0-9
3-D SECURE
Protocol for Cardholder authentication in e-Commerce
A
AAC
Application Authentication Cryptogram
ABF
Application Blocked Flag
AC
Application Cryptogram
ACCOUNT NUMBER
A unique sequence of numbers assigned to a cardholder account that identifies the issuer and type of financial transaction card.
ACCOUNT PARAMETER
Data provided by the cloud-based payments platform that is used on the mobile device to conduct a Visa payWave transaction at a Visa payWave reader. Account parameters generally consist of a static data component and a dynamic data component.
ACCOUNT PARAMETER REPLENISHMENT
The operation of providing new values of dynamic data for an account parameter set for a mobile application to use for payments. The operation of generating the data used in replenishment is performed by the cloud-based payments platform.
ACH
Automated Clearing House. A regional organization used by member banks to electronically transfer funds between members.
ACI
Payment software development company owning BASE24 and Postilion switches.
ACQUIRER
A licensed member of MasterCard and/or VISA (or its agent) which maintains merchant relationships, receives all bankcard transactions from the merchant, and initiates that data into an interchange system.
ACQUIRING BANK/MERCHANT BANK
The bank that does business with merchants enabling them to accept credit cards. A merchant has an account with this bank and each day deposits the value of the day’s credit card sales. Acquirers buy (acquire) the merchant’s sales slips and credit the tickets’ value to the merchant’s account.
ADF
Application Definition File
ADJUSTMENTS
Used to process disputes or discrepancies with other financial institutions.
AEF
Application Elementary File
AES
Advanced Encryption Standard. AES key generation, AES encrypt/decrypt in various AES modes, AES MAC algorithm (CBC, CMAC), AES GCM, AES CCM
AFFINITY CARD
A credit card issued in conjunction with an organization or collective group; for example, profession, alumni, retired persons association. The card issuer often pays the organization a royalty.
AFL
Application File Locator
AGENT
An entity appointed by the Card Issuer to perform specific functions on behalf of the Card Issuer. Some examples of these functions include card processing, Cardholder verification using the 3-D Secure protocol, and Token Service.
AID
Application Identifier
AIP
Application Interchange Profile
ALTERNATE PAN
A PAN that is not the same as the primary account number.
AMEX
Abbreviation for American Express, an organization that issues travel and entertainment cards and acquires transactions.
AOT
Ahead of Time (AoT) compilation. Compiling of code at some arbitrary time prior to the need to execute the code.
AN
Alphanumeric
ANS
Alphanumeric Special
ANSI
American National Standards Institute. A U.S. standards accreditation organization.
APDU
Application Protocol Data Unit is the communication unit between a smart card reader and a card. The structure of an APDU is defined by the ISO 7816 standards.
There are two categories of APDUs: command APDUs and response APDUs. As the names imply, the former is sent by the reader to the card: it contains a mandatory 5-byte header and from 0 up to 255 bytes of data. The latter is sent by the card to the reader: it contains a mandatory 2-byte status word and from 0 up to 256 bytes of data.
API
Application Programming Interface. This term is used to specify the format of the messages in which different systems communicate over the web service link.
APPLICATION
A computer program and associated data that reside on an integrated circuit chip and satisfy a business function. Examples of applications include payment, stored value, and loyalty.
APPLICATION AUTHENTICATION CRYPTOGRAM (AAC)
A cryptogram generated by the card for offline and online declined transactions.
APPLICATION BLOCK
Instructions sent to the card by the issuer, to shut down the selected application on a card to prevent further use of that application. This process does not preclude the use of other applications on the card.
ARC
ARPC Response Code
ARPC
Authorization Response Cryptogram
ARQC
Authorization Request Cryptogram
ASN1
Abstract Syntax Notation One. Support of ASN.1, coding and decoding according to the Basic Encoding Rules (BER) or the Distinguished Encoding Rules (DER)
ASYMMETRIC ENCRYPTION
Also known as public key cryptography. A cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is not computationally feasible to derive the private transformation. A system based on asymmetric cryptographic techniques can be an encipherment system, a signature system, a combined encipherment and signature system or a key-agreement system. With asymmetric cryptographic techniques, there are four elementary transformations: sign and verify for signature systems, and encipher and decipher for encipherment systems. The signature and the decipherment transformation are kept private by the owning entity, whereas the corresponding verification and encipherment transformations are published. There exist asymmetric cryptosystems (e.g., RSA) where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both verifying and encrypting messages. However, this does not conform to the principle of key separation and, where used, the four elementary transformations and the corresponding keys should be kept separate.
ATC
Application Transaction Counter
ATM
Automated Teller Machine. An unattended terminal that has electronic capability, accepts PINs, and disburses currency or cheques.
ATM CASH DISBURSEMENT
A cash disbursement obtained at an ATM displaying the Visa, PLUS, or Visa Electron acceptance mark, for which the cardholder’s PIN is accepted.
ATM INTERCHANGE FEE
The fee paid to the Acquirer Member by the Issuer Member for an ATM Transaction as established from time to time by a Network.
ATM SYSTEM
The telecommunications and processing system operated by or on behalf of an Acquirer Member to process Transactions initiated through the Acquirer Member’s ATMs or Terminals. The ATM System includes all elements of the processing system from the ATM or POB Terminal to the interface with a Switch.
ATTESTATION
The act of attestation in this standard is the interaction between a verifier (possibly server-based) and a prover (possibly client-based) to determine the current security state/behavior of the prover based on predefined measurements and thresholds provided by the prover.
ATTESTATION SYSTEM
The set of components that perform attestation processing for the PIN CVM Solution. Its components include the PIN CVM Application attestation component and the back-end attestation component; the latter works in close association with the back-end monitoring system.
ATTESTATION COMPONENT
An element of the PIN CVM Solution that performs attestation processing.
AUC
Application Usage Control
AUTHENTICATION
A cryptographic process by which Authentication Tokens are verified to establish the identity of an Account Holder.
AUTHORIZATION
The act of ensuring the cardholder has adequate funds available against his or her line of credit. A positive authorization results in an authorization code being generated, and those funds being set aside. The cardholder’s available credit limit is reduced by the authorized amount.
AUTHORIZATION CONTROLS
Information in the chip application enabling the card to act on the issuer’s behalf at the point of transaction. The controls help issuers manage their below-floor-limit exposure to fraud and credit losses. Also known as offline authorization controls.
AUTHORIZATION REQUEST
A merchant’s or acquirer’s request for an authorization.
AUTHORIZATION REQUEST CRYPTOGRAM (ARQC)
The cryptogram generated by the card for transactions requiring online authorization and sent to the issuer in the authorization request. The issuer validates the ARQC during the Online Card Authentication (CAM) process to ensure that the card is authentic and was not created using skimmed data.
AUTHORIZATION RESPONSE
The issuer’s reply to an authorization request. Types of authorization responses are: approval, decline, pickup, referral.
AUTHORIZATION RESPONSE CRYPTOGRAM (ARPC)
A cryptogram generated by the issuer and sent to the card in the authorization response. This cryptogram is the result of the Authorization Request Cryptogram (ARQC) and the Issuer’s authorization response encrypted with the Unique Derivation Key (UDK). It is validated by the card during Issuer Authentication to ensure that the response came from a valid issuer.
AVERAGE TICKET
The average size of a merchant bankcard transaction. Generally used in pricing decisions and calculations.
AVS
Address Verification Service
B
BACK-END SYSTEMS
The set of systems providing the server-side functionality of the PIN CVM Solution. These functionalities include monitoring, attestation and transaction processing. In addition, the back-end systems include the IT environments necessary to support the functionalities of the PIN CVM Solution.
BANK IDENTIFICATION NUMBER (BIN)
A 6-digit number assigned by Visa and used to identify a member or processor for authorization, clearing, or settlement processing.
BANK ROUTING NUMBER
The first nine digits that appear across the bottom of a personal check; they identify the financial institution.
BANKCARD
A financial transaction card (credit, debit, etc.) issued by a financial institution.
BASE I AUTHORIZATION SYSTEM
The V.I.P. System component that performs message routing, cardholder and card verification, and related functions such as reporting and file maintenance.
BASE II
The VisaNet system that provides deferred clearing and settlement services to members.
BASE24
Payment processing platform owned by ACI.
BATCH
The accumulation of captured (sale) transactions waiting to be settled. Multiple batches may be settled throughout the day.
BATCH PROCESSING
A type of data processing and data communications transmission in which related transactions are grouped together and transmitted for processing, usually by the same computer and under the same application.
BCD
Binary Coded Decimal
BDK
Base derivation key for DUKPT security operation.
BER
Basic Encoding Rules
BIN
BASE Identification Number. See Bank Routing Number.
BIN CONTROLLER / MANAGER
An entity that controls the issuance and allocation of ISO BINs that will be used to issue Payment Tokens according to this specification.
BINARY CODED DECIMAL
A code for representing decimal digits in a binary format.
BUSINESS DAY
A day on which a Federal Reserve Bank to which a Member may send applicable items for presentment is open for business, other than a state bank holiday.
