A cardholder authentication protocol that aims to reduce fraud and enhance security in eCommerce. The ‘D’ in ‘3D’ refers to the ‘three domains’: the merchant/acquirer domain, the issuer domain and the interoperability domain.

A 3Ds requestor is the party that initiates the 3-D Secure 2.0 authentication request to confirm that an account is still available or to verify a cardholder. For instance, the requestor could be a retailer or a digital wallet requesting authentication during the purchase flow.

Embedded software within a merchant's mobile app that facilitates cardholder authentication. When a cardholder initiates an in-app (mobile) transaction, the 3DS SDK notifies the 3DS Core Components to verify the cardholder.

A 3Ds server provides the functional link between the DS and 3DS Requestor Environment flows. It  is accountable for collecting the required data elements for 3-D Secure messages, authenticating the DS, validating the DS, the 3DS SDK, and the 3DS Requestor, as well as protecting the message contents.

The issuer domain (banks) of 3-D Secure includes the Access Control Server (ACS). Each card issuer is required to maintain an ACS utilised for supporting cardholder authentication. 

A bank or financial institution that processes credit or debit card payments on behalf of a merchant. The acquirer allows merchants to accept card payments from card-issuing banks. To accept card payments, an acquirer should be licensed by corresponding card networks and either partner with a payment processor, or be a payment processor itself. 

An agreement between an ISV, ISO, or payment facilitator and the acquirer that sells processing services. This contract is negotiated and determines a variety of topics including but not limited to: processing rates, transaction fees, value added services, liability, and applicable service level agreements (SLAs).

In credit card transactions, the Acquirer Reference Number (ARN) is a unique number assigned to a transaction when it goes from the merchant's bank (acquirer) through the card scheme at the cardholder's bank (issuer).The ARN can be used to track a payment or refund. Shoppers can contact their banks to do so and the banks can then use the ARN to track the payment or refund. Merchants can retrieve the ARN from the Customer Area or the shopper's bank.

Fees charged for the verification of a credit cardholder's address. This is typically performed via the Address Verification System (AVS), which verifies that the zip code submitted at the time of processing matches the zip code on the cardholder's billing statement.

A tool that verifies the cardholder’s billing address (the zip code) in order to help combat fraud in card not present card payment environment (available mainly in the US and UK).

Alternative payment methods can be categorised as any form of payment which isn’t cash, or a credit card issued by a major bank. Mobile payments, digital wallets, bank transfers, Buy Now Pay Later and prepaid cards are all examples of frequently used APMs. Also known as a local payment method.

Fees associated with a credit card. This can include membership fees, as well as rewards costs.

Anti-Money Laundering activities and controls are practices and procedures designed to identify and protect against financial criminals seeking to disguise illicitly gained funds as legitimate. Many institutions, especially those in the financial sectors, are required by the Bank Secrecy Act (BSA) to have detailed programs in place to prevent, detect, and report potential money laundering activities.

API stands for Application Programming Interface. This is a general term for programming techniques that are available for software developers when they integrate with a particular service or application. These techniques vary on the software type and may include web API, remote API, SDKs, libraries, frameworks, and much more. In the payments industry, APIs are usually provided by any party participating in the money flow (e.g. payment gateways, processors, service providers) to facilitate the money transferring process.

The procedure a member can initiate to resolve a chargeback-related dispute between two members.

Authentication is the process of verifying a user or device before allowing access to a system or resources. In other words, authentication means confirming that a user is who they say they are. This ensures only those with authorized credentials gain access to secure systems. When a user attempts to access information on a network, they must provide secret credentials to prove their identity. Authentication allows you to grant access to the right user at the right time with confidence. But this doesn’t occur in isolation.

A code that an issuer provides to indicate approval of a transaction. The code is returned in the authorisation response message and is usually recorded on the transaction receipt as proof of authorisation.

Technically called an authorisation request fee, this is what is charged each time a transaction is sent to the issuer to be authorised. The fee applies whether or not the request is approved. Note that this is not the same as a transaction fee.

This is the process of the card issuer (like Visa or Mastercard) verifying payment details and reserving the funds to capture it later .In ecommerce, in-app and point-of-sale payments, authorisation is implemented as an API call to the payment gateway. The gateway and payment processor then perform required validation and risk checks, and ask a corresponding card network to authorise this payment from an issuer to an acquirer. When a payment was authorised but hasn't been captured yet, a merchant can also decide to cancel it for some reason (like a high risk of fraud). Note that authorisation is valid only for a limited amount of time. In case an authorised payment hasn't been captured or cancelled, it expires after the predefined deadline is missed.

A network between banks that facilitates the transfer of money between depository accounts at participating banks.

Funds are electronically deposited into a bank account.

Funds are electronically debited from a bank account.

A returned ACH transaction.

A failed ACH transaction.

An electronic banking terminal that can be physically located at a bank branch, retail business, or other locations. Most commonly used to facilitate cash withdrawals with debit and credit cards.

An identification number assigned by the card schemes to each of its affiliated financial institutions, banks and processors. It is shown on the payment card as the leading siz or eight digits of the card number. Also referred as an ‘issuer identification number (IIN)’.
The BIN can be used to determine the:
Card network.
Financial institution that issued the card.
The BIN cannot be used to determine:
The card type, for example credit or debit card.
The BIN can be used to determine the: direct way to know if a card number contains a six or an eight-digit BIN.

Identifies the beneficiary's bank. It is the same as the bank's SWIFT code.

U.S. law requiring financial institutions to assist government agencies in detecting and preventing money laundering. The BSA is also known as the Anti-Money Laundering Law (AML).

A method of electronic funds transfer from one person or entity to another.

