Protocol for Cardholder authentication in e-Commerce
Application Authentication Cryptogram
Application Blocked Flag
A unique sequence of numbers assigned to a cardholder account that identifies the issuer and type of financial transaction card.
Data provided by the cloud-based payments platform that is used on the mobile device to conduct a Visa payWave transaction at a Visa payWave reader. Account parameters generally consist of a static data component and a dynamic data component.
Account Parameter Replenishment
The operation of providing new values of dynamic data for an account parameter set for a mobile application to use for payments. The operation of generating the data used in replenishment is performed by the cloud-based payments platform.
Automated Clearing House. A regional organization used by member banks to electronically transfer funds between members.
Payment software development company owning BASE24 and Postilion switches.
A licensed member of MasterCard and/or VISA (or its agent) which maintains merchant relationships, receives all bankcard transactions from the merchant, and initiates that data into an interchange system.
Acquiring Bank/Merchant Bank
The bank that does business with merchants enabling them to accept credit cards. A merchant has an account with this bank and each day deposits the value of the day's credit card sales. Acquirers buy (acquire) the merchant's sales slips and credit the tickets' value to the merchant's account.
Application Definition File
Used to process disputes or discrepancies with other financial institutions.
Application Elementary File
A credit card issued in conjunction with an organization or collective group; for example, profession, alumni, retired persons association. The card issuer often pays the organization a royalty.
Application File Locator
An entity appointed by the Card Issuer to perform specific functions on behalf of the Card Issuer. Some examples of these functions include card processing, Cardholder verification using the 3-D Secure protocol, and Token Service.
Application Interchange Profile
A PAN that is not the same as the primary account number.
Abbreviation for American Express, an organization that issues travel and entertainment cards and acquires transactions.
American National Standards Institute. A U.S. standards accreditation organization.
Application Protocol Data Unit is the communication unit between a smart card reader and a card. The structure of an APDU is defined by the ISO 7816 standards.
There are two categories of APDUs: command APDUs and response APDUs. As the names imply, the former is sent by the reader to the card: it contains a mandatory 5-byte header and from 0 up to 255 bytes of data. The latter is sent by the card to the reader: it contains a mandatory 2-byte status word and from 0 up to 256 bytes of data.
Application Programming Interface
A computer program and associated data that reside on an integrated circuit chip and satisfy a business function. Examples of applications include payment, stored value, and loyalty.
Application Authentication Cryptogram (AAC)
A cryptogram generated by the card for offline and online declined transactions.
Instructions sent to the card by the issuer, to shut down the selected application on a card to prevent further use of that application. This process does not preclude the use of other applications on the card.
ARPC Response Code
Authorization Response Cryptogram
Authorization Request Cryptogram
Abstract Syntax Notation
Application Transaction Counter
Automated Teller Machine. An unattended terminal that has electronic capability, accepts PINs, and disburses currency or cheques.
ATM cash disbursement
A cash disbursement obtained at an ATM displaying the Visa, PLUS, or Visa Electron acceptance mark, for which the cardholder's PIN is accepted.
ATM Interchange Fee
The fee paid to the Acquirer Member by the Issuer Member for an ATM Transaction as established from time to time by a Network.
The telecommunications and processing system operated by or on behalf of an Acquirer Member to process Transactions initiated through the Acquirer Member's ATMs or Terminals. The ATM System includes all elements of the processing system from the ATM or POB Terminal to the interface with a Switch.
Application Usage Control
A cryptographic process by which Authentication Tokens are verified to establish the identity of an Account Holder.
The act of ensuring the cardholder has adequate funds available against his or her line of credit. A positive authorization results in an authorization code being generated, and those funds being set aside. The cardholder's available credit limit is reduced by the authorized amount.
Information in the chip application enabling the card to act on the issuer's behalf at the point of transaction. The controls help issuers manage their below-floor-limit exposure to fraud and credit losses. Also known as offline authorization controls.
A merchant's or acquirer's request for an authorization.
Authorization Request Cryptogram (ARQC)
The cryptogram generated by the card for transactions requiring online authorization and sent to the issuer in the authorization request. The issuer validates the ARQC during the Online Card Authentication (CAM) process to ensure that the card is authentic and was not created using skimmed data.
The issuer's reply to an authorization request. Types of authorization responses are: approval, decline, pickup, referral.
Authorization Response Cryptogram (ARPC)
A cryptogram generated by the issuer and sent to the card in the authorization response. This cryptogram is the result of the Authorization Request Cryptogram (ARQC) and the Issuer's authorization response encrypted with the Unique Derivation Key (UDK). It is validated by the card during Issuer Authentication to ensure that the response came from a valid issuer.
