REST API

Glossary

3RI Payments

An EMV 3-D Secure request for information. It is an EMVCo term for the EMV 3-D Secure service that can check a BIN without performing a complete authentication.

3-D Secure

Security protocol for online credit card and debit card transactions used by Visa Secure, Mastercard Identity Check, American Express SafeKey, JCB J⁄Secure, Diners Club ProtectBuy, Discover ProtectBuy, China UnionPay, and Elo.

AAV

Account Authentication Value. A unique 32-character transaction token for a 3-D Secure transaction. For Mastercard Identity Check, the AAV is named the UCAF. For Visa Secure, the AAV is named the CAVV.

acquirer

The financial institution that accepts payments for products or services on behalf of a merchant. Also referred to as “acquiring bank.” This bank accepts or acquires transactions that involve a credit card issued by a bank other than itself.

acquirer BIN

An eight-digit number that uniquely identifies the acquiring bank. There is a different acquirer BIN for for every participating acquirer. The Mastercard BIN starts with 5 and the Visa BIN starts with 4.

acquirer processor

Processor that provides credit card processing, settlement, and services to merchant banks.

ACS

Access Control Server. The card-issuing bank’s host for the payer authentication data.

ACS URL

The URL of the Access Control Server of the card-issuing bank that is returned in the response to the request to check enrollment. This is where you send the PAReq so that the customer can be authenticated.

American Express

A globally issued card type that starts with 3 and which is identified as card type 003. These cards participate in a card authentication service (SafeKey) provided by EMV 3-D Secure.

authentication result

Raw data sent by the card issuer that indicates the status of authentication. It is not required to pass this data into the authorization.

authorization

A request sent to the card issuing bank that ensures a cardholder has the funds available on their credit card for a specific purchase. A positive authorization causes an authorization code to be generated and the funds to be held. Following a payer authentication request, the authorization must contain payer authentication-specific fields containing card enrollment details. If these fields are not passed correctly to the bank, it can invalidate the liability shift provided by card authentication. Systemic failure can result in payment card company fines.

Base64

Standard encoding method for data transfer over the Internet.

BIN

Bank Identification Number. The eight-digit number at the beginning of the card that identifies the card issuer.

CAVV

Cardholder Authentication Verification Value. A Base64-encoded string sent back with Visa Secure-enrolled cards that specifically identifies the transaction with the issuing bank and Visa. Standard for collecting and sending AAV data for Visa Secure transactions. See AAV.

CAVV algorithm

A response passed back when the xPARes status is a
Y
or an
A
.

Compra Segura

Trademarked name for the Elo card authentication service.

CVV

Card Verification Value. Security feature for credit cards and debit cards. This feature consists of two values or codes: one that is encoded in the magnetic strip and one that is printed on the card. Usually the CVV is a three-digit number on the back of the card. The CVV for American Express cards is a 4-digit number on the front of the card. CVVs are used as an extra level of validation by issuing banks.

Diners Club

A globally issued card type that starts with a 3 or a 5. Diners Club cards are identified as card type 005. These cards participate in a card authentication service (ProtectBuy) provided by 3-D Secure.

Directory Servers (DS)

The Visa and Mastercard servers that are used to verify enrollment in a card authentication service.

Discover

Primarily, a U.S. card type that starts with a 6. Discover cards are identified as card type 004. These cards participate in a card authentication service (ProtectBuy) provided by 3-D Secure.

ECI (ECI Raw)

The numeric commerce indicator that indicates to the bank the degree of liability shift achieved during payer authentication processing.

E-Commerce Indicator

Alpha character value that indicates the transaction type, such as MOTO or INTERNET.

Elo

A globally issued card type that starts with a 5. Elo cards are identified as card type of 054. These cards participate in a card authentication service (Compra Segura) provided by 3-D Secure.

Enroll

A type of transaction used for verifying whether a card is enrolled in the Mastercard Identity Check or Visa Secure service.

HTTP

Hypertext Transfer Protocol. An application protocol used for data transfer on the Internet.

HTTP POST request

POST is one of the request methods supported by the HTTP protocol. The POST request method is used when the client sends data to the server as part of the request, such as when uploading a file or submitting a completed form.

HTTPS

Hypertext Transfer Protocol combines with SSL/TLS (Secure Sockets Layer/Transport Layer Security) to provide secure encryption of data transferred over the Internet.

J/Secure

The EMV 3-D Secure program of JCB.

issuer

The bank that issues the credit card.