A financial term that describes a common unit of measure. One basis point is equal to 1/100th of 1% or 0.01%.

A term that collectively refers to all payment card transactions processed during a given period of time.

Fee charged for each submission of a batch file to a payment processor. Batch fee(s) are volume based fees charged for the processing load on the system that ingests and ultimately executes the transactions specified in a given batch file.

Verification of an individual's identity based on their unique biological characteristics, including facial recognition or voice identification. Biometric authentication systems compare captured biometric data with confirmed authentic database data. For authentication to be validated, both biometric data samples must match.

Classifies any transaction or use case where a business sends money to another business.

Classifies any transaction or use case where a business sends money to a consumer.

An APM that allows consumers to spread the cost of a purchase by paying in instalments, often without interest. 

An authorised payment can be either captured (where funds are sent to a merchant's account) or cancelled (where a merchant decides to reject the payment for some reason like a high risk of fraud).Note that cancelling a payment is not possible for transactions that have already been captured. In this case the merchant should initiate a refund to send funds back to a shopper. Captures, cancels, and refunds together are called modifications, because they modify the state of an authorised payment request.

A payment that has been authorised by the payment processor must be captured to be completed. Capturing is the act of transferring the reserved funds from the shopper to the merchant. By default, payments are captured automatically, immediately after authorisation. Many payment methods support separate authorisation and capture. This means you can set up a capture delay; capture payments manually (both in the Customer Area and using API calls); perform partial captures; or cancel an authorisation. Captures, cancels, and refunds together are called modifications, because they modify the state of an authorised payment request.

The bank, credit union or other financial institution through which a cardholder obtains a card.

Payment networks that set rules and provide infrastructure to issue cards and process payments made with cards. For a payment to be made, both an issuer and an acquirer must be members of the same network as the card. Examples of some popular card networks are Visa, Mastercard, American Express, and UnionPay.Card schemes charge fees for processing payments, and also regulate the value of the interchange fee, which depends on many factors for each specific payment.

A payment card transaction made where the cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given, and payment effected. It's mostly used for online payments, but also mail-order or telephone-order transactions. 

Every payment card (be it a debit, credit, gift, or a similar card) has a unique number associated with it. This number is usually printed on the card and required to uniquely identify this card and to refer to it in every transaction.The whole card number is called Primary Account Number (PAN), and the first six or eight digits of it are also called the Bank Identification Number (BIN).Also, a card may contain a card security code, which, along with the card number, can be used in card-not-present transactions.

When card details are stored to streamline the checkout process for returning customers. This can be used for one-click payments, pay-per use services, or any recurring payment that does not follow a fixed schedule. A recurring payment that occurs on a fixed schedule is referred to as a subscription. If a merchant is PCI-Compliant at Level 1/Level 2, they can store card details by themselves. 

More than just the physical presence of the credit card, a transaction is considered “card present” only if electronic data is captured at the time of the sale. Data can be captured by swiping a magnetic strip card, dipping an EMV chip card, or tapping an NFC/contactless digital wallet with a stored card, like a smartphone with Apple Pay enabled.

The 3- or 4-digit numeric code that is printed on a card in addition to the card number. The security code is used in card-not-present transactions to verify the identity of a cardholder.
This code may have different names, for instance:
Visa: Card Verification Value (CVV, CVV2)
Mastercard: Card Validation Code (CVC, CVC2)
Amex and Discover: Unique Card Code (CID)
The security code is an example of Sensitive Authentication Data, and as such in scope of PCI DSS compliance restrictions

The person or entity whose name is embossed on a payment card and who is the holder or an authorised user of a debit or credit card.

The Cardholder Authentication Verification Value (CAVV) is a cryptographic value used in online transactions to verify that the cardholder was indeed the one who authorized the purchase.

Type of verification method used to confirm a payment instrument, such as a credit card, being used in a purchase is in the possession of its owner.

Plastic cards issued by shoppers' banks to enable cashless payments either on a point of sale, via an ecommerce website, or inside a mobile application. Cards may be debit, credit or prepaid, and are usually operated by card networks. Sometimes cards may be linked to ewallets or other local payment methods, but most commonly they are used to withdraw cash or make cashless payments.A typical card contains a card number, which uniquely identifies a card. It also contains a security code, used in combination with other information (a card expiry date and cardholder name) to verify card-not-present payments (for example, when paying for goods or services on a ecommerce website or inside a mobile application).

Chargeback refers to the return of funds used to make a purchase, initiated by the bank or financial institution that issued the funds. If a chargeback occurs, the cardholder's bank will be held responsible. An excessive number of chargebacks can result in issues with card networks who may refuse to onboard merchants on their networks.  A chargeback occurs when a customer initiates the reversal of a payment transaction made with a credit or debit card. Customers typically request a chargeback if they believe the payment was erroneous, fraudulent, or if they encounter issues with the product or service they purchased, such as problems with its specifications, quality, or delivery. This process is facilitated through the customer's bank or credit card company, and the payment amount is refunded from the customer's account. While chargebacks are designed to safeguard consumers' rights and address their concerns, they can result in financial losses for sellers and harm their reputation.

Fee charged for a chargeback. In the instance of a chargeback, additional work may be required to remediate the issue, including but not limited to: notifications, evidence collecting, escalation and others. Most if not all service providers involved in the transaction may charge chargeback fees to the end merchant that incurs the initial chargeback.

The number of calendar days during which the issuer has the right to charge the transaction back to the acquirer. This may not exceed 120 days. However, there are various occasions where the chargeback timeframe is calculated on a different basis, therefore time limits may vary. 

A post-transaction banking term used to describe the process of ensuring the reconciliation and settlement of the transactions are done in agreement with the underlying rules and frameworks governing the transaction.