The average size of a merchant bankcard transaction. Generally used in pricing decisions and calculations.
Address Verification Service
Bank Identification Number (BIN)
A 6-digit number assigned by Visa and used to identify a member or processor for authorization, clearing, or settlement processing.
Bank Routing Number
The first nine digits that appear across the bottom of a personal check; they identify the financial institution.
A financial transaction card (credit, debit, etc.) issued by a financial institution.
BASE I Authorization System
The V.I.P. System component that performs message routing, cardholder and card verification, and related functions such as reporting and file maintenance.
The VisaNet system that provides deferred clearing and settlement services to members.
Payment processing platform owned by ACI.
The accumulation of captured (sale) transactions waiting to be settled. Multiple batches may be settled throughout the day.
A type of data processing and data communications transmission in which related transactions are grouped together and transmitted for processing, usually by the same computer and under the same application.
Binary Coded Decimal
Base derivation key for DUKPT security operation.
Basic Encoding Rules
BASE Identification Number. See Bank Routing Number.
BIN Controller / Manager
An entity that controls the issuance and allocation of ISO BINs that will be used to issue Payment Tokens according to this specification.
Binary Coded Decimal
A code for representing decimal digits in a binary format.
A day on which a Federal Reserve Bank to which a Member may send applicable items for presentment is open for business, other than a state bank holiday.
8 bits of data.
Card Authentication Method
The date on which a transaction is processed by an acquirer.
A consumer device containing the Visa contactless payment application. Note that the consumer device may not be a plastic card, but for the purposes of this specification, the term card is used to represent the consumer device.
Card acceptance device
A device capable of reading and/or processing a magnetic stripe or chip on a card for the purpose of performing a service such as obtaining an authorization or processing a payment.
The entity that initiates a payment transaction and presents transaction data to the Acquirer, typically a Merchant.
Card Acceptor ID
The identification value for the Card Acceptor.
A means of validating whether a card used in a transaction is the genuine card issued by the issuer.
Card Authentication Method (CAM)
See Online Card Authentication.
Instructions, sent to the card by the Issuer, which shut down all proprietary and non-proprietary applications that reside on a card to prevent further use of the card.
A feature of NFC that enables an NFC-enabled device to emulate a contactless chip card.
1) The financial institution or retailer that authorizes the issuance of a card to a consumer (or another organization), and is liable for the use of the card. The issuer retains full authority over the use of the card by the person to whom the card is issued.
2) Any bank or organization that issues, or causes to be issued, bankcards to those who apply for them.
3) Any organization that uses or issues a personal identification number (PIN).
Card Issuer Access Control Server (ACS)
The Card Issuer's Agent that provides a 3-D Secure service for ID&V.
Card Verification Code (CVC)
A unique value calculated from the data encoded on the magnetic stripe of a MasterCard card, validating card information during the authorization process.
Card Verification Value (CVV)
A unique value calculated from the data encoded on the magnetic stripe of a VISA card, validating card information during the authorization process.
The person to whom a financial transaction card is issued or an additional person authorized to use the card.
The process of determining that the presenter of the card is the valid cardholder. In this specification referred to as Consumer Verification.
Cardholder Verification Method (CVM)
A method used to confirm the identity of a cardholder.
An amount advanced by a bank teller (or ATM) to a bankcard holder against the cardholder's line of credit.
An optional feature of a Purchase whereby all or part of the Purchase is returned as cash to the Cardholder.
Currency, including travelers cheques, paid to a cardholder using a card.
Cash obtained in conjunction with, and processed as, a purchase transaction.
Cipher Block Chaining
Chip Card Payment Service, the former name for Visa Smart Debit and Visa Smart Credit (VSDC).
Card Risk Management Data Object List
Customer Exclusive Data
Certificate Authority (CA)
A trusted central administration that issues and revokes certificates.
A transaction that is challenged by a cardholder or card issuing bank and is sent back through interchange to the merchant bank for resolution.
The number of calendar days (counted from the transaction processing date) during which the issuer has the right to charge the transaction back to the acquirer. The number of days varies according to the type of transaction from 45 to 180 days.
A service in which a merchant accesses a national negative file database through their terminal/register to verify or authorize that the person has no outstanding bad check complaints at any of the member merchants. This is not a guarantee of payment to the merchant.
A small square of thin semiconductor material, such as silicon, that has been chemically processed to have a specific set of electrical characteristics such as circuits, storage, and/or logic elements.
A card embedded with a chip that communicates information to a point-of-transaction terminal.
A card acceptance device that is designed and constructed to facilitate the addition of a chip reader/writer.