JCB

Japan Credit Bureau. A globally issued card type that starts with a 3. JCB cards are identified as a card type of 007. These cards participate in a card authentication service (J/Secure) provided by EMV 3-D Secure.

Maestro.

A card brand owned by Mastercard that includes several debit card BINs within the U.K. and in Europe. Merchants who accept Maestro cards online are required to use SecureCode, Mastercard’s card authentication service. Maestro cards are identified as 024 and 042 card types. Note that many international Maestro cards are not set up for online acceptance and cannot be used even if they participate in a Mastercard Identity Check authentication program.

Mastercard

A globally issued card that includes credit and debit cards. These cards start with a 5. These cards are identified as card type 002 for both credit and debit cards. These cards participate in a card authentication service (Mastercard Identity Check) provided by 3-D Secure.

Mastercard Identity Check

Trademarked name for Mastercard’s payer authentication service.

MD

Merchant-defined Data that is posted as a hidden field to the ACS URL. You can use this data to identify the transaction on its return. This data is used to match the response from the card-issuing bank to a customer’s specific order. Although payment card companies recommend that you use the XID, you can also use data such as an order number. This field is required, but including a value is optional. The value has no meaning for the bank, and is returned to the merchant as is.

Merchant ID

Data that must be uploaded for the Mastercard and Visa card authentication process for each participating merchant. The Merchant ID is usually the bank account number or it contains the bank account number. The data is stored on the Directory Servers to identify the merchant during the enrollment check.

MPI

Merchant Plug-In. The software used to connect to Directory Servers and to decrypt the PARes.

PAN

Primary Account Number. Another term for the credit card number.

PAReq

Payer Authentication Request. Digitally signed Base64-encoded payer authentication request message, containing a unique transaction ID, that a merchant sends to the card-issuing bank. Send this data without alteration or decoding. Note that the field name has a lowercase “a” (PaReq), whereas the message name has an uppercase “A” (PAReq).

PARes

Payer Authentication Response. A compressed, Base64-encoded response from the card-issuing bank. This data is passed for validation.

PARes status

Payer Authentication Response status. One-character length status passed back by Visa and Mastercard that is required data for Asia, Middle East, and Africa Gateway authorizations.

processor

Financial entity that processes payments. Also see acquiring processor.

ProofXML

This field contains the VEReq and VERes for merchant storage. Merchants can use this data for future chargeback repudiation.

ProtectBuy

Trademarked name for the Diners Club and Discover card authentication services.

request ID

A 22- or 23-digit number that uniquely identifies each transaction. Merchants should store this number for future reference.

risk-based authentication

Risk-based authentication is provided by the card-issuing bank. The card-issuing bank gathers a cardholder’s transaction data or leverages what data they have to silently authenticate the cardholder based on the perceived degree of risk. They base their risk assessment on factors such as cardholder spending habits, order or product velocity, the device IP address, order amount, and so on.

SafeKey

Trademarked name for the American Express card authentication service. (AESK)

SCMP API

A legacy name-value pair API that was superseded by the Simple Order API.

Simple Order API

An API, which provides three ways to access services: name-value pair (NVP), XML, and SOAP.

TermURL

Termination URL on a merchant’s website where the card-issuing bank posts the payer authentication response (PARes) message.

UCAF

Universal Cardholder Authentication Field. A Base64-encoded string sent back with Mastercard Identity Check-enrolled cards specifically identifying the transaction with the issuing bank and Mastercard. Standard for collecting and sending AAV data for Mastercard Identity Check transactions. See AAV.

UCAF collection indicator

Value of
1
or
2
that indicates whether a Mastercard cardholder has authenticated themselves or not.

validate

A service that decodes and decrypts the PARes to determine success. The validate service returns the needed values for authorization.

VEReq

Verify Enrollment Request. Request sent to the Directory Servers to verify that a card is enrolled in a card authentication service.

VERes

Verify Enrollment Response. Response from the Directory Servers to the VEReq.

VERes enrolled

Verify Enrollment Response enrolled. One-character length status passed back by Visa and Mastercard that is required data for Asia, Middle East, and Africa Gateway authorizations.

Visa

A globally issued card that includes credit and debit cards. These cards start with a 4. These cards are identified as card type 001 for both credit and debit cards. These cards participate in a card authentication service (Visa Secure) provided by EMV 3-D Secure.

Visa Secure

(VbV) Trademarked name for Visa’s card authentication service.

XID

String used by both Visa and Mastercard, which identifies a specific transaction on the Directory Servers. This string value should remain consistent throughout a transaction’s history.