The cryptographic technique of encrypting data on the sender's side before it is transmitted to a server, such as a cloud storage service. Also known as encryption at source.

The level of risk in a bank's portfolio arising from concentration to a single counterparty, sector, or country.

Classifies any transaction where a consumer pays a business.

A type of payment that can be made without the card, or chosen device, coming into contact with the card reader. NFC (Near Fied Communication) is the technology used in contactless payments. Apple Pay, Google Pay and Samsung Pay all use the standard NFC protocol and are therefore accepted. We also wrote an in-depth article about it.

Contactless payments allow your shoppers to make payments without inserting or swiping their card. In the context of POS, NFC is the technology used in contactless payments. Apple Pay, Google Pay and Samsung Pay all use the standard NFC protocol and are therefore accepted. These payment methods are considered strongly authenticated and therefore support high-volume transactions.

The process that occurs when a payment method used has been issued in one country to pay someone (a peer or a merchant) that is based in another. Also known as an ‘international payment’, this is a more complicated type of payment that requires the right, regulated payments infrastructure. Read our guide to cross-border payments here. 

A digital or virtual currency that is secured by cryptography, making it nearly impossible to counterfeit. Popular cryptocurrencies include Bitcoin and Ethereum. We wrote an article about its history, why it’s so popular and the future of cryptocurrencies.

A report that U.S. financial institutions are required to file with FinCEN for each deposit, withdrawal, exchange of currency or other payment, or transfer that exceeds a certain monetary threshold.

A bank, a financial institution, or other entity that is responsible for managing, administering, or safekeeping assets for other persons or institutions. A custodian holds assets to minimize risk of theft or loss, and does not actively trade or handle the assets.

The act of or authority to safeguard and administer clients’ investments or asset

Policies, practices, and procedures that enable a financial institution to predict with relative certainty the types of transactions in which the customer is likely to engage.

An amount withdrawn from an account.

Used to identify customers who have shopped with the merchant previously across channels. Can be used for loyalty programs.

A software application usually used in conjunction with a mobile payment system to facilitate electronic payments for online transactions and, increasingly, purchases at physical shops. Apply Pay and Samsung Pay are both popular examples. Also known as an eWallet.

A 3D Secure Directory Server (DS) acts like a central traffic controller in the 3D Secure (3DS) payment authentication process. It facilitates communication and data exchange between the different parties involved in an online transaction

When a shopper for some reason wants funds returned from a merchant, and a payment was already captured, the shopper can initiate a refund. If the merchant refuses, the shopper may ask their issuer to make a chargeback. If a merchant disagrees, they can dispute the chargeback.If disputing a chargeback is allowed (for more information, see Payment methods), the merchant must provide documents confirming the delivery of a product/service, and send these documents either to the acquiring bank or the payment service provider. Also known as a chargeback. A claim made by a cardholder to the issuing bank that questions the validity of a credit or debit charge.

Fee paid to the card network for use of their credit card and to process transactions on their networks.

Allows shoppers to convert the transaction amount to their card's default currency when making a payment abroad.The shopper is presented with the choice to convert the transaction amount, when the transaction is in a currency other than the default configured on the card and the terminal has been configured to allow DCC. Full details on the exchange rate are provided to the shopper on the terminal to allow an informed decision, and simultaneously to the POS app for merchant information.The shopper either accepts or rejects the DCC offer and proceeds with the selected amount and currency. If the shopper chooses DCC, related information is shown on the receipt. Shoppers can immediately understand the full amount charged for the transaction in a familiar currency.

Fee that merchant(s) may incur as a result of the merchant terminating the processing agreement before the end of a specified period of time.

An electronic form of a check.

A reversed eCheck.

A failed eCheck.

The process of electronically buying or selling products over the Internet. The rate of digital acceleration in payments has been unprecedented from 2020 onwards. 

Payments made by shoppers via electronic commerce (like websites, webshops, social networks) for either goods or services provided by merchants. These payments are usually made using cards or local payment methods that have been optimized for ecommerce.Other types of electronic payments are in-app payments and point-of-sale payments. Merchants usually require a payment service provider to process these payments. 

The electronic paperless transfer of money from one bank account to another, either within a single financial institution or across multiple institutions, via computer-based systems, without the direct intervention of bank staff. EFT transactions are known by a number of names.  The electronic transfer of money from one bank account to another without bank interaction. One of the most widely-used EFT programs is direct deposit, through which payroll is deposited straight into an employee's bank account.

Refers to natively building and incorporating payments processing as an integral part of a business offering or product.

Originally known as EMV, this international standard for credit and debit card payments is based on chip card technology. It was named after the card schemes that founded it, namely Europay, MasterCard, and Visa. EMVCo, a collaboration of financial institutions including Visa, Mastercard, American Express, China Union Pay, JCB, Discover/Diners Club International, and Rupay, now regulates the standard. Additionally, they are the creators of EMV Three-Domain Secure (3DS). The mission of EMVCo is to promote global interoperability and ensure the safety of all online payment transactions.

The technique of scrambling sensitive data automatically in the terminal, site or computer before data is transmitted for security and anti-fraud purposes.

Fees charged to merchants to lease or for maintenance of payment processing equipment.

Floor Limit is the maximum cash value the terminal allows for a transaction when processed offline. An inclusive limit is configured which applies to each individual transaction. Debit cards will typically decline a transaction while most credit cards are configured to approve a relatively small amount offline.

The trading of one currency for another. When a trade occurs, a fee is applied by the financial institutions of the receiving or originating institution.

In payments, this means that there was an attempted transaction made by a criminal. The target of a fraud can either be a merchant or a shopper (depending on the approach of the fraudster).The term that signifies fraud or deception is commonly used in the fintech world to refer to the general category of transactions that result in unjust gains during online payments.