Card Issuer Action Code
Cryptogram Information Data
Class Byte of the Command Message
Card Life Cycle Data
The collection and delivery to the issuer of a completed transaction record from an acquirer.
An account at the clearing bank that will receive a member's credit or debit for net settlement.
A bank designated by the member to receive the member's daily net settlement advisement. The clearing bank will also conduct funds transfer activities with the net settlement bank and maintain the member's clearing account. This bank may be the member itself.
A capability that resides in a network.
Term used to describe payments that are enabled by accounts that are managed in systems residing in a network rather than in secure hardware solutions inside the mobile device.
Cloud-Based Payments Device Threshold Management Parameters
Parameters defined by the issuer and managed by the mobile application that are used to trigger a request for account parameter replenishment from the mobile application.
Cloud-Based Payments Program
A systems solution residing in a network that provides the functional logic to support a cloud-based payments solution.
Cloud-Based Payments Program Risk Management Parameters
Parameters defined by the issuer and managed by the cloud-based platform that are used to govern the validity of account parameters used for payment, and whether to initiate an account parameter replenishment.
The procedure a VISA or MasterCard member may use to resolve a dispute between members when no chargeback reason code applies. The challenging member must prove financial loss due to a violation of MasterCard and/or VISA rules by the other member.
Proximity Card (PICC) or other chip-capable device (for example, a cell phone) that is used by consumers to conduct payment.
See Cardholder Verification.
A term that is used interchangeably with 'Visa payWave' in this document.
A transaction conducted over the contactless interface according to this specification.
A plastic card which has been fraudulently printed, embossed or encoded to appear to be a genuine bankcard, but which has not been authorized by MasterCard or VISA or issued by a member. A card originally issued by a member but subsequently altered without the issuer's knowledge or consent.
An Access Account which provides for the advance of cash, merchandise or other commodity, in the present, in exchange for a promise to pay a definite sum at a future date, usually with interest.
A plastic card with a credit limit used to purchase goods and services and to obtain cash advances on credit for which a cardholder is subsequently billed by the issuer for repayment of the credit extended.
The maximum amount the cardholder may owe to the issuer on the card account at any time.
Card Risk Management
A numeric value that is the result of data elements entered into an algorithm and then encrypted. Commonly used to validate data integrity.
The numeric value entered into a cryptographic algorithm that allows the algorithm to encrypt or decrypt a message.
The art or science of keeping messages secret or secure, or both.
Card Status Information
Card Terminal Verification Results
Card Verification Code
Cardholder Verification Method
An issuer-defined list contained within a chip application establishing the hierarchy of methods for verifying the authenticity of a cardholder.
Cryptogram Version Number
Card Verification Results
Card Verification Value
Data Authentication Code
Validation that data stored in the integrated circuit card has not been altered since card issuance. See also Offline Data Authentication.
The process of transforming processing information to make it unusable to anyone except those possessing special knowledge, usually referred to as a key.
Data Encryption Algorithm (DEA)
An encipherment operation and an inverse decipherment operation in a cryptographic system.
Data Encryption Standard (DES)
Data Encryption Standard (DES) is a widely used block cipher that uses a private (secret) key, standardized by ANSI in 1981 as ANSI X.3.92. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
A collection of data organized and designed for easy access, e.g., a collection of customer names and addresses.
DDA (Off-line Dynamic data authentication)
When both the terminal and the card support offline data authentication, the terminal chooses which kind of offline data authentication will be performed. With DDA, the terminal determines whether the card is genuine and whether the data personalized in the card has been altered since personalization. This is done through dynamic data encryption (RSA), with the resulting value passed to the terminal for authentication with a public certificate.
Directory Definition File
Dynamic Data Object List
The process of redeeming a Payment Token for its associated PAN value based on the Payment Token to PAN mapping stored in the Token Vault. The ability to retrieve a PAN in exchange for its associated Payment Token should be restricted to specifically authorised entities, individuals, applications, or systems.
Data Encryption Algorithm
A charge to a customer's bankcard account.
Any card that primarily accesses a Deposit Account.
A bankcard used to purchase goods and services and to obtain cash, which debits the cardholder's personal deposit account.
Decline OR Declined
The denial of an Authorization Request by, or on behalf of, an Issuer Member.
The process of transforming ciphertext into cleartext.
An Access Account, other than a Credit Account, maintained by a Member for processing transactions. Deposit Accounts include checking, NOW, savings, share draft, and such other depository accounts as are legal under Applicable Law.
See Credit Deposit.
Data Encryption Standard
A secret parameter of the Data Encryption Standard algorithm.
