Glossary

An EMV 3-D Secure request for information. It is an EMVCo term for the EMV 3-D Secure service that can check a BIN without performing a complete authentication.

Security protocol for online credit card and debit card transactions used by Visa Secure, Mastercard Identity Check, American Express SafeKey, JCB J⁄Secure, Diners Club ProtectBuy, Discover ProtectBuy, China UnionPay, and Elo.

Account Authentication Value. A unique 32-character transaction token for a 3-D Secure transaction. For Mastercard Identity Check, the AAV is named the UCAF. For Visa Secure, the AAV is named the CAVV.

The financial institution that accepts payments for products or services on behalf of a merchant. Also referred to as “acquiring bank.” This bank accepts or acquires transactions that involve a credit card issued by a bank other than itself.

An eight-digit number that uniquely identifies the acquiring bank. There is a different acquirer BIN for for every participating acquirer. The Mastercard BIN starts with 5 and the Visa BIN starts with 4.

Processor that provides credit card processing, settlement, and services to merchant banks.

Access Control Server. The card-issuing bank’s host for the payer authentication data.

The URL of the Access Control Server of the card-issuing bank that is returned in the response to the request to check enrollment. This is where you send the PAReq so that the customer can be authenticated.

A globally issued card type that starts with 3 and which is identified as card type 003. These cards participate in a card authentication service (SafeKey) provided by EMV 3-D Secure.

Raw data sent by the card issuer that indicates the status of authentication. It is not required to pass this data into the authorization.

A request sent to the card issuing bank that ensures a cardholder has the funds available on their credit card for a specific purchase. A positive authorization causes an authorization code to be generated and the funds to be held. Following a payer authentication request, the authorization must contain payer authentication-specific fields containing card enrollment details. If these fields are not passed correctly to the bank, it can invalidate the liability shift provided by card authentication. Systemic failure can result in payment card company fines.

Standard encoding method for data transfer over the Internet.

Bank Identification Number. The eight-digit number at the beginning of the card that identifies the card issuer.

Cardholder Authentication Verification Value. A Base64-encoded string sent back with Visa Secure-enrolled cards that specifically identifies the transaction with the issuing bank and Visa. Standard for collecting and sending AAV data for Visa Secure transactions. See AAV.

A response passed back when the xPARes status is a

Y

or an

A

.

Trademarked name for the Elo card authentication service.

Card Verification Value. Security feature for credit cards and debit cards. This feature consists of two values or codes: one that is encoded in the magnetic strip and one that is printed on the card. Usually the CVV is a three-digit number on the back of the card. The CVV for American Express cards is a 4-digit number on the front of the card. CVVs are used as an extra level of validation by issuing banks.

A globally issued card type that starts with a 3 or a 5. Diners Club cards are identified as card type 005. These cards participate in a card authentication service (ProtectBuy) provided by 3-D Secure.

The Visa and Mastercard servers that are used to verify enrollment in a card authentication service.

Primarily, a U.S. card type that starts with a 6. Discover cards are identified as card type 004. These cards participate in a card authentication service (ProtectBuy) provided by 3-D Secure.

The numeric commerce indicator that indicates to the bank the degree of liability shift achieved during payer authentication processing.

Alpha character value that indicates the transaction type, such as MOTO or INTERNET.

A globally issued card type that starts with a 5. Elo cards are identified as card type of 054. These cards participate in a card authentication service (Compra Segura) provided by 3-D Secure.

A type of transaction used for verifying whether a card is enrolled in the Mastercard Identity Check or Visa Secure service.

Hypertext Transfer Protocol. An application protocol used for data transfer on the Internet.

POST is one of the request methods supported by the HTTP protocol. The POST request method is used when the client sends data to the server as part of the request, such as when uploading a file or submitting a completed form.

Hypertext Transfer Protocol combines with SSL/TLS (Secure Sockets Layer/Transport Layer Security) to provide secure encryption of data transferred over the Internet.

The EMV 3-D Secure program of JCB.

The bank that issues the credit card.