To prevent or restrict the exchange, withdrawal, liquidation, or use of assets or bank accounts. Unlike forfeiture, frozen property, equipment, funds, or other assets remain the property of the natural or legal person(s) that held an interest in them at the time of the freezing and may continue to be administered by third parties. The courts may decide to implement a freeze as a means to protect against flight.

Instated through risk-based authentication performed in the ACS, this feature enables issuers to approve a payment without interacting with the cardholder. As the customer confirms an online purchase, all of their shopping details, including device data, item purchased, and value, are sent to the ACS in order to verify the cardholder's identity using risk-based elements. Since this procedure occurs invisibly, it is considered frictionless.  Customers are guided to the order confirmation page without being informed that their transaction has been screened.

An activity where a customer is trying to gain money back from performed legitimate card payments by claiming fraud and disputing the transactions with fraud reasons.

Any business set up and controlled by another organization. While not necessarily illicit, criminals use front companies to launder money by giving the funds the appearance of legitimate origin. Front companies may subsidize products and services at levels well below market rates or even below manufacturing costs.

The identification and tracking of a user or computer device’s geographical location. Geolocation technology is the foundation for location-positioning services and location-aware apps.

Electronic payments made by consumers via mobile apps and, since they enable users to pay without having to leave an app, they a popular payment type. Payments are made either with cards or alternative payment methods (like digital wallets) and utilise native mobile APIs or web pages optimised for mobile. Also known as mobile payments.
Electronic payments made by shoppers via mobile apps. These payments are usually made with cards or local payment methods, and utilize either native mobile APIs or web pages optimized for mobile (also called as mobile web).

A sales organisation acting as a third party that functions by signing up merchants to accept card payments through a partnership with a payment service provider. An ISO contracts with a member bank to provide merchant or cardholder solicitation. ISO representatives sell businesses payment processing solutions to merchants so they can accept card payments, as well as card readers and payment processing rate contracts for a given acquirer or ISO.An ISO contracts with a member bank to provide merchant or cardholder solicitation. ISO representatives sell businesses payment processing solutions to merchants so they can accept card payments, as well as card readers and payment processing rate contracts for a given acquirer or ISO.

In the context of payments, an EMV credit card with an embedded chip which is used to hold card information. 

Refers to the act of building and incorporating payments processing into an existing business offering or product. This type of payments processing shares data between the business management system and the payments system.

An ISV is an individual or organization that sells software that incorporates a payments strategy or processing as part of its product offering. This type of software is generally associated with an integrated payments approach.

A transparent fee structure that shows a breakdown of individual fees. There can be a fluctuation in interchange fees, particularly for merchants operating internationally accepting a range of card types. Merchants are charged on a per-transaction basis, meaning that scheme and processing fees remain fixed, but the interchange fee is added on accordingly and is liable to change. 

A fee paid between banks for the acceptance of card-based transactions. Usually for sales or services transactions, it is a fee that a merchant's bank (the acquiring bank) pays a customer's bank (the issuing bank). For cash transactions, the interchange fee is paid from the issuer to the acquirer, often called reverse interchange. A fee that is paid to the issuer by the acquirer for each payment transaction made via a card network. The interchange fee amount is determined by the corresponding card network, as well as the scheme fee.A further fee is then deducted from the total by the acquirer before paying into the merchant's account. Fees that go to the issuing banks. 

Fees charged by a payment processing service for reporting payment processing information directly to the IRS for a given merchant.

Also known as the issuing bank. This is the card network that issues a credit or debit card.A financial intermediary refers to the financial institutions that issue and provide customers with credit cards, debit cards, or other payment cards. For instance, when a bank provides a credit card to a customer, the bank is the "issuer" of that card. Issuers are responsible for regulating aspects such as the usage, acceptance, payments, and security of the cards, and they typically offer support to card users.
An issuer is a legal entity that develops, registers and sells securities to finance its operations. Issuers may be corporations, investment trusts, or domestic or foreign governments. 

An entity directly connected to any of the card networks which transmits authorization, clearing, and settlement messages between acquirers and issuers.

The process of identifying and verifying the identity of your customers. This is required by the payment industry regulations as a prerequisite to allowing individuals or business entities to be paid out. Know Your Customer (KYC) is the process of identifying and verifying the identity of your customers. This is required by the payment industry regulations as a prerequisite to allow individuals or business entities being paid out.

Anti-money laundering policies and procedures of employees of an institution for the purpose of detecting conflicts of interest, money laundering, past criminal activity, and suspicious activity.

Distancing illegal proceeds from their source by creating complex levels of financial transactions designed to disguise the audit trail and provide anonymity.

The risk that lawsuits, adverse judgments or contracts that cannot be enforced may disrupt or harm a financial institution. Banks and financial institutions will be unable to protect themselves from legal risks if they do not practice due diligence in identifying customers and understanding and managing their exposure to money laundering.

Level 2 and Level 3 (L2/L3) data are a Visa and Mastercard feature that can help reduce interchange rates for transactions on corporate and commercial credit cards that meet a set of requirements.

When the liability for chargeback loss is transferred back to the bank from the merchant. This typically occurs during eCommerce transactions in which the cardholder denies making a purchase, as well as fraudulent transactions.

A penalty or fee in a merchant agreement charged by the acquirer in the event an agreement is terminated early by the merchant to recoup costs associated with opening and maintaining the account.

Payment methods that allow merchants to accept ecommerce and in-app payments without use of cards. These methods include bank transfers, direct debit, e-wallets, mobile payments and so on.For merchants that want to sell goods and services globally to shoppers from all over the world, it is important to support local payment methods that are popular in each specific region.