Dedicated File Name
A cryptogram generated by encrypting a message digest (or hash) with a private key that allows the message content and the sender of the message to be verified.
Draft International Standard
An amount charged a merchant for processing its daily credit card transactions.
Derivation (DEA) Key
Derivation Key Index
DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network.
Doing Business As (DBA)
Refers to the specific name and location of the merchant establishment where credit card purchases are made.
Double-length DES Key
Two secret 64-bit input parameters of the Data Encryption Standard algorithm, each consisting of 56 bits that must be independent and random, and 8 error-detecting bits set to make the parity of each 8-bit byte of the key odd.
Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which every transaction uses a unique key that is derived from a fixed key.
Dynamic Data Authentication (DDA)
A type of Offline Data Authentication where the card generates a cryptographic value using transaction-specific data elements for validation by the terminal to protect against skimming.
A replication of the magnetic stripe information on the chip to facilitate payment as part of multi-application programs. Easy Entry is not EMV-compliant and is being phased out.
Electronic Code Book
Electronic Cash Register
The electronic equivalent of a paper check.
A form of banking in which funds are transferred through an exchange of electronic signals between financial institutions, rather than an exchange of cash, checks or other negotiable instruments.
Electronic Bill Payment (E-pay)
An alternative to paper checks for paying bills. Consumers can use PCs, telephones, screen phones or ATMs to send electronic instructions to their bank or bill payment provider to withdraw funds from their accounts and pay merchants. Payments may be made either electronically or by a paper check issued by the bill payment provider.
Electronic Cash Register
An electronic cash register (ECR) is a system designed to enable products to be sold at a retail outlet. Electronic cash registers help large retail outlets track sales, minimize register errors, collect inventory data and much more.
Electronic Check Acceptance or ECA
A system that captures banking information off a paper check and converts it into an electronic item processed through the Automated Clearing House network. With ECA, checks are processed similarly to credit cards, and the paper check is returned to the consumer at the point of sale.
Electronic Commerce (E-commerce)
The transacting of business electronically rather than via paper.
Electronic Funds Transfer (EFT)
A transfer of funds between accounts by electronic means rather than conventional paper-based payment methods. EFT is any financial transaction originating from a telephone or electronic terminal, or from a computer or magnetic tape.
EMV, or EuroPay, MasterCard and Visa, is a microchip-based technology designed to reduce fraud at the point-of-sale. Banks are beginning to issue payment cards with these embedded chips, which also support contactless payments.
Technical specifications developed jointly by Europay International, MasterCard International, and Visa International to create standards and ensure global interoperability for use of chip technology in the payment industry.
EMV Type Cryptogram
A cryptogram that fits into the existing cryptogram field in EMV transaction messages.
The technique of scrambling data automatically in the terminal or computer before data is transmitted for security/anti-fraud purposes.
A card on which the embossed, encoded, or printed expiration date has passed.
File Control Information
Form Factor Indicator
File Control Information (FCI)
Provided in a card response when the card application is selected (using a SELECT command) by a reader or terminal.
Any organization in the business of moving, investing or lending money, dealing in financial instruments, or providing financial services. Includes commercial banks, thrifts, federal and state savings banks, savings and loan associations, and credit unions.
A currency amount that Visa has established for single transactions at specific types of merchants, above which online authorization is required.
Form Factor Indicator (FFI)
A field that indicates the form factor of the consumer payment device and the type of contactless interface over which the transaction is conducted.
Refers to the payment to a merchant for his submitted deposits.
Funds Transfer System
A wire transfer network, ACH, or other communication system or clearing house or association of banks in which First Data's Clearing/Funding Bank is a member and through which a payment order by a bank may be transmitted. Includes SWIFT, CHIPS, Fedwire, the National Association of Clearing House Associations, MasterCard and VISA.
GET PROCESSING OPTIONS command
Another term for a mobile device, usually a mobile phone handset.
Hardware Security Module (HSM)
A secure module used to store cryptographic keys and perform cryptographic functions.
The result of a non-cryptographic operation, which produces a unique value from a data stream.
See Host Card Emulation
Hours, Minutes, Seconds
Host Card Emulation (HCE)
Term used to describe mobile device capability in which the card emulation ability for NFC is provided through a software-based solution rather than a hardware secure element.
Host data capture system
An acquirer authorization system that retains authorized transactions for settlement without notification from the terminal that the transaction was completed.
A hardware security module manages secured keys, message validation and PIN authentication cryptoprocesses. It also provides strong authentication to access critical keys for payments applications.
