
# Glossary


### Access Control Server (ACS)

A component within the 3D Secure ecosystem, typically operated by the card issuer, that verifies the cardholder’s identity during authentication. The ACS may trigger a challenge flow and returns the final authentication result to support transaction authorization.

### Acquirer (Acquiring Bank)

A financial institution that processes card payments on behalf of a merchant and receives funds from the cardholder’s issuing bank. To accept card payments, an acquirer must be licensed by the relevant card networks and either operate its own payment processing infrastructure or partner with a payment processor.

### Acquirer Reference Number (ARN)

A unique identifier assigned to a card transaction as it moves from the merchant’s acquiring bank through the card network to the cardholder’s issuing bank. The ARN is used to trace and track payments or refunds. Both merchants and cardholders’ banks can use the ARN to investigate transaction status or confirm settlement details.

### Aggregator Merchant

An intermediary that enables merchants to accept payments through a shared relationship with an acquirer. Instead of contracting directly with the acquirer, merchants work with the aggregator, which may manage merchant onboarding, transaction processing under a shared or aggregated account, and settlement or payout distribution to merchants.

Common types of aggregator merchants include:

* Bill payment providers
* Digital wallet operators
* Marketplaces
* Payment facilitators (PayFacs)

### Application Programming Interface (API)

A set of tools, protocols, and definitions that enables software applications to communicate and integrate with each other. APIs can take various forms, including web APIs, SDKs, libraries, and frameworks, depending on the technology and use case.

In the payments industry, APIs are commonly provided by payment gateways, processors, acquirers, and other service providers to enable secure payment processing, transaction management, and related financial operations.

### Authentication

The process of verifying the identity of the person initiating a transaction to confirm they are the legitimate account holder. Authentication is separate from authorization and may involve methods such as 3D Secure, PIN verification, one-time passcodes, or biometric checks.

### Authentication Response (ARes)

A message returned by the Directory Server or Access Control Server (ACS) during a 3D Secure 2 authentication flow. The ARes communicates the outcome of the authentication request, such as successful authentication, authentication failure, or whether a challenge is required to continue the process.

### Authentication Request (AReq)

The initial message sent in a 3D Secure 2 authentication flow. It includes transaction, device, and browser information used by the issuer or ACS to assess transaction risk and determine whether authentication can proceed frictionlessly or requires a shopper challenge.

### Authorization

The process in which a card issuer verifies a payment request and reserves the required funds for a transaction. During authorization, the payment details are validated, risk and fraud checks may be performed, and the issuer approves or declines the transaction.

In ecommerce, in-app, and point-of-sale payments, authorization is typically initiated through a payment gateway API and processed through the payment network between the acquirer and issuer.

An authorized payment is not completed until it is captured. Before capture, the merchant may choose to cancel the authorization, for example due to fraud concerns or order changes. Authorizations remain valid only for a limited period and expire automatically if they are neither captured nor cancelled within the allowed timeframe.

### Bank Identification Number (BIN)

The first six to eight digits of a payment card number, used to identify the card issuer and card network. A BIN, also known as an Issuer Identification Number (IIN), helps determine which financial institution issued the card and which payment network it belongs to.

Because BINs may contain either six or eight digits, systems should rely on payment API response data or official card network BIN ranges when implementing BIN-based business logic.

A BIN can typically be used to identify:

* The card network
* The issuing financial institution

A BIN alone cannot reliably determine:

* The card type (for example, credit or debit)
* The country or region where the card was issued

### Cancel a Payment

The process of voiding an authorized payment before it has been captured. A merchant may cancel a payment for reasons such as suspected fraud, inventory issues, or customer request. When a payment is cancelled, the reserved funds are released back to the cardholder.

Payments that have already been captured cannot be cancelled. In such cases, the merchant must issue a refund to return the funds to the shopper. Captures, cancellations, and refunds are collectively referred to as payment modifications, as they change the state of an authorized payment transaction.

### Capture (Clearing and Settlement)

The process of completing an authorized payment by transferring the reserved funds from the shopper’s account to the merchant. Once a payment is captured, the transaction proceeds to clearing and settlement between the financial institutions involved.