A rewards program offered by a company to customers who frequently make purchases. 

Device that reads card data from the magnetic stripe on the reverse of the card. 

A type of card not present transaction that allows merchants to take orders via telephone, email and even physical letter. Customers provide their card details and merchants enter them into a virtual terminal, which works like a card machine but without the need for a physical card. 

Manual key entry involves manually typing the details from a customer's card into either the POS app or the payment terminal.

Manual key entry involves manually typing the details from a customer's card into either the POS app or the payment terminal.

An ecommerce website or a mobile app that enables third parties (referred to as sub-merchants) to provide their products or services to the users of a platform. Payments are processed through the platform and split between the marketplace and sub-merchant. Examples of online marketplaces are crowdfunding platforms, peer-to-peer marketplaces, ride sharing services, and so on.Marketplaces need to implement sub-merchant onboarding, processing payments, performing KYC verification, and making payouts. An eCommerce website or mobile app that functions as a platform for third partie sellers to sell their products or services to its users. Payments take place on the platform itself rather than at individual sub-merchants’ shops and split between the marketplace and sub-merchant. Amazon, Airbnb and Etsy are all popular examples. 

Fees that go to the credit card processors. These fees are negotiable.

The MATCH™ list, also called Terminated Merchant File (TMF), is a list maintained by Mastercard that identifies high-risk merchants or those that have been terminated by another entity within the last five years.

The party selling goods or services to shoppers via an ecommerce website, a mobile app, on a point of sale, or across all three channels. To accept payments made with cards or local payment methods, a merchant must have an acquiring bank account and subscribe to the services available from the payment service provider. Any business that accepts credit or debit cards, or alternative payment methods as a source of payment. A merchant offers goods or services in exchange for payment. In other words, it is an individual or entity that sells products or services, receives payments from customers making purchases, or conducts transactions. Particularly in e-commerce, a business that sells products through a website can also be referred to as a "merchant." Merchants enter into agreements with payment methods or intermediary institutions to facilitate payment transactions and pay commissions to these payment institutions for processing transactions.

A contract between a merchant and a payment service provider and/ or acquirer that enables the merchant to accept cards through them. It contains the merchant's and acquirer's respective rights, duties and warranties with respect to acceptance of the card transactions and matters related to transaction activity.

When the POS app (cash register) has performed product selection and totaled the amount, the order is typically stored in the merchant back-end. The outcome of the payment process will be stored with the order.

The Merchant Category Code (MCC) is a four-digit code that the card networks use to categorize a merchant's business based on what goods or services they offer. It is also referred to as the Card Acceptor Business Code. The acquirer usually assigns each merchant an MCC during onboarding, and populates it for all payments. If the merchant is a sub-merchant, the payment facilitator might assign the MCC instead.

An entity that operates a platform and manages interactions with its sellers (sub-merchants) or suppliers. The MoR performs due diligence by overseeing and controlling all commercial activity on the platform. In this way, the MoR's payment service provider has a relationship with only the MoR itself.
Responsibilities of an MoR include:
Managing all transactions, refunds, cancellations, and disputes.
Providing the first line of customer support for shoppers.
Acting as the final arbiter of financial disputes.
Monitoring to ensure that no illegal, prohibited, or counterfeit products or services are sold.

A software module designed to facilitate 3D Secure verifications to help prevent credit and debit card fraud for 3D Secure v1.0. The component used in EMV 3D Secure version 2 and higher is called 3DS Server.

A solution that connects your platform with the payment processor.

The purchase of goods and services conducted over the Internet with mobile devices. Essentially, mCommerce allows users to access their online shopping platforms of choice without having to use their desktop or laptop. 

The use of a mobile device to pay for goods or services.

Concealing the origins of illegally obtained money, typically by means of transfers involving foreign banks or legitimate businesses.

An element of a financial institution’s anti-money laundering program in which customer activity is reviewed for unusual or suspicious patterns, trends, or outlying transactions that do not fit a normal pattern. Transactions are often monitored using software that weighs the activity against a threshold of what is deemed “normal and expected” for the customer.

National association responsible for developing and enforcing ACH rules and guidelines.

Refers to close-range contactless wireless technologies enabling connectivity between devices, such as for processing mobile payments, when the devices are either touching or within close proximity to one another.

A transaction where there is no owner verification check for a credit card. No CVM payments have a low transaction threshold.

Nonprofit organizations that are not directly linked to the governments of specific countries, and perform a variety of service and humanitarian functions, including bringing citizen concerns to governments, advocating for causes, and encouraging political participation.

A category of 3DS messages that can be used to verify identity outside of the payment ecosystem, allowing wallet providers and issuers to streamline the provisioning and activation of cardholders in a secure manner. Discover more about 3DS2 non-payment authentication.

Fee charged to process and track transaction(s) that have been reversed due to insufficient funds.

A CVM that verifies the cardholder's PIN by encrypting the entered PIN before sending it to the card.Terminals that support this method must also support the less secure Offline plain-text PIN method.

Offline acceptance of payments in situations where no network connection is currently available. Debit cards will typically decline a transaction while most credit cards are configured to approve a relatively small amount offline.

A set of services and technical solutions provided by a payment service provider, which allow a merchant to accept cashless payments across all channels (online, inside a mobile app or on a point of sale).Most PSPs enable merchants to accept payments via specific channels only.  This gives merchants a single reporting dashboard from which to view all purchases made across different channels.

One-time passwords is a system that provides a mechanism for logging on to a network or service with a password that is unique and valid for only one login session or transaction. This protects online bank accounts, enterprise networks, and other systems that contain sensitive information, from certain types of identity fraud by making sure that a stored username and password cannot be used more than once.