Issuer Application Data
Issuer Authentication Response Code
Integrated Circuit Card
Identification and Verification (ID&V)
A valid method through which an entity may successfully validate the Cardholder and the Cardholder's account in order to establish a confidence level for Payment Token to PAN / Cardholder binding (e.g., account verification message, risk score based on assessment of the PAN, use of a one-time password by the Card Issuer or its Agent to verify the Cardholder).
ICC Dynamic Number
International Electrotechnical Commission
See Bank Routing Number.
Issuer Master Keys
Issuer Master Keys for Data Authentication Code
Initial Chaining Vector
The input data applied to the first data block in a Triple DES encryption process.
Integrated Circuit Card (ICC)
See chip card.
Integrated Circuit Chip
The domestic and international systems operated by VISA and MasterCard for authorization, settlement and the passing through of interchange and other fees, as well as other monetary and non-monetary information related to bankcard activities.
Fees paid by the acquirer to the issuer to compensate for transaction-related costs. VISA and MasterCard establish interchange fee rates.
International Organisation for Standardisation (ISO)
The specialized international agency that establishes and publishes international technical standards.
The ability of all card acceptance devices and terminals to accept and read all chip cards that are properly programmed.
International Organization for Standardization
A Visa customer that issues Visa or Electron cards, or proprietary cards bearing the PLUS or Visa Electron Symbol.
Issuer Action Codes (IACs)
Card-based rules which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.
Validation of the issuer by the card to ensure the integrity of the authorization response. See Authorization Response Cryptogram (ARPC).
The financial institution (a licensed member of MasterCard or VISA) which holds contractual agreements with and issues cards to cardholders.
Japanese Credit Bureau (JCB)
Issuers of the JCB card.
The creation of a new key for subsequent use.
The handling of cryptographic keys and other related security parameters during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving.
The Key Serial Number identifies the key used for DUKPT security processing and the actual cryptographic operation counter.
Last online Application Transaction Counter
Exact length of data sent by the Terminal Application Layer (TAL) in a Case 3 or 4 command
Least Common Multiple
Lower Consecutive Offline Limit
Length of the plaintext data in the Command Data Field
Length of the ICC Dynamic Data
Maximum length of data expected by the TAL in response to a Case 2 or 4 command
Limited Use Key
A cryptographic key that is only valid for a certain duration of time.
Longitudinal Redundancy Check
Luhn digit check
A simple checksum formula used to validate a variety of identification numbers, such as credit card numbers and IMEI numbers.
Message Authentication Code
Magnetic Information Character Recognition (MICR)
Imprinted banking numbers (routing/transit number, checking account number, check number) at the bottom of the check.
The stripe on the back of the card that contains the magnetically coded account information necessary to complete a non-chip electronic transaction.
Magnetic Stripe Image
The minimum chip payment service data replicating information in the magnetic stripe required to process a transaction that is compliant with EMV.
Recurring specification update from VISA or MasterCard.
Mobile Application Platform.
Master Derivation Keys (MDK)
Master DES keys stored in the issuer host system. These keys are used to generate Unique Derivation Keys (UDKs) for personalization, to validate ARQCs, and to generate ARPCs.
Master Derivation Key
A financial institution which is a member of VISA USA and/or MasterCard International. A member is licensed to issue cards to cardholders and/or accept merchant drafts.
A retailer, or any other person, firm, or corporation that, according to a Merchant Agreement, agrees to accept credit cards, debit cards, or both, when properly presented.
A member that has entered into an agreement with a merchant to accept deposits generated by bankcard transactions; also called the acquirer or acquiring bank.
The written contract between merchant and acquirer that details their respective rights, responsibilities and warranties.
Merchant Category Code (MCC)
A code designating the principal trade, profession, or line of business in which a merchant is engaged.
A number that numerically identifies each merchant to the merchant processor for accounting and billing purposes.
Merchants that accept Visa payWave payment transactions at their point-of-sale.
Message authentication code (MAC)
A digital code generated using a cryptographic algorithm which establishes that the contents of a message have not been changed and that the message was generated by an authorized entity.
MICR Number Method
A check authorization procedure that uses the bank routing/transit numbers, checking account numbers and check number encoded along the bottom of the check.
MasterCard Internet Gateway Service (MIGS) is a payment gateway system that allows banks to accept card not present (CNP) transactions. MIGS is PCI-DSS-compliant and is typically branded and priced by the acquiring bank. It is used to interconnect online merchants to their acquiring banks through standards-compliant technology and an API (Virtual Payment Client). This payment gateway provides support for services such as "MasterCard SecureCode", "Verified by Visa" and "JCB J/Secure".
