Terms to Know
Also referred to as “acquiring bank,” “acquiring financial institution,” or “merchant acquirer.” An acquirer is an organization licensed as a member of Visa/MasterCard that is in the business of processing credit card transactions for businesses (acceptors) and is always acquiring new merchants for the acceptance of payment cards.
Interestingly enough, many merchants don’t recognize their acquiring bank as the primary provider of their merchant account. Acquiring banks are playing an increasingly hands-off role as the bankcard system evolves. Acquiring banks often enlist the help of third-party independent sales organizations (ISO) and membership service providers (MSP) to conduct and monitor the day-to-day activities of their merchant accounts.
A credit card offered in conjunction with two organizations, one a card issuer and the other a non-financial group with which consumers have an affinity. Universities, sports franchises and non-profit organizations are examples of affinity groups that often offer special discounts or deals for using their credit cards issued in partnership with a major bank.
American Express Company, also known as AmEx, is an American multinational financial services corporation headquartered in Three World Financial Center, Manhattan, New York City, New York, United States. Founded in 1850, it is one of the 30 components of the Dow Jones Industrial Average. The company is best known for its credit card, charge card, and traveler’s cheque businesses. Amex cards account for approximately 24% of the total dollar volume of credit card transactions in the U.S.
See Authorization Code.
An authorization response that is received when a transaction is approved.
Process of verifying identity of an individual, device, or process. Authentication typically occurs through the use of one or more authentication factors such as:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric
Fraud-protection tools in card-processing equipment, including address verification (AVS) and card code verification (CCV) systems, aid in the authentication process, which is essential in Internet, phone and mail orders where the card is not present. Checking signatures and asking for other forms of ID also aid in authenticating card-present transactions.
Granting of access or other rights to a user, program, or process. For a network, authorization defines what an individual or program can do after successful authentication. For the purposes of a payment card transaction, authorization occurs when a merchant receives transaction approval after the acquirer validates the transaction with the issuer/processor.
Also called “Approval Code.” A code that an issuer or its authorizing processor provides to indicate approval for an authorization request.
A transaction that is created to reserve an amount against a credit card’s available limit for intended purchases; the actual settlement may occur within three to five days, depending on the card type.
The first six digits of a credit or debit account number. This number is used to identify the card-issuing institution.
The closing (settlement) of all credit-card transactions (batch) for a business day, or other designated time period. Merchants may perform this closeout manually, or the merchant account will be set up to automatically settle a batch of transactions before funds are cleared. See Clearing also.
Visa and MasterCard are not banks and do not issue credit cards or merchant accounts; instead, they act as a custodian and clearing house for their respective card brand. They also function as the governing body of a community of financial institutions, ISOs and MSPs that work together in association to support credit card processing and electronic payments — hence the name, “card associations.” Card Associations govern the members of their associations, including interchange fees and qualification guidelines, act as the arbiter between issuing and acquiring banks, maintain and improve the card network and their brand, and generate profit. Visa uses their VisaNet network to transmit data between association members, and MasterCard uses their Banknet network.
Note that American Express is not a card association; American Express issues credit lines and physical cards on its own without an association of other financial institutions, ISOs and MSPs.
Any association member financial institution, bank, credit union, or company that issues, or causes to be issued, plastic cards to cardholders.
An individual to whom a card is issued, or who is authorized to use an issued card.
A device that is capable of reading the encoding on plastic cards.
Also known as Card Validation Code or Value, or Card Security Code. Refers to either: (1) magnetic-stripe data, or (2) printed security features.
- Data element on a card’s magnetic stripe that uses secure cryptographic processes to protect data integrity on the stripe, and reveals any alteration or counterfeiting. Referred to as CAV, CVC, CVV, or CSC depending on payment card brand. The following list provides the terms for each card brand:
  - CAV – Card Authentication Value (JCB payment cards)
  - CVC – Card Validation Code (MasterCard payment cards)
  - CVV – Card Verification Value (Visa and Discover payment cards)
  - CSC – Card Security Code (American Express)
- For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit non-embossed number printed above the embossed primary account number on the face of the payment cards. The code is uniquely associated with each individual piece of plastic and ties the primary account number to the plastic.
A payment card that requires a full payment of the charge each billing cycle by the statement due date. Unlike credit cards, which give borrowers a revolving line of credit that can be accessed and paid down over time, charge cards do not allow balances to be carried forward and do not charge an interest rate. American Express began as a charge card and continues to offer these types of products (like the Green, Gold and Platinum American Express cards) in addition to general use credit cards.
A transaction returned through interchange by an issuer to an acquirer. A transaction may be returned because it was non-compliant with the association rules and regulations or because a cardholder disputed the transaction.