By default, many payment systems capture payments automatically, immediately after authorization. However, some payment methods support separate authorization and capture flows, allowing merchants to:

* Delay capture for a defined period
* Capture payments manually through an API or management portal
* Perform partial captures
* Cancel an authorization before capture occurs

### Card Networks (Card Schemes)

Organizations that provide the infrastructure and operating rules required for card-based payment processing. Card networks connect issuers, acquirers, merchants, and payment processors to enable secure authorization, clearing, and settlement of card transactions.

For a payment to be processed, both the issuing bank and acquiring bank must participate in the same card network as the payment card being used.

Common card networks include:

* Visa
* Mastercard
* American Express
* China UnionPay

### Card Not Present (CNP)

A payment transaction in which the shopper’s physical payment card is not presented to the merchant at the time of purchase. Common examples of CNP transactions include ecommerce payments, in-app purchases, and mail order/telephone order (MOTO) transactions.

Because the card cannot be physically verified, CNP transactions are more susceptible to fraud. To reduce fraud risk, merchants commonly use additional security measures such as 3D Secure authentication and Address Verification System (AVS) checks.

### Card Number (PAN)

The unique number assigned to a payment card, such as a credit, debit, or prepaid card, used to identify the card during payment transactions. The full card number is known as the Primary Account Number (PAN).

The first six to eight digits of the PAN represent the Bank Identification Number (BIN), which identifies the card issuer and card network.

In card-not-present transactions, the PAN is typically used together with a card security code (such as CVV or CVC) to help verify the payment.

### Card on File (CoF)

A payment setup in which a shopper’s card details are securely stored to support faster and more convenient future transactions. Card-on-file payments are commonly used for one-click checkouts, pay-per-use services, and recurring payments that do not follow a fixed schedule.

Recurring payments made on a predefined schedule are typically referred to as subscriptions.

Merchants may store card details directly only if they meet the required PCI DSS compliance level, such as PCI Level 1 or Level 2 certification.

### Card Security Code (CVC, CVV, CID)

A 3- or 4-digit security code printed on a payment card and used primarily for card-not-present transactions to help verify that the shopper is in possession of the card.

Different card networks use different terms for the security code:

* Visa – Card Verification Value (CVV, CVV2)
* Mastercard – Card Validation Code (CVC, CVC2)
* American Express and Discover – Card Identification Number (CID)

Card security codes are classified as Sensitive Authentication Data (SAD) and are subject to strict PCI DSS compliance requirements regarding storage and handling.

### Cardholder

An individual or entity authorized to use a payment card issued by a financial institution to make cashless transactions with merchants.

### Cardholder Verification Method (CVM)

A security mechanism used to verify that the person using a payment card or other payment instrument is the legitimate cardholder. Common CVMs include PIN entry, signature verification, biometric authentication, and 3D Secure authentication.

### Cards

Payment cards issued by financial institutions that enable shoppers to make cashless transactions in stores, online, or within mobile applications. Cards can be debit, credit, or prepaid, and are typically operated through card networks such as Visa or Mastercard.

Cards are commonly used for purchases and cash withdrawals, and may also be linked to digital wallets or other payment solutions.

A payment card typically includes:

* A card number (PAN) that uniquely identifies the card
* An expiry date
* The cardholder’s name
* A card security code (such as CVV or CVC) used to help verify card-not-present transactions, including ecommerce and in-app payments

### Challenge Request (CReq)

A message sent from the cardholder’s device to the issuer’s Access Control Server (ACS) during a 3D Secure 2 challenge flow. The CReq contains the information required for the ACS to initiate and display the authentication challenge to the cardholder.

### Challenge Response (CRes)

A message sent from the Access Control Server (ACS) to the cardholder’s device after a 3D Secure 2 challenge has been completed or failed. The CRes contains the final challenge result, including the transaction status (`transStatus`), indicating whether the authentication was successful, unsuccessful, or could not be completed.

### Chargeback

A process in which a cardholder requests their issuing bank to reverse a payment made to a merchant. Chargebacks are commonly initiated when the shopper disputes a transaction, for example due to fraud, non-delivery of goods or services, or dissatisfaction after a refund request was denied.

Once a chargeback is raised, the merchant may have the opportunity to dispute it by submitting supporting evidence and documentation through the acquiring bank or payment processor. The final decision is typically made according to the rules of the relevant card network.