BYTE
8 bits of data.
C
CA
Certification Authority
CAM
Card Authentication Method
CAPTURE DATE
The date on which a transaction is processed by an acquirer.
CARD
A consumer device containing the Visa contactless payment application. Note that the consumer device may not be a plastic card, but for the purposes of this specification, the term card is used to represent the consumer device.
CARD ACCEPTANCE DEVICE
A device capable of reading and/or processing a magnetic stripe or chip on a card for the purpose of performing a service such as obtaining an authorization or processing a payment.
CARD ACCEPTOR
The entity that initiates a payment transaction and presents transaction data to the Acquirer, typically a Merchant.
CARD ACCEPTOR ID
The identification value for the Card Acceptor.
CARD AUTHENTICATION
A means of validating whether a card used in a transaction is the genuine card issued by the issuer.
CARD AUTHENTICATION METHOD (CAM)
See Online Card Authentication.
CARD BLOCK
Instructions, sent to the card by the Issuer, which shut down all proprietary and non-proprietary applications that reside on a card to prevent further use of the card.
CARD EMULATION
A feature of NFC that enables an NFC-enabled device to emulate a contactless chip card.
CARD ISSUER
1) The financial institution or retailer that authorizes the issuance of a card to a consumer (or another organization), and is liable for the use of the card. The issuer retains full authority over the use of the card by the person to whom the card is issued. 2) Any bank or organization that issues, or causes to be issued, bankcards to those who apply for them. 3) Any organization that uses or issues a personal identification number (PIN).
CARD ISSUER ACCESS CONTROL SERVER (ACS)
The Card Issuer’s Agent that provides a 3-D Secure service for ID&V.
CARD METADATA
Data about the card data, i.e. card art, terms and conditions, issuer app data, etc.
CARD VERIFICATION CODE (CVC)
A unique value calculated from the data encoded on the magnetic stripe of a MasterCard card, validating card information during the authorization process.
CARD VERIFICATION VALUE (CVV)
A unique value calculated from the data encoded on the magnetic stripe of a VISA card, validating card information during the authorization process.
CARDHOLDER
The person to whom a financial transaction card is issued or an additional person authorized to use the card.
CARDHOLDER DATA
At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
CARDHOLDER VERIFICATION
The process of determining that the presenter of the card is the valid cardholder. In this specification referred to as Consumer Verification.
CARDHOLDER VERIFICATION METHOD (CVM)
A method of authenticating a cardholder during a transaction. Common CVMs include signature, PIN and biometrics.
CASH ADVANCE
An amount advanced by a bank teller (or ATM) to a bankcard holder against the cardholder’s line of credit.
CASH BACK
An optional feature of a Purchase whereby all or part of the Purchase is returned as cash to the Cardholder.
CASH DISBURSEMENT
Currency, including travelers cheques, paid to a cardholder using a card.
CASHBACK
Cash obtained in conjunction with, and processed as, a purchase transaction.
CBC
Cipher Block Chaining
CCPS
Chip Card Payment Service, the former name for Visa Smart Debit and Visa Smart Credit (VSDC).
CD
Committee Draft
CDE
Acronym for ‘cardholder data environment.’ The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.
CDOL
Card Risk Management Data Object List
CED
Customer Exclusive Data
CERTIFICATE AUTHORITY (CA)
A trusted central administration that issues and revokes certificates.
CHARGEBACK
A transaction that is challenged by a cardholder or card issuing bank and is sent back through interchange to the merchant bank for resolution.
CHARGEBACK PERIOD
The number of calendar days (counted from the transaction processing date) during which the issuer has the right to charge the transaction back to the acquirer. The number of days varies according to the type of transaction from 45 to 180 days.
CHECK VERIFICATION
A service in which a merchant accesses a national negative file database through their terminal/register to verify or authorize that the person has no outstanding bad check complaints at any of the member merchants. This is not a guarantee of payment to the merchant.
CHIP
A small square of thin semiconductor material, such as silicon, that has been chemically processed to have a specific set of electrical characteristics such as circuits, storage, and/or logic elements.
CHIP CARD
A card embedded with a chip that communicates information to a point-of-transaction terminal.
CHIP-CAPABLE
A card acceptance device that is designed and constructed to facilitate the addition of a chip reader/writer.
CIAC
Card Issuer Action Code
CID
Cryptogram Information Data
CLA
Class Byte of the Command Message
CLCD
Card Life Cycle Data
CLEARING
The collection and delivery to the issuer of a completed transaction record from an acquirer.
CLEARING ACCOUNT
An account at the clearing bank that will receive a member’s credit or debit for net settlement.
CLEARING BANK
A bank designated by the member to receive the member’s daily net settlement advisement. The clearing bank will also conduct funds transfer activities with the net settlement bank and maintain the member’s clearing account. This bank may be the member itself.
CLEARTEXT
See plaintext.
CLOUD
A capability that resides in a network.
CLOUD-BASED PAYMENTS
Term used to describe payments that are enabled by accounts that are managed in systems residing in a network rather than in secure hardware solutions inside the mobile device.
CLOUD-BASED PAYMENTS DEVICE THRESHOLD MANAGEMENT PARAMETERS
Parameters defined by the issuer and managed by the mobile application that are used to trigger a request for account parameter replenishment from the mobile application.
CLOUD-BASED PAYMENTS PROGRAM
A systems solution residing in a network that provides the functional logic to support a cloud-based payments solution.
CLOUD-BASED PAYMENTS PROGRAM RISK MANAGEMENT PARAMETERS
Parameters defined by the issuer and managed by the cloud-based platform that are used to govern the validity of account parameters used for payment, and whether to initiate an account parameter replenishment.
CN
Compressed Numeric
COMMERCIAL OFF-THE-SHELF (COTS) DEVICE
A mobile device (e.g., smartphone or tablet) that is designed for mass-market distribution, and is not designed specifically for payment processing.
COMPILING
Translation of computer code from one format into another format. Usually used to take human-readable ‘source’ code and transform this into a format that can be executed by a specific platform or execution environment.
COMPLIANCE
The procedure a VISA or MasterCard member may use to resolve a dispute between members when no chargeback reason code applies. The challenging member must prove financial loss due to a violation of MasterCard and/or VISA rules by the other member.
CONSUMER
Individual purchasing goods, services, or both.
CONSUMER DEVICE
Proximity Card (PICC) or other chip-capable device (for example, a cell phone) that is used by consumers to conduct payment.
CONSUMER VERIFICATION
See Cardholder Verification.
CONTACTLESS
A term that is used interchangeably with ‘Visa payWave’ in this document.
CONTACTLESS TRANSACTION
A transaction conducted over the contactless interface according to this specification.
CORRELATABLE DATA
In the context of this standard, this is data that would facilitate the correlation of a PIN with a separate transaction or database that contains cardholder data such that interception of this data and the entered PIN could reasonably lead to the association of the PIN with its PAN. Examples might include time and date stamps, device identifying information and loyalty program identifiers.
COTS
See Commercial off-the-shelf (COTS) Device.
COTS PLATFORM
The hardware of the COTS device.
COUNTERFEIT CARD
A plastic card which has been fraudulently printed, embossed or encoded to appear to be a genuine bankcard, but which has not been authorized by MasterCard or VISA or issued by a member. A card originally issued by a member but subsequently altered without the issuer’s knowledge or consent.
CREDIT ACCOUNT
An Access Account which provides for the advance of cash, merchandise or other commodity, in the present, in exchange for a promise to pay a definite sum at a future date, usually with interest.
CREDIT CARD
A plastic card with a credit limit used to purchase goods and services and to obtain cash advances on credit for which a cardholder is subsequently billed by the issuer for repayment of the credit extended.
CREDIT LIMIT
The maximum amount the cardholder may owe to the issuer on the card account at any time.
CRM
Card Risk Management
CRYPTOGRAM
A numeric value that is the result of data elements entered into an algorithm and then encrypted. Commonly used to validate data integrity.
CRYPTOGRAPHIC KEY
The numeric value entered into a cryptographic algorithm that allows the algorithm to encrypt or decrypt a message.
CRYPTOGRAPHY
The art or science of keeping messages secret or secure, or both.
CSI
Card Status Information
CTVR
Card Terminal Verification Results
CVC
Card Verification Code
CVM
Cardholder Verification Method
CVM LIST
An issuer-defined list contained within a chip application establishing the hierarchy of methods for verifying the authenticity of a cardholder.
CVN
Cryptogram Version Number
CVR
Card Verification Results
CVV
Card Verification Value
D
DAC
Data Authentication Code
DATA AUTHENTICATION
Validation that data stored in the integrated circuit card has not been altered since card issuance. See also Offline Data Authentication.
DATA ENCRYPTION
The process of transforming processing information to make it unusable to anyone except those possessing special knowledge, usually referred to as a key.
DATA ENCRYPTION ALGORITHM (DEA)
An encipherment operation and an inverse decipherment operation in a cryptographic system.