The process by which the acquirer sends purchase information to the card network which in turn sends it to the issuing institution. The issuer then prepares the information for the card member’s statement.
Compensating controls may be considered when an organization cannot meet a PCI DSS requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Also referred to as “data compromise,” or “data breach.” Intrusion into a computer system where unauthorized disclosure/theft, modification, or destruction of cardholder data is suspected.
All smart cards contain an embedded integrated circuit, which is a microchip inside the card that’s programmed to work with only a specific scanner. Contact smart cards require cardholders to actually insert the card for identification purposes. Conversely, contactless (RFID) smart cards only require the cardholder to be near the scanner for reading.
All smart cards contain an embedded integrated circuit, which is a microchip inside the card that’s programmed to work with only a specific scanner. Contact smart cards require cardholders to actually insert the card for identification purposes. Conversely, contactless smart cards, which are commonly known as RFID (radio frequency ID), only require the cardholder to be near the scanner for reading. With a contactless card, the antenna around the embedded chip is visible on the card.
A company that catalogs and sells information regarding the payment behavior of consumers and issues credit reports with related information. The three major national credit bureaus are Experian, Equifax and TransUnion.
A plastic payment card that is accepted by merchants worldwide with an encoded magnetic stripe on the back and/or an encoded chip (EMV cards) that can be read at the point of sale. Credit Cards offer card members the ability to pay balances over time by applying an interest rate to outstanding balances.
A charge to a customer’s bankcard account. A transaction, such as a check, automated teller machine (ATM) withdrawal or point-of-sale (POS) debit purchase that debits a demand deposit account.
A type of payment card used for transactions carrying one of the major association brands that is linked directly to a customer’s bank deposit account. ATM and some point of sale transactions require input of a four-digit personal identification number, while other transactions may require a customer’s signature. Debit card transactions don’t involve credit, but rather transfer money directly from the customer’s checking account to pay for the product or service involved.
Also called the “discount rate.” The fee paid by merchants to credit card processors for accepting general use credit cards (like Visa, MasterCard, American Express and Discover Card). Typically this fee runs between 1% and 3%, depending on the nature of the transaction.
Newest of the payment card brands; it began in 1986. The company now has over 50 million card members, but is the smallest of the four payments brands in terms of market share. Discover Card’s payments networks, Discover Network and PULSE, together processed more than 3 billion transactions in 2006. Discover Network connects millions of merchant and cash access locations throughout the U.S., Canada, Mexico, Central America and the Caribbean. PULSE serves more than 4,400 financial institutions and includes nearly 260,000 ATMs, as well as POS terminals nationwide.
A late addition to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, designed to reduce swipe fees charged to merchants by financial institutions, thereby reducing merchant costs (and so, by extension, costs to consumers). The Durbin Amendment is a highly debated change to the processing system, with many detractors describing its emphasis on interchange fees, without addressing other fees that can be added to transactions, as ultimately ineffective or even as raising the costs of handling electronic transactions.
Electronic Benefits Transfer. A U.S. system that provides a way for state governments to disburse financial and other benefits via plastic debit cards. Typically the benefits comprise food and cash.
The process of obfuscating information via specific cryptographic keys. The use of encryption protects valuable card data information against unauthorized disclosure, as encryption renders card information unintelligible to those who attempt to intercept the card data while in transit.
An amount that Visa and MasterCard have established for single transactions at specific types of merchant outlets and branches, above which additional authorization is required.
A security alert placed on a credit card account or credit bureau listing by either the customer or the issuer when fraudulent account activity is either experienced or suspected (also known as a credit freeze).
A transaction unauthorized by the cardholder of a bankcard. Such transactions are categorized as lost, stolen, not received, issued on a fraudulent application, counterfeit, fraudulent processing of transactions, account takeover or other fraudulent conditions as defined by the card company or the member company.
The process of the acquirer paying the merchant, after the acquirer receives payment from the issuing institution.
Also called a payment gateway. A secure portal that enables an electronic POS system to transmit credit card information to a payment processor for authorization and settlement.
The Apriva Gateway provides APIs, SDKs and web services to securely integrate mobile, web, traditional and unattended POS solutions to more than 30 payment processors.
A general use credit card (that can be used anywhere that accepts credit cards) or private label retail card (that is only redeemable at the store from which it was purchased) that has prepaid value on it and can be given as a gift.
Synonymous with the Discount Rate, this is a fee paid by an acquirer to an issuer for transactions entered into interchange. The interchange fee is a percentage applied, according to Visa/MasterCard regulations, to the dollar value of each transaction (typically between 1% and 3%, depending on the type of transaction).
Any association member financial institution, bank, credit union or company that issues, or causes to be issued, plastic cards to cardholders.