ICC Master Key Application Cryptogram
ICC Master Key for ICC Dynamic Number generation
ICC Master Key for Secure Messaging for Confidentiality
ICC Master Key for Secure Messaging for Integrity
A software application resident on the mobile device that consumers use to interact with their mobile device to access a product or a service. For cloud-based payments, mobile applications typically include, but are not necessarily limited to, mobile banking applications or mobile wallet applications.
Mobile Application Platform
A server-based system that provides for the management of capabilities and services to mobile applications. For cloud-based payments, mobile application platforms may be, but are not necessarily limited to, existing mobile banking platforms or mobile wallet platforms.
A portable electronic device with wide area communication capabilities that can be enabled with Visa payWave functionality. Mobile devices include mobile handsets, handhelds, smartphones, and other consumer electronic devices, such as suitably equipped PDAs.
Magnetic Stripe Data
The presence of multiple applications on a chip card (for example, payment, loyalty, and identification).
Length of the Certification Authority Public Key Modulus
Near-Field Communication (NFC)
A short-range contactless proximity technology based on ISO/IEC 18092, which provides for ISO/IEC 14443-compatible communications.
Payment to the merchant for sales drafts less credits minus the appropriate discount fee.
Discount income less interchange expense.
The settlement, through an actual transfer of funds, of the net effect of a series of financial transactions involving customers of two or more banks.
Near field communication is a set of standards derived from EMV to establish radio communication between an account-data-holding device (ICC card, mobile) and a payment device (POS) by touching them together or bringing them into close proximity, usually no more than a few centimeters.
Length of the Issuer Public Key Modulus
The four most significant or least significant bits of a byte of data.
Length of the ICC Public Key Modulus
In a payment system, a financial institution not offering retail banking services.
ICC PIN Encipherment Public Key Modulus
A transaction that is positively completed at the point of transaction between the card and terminal without an authorization request to the issuer.
A method of processing a transaction without sending the transaction online to the issuer for authorization.
Offline Data Authentication
A process whereby the card is validated at the point of transaction using RSA public key technology to protect against counterfeit or skimming. VIS includes two forms: Static Data Authentication (SDA) and Dynamic Data Authentication (DDA).
A transaction that is negatively completed at the point of transaction between the card and terminal without an authorization request to the issuer.
A PIN value stored on the card that is validated at the point of transaction between the card and the terminal.
Offline PIN verification
The process whereby a cardholder-entered PIN is passed to the card for comparison to a PIN value stored secretly on the card.
A card acceptance device that is able to perform offline approvals.
A card acceptance device that is not capable of sending transactions online for issuer authorization.
Offline Cumulative Transaction Amount
A method of requesting an authorization through a communications network other than voice to an issuer or issuer representative.
Online Card Authentication (CAM)
Validation of the card by the issuer to protect against data manipulation and skimming. See Authorization Request Cryptogram (ARQC).
A method of PIN verification where the PIN entered by the cardholder into the terminal PIN pad is DES-encrypted and included in the online authorization request message sent to the issuer.
A card acceptance device that is able to send transactions online to the issuer for authorization.
A financial institution that initiates a wire transfer or automated clearing house (ACH) payment.
One location of a chain.
Over the Air (OTA)
A method of distributing new software updates to mobile devices or provisioning handsets with the necessary settings with which to access services.
Primary Account Number
Sales slips, credit slips, cash disbursement slips and other obligations indicating use of a card or a card account. Also referred to as 'media'.
A secret string of characters (usually numeric) used for consumer authentication to gain access to mobile applications on the mobile device. Consumers use the keypad of their mobile device to authenticate themselves.
Payment Application Data Security Standard (PA DSS)
The global security standard created by the Payment Card Industry Security Standards Council (PCI SSC) to provide the definitive data standard for software vendors that develop payment applications.
Payment Card Industry Data Security Standard (PCI DSS)
A proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
An e-commerce application service provider service that authorizes payments for e-businesses, online retailers, or traditional brick and mortar businesses. It is equivalent to a physical point of sale terminal located in most retail outlets.
An entity that provides payment processing services for Acquirers and / or Issuers. A Payment Processor may in addition to processing provide operational, reporting and other services for the Acquirer or Card Issuer.
An electronic payment system used to accept, transmit, or process transactions made by payment cards for money, goods, or services, and to transfer information and funds among Issuers, Acquirers, Payment Processors, Merchants, and Cardholders.
A set of instructions and procedures used for the transfer of ownership and settlement of obligations arising from the exchange of goods and services.
Payment Tokens can take on a variety of formats across the payments industry. For this specification, the term Payment Token refers to a surrogate value for a PAN that is a 13 to 19-digit numeric value that must pass basic validation rules of an account number, including the Luhn check digit. Payment Tokens are generated within a BIN range that has been designated as a Token BIN Range and flagged accordingly in all appropriate BIN tables. Payment Tokens must not have the same value as or conflict with a real PAN.