### Dispute

The process by which a merchant contests a chargeback initiated by a shopper through their issuing bank. Disputes typically arise after a captured payment has been challenged and the merchant believes the transaction was valid.

To dispute a chargeback, the merchant must provide supporting evidence, such as proof of delivery, transaction records, or service confirmation, to the acquiring bank or payment service provider. The evidence is then reviewed according to the rules of the relevant payment method or card network to determine the final outcome.

### Dual Message System (DMS)

A payment transaction processing model commonly used for credit card payments, where authorization and settlement occur in two separate steps.

The first message performs real-time authorization, verifying the transaction and reserving the funds on the cardholder’s account. The second message, sent later as part of the clearing and settlement process, finalizes the transaction and transfers the funds to the merchant.

### Dynamic Currency Conversion (DCC)

A service that allows shoppers to pay in their card’s billing currency when making purchases in a foreign currency.

When DCC is available and enabled on the payment terminal, the shopper is offered the choice to convert the transaction amount into their preferred currency before completing the payment. The terminal displays the applicable exchange rate and converted amount, enabling the shopper to make an informed decision.

The shopper can either accept or decline the DCC offer:

* If accepted, the transaction is processed in the shopper’s card currency and the conversion details are typically included on the receipt.
* If declined, the transaction is processed in the merchant’s local currency.

DCC helps shoppers immediately understand the total amount being charged in a familiar currency.

### Ecommerce Payments (Online Payments)

Payments made by shoppers through digital commerce channels such as websites, online stores, or social platforms for goods or services provided by merchants. These transactions are typically completed using payment cards or local payment methods designed for online use.

Ecommerce payments are a type of electronic payment and are distinct from in-app payments and point-of-sale (POS) payments. Merchants commonly use a payment service provider (PSP) to securely process and manage these transactions.

### In-App Payments (Mobile Payments)

Electronic payments made by shoppers within mobile applications using payment cards, digital wallets, or local payment methods. These payments are typically processed through native mobile payment APIs or mobile-optimized web interfaces.

In-app payments are one form of electronic payment and share similar infrastructure with ecommerce and point-of-sale payments. Merchants commonly rely on payment service providers (PSPs) to securely process, manage, and maintain these payment flows.

### Interchange Fee

A fee paid by the acquiring bank to the issuing bank for processing a card payment transaction through a card network. The interchange fee is typically set by the relevant card network and varies depending on factors such as card type, transaction method, and merchant category.

In addition to interchange fees, card networks may apply separate scheme or network fees. The acquirer then combines these costs with its own service fees before settling the remaining funds to the merchant.

### Issuer (Issuing Bank)

A financial institution that provides payment cards to shoppers for making cashless transactions online, in mobile applications, or at physical stores. To issue cards, the issuer must participate in one or more card networks or card issuing services.

The issuer is responsible for verifying transactions, authenticating the cardholder when required, and approving or declining payment authorizations.

In some payment contexts, the term issuer may also refer more broadly to the shopper’s bank, even when no physical card is involved, to distinguish it from the merchant’s bank or acquiring institution.

### Know Your Customer (KYC)

The process of identifying and verifying the identity of customers or businesses before providing financial or payment services. KYC procedures are required by financial regulations to help prevent fraud, money laundering, terrorism financing, and other illegal activities.

In the payments industry, KYC is commonly required before merchants, individuals, or business entities can receive payouts or access payment processing services.

### Mail Order/Telephone Order (MOTO)

A type of card-not-present (CNP) transaction in which payment details are provided to the merchant by mail, fax, or telephone rather than through an online checkout flow.

In MOTO transactions, shoppers typically communicate their card information directly to a call center agent or submit it using paper forms or vouchers. Because the card and cardholder are not physically present, MOTO payments generally carry a higher fraud risk and may be subject to additional compliance and security requirements.

### Marketplace

An ecommerce platform or mobile application that allows third-party sellers or service providers (sub-merchants) to offer products or services to customers through a shared platform. Payments are typically processed by the marketplace and then distributed between the platform operator and the participating sub-merchants.

Common examples of marketplaces include:

* Crowdfunding platforms
* Peer-to-peer marketplaces
* Ride-sharing services
* Service booking platforms

Marketplaces are generally responsible for onboarding sub-merchants, processing payments, performing Know Your Customer (KYC) checks, and managing payouts in compliance with financial regulations.