A stripe of magnetic information that is affixed to the back of a plastic credit or debit card. This stripe contains customer and account information that is required to complete electronic financial transactions. The physical and magnetic characteristics of this stripe are specified in the International Organization for Standardization standards 7810, 7811 and 7813.
Also referred to as “track data.” Data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions. Can be the magnetic stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe.
A transaction where a cardholder orders goods or services from a merchant by telephone, mail or other means of telecommunication, and where neither the card nor the cardholder is present at the merchant outlet.
MasterCard is a global bank card payments brand and network that provides its services to banks and merchants as follows:
- Franchisor: Through the thousands of financial institutions that are MasterCard’s customers, the company markets a strong portfolio of brands and products worldwide, including MasterCard, Maestro®, Cirrus® and MasterCard® PayPass™. With these, MasterCard offers a network of more than 24 million acceptance locations around the world and, in many cases, guarantees payment through its system. (It does not, however, issue cards, set annual fees, determine annual percentage rates on cards, or solicit merchants to accept cards. MasterCard’s customers, a myriad of financial institutions worldwide, manage the relationships with their cardholders and with merchants.)
- Processor: MasterCard’s processing enables efficient commerce on a global scale.
A member that signs a MasterCard merchant agreement or disburses currency to a MasterCard cardholder in a cash disbursement, and directly or indirectly enters the resulting transaction receipt into interchange.
A member that issues MasterCard cards.
A person or company selling products or services to consumers, contracted with a merchant bank or ISO to originate credit card, debit card, stored value, and/or EBT transactions.
Bank that has a merchant agreement with a merchant to accept (acquire) deposits generated by bankcard transactions.
This number is generated by a processor/acquirer and is specific to each individual merchant location. This number helps to identify the merchant during processing of daily transactions, rejects, adjustments, charge-backs, end-of-month processing fees, and more.
A set of standards for smartphones and similar devices to establish radio-communication with each other by touching them together or bringing them into proximity, usually no more than a few inches. NFC devices can be used in contactless payment systems, similar to those currently used in credit cards and electronic ticket smartcards, and allow mobile payment to supplement these systems.
The government agency, a division of the Treasury Department, that is responsible for regulating the national banks that issue credit cards in the U.S.
The PCI DSS is an information security standard for organizations that handle cardholder information for the major debit, credit and point of service cards. The PCI DSS standard includes requirements for security management, policies and procedures. Details can be found at https://www.pcisecuritystandards.org/security_standards/
Payment Card Industry.
Adherence to the industry-mandated security standards (PCI DSS and PA-DSS) that apply to all businesses that handle, process or store credit or debit cards. Businesses must meet the set requirements of the standards in order to be deemed “PCI compliant.”
All merchants fall under four categories of PCI compliance (Level 1, Level 2, Level 3 and Level 4), depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Each merchant must meet the compliance requirements for their PCI compliance level.
The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.
A location where credit card transactions are performed with the cardholder present, such as a retail store. The card is read magnetically, and the cardholder’s signature is obtained as insurance against the transaction. EMV transactions additionally use a PIN and cryptographic algorithms to provide authentication of the card to the POS system.
Security process that ensures cardholder data is protected from card swipe all the way through to the host. The valuable cardholder data is encrypted prior to performing an electronic payment transaction, making it useless to potential theft,
Completion, or settlement, of a sale in which Pre-Authorization has occurred. At this point, the cardholder’s issuing institution would remove the authorization hold and release funds for payment to the merchant.
The process of updating individual cardholder account balances to reflect merchandise sales, instant cash, cash advances, adjustments, payments and any other charges or credits.
A conditional offer of credit from a credit card issuer based on a pre-qualification of the individual’s credit from an abbreviated credit bureau report. Upon acceptance of such an offer, the issuer makes a credit decision (usually after obtaining more detailed credit information) and assigns an annual percentage rate based on the most up to date credit profile of the customer.
Also called an Authorization Hold, pre-authorization occurs when the cardholder’s issuing institution immediately authorizes a credit card transaction but holds the funds as unavailable from the merchant until he or she officially clears (settles) or reverses (cancels) the transaction. This allows for changes in the sale amount that might occur between the time of authorization and settlement, as in hotel stays where last-minute phone calls or room service use could affect the amount of the final bill after checkout.
The number that is embossed and/or encoded on a plastic card that identifies the issuer and the particular cardholder account.
The date on which the transaction is processed by the acquiring bank.
A company that handles all or some of the functions of a credit or debit transaction, ranging from providing terminals to managing back-end settlement.
A document that records when a transaction took place at the point of sale (POS). The receipt contains a description of the transaction, which usually includes the date, the merchant name/location, the primary account number, the amount and the reference number. Rece
Also known as Retrieval Reference Number or RRN. The unique number assigned to each monetary transaction in a descriptive billing system. Each reference number is printed on the monthly statement to aid in retrieval of the document, should it be questioned by the cardholder.
