Glossary
3RI Payments
An EMV 3-D Secure request for information. It is an EMVCo term for the EMV
3-D Secure service that can check a BIN without performing a complete
authentication.
3-D Secure
Security protocol for online credit card and debit card
transactions used by Visa Secure, Mastercard Identity Check, American
Express SafeKey, JCB J⁄Secure, Diners Club ProtectBuy, Discover
ProtectBuy, China UnionPay, and Elo.
AAV
Account Authentication Value. A unique 32-character transaction token for a
3-D Secure transaction. For Mastercard Identity Check, the AAV is named the
UCAF. For Visa Secure, the AAV is named the CAVV.
acquirer
The financial institution that accepts payments for
products or services on behalf of a merchant. Also referred to as
“acquiring bank.” This bank accepts or acquires transactions that
involve a credit card issued by a bank other than itself.
acquirer BIN
An eight-digit number that uniquely identifies the acquiring bank. There
is a different acquirer BIN for for every participating acquirer. The
Mastercard BIN starts with 5 and the Visa BIN starts with 4.
acquirer processor
Processor that provides credit card processing, settlement, and services to merchant banks.
ACS
Access Control Server. The card-issuing bank’s host for the
payer authentication data.
ACS URL
The URL of the Access Control Server of the card-issuing bank that is returned
in the response to the request to check enrollment. This is where you send
the PAReq so that the customer can be authenticated.
American Express
A globally issued card type that starts with 3 and which is identified as card type
003. These cards participate in a card authentication service (SafeKey) provided by
EMV 3-D Secure.
authentication result
Raw data sent by the card issuer that indicates the status of authentication. It is not required to pass this data into the authorization.
Base64
Standard encoding method for data transfer over the Internet.
BIN
Bank Identification Number. The eight-digit number at the beginning of the card that identifies the card issuer.
CAVV
Cardholder Authentication Verification Value. A Base64-encoded string sent back with Visa
Secure-enrolled cards that specifically identifies the transaction with
the issuing bank and Visa. Standard for collecting and sending AAV data
for Visa Secure transactions. See AAV.
CAVV algorithm
A response passed back when the xPARes status is a
Y
or an
A
.Compra Segura
Trademarked name for the Elo card authentication service.
CVV
Card Verification Value. Security feature for credit cards
and debit cards. This feature consists of two values or codes: one that
is encoded in the magnetic strip and one that is printed on the card.
Usually the CVV is a three-digit number on the back of the card. The CVV
for American Express cards is a 4-digit number on the front of the card.
CVVs are used as an extra level of validation by issuing banks.
Diners Club
A globally issued card type that starts with a 3 or a 5. Diners Club cards are
identified as card type 005. These cards participate in a card authentication
service (ProtectBuy) provided by 3-D Secure.
Directory Servers (DS)
The Visa and Mastercard servers that are used to verify
enrollment in a card authentication service.
Discover
Primarily, a U.S. card type that starts with a 6. Discover cards are identified as
card type 004. These cards participate in a card authentication service (ProtectBuy)
provided by 3-D Secure.
ECI (ECI Raw)
The numeric commerce indicator that indicates to the bank
the degree of liability shift achieved during payer authentication
processing.
E-Commerce Indicator
Alpha character value that indicates the transaction type,
such as MOTO or INTERNET.
Elo
A globally issued card type that starts with a 5. Elo cards are identified as card
type of 054. These cards participate in a card authentication service (Compra
Segura) provided by 3-D Secure.
Enroll
A type of transaction used for verifying whether a
card is enrolled in the Mastercard Identity Check or Visa Secure service.
HTTP
Hypertext Transfer Protocol. An application protocol used
for data transfer on the Internet.
HTTP POST request
POST is one of the request methods supported by the HTTP protocol. The POST
request method is used when the client sends data to the server as part of
the request, such as when uploading a file or submitting a completed
form.
HTTPS
Hypertext Transfer Protocol combines with SSL/TLS (Secure Sockets
Layer/Transport Layer Security) to provide secure encryption of data
transferred over the Internet.
J/Secure
The EMV 3-D Secure program of JCB.
issuer
The bank that issues the credit card.
JCB
Japan Credit Bureau. A globally issued card type that starts with a 3. JCB cards are
identified as a card type of 007. These cards participate in a card authentication
service (J/Secure) provided by EMV 3-D Secure.
Maestro.