A payment solution that allows customers to make a payment without entering their full card and address information, simplifying the purchasing process for return customers. With the customer’s consent, all details are stored after an initial purchase so they only have to enter their CVC/CVV to complete the order.

Where the entered PIN is sent online to the card issuer for verification. The entered PIN is encrypted before it is sent. Online PIN is used when the specific card scheme (payment method) and specific card support it.

The risk of direct or indirect loss of operations due to inadequate or failed internal processes, people or systems, or as a result of external events. Public perception that a bank is not able to manage its operational risk effectively can disrupt or harm the business of the bank.

The ODFI acts as the interface between the Federal Reserve or ACH network and the originator of the transaction.

The risk of direct or indirect loss of operations due to inadequate or failed internal processes, people or systems, or as a result of external events. Public perception that a bank is not able to manage its operational risk effectively can disrupt or harm the business of the bank.

Out of band (OOB) authentication is the protection authentication mechanism that requires two distinct signals from two distinct separate channels or networks. In a business environment, an OOB satisfies security requirements by generating a request for secondary verification.

Capture payments with an amount that is higher than the authorised amount.Card schemes usually allow overcapture only for a certain percentage and only for specific types of businesses.An alternative is to adjust the authorised amount before capture.

A payment functionality that allows merchants to send a simple, secure payment link to customers, usually via email or text, in order to receive payments. Payment links are generated by a merchant’s PSP in their back-office and then sent off to customers. When customers click on the link, they’re redirected to a secure payment page where the payment amount is predefined. 

Though this is a relatively broad term, pay outs are generally understood to be a large sum of money paid out in one go to an individual or business entity.

Consists of all the organisations which store, process and transmit cardholder data, most notably for debit cards and credit cards

An information security standard for organisations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.

Fees associated with maintaining PCI compliance, including but not limited to: audit fees, external security assessment fees, infrastructure hosting fees (if cloud-based), and consulting fees (if needed in the absence of a formal compliance officer).

The governing body that’s responsible for administering the PCI Standard.

A service provider for merchants who want to accept payments online or physically. A payment facilitator is an entity that is authorized to onboard merchants to an acquirer's platform and receive settlement funds for them on behalf of an acquirer. Payfacs are a type of aggregator merchant. Payment facilitators can perform all the of the following actions:
- Onboard merchants on behalf of an acquirer.
-  Merchants onboarded by a payfac are called "sub-merchants".
- Process transactions for sub-merchants with the card schemes.
- Receive settlement funds from the acquirer and pay out sub-merchants.

A payment gateway is the technology that securely transmits payment data between all the parties involved in the transaction flow. It operates as an encrypted and secure channel which passes the consumer’s payment details from the transaction device to the acquiring bank for authorisation and approval. Once approval has been granted from both the issuer and the acquirer, the payment gateway sends back verification to the merchant. Read our comprehensive explanation of payment gateways and how they work here. It is a service that helps merchants to initiate online, in-app and in-person payments. It is not directly involved in the money flow; typically, it is a web server to which a merchant's website or a POS system is connected. A payment gateway can be provided by a bank, or can exist as a separate service that connects to one or more payment processors. When a consumer uses a credit or debit card, the payment gateway securely transmits the data to the payment processor for transaction authorisation, ensuring that the information provided is sufficient to complete the payment.

Fees charged by the gateway for the authorization, capture, and or processing of transactions.

The legal foundation for the creation of an EU-wide single market for payments. The PSD aims at establishing a modern and comprehensive set of rules applicable to all payment services in the European Union. The latest update, PSD2, came in 2018 with the aim of creating a more transparent online payments ecosystem for consumers in the EU. 

A type of payment service directive. Since banks are no longer the only entity with access to their customers' data. PSD2 permits bank customers to grant third parties access to their account information and the authority to manage their finances. For instance, Facebook could be used to make payments directly from customers' bank accounts.

A company that provides comprehensive payment services to merchants. For merchants, partnering with a PSP is a more convenient and cost-efficient way of processing payments than having to deal with different contracts across various organisations and institutions. 

A device that communicates with a shopper's card at the point of sale. Usually, a card is tapped, dipped (inserted), or swiped at a payment terminal. The terminal then prompts the shopper to enter a PIN or sign (depending on the country, card type, and the transaction amount). It is sometimes referred to as a Pin Entry Device (PED). The terminal accepts an API request to start a transaction. The terminal displays the amount charged to the shopper and allows printing of a receipt. It will also offer DCC if applicable. The receipt is sent with this data and you can see it in the Customer Area.

Being PCI DSS-compliant means that you meet all applicable requirements of the current Payment Card Industry Data Security Standard (PCI DSS) on a continuous basis. PCI DSS was created by major card networks to increase safety of cardholder data and reduce the risk of fraud. All organizations that deal with payment card processing must be PCI-compliant, which means fulfilling very strict requirements on securing cardholder data. This way their PCI DSS-compliance scope can be significantly reduced.

Used by the merchant to bypass the PIN entry for the shopper. This option should only be used when the merchant trusts the shopper.A cardholder is expected to know the PIN for the card issued. Comparing the signature as well as the cardholder name with some form of identification is recommended when bypassing PIN entry.

The physical disposal of proceeds derived from illegal activity into the financial system.

Verifies the cardholder's PIN by sending the unencrypted PIN to the card. This is commonly used by cards that can't support the more secure Offline enciphered PIN. (PosEntryMode ICC only).

A point-of-sale solution allows a shopper to make a cashless in-person payment in a merchant's shop or other physical location. This payment is made using cards, NFC wallets (like Apple Pay), QR code wallets (like Alipay), or prepaid and gift cards.Often the terms POS app and cash register are used to denote the software collecting point-of-sale payments.