DATA ENCRYPTION STANDARD (DES)
Data Encryption Standard (DES) is a widely-used block cipher encryption using a private (secret) key standardized by ANSI in 1981 as ANSI X.3.92. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
DATABASE
A collection of data organized and designed for easy access, e.g., a collection of customer names and addresses.
DDA (OFF-LINE DYNAMIC DATA AUTHENTICATION)
When both the terminal and the card support off-line data authentication, the terminal chooses which kind of off-line data authentication will be performed. With DDA, the terminal determines whether the card is genuine and whether the data personalized in the card has been altered since personalization, by means of dynamic data encryption (RSA) whose result is passed to the terminal for authentication with a public certificate.
DDF
Directory Definition File
DDOL
Dynamic Data Object List
DE-TOKENISATION
The process of redeeming a Payment Token for its associated PAN value based on the Payment Token to PAN mapping stored in the Token Vault. The ability to retrieve a PAN in exchange for its associated Payment Token should be restricted to specifically authorised entities, individuals, applications, or systems.
DEA
Data Encryption Algorithm
DEBIT
A charge to a customer’s bankcard account.
DEBIT CARD
Any card that primarily accesses a Deposit Account.
DEBIT TRANSACTION
A bankcard used to purchase goods and services and to obtain cash, which debits the cardholder’s personal deposit account.
DECLINE OR DECLINED
The denial of an Authorization Request by, or on behalf of, an Issuer Member.
DECRYPTION
The process of transforming ciphertext into cleartext.
DEPOSIT ACCOUNT
An Access Account, other than a Credit Account, maintained by a Member for processing transactions. Deposit Accounts include checking, NOW, savings, share draft, and such other depository accounts as are legal under Applicable Law.
DEPOSIT CREDIT
See Credit Deposit.
DES
Data Encryption Standard
DES KEY
A secret parameter of the Data Encryption Standard algorithm.
DES3
Triple DES
DETERMINISTIC RANDOM NUMBER GENERATOR (DRNG)
See Pseudo Random Number Generator (PRNG).
DEVICE PAN
A virtual PAN present in the card device and disclosed to the Merchant terminal at the time of transaction.
DF
Dedicated File
DF NAME
Dedicated File Name
DIGITAL SIGNATURE
A cryptogram generated by encrypting a message digest (or hash) with a private key that allows the message content and the sender of the message to be verified.
DIS
Draft International Standard
DISCOUNT RATE
An amount charged a merchant for processing its daily credit card transactions.
DK
Derivation (DEA) Key
DKI
Derivation Key Index
DMZ
DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network.
DOING BUSINESS AS (DBA)
Refers to the specific name and location of the merchant establishment where credit card purchases are made.
DOUBLE-LENGTH DES KEY
Two secret 64-bit input parameters of the Data Encryption Standard algorithm, each consisting of 56 bits that must be independent and random, and 8 error-detecting bits set to make the parity of each 8-bit byte of the key odd.
DPAN
See Device PAN
DSA
Digital Signature Algorithm. DSA key generation, DSA signature generation/verification, Diffie-Hellman key establishment, algorithms comply with FIPS 186-2 and 186-4 (see [#FIPS186-2] and [#FIPS186-4])
DUAL CONTROL
A process of using two or more separate entities (usually persons), operating in concert, to protect sensitive functions or information. Each entity is equally responsible for the physical protection of materials involved in vulnerable processes. No single person must be able to access or to use the materials (e.g., cryptographic key).
For manual key generation, conveyance, loading, storage and retrieval, dual control requires split knowledge of the key among the entities. No single person can gain control of a protected item or process. Also see Split Knowledge.
DUKPT
Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key.
DYNAMIC DATA AUTHENTICATION (DDA)
A type of Offline Data Authentication where the card generates a cryptographic value using transaction-specific data elements for validation by the terminal to protect against skimming.
E
EASY ENTRY
A replication of the magnetic stripe information on the chip to facilitate payment as part of multi-application programs. Easy Entry is not EMV-compliant and is being phased out.
ECA
Elliptic Curve Algorithm. Arithmetic operations on points of elliptic curves
ECB
Electronic Code Book
ECC
Acronym for ‘Elliptic Curve Cryptography.’ Approach to public-key cryptography based on elliptic curves over finite fields.
ECDSA
Elliptic Curve Digital Signature Algorithm. ECDSA key generation, ECDSA signature generation and verification operations, ECDH key agreement, ECIES; algorithms comply with FIPS 186-2 and 186-4 (see [#FIPS186-2] and [#FIPS186-4])
ECR
Electronic Cash Register
E-CHECK
The electronic equivalent of a paper check.
EFM
EFTlab Financial Message – EFTlab’s BP-Node product’s internal message based on ISO20022 (JSON/XML).
EFTLAB FINANCIAL MESSAGE (EFM)
EFTlab’s BP-Node product’s internal message based on ISO20022 (JSON/XML).
ELECTRONIC BANKING
A form of banking in which funds are transferred through an exchange of electronic signals between financial institutions, rather than an exchange of cash, checks or other negotiable instruments.
ELECTRONIC BILL PAYMENT (E-PAY)
An alternative to paper checks for paying bills. Consumers can use PCs, telephones, screen phones or ATMs to send electronic instructions to their bank or bill payment provider to withdraw funds from their accounts and pay merchants. Payments may be made either electronically or by a paper check issued by the bill payment provider.
ELECTRONIC CASH REGISTER
An electronic cash register (ECR) is a system designed to enable products to be sold at a retail outlet. Electronic cash registers help large retail outlets track sales, minimize register errors, collect inventory data and much more.
ELECTRONIC CHECK ACCEPTANCE OR ECA
A system that captures banking information off a paper check and converts it into an electronic item processed through the Automated Clearing House network. With ECA, checks are processed similarly to credit cards, and the paper check is returned to the consumer at the point of sale.
ELECTRONIC COMMERCE (E-COMMERCE)
The transacting of business electronically rather than via paper.
ELECTRONIC FUNDS TRANSFER (EFT)
A transfer of funds between accounts by electronic means rather than conventional paper-based payment methods. EFT is any financial transaction originating from a telephone or electronic terminal, or from a computer or magnetic tape.
EMV
EMV, or EuroPay, MasterCard and Visa, is a microchip-based technology designed to reduce fraud at the point-of-sale. Banks are beginning to issue payment cards with these embedded chips, which also support contactless payments.
EMVCO
A privately owned corporation. The current members of EMVCo are JCB International, American Express, Mastercard, China UnionPay, Discover Financial and Visa Inc.
EMV SPECIFICATIONS
Technical specifications developed jointly by Europay International, MasterCard International, and Visa International to create standards and ensure global interoperability for use of chip technology in the payment industry.
EMV TYPE CRYPTOGRAM
A cryptogram that fits into the existing cryptogram field in EMV transaction messages.
ENCRYPTION
The technique of scrambling data automatically in the terminal or computer before data is transmitted for security/anti-fraud purposes.
ENVIRONMENT
The IT environment supporting one or more functionalities of the PIN CVM Solution, such as the IT environment hosting the back-end monitoring system.
EXECUTION ENVIRONMENT
The set of hardware and software on which a program is executed. This may be provided through hardware alone, include a combination of hardware and software elements, or be virtualized and implemented in software such that the execution environment can be similarly executed on different hardware platforms.
EXPIRED CARD
A card on which the embossed, encoded, or printed expiration date has passed.
F
FCI
File Control Information
FFI
Form Factor Indicator
FILE CONTROL INFORMATION (FCI)
Provided in a card response when the card application is selected (using a SELECT command) by a reader or terminal.
FINANCIAL INSTITUTION
Any organization in the business of moving, investing or lending money, dealing in financial instruments, or providing financial services. Includes commercial banks, thrifts, federal and state savings banks, saving and loan associations, and credit unions.
FIPS
Federal Information Processing Standard
FLOOR LIMIT
A currency amount that Visa has established for single transactions at specific types of merchants, above which online authorization is required.
FORM FACTOR INDICATOR (FFI)
A field that indicates the form factor of the consumer payment device and the type of contactless interface over which the transaction is conducted.
FPAN
See Funding PAN
FULL SCREEN MODE
Where the PIN CVM application that is currently executing is in control of the primary display and input mechanism(s) of the COTS device. A full screen mode may still include display features that are controlled and/or managed by the COTS Operating System, but may not include any display from other applications. It is assumed by this standard that full screen mode mitigates the use of any separately controlled or managed displays or input mechanisms to display prompts for data entry, or capture such data entry.
FUNDING
Refers to the payment to a merchant for his submitted deposits.
FUNDING PAN
Actual PAN of the cardholder usually embossed on the plastic. TPAN on a card device is associated with the actual PAN.
FUNDS TRANSFER SYSTEM
A wire transfer network, ACH, or other communication system or clearing house or association of banks in which First Data’s Clearing/Funding Bank is a member and through which a payment order by a bank may be transmitted. Includes SWIFT, CHIPS, Fedwire, the National Association of Clearing House Associations, MasterCard and VISA.