A card brand owned by Mastercard that includes several debit card BINs within the U.K. and in
Europe. Merchants who accept Maestro cards online are required to use
SecureCode, Mastercard’s card authentication service. Maestro cards are
identified as 024 and 042 card types. Note that many international
Maestro cards are not set up for online acceptance and cannot be used
even if they participate in a Mastercard Identity Check authentication
program.
Mastercard
A globally issued card that includes credit and debit cards. These cards start with a
5. These cards are identified as card type 002 for both credit and debit cards.
These cards participate in a card authentication service (Mastercard Identity Check)
provided by 3-D Secure.
Mastercard Identity Check
Trademarked name for Mastercard’s payer authentication service.
MD
Merchant-defined Data that is posted as a hidden field to
the ACS URL. You can use this data
to identify the transaction on its return. This data is used to match
the response from the card-issuing bank to a customer’s specific order.
Although payment card companies recommend that you use the XID, you can also use data
such as an order number. This field is required, but including a value
is optional. The value has no meaning for the bank, and is returned to
the merchant as is.
Merchant ID
Data that must be uploaded for the Mastercard and Visa card
authentication process for each participating merchant. The Merchant ID
is usually the bank account number or it contains the bank account
number. The data is stored on the Directory Servers to identify
the merchant during the enrollment check.
MPI
Merchant Plug-In. The software used to connect to Directory Servers and to decrypt the PARes.
PAN
Primary Account Number. Another term for the credit card number.
PAReq
Payer Authentication Request. Digitally signed
Base64-encoded payer authentication request message, containing a unique
transaction ID, that a merchant sends to the card-issuing bank. Send
this data without alteration or decoding. Note that the field name has a
lowercase “a” (PaReq), whereas the message name has an uppercase “A”
(PAReq).
PARes
Payer Authentication Response. A compressed, Base64-encoded response from the card-issuing bank.
This data is passed for validation.
PARes status
Payer Authentication Response status. One-character length
status passed back by Visa and Mastercard that is required data for
Asia, Middle East, and Africa Gateway authorizations.
processor
Financial entity that processes payments. Also see acquiring processor.
ProofXML
This field contains the VEReq and VERes for merchant storage.
Merchants can use this data for future chargeback repudiation.
ProtectBuy
Trademarked name for the Diners Club and Discover card
authentication services.
request ID
A 22- or 23-digit number that uniquely identifies each
transaction. Merchants should store this number for
future reference.
risk-based authentication
Risk-based authentication is provided by the card-issuing bank. The card-issuing
bank gathers a cardholder’s transaction data or leverages what data they
have to silently authenticate the cardholder based on the perceived degree
of risk. They base their risk assessment on factors such as cardholder
spending habits, order or product velocity, the device IP address, order
amount, and so on.
SafeKey
Trademarked name for the American Express card authentication service. (AESK)
SCMP API
A legacy name-value pair API that was superseded by the Simple Order API.
Simple Order API
An API, which provides three ways to access services: name-value pair (NVP), XML, and SOAP.
TermURL
Termination URL on a merchant’s website where the
card-issuing bank posts the payer authentication response (PARes)
message.
UCAF
Universal Cardholder Authentication Field. A Base64-encoded string sent back
with Mastercard Identity Check-enrolled cards specifically identifying the
transaction with the issuing bank and Mastercard. Standard for collecting
and sending AAV data for Mastercard Identity Check transactions. See
AAV.
UCAF collection indicator
Value of
1
or 2
that indicates whether a Mastercard cardholder
has authenticated themselves or not.validate
A service that decodes and decrypts the PARes to determine success. The validate service returns the needed values for authorization.
VEReq
Verify Enrollment Request. Request sent to the Directory Servers to verify that a card is enrolled in a card authentication service.
VERes
Verify Enrollment Response. Response from the Directory Servers to the VEReq.
VERes enrolled
Verify Enrollment Response enrolled. One-character length
status passed back by Visa and Mastercard that is required data for
Asia, Middle East, and Africa Gateway authorizations.
Visa
A globally issued card that includes credit and debit cards. These cards start with a
4. These cards are identified as card type 001 for both credit and debit cards.
These cards participate in a card authentication service (Visa Secure) provided by
EMV 3-D Secure.
Visa Secure
(VbV) Trademarked name for Visa’s card authentication service.
XID
String used by both Visa and Mastercard, which identifies a specific transaction
on the Directory Servers. This string value should remain consistent
throughout a transaction’s history.