The means by which the card number (PAN) is propagated to the payment terminal. For example, Keyed, Swiped, NFC.

Electronic payments made by shoppers via POS systems to buy products or services from merchants at a physical location (for example, a store or a ticketing booth). These payments are usually made with cards (swipe, ICC, or contactless). Other types of electronic payments include online payments (ecommerce) and in-app payments, which are based on similar infrastructure and usually require a payment service provider for merchants to automate and maintain these payments. 

An encryption standard established by the PCI SSC. It stipulates that cardholder information is encrypted immediately at the POS. ‘Point-to-point’ means that data is encrypted on its journey between the terminal and the acquirer and ‘encryption’ is the process of converting that data into something unintelligible to potential data breaches. Secures card data that is being communicated from point A to point B. 

An application used at the point of sale that allows product selection and that calculates the total amount to be charged from a cardholder. Additional functionality can include loyalty handling, stock keeping, and so on. This term is often used interchangeably with cash register.The POS app can run on a physical machine, or can be hosted in combination with an interface for the staff or customer (in kiosks). The POS app is part of a POS system that includes hardware components like a receipt printer, barcode scanner, cash drawer, and payment terminals.

“Specified unlawful activities” whose proceeds, if involved in the subject transaction, can give rise to prosecution for money laundering. Most anti-money laundering laws contain a wide definition or listing of such underlying crimes. Predicate crimes are sometimes defined as felonies or “all offenses in the criminal code.”

The process of authorising and reserving funds for a transaction – ensuring the card is valid and the cardholder has sufficient open-to-buy funds to cover the purchase amount and reserving the funds for completion (post-authorisation).

The card identifier found on payment cards. For most debit cards, this tends to be the 16-digit number that’s printed on the card. The first six digits of it are called the Bank Identification Number (BIN).

Legacy name, reading the Primary Account Number (PAN) from the Magnetic Stripe Reader (MSR) was quick compared to Manual Keyed Entry (MKE).

A real-time payments standard that allows individuals or businesses to instantly transmit funds to a specific card on a given card network. Funds are generally available immediately up to a specified limit based on use case, and funds settle at the time they appear in the account, meaning there is no liability for funds availability.

An institution qualified to receive ACH entries.

The process in which incoming and outgoing funds are matched.

A payment model whereby a customer authorises a merchant to automatically pull funds from their account at regular intervals on an ongoing basis. Most commonly used with subscription services, recurring payments require the secure storage of payment details to create a token after the first transaction that merchants can use for all future transactions.

When a shopper cancels the purchase of a product or service, after they have paid. When the merchant makes the refund, the funds are sent back from the acquirer to the issuer. If an authorised payment hasn't been captured yet, a merchant can cancel the payment; in other cases a refund is possible.If a merchant refuses to make a refund, a shopper can ask their issuer to make a chargeback. In some cases, a merchant is allowed to dispute a chargeback.Refunds are also referred to as a modification, because they modify the state of an authorised payment request.

Simply, an amount of money that is sent in outstanding payment for goods or services.

Part of the chargeback process. Representment occurs when the merchant does not agree with the customer's clams and will not accept the chargeback.

The potential that adverse publicity regarding a financial institution’s business practices and associations, whether accurate or not, will cause a loss of confidence in the integrity of the institution. Banks and other financial institutions are especially vulnerable to reputational risk because they can become a vehicle for, or a victim of, illegal activities perpetrated by customers.

Fee charged when a customer or the customer's issuing bank requests a copy of a sales draft. Credit card processors charge a nominal fee to process the request.

A set of services and techniques to analyze and assign a risk score to each payment transaction. Filtering high-risk transactions allows merchants to minimize the number of fraudulent payments and therefore maximize the revenue. 

The assessment of the varying risks associated with different types of businesses, clients, accounts, and transactions in order to maximize the effectiveness of an anti-money laundering program.

An authentication and authorisation technology that uses a variety of user-provided factors. This includes evaluating the user's behaviour, devices, and other variables to determine if they pose a threat. If the user fails to meet a set standard, they will be urged to provide additional verification information. This could be the answer to a security question or a biometric element. 

To prohibit the transfer, conversion, disposition, or movement of funds or other assets on the basis of an action initiated by a competent authority or a court under a freezing mechanism. However, unlike a freeze, a seizure allows the competent authority to take control of specified funds or other assets. The seized assets remain the property of the person(s) or entity(ies) that held an interest in them at the time of the seizure, although the competent authority will often take over possession, administration, or management of the seized assets.

An authentication and authorisation technology that uses a variety of user-provided factors. This includes evaluating the user's behaviour, devices, and other variables to determine if they pose a threat. If the user fails to meet a set standard, they will be urged to provide additional verification information. This could be the answer to a security question or a biometric element. Explore the topic of risk-based authentication.

An integration that allows two servers/systems to correspond to each other. Businesses using direct integration must follow PCI DSS level 1 compliance requirements. Also known as direct integration.

The process where a merchant’s processed card transactions are settled as payments to the merchant’s bank account. The exact timeframe of a settlement varies depending on the merchant’s agreement with their PSP. A collection of transactions that are batched together in a settlement to pay out the merchant.

A customer who buys goods or services from a merchant. In this glossary it is assumed that a shopper makes a cashless payment, which means that they use either cards or local payment methods to pay.

A user interface for customers to easily add products to a virtual shopping cart in an online store, much like a physical brick-and-mortar cart. It provides a virtual space for your customers to hold the products they’ll purchase.

Depending on the Merchant's business model the accepted POS Entry Modes and CVM's can be configured to only consist of a subset of the above.