### Merchant

A business or organization that sells goods or services to shoppers through channels such as ecommerce websites, mobile applications, physical point-of-sale terminals, or a combination of these.

To accept payments made with cards or local payment methods, a merchant typically requires a relationship with an acquiring bank and access to payment processing services provided by a payment service provider (PSP).

### Merchant Category Code

A four-digit code used to classify merchants based on the type of goods or services they provide. MCCs are used by card networks, issuers, and acquirers for purposes such as interchange fee calculation, risk assessment, reporting, and rewards eligibility.

Although Merchant Category Codes are standardized by the International Organization for Standardization (ISO), individual card networks may define or interpret MCCs differently within their own schemes and processing rules.

* [Visa's merchant data standards](https://usa.visa.com/content/dam/VCOM/download/merchants/visa-merchant-data-standards-manual.pdf).
* [Mastercard's reference booklet](https://www.mastercard.us/en-us/business/overview/support/rules.html).

### Offline PIN

A cardholder verification method (CVM) in which the shopper’s PIN is validated directly by the chip on the payment card, without requiring a real-time connection to the issuing bank.

Offline PIN verification is commonly used in EMV chip card transactions and can help support payment acceptance in environments with limited or unavailable network connectivity.

### Offline Transaction

A payment transaction processed without an active network connection to the issuer or payment processor at the time of purchase. In offline transactions, the payment terminal relies on predefined card and terminal rules to decide whether to approve or decline the transaction locally.

Debit cards typically require online authorization and are more likely to decline offline transactions, while credit cards may allow limited offline approvals for smaller transaction amounts.

### Omnichannel Payment Solution

A unified payment platform that enables merchants to accept and manage cashless payments consistently across multiple sales channels, including ecommerce websites, mobile applications, and physical point-of-sale (POS) locations.

An omnichannel solution helps provide a seamless shopper experience by connecting payment data, reporting, and customer interactions across all channels within a single payment ecosystem. Unlike many payment service providers that focus on only one or two channels, omnichannel providers support integrated payment processing across online and in-store environments.

### One-Click Payments

A payment method that streamlines checkout for returning shoppers by securely storing their payment and billing details after an initial transaction. For subsequent purchases, shoppers can complete the payment with minimal input, typically by entering only their card security code (CVC/CVV).

One-click payments maintain full card authorization for each transaction and may still include security measures such as card security code validation and 3D Secure authentication when applicable.

A key advantage of one-click payments is improved checkout convenience while preserving strong payment authentication. A limitation is that the shopper must still be present to provide the card security code for each transaction.

### Online PIN

A cardholder verification method (CVM) in which the shopper’s PIN is securely transmitted and verified in real time by the card issuer during the authorization process. The PIN is encrypted before being sent to the issuing bank for validation.

Online PIN verification is supported only when the specific card network and payment card are configured to allow it. It is commonly used in debit card and EMV chip transactions.

### Payment Facilitator (PayFac)

A type of aggregator merchant that enables businesses to accept payments without establishing a direct relationship with an acquiring bank. A payment facilitator is authorized by an acquirer to onboard and manage merchants, known as sub-merchants, under its own payment infrastructure.

A PayFac typically performs the following functions:

* Onboards sub-merchants on behalf of the acquirer
* Processes payment transactions with card networks for sub-merchants
* Receives settlement funds from the acquirer
* Distributes payouts to sub-merchants

Payment facilitators simplify merchant onboarding and payment acceptance, but they also assume primary responsibility for transaction risk, regulatory compliance, and oversight of their sub-merchants.

### Payment Gateway

A technology service that enables merchants to initiate and manage electronic payments across online, in-app, and in-person channels. A payment gateway securely transmits payment data between the merchant, payment processor, acquiring bank, and other participants involved in the transaction flow.

Although a payment gateway facilitates payment communication and authorization requests, it does not directly handle the transfer of funds. Payment gateways are commonly integrated with ecommerce platforms, mobile applications, and point-of-sale systems.

A payment gateway may be provided by a bank or operated as an independent service connected to one or more payment processors.