Certification Authority Public Key
Processing Options Data Object List
The process of populating a card with the application data that makes it ready for use.
Issuer Public Key
ICC Public Key
Proximity IC Card. Synonymous with the consumer device in Book D of [EMV CL].
PIN (Personal Identification Number)
The confidential individual number or code used by a cardholder to authenticate card ownership for ATM or POS terminal transactions.
PIN Authorization Request
A procedure enabling the issuer to validate cardholder identity by comparing the PIN to the account numbers.
A Tamper Resistant Security Module that enables a Cardholder to enter his or her PIN at a Terminal.
A procedure utilized by or on behalf of the Issuer Participant to verify the identification of the Cardholder as a result of the use of the PIN upon receipt of a Transaction request.
Proprietary Application Identifier Extension
Data in its original unencrypted form.
Point of Sale (POS)
The point of sale (POS) or point of purchase (POP) is the time and place where a retail transaction is completed. At the point of sale, the merchant would calculate the amount owed by the customer and indicate the amount, and may prepare an invoice for the customer (which may be a cash register printout), and indicate the options for the customer to make payment. It is also the point at which a customer makes a payment to the merchant in exchange for goods or after provision of a service. After receiving payment, the merchant may issue a receipt for the transaction, which is usually printed, but is increasingly being dispensed with or sent electronically. (source: Wikipedia)
Point of transaction (POT)
The physical location where a merchant or acquirer (in a face-to-face environment) or an unattended terminal (in an unattended environment) completes a transaction.
An electronic system that accepts financial data at or near a retail selling location and transmits that data to a computer or authorization network for reporting activity, authorization and transaction logging.
A device used at the point of transaction that has a corresponding point-of-transaction capability. See also Card Acceptance Device.
Point of Service
A device placed in a merchant location that is connected to the bank's system or authorization service provider via telephone lines and is designed to authorize, record and forward data by electronic means for each sale.
Payment processing platform formerly owned by Mosaic, S1 and currently by ACI.
A command sent by the issuer through the terminal via an authorization response to update the electronically stored contents of a chip card.
Proximity Payment Systems Environment
A reloadable or non-reloadable debit card that allows the holder to only spend up to the amount that has been pre-deposited into the account.
Primary Account Number (PAN)
A variable length, 13 to 19-digits, ISO 7812-compliant account number that is generated within account ranges associated with a BIN by a Card Issuer.
As part of an asymmetric cryptographic system, the key that is kept secret and known only to the owner.
Processing Host System
Term used to describe the system used by an issuer to authorize payment transactions.
An organization that is connected to VISANet and/or Banknet and provides authorization and/or clearing and settlement services on behalf of a member.
In this document, refers to contactless technology as described in [EMV CL].
Proximity Payment System Environment (PPSE)
The purpose of the Proximity Payment System Environment is to inform the contactless payment terminal of the types of payment products that are available on the card or mobile device that is presented to the terminal. The payment terminal uses this information to determine if a payment is possible.
Payment System Environment
Application PAN Sequence Number
PIN Try Counter
PIN Try Limit
As part of an asymmetric cryptographic system, the key known to all parties.
Public key cryptographic algorithm
A cryptographic algorithm that allows the secure exchange of information, but does not require a shared secret key, through the use of two related keys—a public key which may be distributed in the clear and a private key which is kept secret.
Public key pair
The two mathematically related keys, a public key and a private key which, when used with the appropriate public key cryptographic algorithm, can allow the secure exchange of information, without the secure exchange of a secret.
A retail purchase of goods or services; a point-of-sale transaction.
PIN Verification Value
A transaction representing a merchant's sale of items, such as gaming chips or money orders, that are directly convertible to cash.
quick Visa Smart Debit/Credit
For transactions conducted over the contactless interface, the qVSDC Path is an application path taken by the card which results in card behavior defined for qVSDC. This path is taken for contactless transactions where the card and reader both support qVSDC.
An EMV online-capable terminal function that allows for the selection of transactions for online processing. Part of Terminal Risk Management.
The merchant device communicating with the card/Mobile Application.
A code used to provide additional information to the receiving clearing member regarding the nature of a chargeback, subsequent presentment, fee collection, funds disbursement, or request for a source document.
A hard copy description of the transaction that took place at the point-of-sale, containing at minimum: date, merchant name/location, primary account number, type of account accessed, amount, reference number, and an action code.
A transaction charged to the cardholder (with prior permission) on a periodic basis for recurring goods and services, i.e., health club memberships, book-of-the-month clubs, etc.