The process of embedding your entire shopping experience into a social media platform, effectively turning a social profile like an Instagram account into a shop. Not only can customers browse through a merchant’s shop and view their goods and services, but they can also add to cart and pay for their purchase without leaving the social media app or website. 

A collection of software development tools in one installable package – a ‘kit’. An example in the world of payments is an in-app payments SDK, which supports payments on mobile devices by embedding a card entry form in a mobile application.

A government-maintained list of codes identifying and classifying business types from which MCC codes used by card networks are derived.

Fees for statement services.

A payment card with a monetary value that is stored on the card itself, instead of in a bank account. Examples are gift cards and prepaid cards. Some stored-value cards can be reused by transferring money to it, others are disposable cards that can't be reloaded.

A merchant who is onboarded to an acquirer through a payment facilitator. The payment facilitator processes all of the sub-merchant's transactions.

Recurring payments that occur on a fixed schedule. Popular examples of subscription payments are music and TV streaming services.If a recurring payment does not follow a fixed schedule, it is a Card on File (CoF) payment or an Unscheduled Card on File (UCoF) payment.

An extra fee charged by a merchant when receiving a payment by cheque, credit card, charge card or debit card (but not cash) which at least covers the cost to the merchant of accepting that means of payment, such as the merchant service fee imposed by a credit card company. Retailers generally incur higher costs when consumers choose to pay by credit card due to higher merchant service fees compared to traditional payment methods such as cash.

Irregular or questionable customer behavior or activity that may be related to a money laundering or other criminal offense, or to the financing of terrorist activity. May also refer to a transaction that is inconsistent with a customer’s known legitimate business, personal activities, or the normal level of activity for that kind of business or account.

A government filing required by reporting entities that includes a financial institution’s account of a questionable transaction. Many jurisdictions require financial institutions to report suspicious transactions to relevant government authorities.

A device which interfaces with payment cards to make read and transmit data for an electronic funds payment and purchase from a merchant. A terminal typically refers to a hardware device in the face to face environment or a “virtual” terminal or gateway utilised by eCommerce merchants to accept payment for goods or services sold online.

The individual identification number provided to a merchant by a credit card processor. A TID can be used to identify the source of a transaction.

The right to end an existing payment processing contract.

An international agreement which enables the extension of the European Union's single market to member states of the European Free Trade Association. Founded in 1994, it includes EU countries and also Iceland, Liechtenstein and Norway.

A financial regulatory body that is based in the United Kingdom, but operates independently of the UK government. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers.

Simply, the process by which sensitive data – e.g., passwords, card details, health information – are replaced by a non-sensitive equivalent, also known as a token. A token has no value on its own. It’s only useful because it represents something bigger, like a customer’s PAN. Encryption of payment card data into a 'token' - a hashed version of the card that uses encryption to ensure that personal card information cannot be accessed while it is stored on file or in transmission to process a transaction. This technology allows 'card on file' processing without enormous risk to the cardholder and the entire payment card network. Tokenization is governed by the PCI standard and requires certification and audit of any provider of the service prior to its use.

In the payments industry, the term "transaction" is used to indicate exchanging of a specified amount of funds from a shopper for purchasing products or services from a merchant, or for fulfilling any other obligations between the two parties.Funds are usually transferred by means of card payments or local payment methods (bank transfers, e-wallets, mobile payments, etc.). Tx is a commonly used abbreviation to denote a financial transaction.

The act of a potential eCommerce customer abandoning their purchases/shopping cart during the payment phase of the checkout process. This typically occurs when a customer forgets the additional 3-D Secure verification requirement or when the page does not display correctly on a mobile device.

A type of multi-factor authentication that verifies the claimed identities of users. The method authenticates the transaction using two of the three factors:

The process of evaluating all potential risks that are associated with a merchant account, ensuring that the merchant meets all requirements, in terms of finances and business model, to keep their business running smoothly and handle issues like chargebacks and refunds. In payment processing, the underwriting process begins with the initial application process.

An unscheduled card-on-file payment is a type of recurring payment that's used for transactions that occur on a non-fixed schedule and/or have variable amounts. For example, automatic top-ups when a cardholder's balance drops below a certain amount. A recurring payment that occurs on a fixed schedule is referred to as a subscription. If a merchant is PCI-Compliant at Level 1/Level 2, they can store card details by themselves. 

The mode of interaction between a user and a computer system. A good UI provides a ‘user-friendly’ experience, meaning the way that a user interacts with the software or hardware is natural and intuitive.

Also known as Goods and Services Tax (GST), a type of consumption tax assessed on the value added to goods and services. It applies to the majority of goods and services that are bought and sold for use or consumption in the UK, the EU, the US and several other countries globally.

A web-based payment application provided by PSP’s. It works almost exactly like a virtual card machine but, instead of swiping a customer’s card, data is manually entered into the system. It’s the technology that enables MOTO payments and we covered it in this article.

A global online system that processes money transfers. It provides domestic and international processing of credit, debit, prepaid, and commercial payment products, among other capabilities.

The reversal of a current transaction that has been authorised but not settled. Settled transactions require processing of a credit in order to be reversed.

A transaction that is canceled before it settles through a customer's credit or debit card.

Webhooks are HTTP callbacks sent to an endpoint on your server. They inform you about authorised, captured and modified payments, as well as other events.
You can use webhooks to automate business processes, for example order management or downloading reports for accounting.

A near real-time transfer of funds between bank accounts. This feature is limited for bank to bank or intrabank transfers.

A zero-value auth is an authorisation request with a value of 0 (EUR/USD/etc.). This is used to either store details or obtain shopper details to be able to look up previous purchases or other details from the merchant database. Zero-value auth is used for example when submitting a BIN or a card verification request.