### Payment Processor

A financial technology service that facilitates payment transactions by connecting the merchant, acquiring bank, issuing bank, and payment networks. The payment processor manages the technical flow of payment data, including authorization requests, transaction routing, and settlement processing.

Payment processors typically receive payment details from a payment gateway and communicate with the relevant financial institutions to approve or decline transactions on behalf of the merchant.

### Payment Service Provider (PSP)

A company that provides merchants with integrated payment services by combining the capabilities of a payment gateway and a payment processor. A PSP can connect merchants to multiple acquiring banks, card networks, and alternative payment methods through a single integration.

In addition to payment processing, a PSP may also offer services such as fraud prevention, risk management, reporting, tokenization, and settlement management. Some PSPs also operate as acquirers.

Using a PSP is often more convenient and cost-effective for merchants than maintaining separate relationships with multiple gateways, processors, and acquiring banks.

### Payment Services Directive Two (PSD2)

A European Union regulation governing payment services and payment service providers within the European Economic Area (EEA). PSD2 was introduced to improve payment security, increase competition, and encourage innovation in the payments industry.

One of the key requirements of PSD2 is Strong Customer Authentication (SCA), which mandates additional verification steps for many electronic payments to reduce fraud. PSD2 also enables regulated third-party providers to securely access customer account information and initiate payments with the customer’s consent.

### PCI Compliance

The state of meeting the requirements of the Payment Card Industry Data Security Standard (PCI DSS), a security standard established by major card networks to protect cardholder data and reduce payment fraud.

Any organization that stores, processes, or transmits payment card information must comply with PCI DSS requirements on an ongoing basis. These requirements cover areas such as data security, encryption, access control, vulnerability management, and monitoring.

Merchants that cannot fully manage PCI DSS obligations internally may reduce their compliance scope by using encrypted payment collection methods or outsourcing card data handling to a PCI-compliant payment service provider (PSP).

### Single Message System (SMS)

A payment transaction processing model, commonly used by PIN debit networks, in which authorization and clearing/settlement are performed within a single message exchange.

In an SMS transaction, funds are typically debited from the cardholder’s account immediately after successful authorization. Because authorization and settlement occur together, there is generally no separate capture step or opportunity for later modification of the transaction.

### Strong Customer Authentication (SCA)

A security requirement introduced under PSD2 and related European payment regulations to enhance the security of electronic payments and online banking transactions.

SCA requires multi-factor authentication using at least two of the following independent factors:

* Possession – something the shopper has (for example, a mobile phone or hardware token)
* Knowledge – something the shopper knows (for example, a password or PIN)
* Inherence – something the shopper is (for example, a fingerprint or facial recognition)

For example, a shopper may be required to enter a one-time code sent to their phone together with a password or biometric verification to complete a payment securely.

### Sub-Merchant

A merchant that accepts payments through a payment facilitator (PayFac) rather than establishing a direct relationship with an acquiring bank. The payment facilitator manages the onboarding process and processes payment transactions on behalf of the sub-merchant.

### Subscriptions

Recurring payments charged automatically on a fixed and predefined schedule, typically for ongoing access to products or services. Common examples include streaming platforms, software subscriptions, and membership services.

Subscription payments differ from Card on File (CoF) or Unscheduled Card on File (UCoF) payments, which do not follow a fixed billing schedule or amount.

### Tokenization

The process of replacing sensitive payment data, such as a card number, with a non-sensitive substitute value known as a token. The token has no exploitable meaning outside the specific payment environment but can be used to reference the original data securely when needed.

In the payments industry, tokenization is commonly used to protect cardholder data, reduce fraud risk, and minimize PCI DSS compliance scope. Tokens can also support recurring payments, one-click payments, and card-on-file payment flows without exposing the original card details.

When combined with technologies such as client-side encryption, tokenization helps merchants securely transmit shopper payment data to a payment service provider (PSP).

### Two-Factor Authentication (2FA) / One-Time Password (OTP)

A security process that requires two separate authentication factors to verify a user’s identity. This approach strengthens account and payment security by combining multiple forms of verification.

A one-time password (OTP) is a common second authentication factor based on possession. It is a temporary code, typically delivered via SMS, email, or an authentication app, and used together with another factor such as a password, PIN, or biometric verification.

2FA is commonly used to support Strong Customer Authentication (SCA) requirements for online payments and banking transactions.