G
GPO
GET PROCESSING OPTIONS command
GRAPHICAL USER INTERFACE
A user interface that is provided through images and text.
GUI
Graphical user interface
H
HANDSET
Another term for a mobile device, usually a mobile phone handset.
HARDWARE SECURITY MODULE (HSM)
A secure module used to store cryptographic keys and perform cryptographic functions.
HASH
A (mathematical) function that is a non-secret algorithm, which takes any arbitrary-length message as input and produces a fixed-length hash result. Approved hash functions satisfy the following properties: a) One-way – It is computationally infeasible to find any input that maps to any pre-specified output. b) Collision-resistant – It is computationally infeasible to find any two distinct inputs (e.g., messages) that map to the same output. It may be used to reduce a potentially long message into a ‘hash value’ or ‘message digest’ that is sufficiently compact to be input into a digital-signature algorithm. A ‘good’ hash is such that the results of applying the function to a (large) set of values in a given domain will be evenly (and randomly) distributed over a smaller range.
HCE
See Host Card Emulation. Also Hardware Crypto Engine: functions to access the hardware crypto accelerator chip built into some of the CryptoServer models.
HEX
Hexadecimal
HHMMSS
Hours, Minutes, Seconds
HASH-BASED MESSAGE AUTHENTICATION CODE (HMAC)
A message authentication code that is produced using hash algorithms rather than a symmetric cryptographic algorithm. Defined in FIPS 198-1.
HOST CARD EMULATION (HCE)
Term used to describe mobile device capability in which the card emulation ability for NFC is provided through a software-based solution rather than a hardware secure element.
HOST DATA CAPTURE SYSTEM
An acquirer authorization system that retains authorized transactions for settlement without notification from the terminal that the transaction was completed.
HSM
A hardware security module manages secured keys, message validation and PIN authentication cryptoprocesses. Also provides strong authentication to access critical keys for payments applications.
I
IAD
Issuer Application Data
IARC
Issuer Authentication Response Code
IC
Integrated Circuit
ICC
Integrated Circuit Card
ID
Identifier
IDENTIFICATION AND VERIFICATION (ID&V)
A valid method through which an entity may successfully validate the Cardholder and the Cardholder’s account in order to establish a confidence level for Payment Token to PAN / Cardholder binding (e.g., account verification message, risk score based on assessment of the PAN, use of a one-time password by the Card Issuer or its Agent to verify the Cardholder).
IDN
ICC Dynamic Number
IEC
International Electrotechnical Commission
IFD
Interface Device
IIN
See Bank Routing Number.
IMK
Issuer Master Keys
IMKDAC
Issuer Master Keys for Data Authentication Code
INITIAL CHAINING VECTOR
The input data applied to the first data block in a Triple DES encryption process
INS
Instruction
INTEGRATED CIRCUIT CARD (ICC)
See chip card.
INTEGRATED CIRCUIT CHIP
See chip.
INTEGRITY
Ensuring consistency of data; in particular, preventing unauthorized and undetected creation, alteration, or destruction of data.
INTERCHANGE
The domestic and international systems operated by VISA and MasterCard for authorization, settlement and the passing through of interchange and other fees, as well as other monetary and non-monetary information related to bankcard activities.
INTERCHANGE FEE
Fees paid by the acquirer to the issuer to compensate for transaction-related costs. VISA and MasterCard establish interchange fee rates.
INTERNATIONAL ORGANISATION FOR STANDARDISATION (ISO)
The specialized international agency that establishes and publishes international technical standards.
INTEROPERABILITY
The ability of all card acceptance devices and terminals to accept and read all chip cards that are properly programmed.
ISO
International Organization for Standardization
ISSUER
A Visa customer that issues Visa or Electron cards, or proprietary cards bearing the PLUS or Visa Electron Symbol.
ISSUER ACTION CODES (IACS)
Card-based rules which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.
ISSUER AUTHENTICATION
Validation of the issuer by the card to ensure the integrity of the authorization response. See Authorization Response Cryptogram (ARPC).
ISSUER/ISSUING BANK
The financial institution (a licensed member of MasterCard or VISA) which holds contractual agreements with and issues cards to cardholders.
J
JAPANESE CREDIT BUREAU (JCB)
Issuers of the JCB card.
JUST-IN-TIME (JIT) COMPILATION
Compiling of code immediately prior to the execution of that code.
K
KEY AGREEMENT
A key-establishment protocol for establishing a shared secret key between entities in such a way that neither of them can predetermine the value of that key. That is, the secret key is a function of information contributed by two or more participants.
KEY CHECK VALUE (KCV)
A value used to identify a key without revealing any bits of the actual key itself. Check values are computed by encrypting an all-zero block using the key or component as the encryption key, using the leftmost n-bits of the result; where n is at most 24 bits (6 hexadecimal digits/3 bytes TDEA and 5 bytes AES). This method may be used for TDEA. TDEA may optionally use, and AES uses a technique where the KCV is calculated by MACing an all-zero block using the CMAC algorithm as specified in ISO 9797-1 (see also NIST SP 800-38B). The check value will be the leftmost n-bits of the result, where n is at most 40 bits (10 hexadecimal digits). The block cipher used in the CMAC function is the same as the block cipher of the key itself. A TDEA key or a component of a TDEA key will be MAC’d using the TDEA block cipher, while a 128-bit AES key or component will be MAC’d using the AES-128 block cipher. Also known as Key verification check (KVC).
KEY GENERATION
The creation of a new key for subsequent use. Creation of a cryptographic key either from a random number generator or through a one-way process utilizing another cryptographic key.
KEY INSTALLATION
Loading of a key that is protected with white-box cryptography, usually embedded within an application.
KEY LOADING
Process by which a key is manually or electronically transferred into a secure cryptographic device.
KEY MANAGEMENT
The handling of cryptographic keys and other related security parameters during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving.
KEY VARIANT
A new key formed by a process (which need not be secret) with the original key, such that one or more of the non-parity bits of the new key differ from the corresponding bits of the original key.
KEY WRAPPING
A format for storage and transmission of symmetric cryptographic keys that embeds metadata about the key type and use, as well as providing cryptographic authentication across the encrypted key and this metadata to ensure that the key and its purpose cannot be altered.
KSN
Key Serial Number. Identifies the key used for DUKPT security processing and the actual cryptographic operation counter.
L
LATC
Last online Application Transaction Counter
LC
Exact length of data sent by the Terminal Application Layer (TAL) in a Case 3 or 4 command
LCM
Least Common Multiple
LCM
See Lifecycle Management
LCOLL
Lower Consecutive Offline Limit
LD
Length of the plaintext data in the Command Data Field
LDD
Length of the ICC Dynamic Data
LE
Maximum length of data expected by the TAL in response to a Case 2 or 4 command
LIFECYCLE MANAGEMENT
A process of managing the token lifecycle. This includes resuming, suspending, deleting or updating any RPAN data.
LIMITED USE KEY
A cryptographic key that is only valid for a certain duration of time.
LRC
Longitudinal Redundancy Check
LUHN DIGIT CHECK
A simple checksum formula used to validate a variety of identification numbers, such as credit card numbers and IMEI numbers.
M
M OF N
An m-of-n scheme is a component or share allocation scheme where m is the number of shares or components necessary to form the key, and n is the number of the total set of shares or components related to the key. Management of the shares or components must be sufficient to ensure that no one person can gain access to enough of the item to form the key alone.
MAC
In cryptography, an acronym for ‘Message Authentication Code’. A small piece of information used to authenticate a message.
MAGNETIC INFORMATION CHARACTER RECOGNITION (MICR)
Imprinted banking numbers (routing/transit number, checking account number, check number) at the bottom of the check.
MAGNETIC STRIPE
The stripe on the back of the card that contains the magnetically coded account information necessary to complete a non-chip electronic transaction.
MAGNETIC STRIPE IMAGE
The minimum chip payment service data replicating information in the magnetic stripe required to process a transaction that is compliant with EMV.
MANDATE
Recurring specification update from VISA or MasterCard.
MANDATORY ACCESS CONTROL
Access control by which the operating system constrains the ability of a process or thread to access or perform an operation on objects or targets such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc., through an authorization rule enforced by the operating system kernel.
MANUAL KEY LOADING
Loading of a cryptographic key using two or more full-length components, or using m-of-n shares, entered directly through a secure physical mechanism.
MAN-IN-THE-MIDDLE (MITM) ATTACK
An attack method where a malicious third party interposes between two other communicating parties and modifies the data sent between them.
MAP
Mobile Application Platform.
MASTER DERIVATION KEYS (MDK)
Master DES keys stored in the issuer host system. These keys are used to generate Unique Derivation Keys (UDKs) for personalization, to validate ARQCs, and to generate ARPCs.
MCI
MasterCard International
MDK
Master Derivation Key
MEMBER
A financial institution which is a member of VISA USA and/or MasterCard International. A member is licensed to issue cards to cardholders and/or accept merchant drafts.