Japan Credit Bureau. A globally issued card type that starts with a 3. JCB cards are identified as a card type of 007. These cards participate in a card authentication service (J/Secure) provided by EMV 3-D Secure.

A card brand owned by Mastercard that includes several debit card BINs within the U.K. and in Europe. Merchants who accept Maestro cards online are required to use SecureCode, Mastercard’s card authentication service. Maestro cards are identified as 024 and 042 card types. Note that many international Maestro cards are not set up for online acceptance and cannot be used even if they participate in a Mastercard Identity Check authentication program.

A globally issued card that includes credit and debit cards. These cards start with a 5. These cards are identified as card type 002 for both credit and debit cards. These cards participate in a card authentication service (Mastercard Identity Check) provided by 3-D Secure.

Trademarked name for Mastercard’s payer authentication service.

Merchant-defined Data that is posted as a hidden field to the ACS URL. You can use this data to identify the transaction on its return. This data is used to match the response from the card-issuing bank to a customer’s specific order. Although payment card companies recommend that you use the XID, you can also use data such as an order number. This field is required, but including a value is optional. The value has no meaning for the bank, and is returned to the merchant as is.

Data that must be uploaded for the Mastercard and Visa card authentication process for each participating merchant. The Merchant ID is usually the bank account number or it contains the bank account number. The data is stored on the Directory Servers to identify the merchant during the enrollment check.

Merchant Plug-In. The software used to connect to Directory Servers and to decrypt the PARes.

Primary Account Number. Another term for the credit card number.

Payer Authentication Request. Digitally signed Base64-encoded payer authentication request message, containing a unique transaction ID, that a merchant sends to the card-issuing bank. Send this data without alteration or decoding. Note that the field name has a lowercase “a” (PaReq), whereas the message name has an uppercase “A” (PAReq).

Payer Authentication Response. A compressed, Base64-encoded response from the card-issuing bank. This data is passed for validation.

Payer Authentication Response status. One-character length status passed back by Visa and Mastercard that is required data for Asia, Middle East, and Africa Gateway authorizations.

Financial entity that processes payments. Also see acquiring processor.

This field contains the VEReq and VERes for merchant storage. Merchants can use this data for future chargeback repudiation.

Trademarked name for the Diners Club and Discover card authentication services.

A 22- or 23-digit number that uniquely identifies each transaction. Merchants should store this number for future reference.

Risk-based authentication is provided by the card-issuing bank. The card-issuing bank gathers a cardholder’s transaction data or leverages what data they have to silently authenticate the cardholder based on the perceived degree of risk. They base their risk assessment on factors such as cardholder spending habits, order or product velocity, the device IP address, order amount, and so on.

Trademarked name for the American Express card authentication service. (AESK)

A legacy name-value pair API that was superseded by the Simple Order API.

An API, which provides three ways to access services: name-value pair (NVP), XML, and SOAP.

Termination URL on a merchant’s website where the card-issuing bank posts the payer authentication response (PARes) message.

Universal Cardholder Authentication Field. A Base64-encoded string sent back with Mastercard Identity Check-enrolled cards specifically identifying the transaction with the issuing bank and Mastercard. Standard for collecting and sending AAV data for Mastercard Identity Check transactions. See AAV.

Value of

1

or

2

that indicates whether a Mastercard cardholder has authenticated themselves or not.

A service that decodes and decrypts the PARes to determine success. The validate service returns the needed values for authorization.

Verify Enrollment Request. Request sent to the Directory Servers to verify that a card is enrolled in a card authentication service.

Verify Enrollment Response. Response from the Directory Servers to the VEReq.

Verify Enrollment Response enrolled. One-character length status passed back by Visa and Mastercard that is required data for Asia, Middle East, and Africa Gateway authorizations.

A globally issued card that includes credit and debit cards. These cards start with a 4. These cards are identified as card type 001 for both credit and debit cards. These cards participate in a card authentication service (Visa Secure) provided by EMV 3-D Secure.

(VbV) Trademarked name for Visa’s card authentication service.

String used by both Visa and Mastercard, which identifies a specific transaction on the Directory Servers. This string value should remain consistent throughout a transaction’s history.