The creation of a credit to a cardholder account, usually as a result of a product return or to correct an error.
Under Reg Z, credit card issuers are required to disclose the terms and conditions to potential and existing cardholders at the point of account opening and at regular intervals. Upon soliciting and opening new credit card accounts, credit card issuers must generally disclose key information relevant to the costs of using the card, including the applicable interest rate that will be assessed on any outstanding balances and several key fees or other charges that may apply, such as the fee for making a late payment. In addition, issuers must provide consumers with an initial disclosure statement, which is usually a component of the issuer’s card member agreement, before the first transaction is made with a card. The card member agreement is the governing document for the account and provides more comprehensive information about a card’s terms and conditions than would be provided as part of the application or a solicitation letter.
A merchant that provides goods and/or services in the retail industry, but that is not a mail/phone merchant, a recurring services merchant or a travel and entertainment (T&E) merchant.
The process of a merchant reversing (canceling) a pre-authorized transaction. Similar to a chargeback, with the difference that merchants initiate a reversal, while customers initiate chargebacks.
Retrieval reference number. See Reference Number also.
Acronym for “Self-Assessment Questionnaire.” Tool used by any entity to validate its own compliance with the PCI DSS.
Named for the then-chairman of the Senate Banking Committee that passed landmark consumer protection legislation (Senator Charles Schumer, D – NY), this standardized disclosure “box” features relatively consistent terms and conditions for credit card offers. Specific terms and conditions such as purchase and cash advance interest rates, annual fees and rate calculation methods are required to be spelled out for consumers in conjunction with all new account solicitations.
Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
The reporting of settlement amounts owed by one member to another, or to a card issuing concern, as a result of clearing. Settlement is the actual buying and selling of transactions between the merchants, processors and acquirers, along with the card-issuing entities.
A bank, including a correspondent or intermediary bank, that is both located in the country where a member’s settlement currency is the local currency, and is authorized to execute settlement of interchange on behalf of the member or the member’s bank.
Also referred to as “chip card” or “IC card (integrated circuit card).” A type of payment card that has integrated circuits embedded within. The circuits, also referred to as the “chip,” contain payment card data including but not limited to data equivalent to the magnetic-stripe data.
A floor limit that varies by merchant type. This refers to a currency limit on transactions, above which authorization requests are required.
Acronym for “Terminal Access Controller Access Control System.” Remote authentication protocol commonly used in networks that communicates between a remote access server and an authentication server to determine user access rights to the network. This authentication method may be used with a token, smart card, etc., to provide two-factor authentication.
A rewards earning calculation that is typically disclosed as “up to” a certain percentage cash back. Various spending tiers earn increasing percentage rewards, up to the maximum amount advertised. For example, a reward offer advertised as up to 1% cash back could involve 0.25% for the first $1,000 in spending, 0.50% for the next $1,000 and 1.0% for all spending > $2,000.
(1) Any agreement between two or more parties that establishes a legal obligation. (2) The act of carrying out such an obligation. (3) All activities affecting a deposit account that are performed at the request of the account holder. (4) All events that cause some change in the assets, liabilities or net worth of a business. (5) An action between a cardholder and a merchant or a cardholder and a member that results in activity on the cardholder account.
A unique 15-character value that VISA assigns to each transaction and returns to the acquirer in the authorization response. VISA uses this value to maintain an audit trail throughout the life cycle of the transaction and all related transactions, such as reversals, adjustments, confirmations and charge-backs.
A provision allowing issuers to increase card members’ interest rates for adverse financial actions such as when cardholders failed to make timely payments to other creditors, like other credit card issuers, utilities, car lenders, landlords or mortgage lenders.
Credit card that is not secured by collateral. Customers qualify for unsecured credit cards based on their credit history, their financial strength and their earnings potential.
A unique 4-character value that VISA includes as part of the CPS/ATM program in each authorization response. This code ensures that key authorization fields are preserved in the clearing or settlement record.
A virtual terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Visa USA is one of the nation’s leading payment brands, backed by a secure payments network. Visa links more than 13,300 financial institutions, 6.9 million merchant acceptance locations and 520 million cards.
A member that issues Visa Cards.
A merchant that displays the Visa symbol and accepts all Visa cards.
An approval response that is obtained through interactive communication between an issuer and an acquirer, their authorizing processors or stand-in processing or through telephone, facsimile or telex communications. A transaction can then be run with the authorization code obtained via voice authorization.
A deletion of the transaction information.
Nullifies (nullified) a transaction that has been recorded for settlement, but has not yet been settled. This removes the transaction from the batch of transactions to be settled.