MERCHANT
A retailer, or any other person, firm, or corporation that, according to a Merchant Agreement, agrees to accept credit cards, debit cards, or both, when properly presented.
MERCHANT ACQUIRER
A member that has entered into an agreement with a merchant to accept deposits generated by bankcard transactions; also called the acquirer or acquiring bank.
MERCHANT AGREEMENT
The written contract between merchant and acquirer that details their respective rights, responsibilities and warranties.
MERCHANT CATEGORY CODE (MCC)
A code designating the principal trade, profession, or line of business in which a merchant is engaged.
MERCHANT NUMBER
A number that numerically identifies each merchant to the merchant processor for accounting and billing purposes.
MERCHANTS
Merchants that accept Visa payWave payment transactions at their point-of-sale.
MESSAGE AUTHENTICATION CODE (MAC)
A digital code generated using a cryptographic algorithm which establishes that the contents of a message have not been changed and that the message was generated by an authorized entity.
MF
Master File
MICR NUMBER METHOD
A check authorization procedure that uses the bank routing/transit numbers, checking account numbers and check number encoded along the bottom of the check.
MIGS
MasterCard Internet Gateway Service. A payment gateway system that allows banks to accept card not present (CNP) transactions. MIGS is PCI-DSS-compliant and is typically branded and priced by the acquiring bank. It is used to interconnect online merchants to their acquiring banks through standards-compliant technology and an API (Virtual Payment Client). This payment gateway provides support for services such as “MasterCard SecureCode”, “Verified by Visa” and “JCB J/Secure”.
MK
Master Key
MKAC
ICC Master Key Application Cryptogram
MKIDN
ICC Master Key for ICC Dynamic Number generation
MKSMC
ICC Master Key for Secure Messaging for Confidentiality
MKSMI
ICC Master Key for Secure Messaging for Integrity
MOBILE APPLICATION
A software application resident on the mobile device that consumers use to interact with their mobile device to access a product or a service. For cloud-based payments, mobile applications typically include, but are not necessarily limited to, mobile banking applications or mobile wallet applications.
MOBILE APPLICATION PLATFORM
A server-based system that provides for the management of capabilities and services to mobile applications. For cloud-based payments, mobile application platforms may be, but are not necessarily limited to, existing mobile banking platforms or mobile wallet platforms.
MOBILE DEVICE
A portable electronic device with wide area communication capabilities that can be enabled with Visa payWave functionality. Mobile devices include mobile handsets, handhelds, smartphones, and other consumer electronic devices, such as suitably equipped PDAs.
MSD
Magnetic Stripe Data
MULTI-APPLICATION
The presence of multiple applications on a chip card (for example, payment, loyalty, and identification).
N
N/A
Not Applicable
NCA
Length of the Certification Authority Public Key Modulus
NEAR-FIELD COMMUNICATION (NFC)
A short-range contactless proximity technology based on ISO/IEC 18092, which provides for ISO/IEC 14443-compatible communications.
NET PAYMENT
Payment to the merchant for sales drafts less credits minus the appropriate discount fee.
NET REVENUE
Discount income less interchange expense.
NET SETTLEMENT
The settlement, through an actual transfer of funds, of the net effect of a series of financial transactions involving customers of two or more banks.
NFC
Near field communication is a set of standards derived from EMV to establish radio communication between an account-data-holding device (ICC card, mobile) and a payment device (POS) by touching them together or bringing them into close proximity, usually no more than a few centimeters.
NI
Length of the Issuer Public Key Modulus
NIBBLE
The four most significant or least significant bits of a byte of data.
NIC
Length of the ICC Public Key Modulus
NON-BANK
In a payment system, a financial institution not offering retail banking services.
NPE
ICC PIN Encipherment Public Key Modulus
NRNG
A random number generator that has access to an entropy source and (when working properly) produces output numbers (or bit strings) that have full entropy. Sometimes called a True Random Number (or Bit) Generator. Contrast with a deterministic random number generator (DRNG).
O
OBFUSCATION
Protection applied to a process or data through increasing the complexity of interpreting that data. For the purposes of this standard, ‘obfuscation’ refers to ‘code obfuscation,’ where computational processes have been applied to increase the complexity of a code set to reduce the ability to reverse-engineer that code.
OFFLINE APPROVAL
A transaction that is positively completed at the point of transaction between the card and terminal without an authorization request to the issuer.
OFFLINE AUTHORIZATION
A method of processing a transaction without sending the transaction online to the issuer for authorization.
OFFLINE DATA AUTHENTICATION
A process whereby the card is validated at the point of transaction using RSA public key technology to protect against counterfeit or skimming. VIS includes two forms: Static Data Authentication (SDA) and Dynamic Data Authentication (DDA).
OFFLINE DECLINE
A transaction that is negatively completed at the point of transaction between the card and terminal without an authorization request to the issuer.
OFFLINE PAYMENT TRANSACTION
In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk) or in countries where telecommunications costs are high.
OFFLINE PIN
A PIN value stored on the card that is validated at the point of transaction between the card and the terminal.
OFFLINE PIN VERIFICATION
The process whereby a cardholder-entered PIN is passed to the card for comparison to a PIN value stored secretly on the card.
OFFLINE-CAPABLE
A card acceptance device that is able to perform offline approvals.
OFFLINE-ONLY TERMINAL
A card acceptance device that is not capable of sending transactions online for issuer authorization.
OLCTA
Offline Cumulative Transaction Amount
ONE TIME PASSWORD
An OTP is sent to the cardholder in order to verify him/her while provisioning the card on the device. It will be sent by the Issuer in most cases.
ONLINE AUTHORIZATION
A method of requesting an authorization through a communications network other than voice to an issuer or issuer representative.
ONLINE CARD AUTHENTICATION (CAM)
Validation of the card by the issuer to protect against data manipulation and skimming. See Authorization Request Cryptogram (ARQC).
ONLINE PIN VERIFICATION
A method of PIN verification where the PIN entered by the cardholder into the terminal PIN pad is DES-encrypted and included in the online authorization request message sent to the issuer.
ONLINE-CAPABLE TERMINAL
A card acceptance device that is able to send transactions online to the issuer for authorization.
OPERATING SYSTEM (OS)
System software that manages the underlying hardware and software resources and provides common services for programs. Common operating systems in a COTS environment include, but are not limited to, Android and iOS.
ORIGINATOR
A financial institution that initiates a wire transfer or automated clearing house (ACH) payment.
OTP
See One Time Password
OUTLET
One location of a chain.
OVER THE AIR (OTA)
A method of distributing new software updates to mobile devices or provisioning handsets with the necessary settings with which to access services.
P
P1
Parameter 1
P2
Parameter 2
PAN
Primary Account Number
PAPER
Sales slips, credit slips, cash disbursement slips and other obligations indicating use of a card or a card account. Also referred to as ‘media’.
PASSCODE
A secret string of characters (usually numeric) used for consumer authentication to gain access to mobile applications on the mobile device. Consumers use the keypad of their mobile device to authenticate themselves.
PAYMENT APPLICATION DATA SECURITY STANDARD (PA DSS)
The global security standard created by the Payment Card Industry Security Standards Council (PCI SSC) to provide the definitive data standard for software vendors that develop payment applications.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
A proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
PAYMENT GATEWAY
An e-commerce application service provider service that authorizes payments for e-businesses, online retailers, or traditional brick and mortar businesses. It is equivalent to a physical point of sale terminal located in most retail outlets.
PAYMENT PROCESSOR
An entity that provides payment processing services for Acquirers and / or Issuers. A Payment Processor may in addition to processing provide operational, reporting and other services for the Acquirer or Card Issuer.
PAYMENT NETWORK
An electronic payment system used to accept, transmit, or process transactions made by payment cards for money, goods, or services, and to transfer information and funds among Issuers, Acquirers, Payment Processors, Merchants, and Cardholders.
PAYMENT SYSTEM
A set of instructions and procedures used for the transfer of ownership and settlement of obligations arising from the exchange of goods and services.
PAYMENT TOKEN
Payment Tokens can take on a variety of formats across the payments industry. For this specification, the term Payment Token refers to a surrogate value for a PAN that is a 13 to 19-digit numeric value that must pass basic validation rules of an account number, including the Luhn check digit. Payment Tokens are generated within a BIN range that has been designated as a Token BIN Range and flagged accordingly in all appropriate BIN tables. Payment Tokens must not have the same value as or conflict with a real PAN.
PCA
Certification Authority Public Key
PCI DSS
The Data Security Standard published and maintained by the Payment Card Industry Security Standards Council. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
PCI PIN
A PCI standard that contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.
PDOL
Processing Options Data Object List
PERSONALIZATION
The process of populating a card with the application data that makes it ready for use.
PHYSICAL UNCLONABLE FUNCTION (PUF)
An intrinsic value or transformation that can be provided by a system that is a function of some physical process, such that it cannot be replicated or altered.
PI
Issuer Public Key
PIC
ICC Public Key
PICC
Proximity IC Card. Synonymous with the consumer device in Book D of [EMV CL].
