquiring Bank (the bank of the company)
VISA and MasterCard (the card issuers themselves)
The scheme is a collective of Verified by VISA (VBV), MasterCard Secure Code (MSC) and American Express (Safekey). It is the most recent fraud prevention initiative that is available at the moment. 3D Secure is also the only fraud prevention scheme that is available that offers companies liability cover for transactions that are verified by the checks. This provides additional protection to companies using the scheme as opposed to those that do not.
Payment methods are used as an alternative to credit card payments. Each alternative payment method has its own unique application and settlement process, language and currency support, and is subject to rules and regulations. The most common alternative payment methods are debit cards, charge cards, prepaid cards, direct debit, bank transfers, phone and mobile payments, e-wallets, checks, money orders and cash payments.
An acquirer (sometimes referred to as an acquiring bank) is an organization that manages the merchant’s account and processes payments on behalf of a merchant by accepting payment from an issuing bank.
The acquirer is responsible for receiving the credit and debit card transaction details, which are then passed to the card issuer via the card scheme for authorization. Once authorized, the acquirer completes the processing of the transaction by arranging for the transaction to be settled.
Back End Processor
The actual process of processing a credit card transaction is sometimes split between two organizations, the Front-End Processor and the Back End Processor. After the merchant’s batch has closed, the back-end processor receives the card capture file for MasterCard and Visa transactions from the Front-End Processor. The Back End Processor performs the compliance checks and risk management procedures and then transmits the transaction to MasterCard or Visa. At this point, the Back End Processor is done with the merchant for the day.
The card association (i.e. MasterCard and Visa) compile a blacklist which is known as the Member Alert to Control High-Risk (MATCH) list or formerly as the Terminated Merchant File (TMF). However, instead of listing deceitful buyers, they keep a registry of those merchants who have infringed the card associations’ rules. The main causes of this type of blacklisting are fraud, money laundering, insolvency, factoring (the selling of invoices by a business owner to a third party at a discount), dealing with a disproportionate number of chargeback cases and closing an account with a negative balance. This fraud prevention tool is also vastly used by the acquirers to check if applicants to a merchant account have been subject to termination in the past and based on that information the application is accepted or rejected. Yet, according to the card association rules, it is not prohibited to take on merchants on that list.
This is one of four pricing models merchant services providers/credit card processors may use to bill a merchant. This model is the simplest to understand. Basically, all the transactions are charged the same percentage and transaction fee. This usually means that the fee is above the minimum fee in order to make every transaction that would bill at a higher level even out. While this does tend to raise the cost of each transaction, many of the companies using this method (like PayPal) do not charge a monthly fee. That savings may or may not be enough to make up for the expense. This is the simplest of the pricing models but one of the most expensive per transaction.
Card Not Present Transaction
A card-not-present transaction is any transaction where the card is not present (“present” meaning either the magnetic stripe is swiped, or the chip is read) at the time of a transaction. Typically, this includes phone orders, mail orders, eCommerce orders, recurring charges, and those cases where a card will not read, and the account information has been manually entered into a terminal.
Card Present Transaction
This is any transaction where the cardholder’s payment card has the magnetic stripe swiped by the terminal or the EMV chip read by the terminal at the time of the transaction.
Any authorized person who has a payment card account is an authorized person who uses a payment card to pay for goods or services.
Any sensitive information belonging to the authorized holder of a payment card. The industry generally considers this to include the cardholder's name, cardholder address, payment card account number, PIN, verification codes and the magnetic stripe of EMV chip as a whole. This information DOES NOT belong to a merchant even after a transaction has been processed.
Chargeback is any payment card transaction that is billed back to the merchant after the sale has been completed. A chargeback is initiated by the cardholder’s card issuing bank or financial institution on behalf of the cardholder in disputes about the transaction. The most common reasons for chargebacks are non-delivery/damage of merchandise, disputes about the quality of the merchandise, and failure of the merchant to issue a timely refund. Chargebacks may also occur in fraud cases.
The process of sending an accumulated batch of payment card transactions from the merchant for processing. This usually occurs at end of the day but can be done more often for above-normal volume.
CO Branded Card
A co-branded card is a card that has been issued by an issuing bank that promotes another organization like a professional sports team, a university, or even a specific national non-profit. The credit card may be issued by HSBC, for instance, but the card will feature artwork promoting the co-branding organization, like a giant race car or the university logo on the front of the card. These cards are typically categorized as Reward cards.
Commercial Cards/Corporate Cards
These are credit cards issued to businesses for the purpose of covering travel, entertainment, expenses and purchasing. MasterCard and Visa have regulations that require special billing information to be captured at the time of the transaction and passed back to the issuing bank or financial institution. If the information is not passed back to the issuer the merchant will face a higher fee for that transaction.
Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must meet the intent and rigor of the original PCI DSS requirement; provide a similar level of defense as the original PCI DSS requirement; be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Merchants that accept credit cards are required to meet or exceed regulations set by the Credit Card Associations, the Payment Card Industry Security Standards Council (PCI) and of course, local laws. This is usually specified in the merchant agreement that the merchant signs to get a merchant account.
Cross-border payments are transactions that occur between accounts based in different countries (i.e. non-domestic payments). Typically, cross-border payments are made via an incumbent correspondent banking network, which involves the money traveling between multiple organizations, resulting in the process being slow and costly.
The electronic system used for debit card transactions to make purchases, get cash from ATMs, and pay bills online. The debit network’s logo, such as STAR, NYCE, or MAESTRO, is usually printed on the card.
You can use the credit and debit cards stored in your digital wallet to make purchases at participating merchants. Well-known digital wallets are Apple Pay, Android Pay, Samsung Pay, Microsoft Wallet, Visa Checkout and Masterpass.
As opposed to a magnetic stripe card which must be swiped, an EMV card must actually be inserted into an EMV compatible terminal and left there while the transaction completes. The common nickname for this act of inserting the EMV chip card is Dipping.
This is the fee paid to the acquirer bank by the merchant for the settlement of the merchant’s payment card transactions and the depositing of the funds into the merchant’s account. The fee is a mark-up of the interchange rate plus credit card association assessments plus mark-ups. Perhaps most simply thought of as the amount a merchant’s payment card transaction dollar amount is discounted in order to get it processed and settled through interchange.
Dispute Management is a term used to describe the process of managing payment disputes. These are situations where a cardholder has requested information about the payment from their issuing bank. This may mean that they intend to chargeback the transaction.
Dispute Management is where all disputed invoices are monitored, forwarded to the responsible persons, and followed up.
Dynamic Payment Splitting
The cost of a basket of goods purchased on a marketplace contains services/goods that are provided by multiple suppliers, including the marketplace itself. Payments need to be split accordingly. Payment splitting refers to the process of splitting customer transactions and settling multiple sellers and marketplace bank accounts. Dynamic Payment Splitting moves the money in real-time. Payment Providers that are integrated directly into existing ERP, purchasing, and invoicing systems, are able to provide a real-time complete end-to-end solution for B2B transactions.
Faster Payments is a UK payment system that allows transactions to be made 24/7, 365 days a year. Originally the network was restricted to established incumbent banks, but this has recently begun to open up, allowing new entrants access to the network.
Foreign Exchange Fee / FX Fee
FX fees are typically charged as a mark up to the mid-market (AKA interbank) rate. The mid-point between the buy and the sell prices of the two currencies on the global currency markets determines this rate.
Providers that process FX payments often add a high commission to this rate in order to make a profit from the transaction. Fees may also be added when a transaction has to pass through multiple correspondent banks to reach the recipient.
Fraud Preventions Tools
There are four key fraud prevention tools in CNP transactions:
Address Verification Service (AVS): The comparison of the address provided when submitting the purchase order against the billing address contained in the issuing bank’s data. Its purpose is to corroborate that the addresses coincide.
Card Security Code (CSC): Depending on the card company is where the code is to be found. For MasterCard and Visa cards it is a three-digit code placed at the back of the card. For American Express cards it is a four-digit code located on the front of the card.
3-D Secure: It is a security scheme that consists of providing a password before completing an online transaction. Its aim is to verify the card user’s identity to legitimate the purchase. The service is offered by the card brands under different names, e.g. Verified by Visa, MasterCard SecureCode and American Express SafeKey.
Fraud Detection Software: Third parties offer many options of fraud screening technologies that enable merchants to assess orders and detect fraud in real-time. However, these technologies can also be developed internally. In addition to these fraud prevention tools, in the United Kingdom, there is the Industry Hot Card File (IHCF), which is an electronic file where cards that have been reported lost or stolen are registered. Participating retailers in the IHCF program get a warning when a card that is compatible with the details contained in the file is being used to do a purchase.
Fraud prevention tools are not infallible. Therefore, it is highly recommendable that merchants implement a combination of measures to counteract fraudulent activities.
An issuer (sometimes referred to as an issuing bank) is a financial institution that issues cards on behalf of credit and debit card networks. An issuer assumes responsibility for paying the acquiring bank on behalf of the customer.
An interchange fee is a fee paid by a merchant bank (acquiring bank) to the card issuer for the acceptance of card-based transactions. The interchange fee charged is often higher for Card Not Present (CNP) transactions, where the risk of fraud is higher.
A merchant is an individual or company that conducts business either to provide wholesale or retail products to end-users.
A payment gateway is a secure application that automates a transaction, allowing a merchant to accept forms of electronic payment by facilitating communication between the issuer and acquirer.
The payment gateway acts as a mediator between the transactions that occur on a website and the payment processor and is responsible for acquiring transaction authorization and data encryption. Payment gateways usually charge merchants a per-transaction fee to process payments.
A transaction fee is a cost that is charged when sending and receiving money; typically, when funds are being transferred internationally.