PIN (PERSONAL IDENTIFICATION NUMBER)
The confidential individual number or code used by a cardholder to authenticate card ownership for ATM or POS terminal transactions.
PIN AUTHORIZATION REQUEST
A procedure enabling the issuer to validate cardholder identity by comparing the PIN to the account numbers.
PIN BLOCK
Defined formats used for offline and online PIN processing and transmission, as defined in ISO 9564 Part 1.
PIN CVM APPLICATION
All parts of the code, regardless of execution environment, that are installed and executed on the merchant COTS device for the purposes of accepting and processing the cardholder’s PIN. The client-side monitor and/or a payment application may be incorporated into the PIN CVM Application or may be a separate application.
PIN CVM SOLUTION (THE SOLUTION)
The set of components and processes that support the entry of PIN data into a COTS device. At a minimum, The Solution includes SCRP, PIN CVM Application and the back-end systems and environments that perform attestation, monitoring and payment and online PIN processing.
PIN PAD
A Tamper Resistant Security Module that enables a Cardholder to enter his or her PIN at a Terminal.
PIN VERIFICATION
A procedure utilized by or on behalf of the Issuer Participant to verify the identification of the Cardholder as a result of the use of the PIN upon receipt of a Transaction request.
PIX
Proprietary Application Identifier Extension
PLAINTEXT
Data in its original unencrypted form.
POINT OF SALE (POS)
The point of sale (POS) or point of purchase (POP) is the time and place where a retail transaction is completed. At the point of sale, the merchant would calculate the amount owed by the customer and indicate the amount, and may prepare an invoice for the customer (which may be a cash register printout), and indicate the options for the customer to make payment. It is also the point at which a customer makes a payment to the merchant in exchange for goods or after provision of a service. After receiving payment, the merchant may issue a receipt for the transaction, which is usually printed, but is increasingly being dispensed with or sent electronically. (source: Wikipedia)
POINT OF TRANSACTION (POT)
The physical location where a merchant or acquirer (in a face-to-face environment) or an unattended terminal (in an unattended environment) completes a transaction.
POINT-OF-SALE SYSTEM
An electronic system that accepts financial data at or near a retail selling location and transmits that data to a computer or authorization network for reporting activity, authorization and transaction logging.
POINT-OF-TRANSACTION TERMINAL
A device used at the point of transaction that has a corresponding point-of-transaction capability. See also Card Acceptance Device.
POS
Point of Service
POS TERMINAL
A device placed in a merchant location that is connected to the bank’s system or authorization service provider via telephone lines and is designed to authorize, record and forward data by electronic means for each sale.
POSTILION
Payment processing platform formerly owned by Mosaic, S1 and currently by ACI.
POST-ISSUANCE UPDATE
A command sent by the issuer through the terminal via an authorization response to update the electronically stored contents of a chip card.
PPSE
Proximity Payment Systems Environment
PREPAID CARDS
A reloadable or non-reloadable debit card that allows the holder to only spend up to the amount that has been pre-deposited into the account.
PRIMARY ACCOUNT NUMBER (PAN)
A variable length, 13 to 19-digits, ISO 7812-compliant account number that is generated within account ranges associated with a BIN by a Card Issuer.
PRIVATE KEY
As part of an asymmetric cryptographic system, the key that is kept secret and known only to the owner.
A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and is not made public.
In the case of an asymmetric signature system, the private key defines the signature transformation. In the case of an asymmetric encipherment system, the private key defines the decipherment transformation.
PROCESSING HOST SYSTEM
Term used to describe the system used by an issuer to authorize payment transactions.
PROCESSOR
An organization that is connected to VISANet and/or Banknet and provides authorization and/or clearing and settlement services on behalf of a member.
PROXIMITY
In this document, refers to contactless technology as described in [EMV CL].
PROXIMITY PAYMENT SYSTEM ENVIRONMENT (PPSE)
The purpose of the Proximity Payment System Environment is to inform the contactless payment terminal of the types of payment products that are available on the card or mobile device that is presented to the terminal. The payment terminal uses this information to determine if a payment is possible.
PSE
Payment System Environment
PSEUDO RANDOM NUMBER GENERATOR (PRNG)
A deterministic algorithm to generate a sequence of numbers with little or no discernible pattern in the numbers, except for broad statistical properties.
PSN
Application PAN Sequence Number
PTC
PIN Try Counter
PTL
PIN Try Limit
PUBLIC KEY
As part of an asymmetric cryptographic system, the key known to all parties.
A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and may be made public.
In the case of an asymmetric signature system, the public key defines the verification transformation. In the case of an asymmetric encipherment system, the public key defines the encipherment transformation. A key that is ‘publicly known’ is not necessarily globally available. The key may only be available to all members of a pre-specified group.
PUBLIC KEY CRYPTOGRAPHY
See Asymmetric Encryption.
PUBLIC KEY CRYPTOGRAPHIC ALGORITHM
A cryptographic algorithm that allows the secure exchange of information, but does not require a shared secret key, through the use of two related keys—a public key which may be distributed in the clear and a private key which is kept secret.
PUBLIC KEY PAIR
The two mathematically related keys, a public key and a private key which, when used with the appropriate public key cryptographic algorithm, can allow the secure exchange of information, without the secure exchange of a secret.
PURCHASE TRANSACTION
A retail purchase of goods or services; a point-of-sale transaction.
PVV
PIN Verification Value
Q
QUASI-CASH TRANSACTION
A transaction representing a merchant’s sale of items, such as gaming chips or money orders, that are directly convertible to cash.
QVSDC
quick Visa Smart Debit/Credit
QVSDC PATH
For transactions conducted over the contactless interface, the qVSDC Path is an application path taken by the card which results in card behavior defined for qVSDC. This path is taken for contactless transactions where the card and reader both support qVSDC.
R
RANDOM NUMBER GENERATOR (RNG)
The process of generating values with a high level of entropy and that satisfy various qualifications, using cryptographic and hardware-based ‘noise’ mechanisms. This results in a value in a set that has equal probability of being selected from the total population of possibilities, hence unpredictable.
RANDOM SELECTION
An EMV online-capable terminal function that allows for the selection of transactions for online processing. Part of Terminal Risk Management.
READER
The merchant device communicating with the card/Mobile Application.
REAL PAN
Actual PAN of the cardholder usually embossed on the plastic. TPAN on a card device is associated with the actual PAN.
REASON CODE
A code used to provide additional information to the receiving clearing member regarding the nature of a chargeback, subsequent presentment, fee collection, funds disbursement, or request for a source document.
RECEIPT
A hard copy description of the transaction that took place at the point-of-sale, containing at minimum: date, merchant name/location, primary account number, type of account accessed, amount, reference number, and an action code.
RECURRING TRANSACTION
A transaction charged to the cardholder (with prior permission) on a periodic basis for recurring goods and services, e.g., health club memberships, book-of-the-month clubs, etc.
REFERENCE NUMBER
A twenty-three (23) position number assigned by the acquiring member and used to identify a transaction.
REFERRAL RESPONSE
An authorization response where the merchant or acquirer is instructed to contact the issuer for further instructions before completing the transaction.
REMITTANCE INFORMATION
Information required by the biller to post customer bill payments effectively.
REPLAY ATTACK
A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
REQUESTED TOKEN ASSURANCE LEVEL / ASSIGNED TOKEN ASSURANCE LEVEL
The Requested Token Assurance Level is requested from the Token Service Provider by the Token Requestor. Requested Token Assurance Level is a field included in the Token Request. The Assigned Token Assurance Level is the actual value assigned by the Token Service Provider as the result of the ID&V process and is provided back to the Token Requestor in response to the Token Request.
REVERSAL
A BASE II or online financial transaction used to negate or cancel a transaction that has been sent through interchange.
RFU
Reserved for Future Use (see next table)
RID
Registered Application Provider Identifier
RIP
Reset Internal Parameters
ROM (READ-ONLY MEMORY)
Permanent memory that cannot be changed once it is created. It is used to store chip operating systems and permanent data.
RPAN
See Real PAN
RSA (RIVEST, SHAMIR, ADLEMAN)
A public key cryptosystem developed by Rivest, Shamir, and Adleman, used for data encryption and authentication.
S
SALES DRAFT
Paper documentation of a transaction. Also called a sales slip, charge slip or hard copy.
SCA
Certification Authority Private Key
SDA (OFF-LINE STATIC DATA AUTHENTICATION)
When both the terminal and the card support off-line data authentication, the terminal chooses which kind of off-line data authentication will be performed. With SDA, the terminal determines whether the card is genuine: the card passes its internal checksum data, encrypted (RSA), to the terminal for authentication with a public certificate.
SECRET KEY
A key that is used in a symmetric cryptographic algorithm (that is, DES), and cannot be disclosed publicly without compromising the security of the system. This is not the same as the private key in a public/private key pair.
SECURE BOOT
See Trusted Boot
SECURE CARD READER – PIN (SCRP)
A physical card reader that has been assessed compliant to the PCI PTS SCRP Approval Class and is listed on the PTS approval website.
SECURE CHANNEL
A cryptographically protected connection between two processing elements.
SECURE CRYPTOGRAPHIC DEVICE (SCD)
A physically and logically protected hardware device that provides a secure set of cryptographic services. It includes the set of hardware, firmware, software, or some combination thereof that implements cryptographic logic, cryptographic processes, or both, including cryptographic algorithms. Examples include ANSI X9.24 part 1 or ISO 13491.
SECURE ELEMENT
A tamper-resistant module capable of hosting mobile device applications in a secure manner. A hardware-secure chip-based solution that is resident in the mobile device, either as an integrated component or as a removable component such as a Universal Integrated Circuit Card (UICC) Subscriber Identity Module (SIM) card or a memory card solution.
SECURE MESSAGING
A process that enables messages to be sent from one entity to another, and protects against unauthorized modification or viewing.
SECURE READING AND EXCHANGE OF DATA (SRED)
Module 4 of the PCI PTS POI Standard, detailing the requirements for devices that protect account data.
SECURITY COMPLIANCE REVIEW
A review that is based on an approved checklist and that is performed by a Member’s or Processor’s Approved Auditor to verify the Member’s or the Processor’s compliance with these Rules.
SENSITIVE AUTHENTICATION DATA
Security-related information, including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs and PIN blocks, used to authenticate cardholders and/or authorize payment card transactions.
SENSITIVE DATA
Sensitive data is cryptographic materials, e.g., keys, certificates, cardholder PINs or cardholder data.
SESSION KEY
A temporary cryptographic key computed in volatile memory and not valid after a session is ended.
SETTLEMENT
As the sales transaction value moves from the merchant to the acquiring bank to the issuer, each party buys and sells the sales ticket. Settlement is what occurs when the acquiring bank and the issuer exchange data or funds during that function.
SETTLEMENT STATEMENT
A document issued to the merchant, indicating the sales and credit activity, billing information, discount fee and chargebacks (if any) occurring during a particular time frame (one week, one month).
SFI
Short File Identifier
SHA
Secure Hash Algorithm
SHOPPING CART SOFTWARE
Shopping cart software allows the cardholder to select items from an online store and place them in a virtual shopping basket or shopping cart. The shopping cart remembers which items are selected while the cardholder views other items within the virtual storefront, keeps a running total, and may calculate taxes and shipping. The items in the shopping cart are eventually ordered if the cardholder chooses.
SI
Issuer Private Key
SIC
ICC Private Key
SINGLE MESSAGE SYSTEM
A component of the V.I.P. System that processes Online Financial and Deferred Clearing transactions.
SK
Session Key
SKAC
Session Key Application Cryptogram
SM
Secure Messaging
SMART CARD
A plastic card resembling traditional credit or debit cards that contains a computer chip; the chip is capable of storing significantly more information than a magnetic stripe.
SOFTWARE PROTECTION MECHANISMS
Methods and implementations used to prevent the reverse engineering and modification of software. See Obfuscation and White-box cryptography as examples of commonly used software protection mechanisms.
SPLIT KNOWLEDGE
A condition under which two or more entities separately have key components or key shares that individually convey no knowledge of the resultant cryptographic key. The information needed to perform a process such as key formation is split among two or more people. No individual has enough information to gain knowledge of any part of the actual key that is formed.
STAN (SYSTEM TRACE AUDIT NUMBER)
Unique number identifying a payment transaction through the whole or part of the payment system. In ISO8583-like dialects it is usually data element DE11.
START UP KIT
Supplies shipped to new merchants including sales slips, credit slips, batch header tickets, return envelopes, VISA/MasterCard decals, merchant plastics, imprinter slugs and instructional materials.
STATIC DATA AUTHENTICATION (SDA)
A type of Offline Data Authentication where the terminal validates a cryptographic value placed on the card during personalization. This validation protects against some types of counterfeit, but does not protect against skimming.
STATUS WORD
SW1 and SW2, collectively.
SUBMISSION
The process of sending batch deposits to Merchant Services for processing. This may be done electronically or by mail.
SUPPORT DOCUMENTATION
The forms necessary to effect a chargeback processing cycle, and any additional material to uphold a dispute.
SW1
Status byte 1
SW1 SW2
Status Byte One and Status Byte Two
SW2
Status byte 2
SYMMETRIC ENCRYPTION
A cryptographic key that is used in symmetric cryptographic algorithms. The same symmetric key that is used for encryption is also used for decryption. Also known as ‘secret key.’
T
TAMPER-DETECTION
The automatic determination by a cryptographic module that an attempt has been made to compromise the security of the module.
TAMPER-RESISTANT SECURITY MODULE (TRSM)
Usually an HSM.
TAMPER-RESPONSIVE
A characteristic that provides an active response to the detection of an attack, thereby preventing its success.
TC
Transaction Certificate
TCMP
Transaction Capture Multi-Payment (TCMP) is a payment messages format for transmissions between the terminal and RBS WorldPay Host. This host interface is designed to operate in a terminal-capture or host-capture environment.
T-DES
Triple DES. An algorithm specified in ISO/IEC 18033-3: Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers. (PIN)
TDOL
Transaction Certificate Data Object List
TEE
Trusted Execution Environment
TELEPHONE BILL PAYMENT
A service that permits a customer to pay bills electronically. The customer gives a corporation the authority to debit his or her account for a specific amount or within a specified range of amounts.
TERMINAL ACTION CODES (TACS)
Visa-defined rules in the terminal which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.
TEST REQUIREMENTS (TR)
Requirements that dictate the set of tests that must be performed to confirm compliance with a specific standard.
THE SOLUTION
See PIN CVM Solution
THIRD-PARTY PROCESSING
Processing of transactions by service providers acting under contract to card issuers or acquirers. First Data is a third-party processor.
TLV
Tag Length Value
TOKEN
An implementation of an alternate PAN that may include additional features associated with tokenization.
TOKEN ASSURANCE LEVEL
A value that allows the Token Service Provider to indicate the confidence level of the Payment Token to PAN / Cardholder binding. It is determined as a result of the type of Identification and Verification (ID&V) performed and the entity that performed it. It may also be influenced by additional factors such as the Token Location.
The Token Assurance Level is set when issuing a Payment Token and may be updated if additional ID&V is performed. The Token Assurance Level value is defined by the Token Service Provider.
TOKEN BIN
A specific BIN or range within a BIN that has been designated only for the purpose of issuing Payment Tokens and is flagged accordingly in BIN tables.
TOKEN BIN RANGE
A unique identifier that consists of the leading 6 to 12 digits of the Token BIN. The Token BIN Range may be designed to carry the same attributes as the associated Card Issuer card range and will be included in the BIN routing table distributed to the participating Acquirers and Merchants to support routing decisions.
TOKEN CRYPTOGRAM
A cryptogram generated using the Payment Token and additional transaction data to create a transaction-unique value. The calculation and format may vary by use case.
TOKEN DOMAIN
The types of transactions for which a Payment Token may be used. Token Domains may be channel-specific (e.g. NFC only), Merchant-specific, digital wallet-specific, or a combination of any of the above.
TOKEN DOMAIN RESTRICTION CONTROLS
A set of parameters established as part of Payment Token issuance by the Token Service Provider that will allow for enforcing appropriate usage of the Payment Token in payment transactions. Some examples of the controls are: Use of the Payment Token with particular presentment modes, such as contactless or e-commerce; Use of the Payment Token at a particular Merchant that can be uniquely identified; Verification of the presence of a Token Cryptogram that is unique to each transaction
TOKEN EXPIRY DATE
The expiration date of the Payment Token that is generated by and maintained in the Token Vault and is passed in the PAN Expiry Date field during transaction processing to ensure interoperability and minimise the impact of Tokenisation implementation. The Token Expiry Date is a 4-digit numeric value that is consistent with the ISO 8583 format.
TOKEN INTEROPERABILITY
The process to ensure that the processing and exchanging of transactions between parties through existing interoperable capabilities is preserved when using Payment Tokens with new fields and field values that are defined in this specification.
TOKEN ISSUANCE
The process by which a Payment Token is created and delivered to a Token Requestor. Payment Tokens may be issued for multiple use or for single use.
TOKEN LOCATION
An indication of the intended mode of storage for a Payment Token and any related data, provided by a Token Requestor when requesting a Payment Token from a Token Service Provider.
The security of this location may influence the Token Assurance Level that can be assigned to a Payment Token. Due diligence of the security provided by Token Requestors is the responsibility of each Token Service Provider and assignation of a location type to each Token Requestor will be at the discretion of each Token Service Provider.
TOKEN PAN
A virtual PAN present in the card device and disclosed to the Merchant terminal at the time of transaction.
TOKEN PRESENTMENT MODE
The mode through which a Payment Token is presented for payment. This information will resolve to an existing field called Point of sale (POS) Entry Mode as defined in ISO 8583 messages and that will be enhanced to include new potential values as part of this specification. Each Payment Network will define and publish any new POS Entry Mode values as part of its existing message specifications and customer notification procedures. In addition to supporting existing values for contactless, new values may be defined, if not already in existence, by participating Payment Networks for: Server initiated (Card-on-file use case); Scan (Optical)
TOKEN PROCESSING
Transaction processing in which a Payment Token is present in lieu of the PAN and is processed from the point of interaction through to the Payment Network and Token Service Provider’s Vault for De-Tokenisation in order to allow for transaction completion. Token Processing may span payment processes that include authorisation, capture, clearing, and exception processing.
TOKEN PROVISIONING
The act of delivering the Payment Token and related values, potentially including one or more secret keys for cryptogram generation, to the Token Location.
TOKEN REFERENCE ID
A value used as a substitute for the Payment Token that does not expose information about the Payment Token or the PAN that the Payment Token replaces.
TOKEN REQUEST
The process in which a Token Requestor requests a Payment Token from the Token Service Provider. As a consequence of this action, ID&V may be performed using a Token Request Indicator to show that the ID&V mechanism being used is for the purpose of a Token Request, rather than for some other purpose.
TOKEN REQUEST INDICATOR
A value used to indicate that an authentication / verification message is related to a Token Request. It is optionally passed to the Card Issuer as part of the Identification and Verification (ID&V) API to inform the Card Issuer of the reason that the account status check is being performed.
TOKEN REQUESTOR
An entity that is seeking to implement Tokenisation according to this specification and initiate requests that PANs be Tokenised by submitting Token Requests to the Token Service Provider. Each Token Requestor will be registered and identified uniquely by the Token Service Provider within the Tokenisation system.
TOKEN REQUESTOR REGISTRATION
A Token Service Provider function that formally processes Token Requestor applications to participate in the Token Service programme. The Token Service Provider may collect information pertaining to the nature of the requestor and relevant use of Payment Tokens to validate and formally approve the Token Requestor and establish appropriate Token Domain Restriction Controls. Successfully registered Token Requestors will be assigned a Token Requestor ID that will also be entered and maintained within the Token Vault.
TOKEN SERVICE
A system comprised of the key functions that facilitate generation and issuance of Payment Tokens from the Token BINs, and maintain the established mapping of Payment Tokens to PAN when requested by the Token Requestor. It also includes the capability to establish the Token Assurance Level to indicate the confidence level of the Payment Token to PAN / Cardholder binding. The service also provides the capability to support Token Processing of payment transactions submitted using Payment Tokens by de-tokenising the Payment Token to obtain the actual PAN.
TOKEN SERVICE PROVIDER
An entity that provides a Token Service comprised of the Token Vault and related processing. The Token Service Provider will have the ability to set aside licensed ISO BINs as Token BINs to issue Payment Tokens for the PANs that are submitted according to this specification.
An entity or software responsible for creating, managing and detokenizing the Token PANs into Real PANs.
TOKEN VAULT (TV)
A repository, implemented by a Tokenisation system, that maintains the established Payment Token to PAN mapping. This repository is referred to as the Token Vault. The Token Vault may also maintain other attributes of the Token Requestor that are determined at the time of registration and that may be used by the Token Service Provider to apply domain restrictions or other controls during transaction processing. Token information database.
TOKENISATION
A process by which the Primary Account Number (PAN) is replaced with a surrogate value called a Payment Token. Tokenisation may be undertaken to enhance transaction efficiency, improve transaction security, increase service transparency, or to provide a method for third-party enablement. A process of creating a virtual PAN or Token PAN on a card device (Mobile, Touch pad etc.) associated with the Real PAN (RPAN) of the cardholder that facilitates hiding of real PAN at the point of sale.
TPAN
See Token PAN
TRACK 1
Track 1 was introduced by the International Air Transport Association (IATA) and describes the format of magnetic stripe data for financial transaction cards, i.e., credit and debit cards. It stores more information than Track 2, such as the cardholder’s name, account number and other discretionary data. This track is sometimes used by the airlines when securing reservations with a credit card.
TRACK 2
Track 2 was introduced by the American Banking Association (ABA) and is currently most commonly used, though credit card companies have been pushing for everyone to move to Track 1. The ABA designed the specifications of this track and all world banks must abide by it. It contains the cardholder’s account, encrypted PIN, plus other discretionary data.
TRACK 3
Track 3 is virtually unused by the major worldwide networks, and often isn’t even physically present on the card by virtue of a narrower magnetic stripe.
TRANSACTION
Any event that causes a change in an organization’s financial position or net worth, resulting from normal activity. Advance of funds, purchase of goods at a retailer or when a borrower activates a revolving line of credit. Activities affecting a deposit account carried out at the request of the account owner. One example of a transaction is the process that takes place when a cardholder makes a purchase with a credit card.
TRANSACTION DATE
The actual date on which a transaction occurs. Used in recording and tracking transactions.
TRANSACTION FEES
Service costs charged to a merchant on a per-transaction basis.
TRIPLE DES
The data encryption algorithm used with a double-length DES key.
TRM
Terminal Risk Management (EMV transactions). May include checking whether the value of the transaction exceeds the terminal floor limit and other threshold values.
TRUE RANDOM NUMBER GENERATOR (TRNG)
A device that generates random numbers from a physical process, such as a Physical Unclonable Function, rather than a deterministic algorithm.
TRUSTED BOOT
A cryptographic process where the bootloader verifies the integrity of all components (e.g., kernel objects) loaded during the operating system start-up process, before loading them. Also known as Verified Boot and Secure Boot (e.g., Google or Apple).
TRUSTED EXECUTION ENVIRONMENT (TEE)
A Trusted Execution Environment provides security features such as an isolated execution environment for Trusted Applications (‘Trustlets’). It protects security assets from general software attacks, defines safeguards as to the data and functions that a program can access, and resists a set of defined threats.
TSI
Transaction Status Information
TSP
See Token Service Provider
TTQ
Terminal Transaction Qualifiers
TVR
Terminal Verification Results
U
UCOLL
Upper Consecutive Off-line Limit
UCOMMERCE
Short for Universal Commerce, UCommerce is the intersection of online, kiosk, and in-store payment enablement, incorporating social media and near-field communications. With UCommerce, the mobile device is at the center of the user experience.
UDK
Unique Derivation Key
UDKA
Unique Derivation Key A
UDKB
Unique Derivation Key B
UI
User interface (UI). The set of the human-machine interfaces that allows for interaction between a person and a computerized system.
UNIQUE DERIVATION KEY
A card-unique double-length DES key derived from a master key and used in online card authentication.
UTC
Coordinated Universal Time
V
V.I.P. SYSTEM
VisaNet Integrated Payment System, the online processing component of VisaNet.
VCPS
Visa Contactless Payment Specification
VCPS TRANSACTION
A transaction conducted over the contactless interface in compliance with this specification.
VIS
Visa Integrated Circuit Card Specification
VISA AID
An AID using the Visa Registered Application Provider Identifier (RID, ‘A0 00 00 00 03’) that has a Proprietary Application Identifier Extension (PIX) assigned by Visa International. Visa PIXs: ‘1010’ – Visa Debit and Visa Credit, ‘2010’ – Visa Electron, ‘3010’ – Interlink, ‘8010’ – PLUS. Regional AIDs using the reserved range of Visa assigned PIXs are permitted.
VISA CERTIFICATE AUTHORITY (CA)
A Visa-approved organization certified to issue certificates to participants in a Visa payment service.
VISA CONTACTLESS PAYMENT SPECIFICATION (VCPS)
A Visa specification defining requirements for conducting a payment transaction over a contactless interface.
VISA LOW-VALUE PAYMENT (VLP)
VLP is a feature of VSDC designed to provide an optional source of pre-authorized spending power that is reserved for rapid processing of offline low-value payments.
VISA PAYWAVE
A contactless payment technology feature that allows cardholders to wave their card, mobile device, or other form factors in front of contactless payment terminals without the need to physically swipe or insert the card into a point-of-sale device.
VISA REPRESENTATIVE
Visa internal staff that issuers or acquirers may contact for questions and assistance with implementation tasks and testing.
VISA SMART DEBIT AND VISA SMART CREDIT (VSDC)
The Visa service offerings for chip-based debit and credit programs. These services, based on EMV and VIS specifications, are supported by VisaNet processing, as well as by Visa rules and regulations.
VISANET
The systems and services, including the V.I.P. and BASE II systems, through which Visa delivers online financial processing, authorization, clearing, and settlement services to members.
W
WHITE-BOX CRYPTOGRAPHY
A method used to obfuscate a cryptographic algorithm and key with the intent that the determination of the key value is computationally complex.
X
Y
YHHHHCC
Year, hour, counter: Y right-most digit of the year (0 – 9), HHHH Number of hours in digits since start of the year (0001 – 8784), CC Counter (00 – 99)
Z
ZENTRALER KREDITAUSSCHUSS (ZKA)
An industry association of the German banking industry.