A twenty-three (23) position number assigned by the acquiring member and used to identify a transaction.
An authorization response where the merchant or acquirer is instructed to contact the issuer for further instructions before completing the transaction.
Information required by the biller to post customer bill payments effectively.
Requested Token Assurance Level / Assigned Token Assurance Level
The Requested Token Assurance Level is requested from the Token Service Provider by the Token Requestor. Requested Token Assurance Level is a field included in the Token Request. The Assigned Token Assurance Level is the actual value assigned by the Token Service Provider as the result of the ID&V process and is provided back to the Token Requestor in response to the Token Request.
A BASE II or online financial transaction used to negate or cancel a transaction that has been sent through interchange.
Reserved for Future Use (see next table)
Registered Application Provider Identifier
Reset Internal Parameters
ROM (Read-Only Memory)
Permanent memory that cannot be changed once it is created. It is used to store chip operating systems and permanent data.
RSA (Rivest, Shamir, Adleman)
A public key cryptosystem developed by Rivest, Shamir, and Adleman, used for data encryption and authentication.
Paper documentation of a transaction. Also called a sales slip, charge slip or hard copy.
Certification Authority Private Key
SDA (Off-line Static data authentication)
When both the terminal and the card support off-line data authentication, the terminal chooses which kind of off-line data authentication will be performed. With SDA, the terminal determines whether the card is genuine or not: the card passes its internal checksum data, encrypted (RSA), to the terminal for authentication with a public certificate.
A key that is used in a symmetric cryptographic algorithm (that is, DES), and cannot be disclosed publicly without compromising the security of the system. This is not the same as the private key in a public/private key pair.
A tamper-resistant module capable of hosting mobile device applications in a secure manner. A hardware-secure chip-based solution that is resident in the mobile device, either as an integrated component or as a removable component such as a Universal Integrated Circuit Card (UICC) Subscriber Identity Module (SIM) card or a memory card solution.
A process that enables messages to be sent from one entity to another, and protects against unauthorized modification or viewing.
Security Compliance Review
A review that is based on an approved checklist and that is performed by a Member's or Processor's Approved Auditor to verify the Member's or the Processor's compliance with these Rules.
A temporary cryptographic key computed in volatile memory and not valid after a session is ended.
As the sales transaction value moves from the merchant to the acquiring bank to the issuer, each party buys and sells the sales ticket. Settlement is what occurs when the acquiring bank and the issuer exchange data or funds during that function.
A document issued to the merchant, indicating the sales and credit activity, billing information, discount fee and chargebacks (if any) occurring during a particular time frame (one week, one month).
Short File Identifier
Secure Hash Algorithm
Shopping Cart Software
Shopping cart software allows the cardholder to select items from an online store and place them in a virtual shopping basket or shopping cart. The shopping cart remembers which items are selected while the cardholder views other items within the virtual storefront, keeps a running total, and may calculate taxes and shipping. The items in the shopping cart are eventually ordered if the cardholder chooses.
Issuer Private Key
ICC Private Key
Single Message System
A component of the V.I.P. System that processes Online Financial and Deferred Clearing transactions.
Session Key Application Cryptogram
A plastic card resembling traditional credit or debit cards that contains a computer chip; the chip is capable of storing significantly more information than a magnetic stripe.
STAN (System Trace Audit Number)
Unique number identifying a payment transaction through the whole or part of the payment system. In ISO 8583-like dialects it is usually carried as data element DE11.
Start Up Kit
Supplies shipped to new merchants including sales slips, credit slips, batch header tickets, return envelopes, VISA/MasterCard decals, merchant plastics, imprinter slugs and instructional materials.
Static Data Authentication (SDA)
A type of Offline Data Authentication where the terminal validates a cryptographic value placed on the card during personalization. This validation protects against some types of counterfeit, but does not protect against skimming.
SW1 and SW2, collectively.
The process of sending batch deposits to Merchant Services for processing. This may be done electronically or by mail.
The forms necessary to effect a chargeback processing cycle, and any additional material to uphold a dispute.
Status byte 1
Status Byte One and Status Byte Two
Status byte 2
Tamper-resistant security module (TRSM)
Usually an HSM.
Transaction Capture Multi-Payment (TCMP) is a payment messages format for transmissions between the terminal and RBS WorldPay Host. This host interface is designed to operate in a terminal-capture or host-capture environment.
Transaction Certificate Data Object List
Trusted Execution Environment
Telephone Bill Payment
A service that permits a customer to pay bills electronically. The customer gives a corporation the authority to debit his or her account for a specific amount or within a specified range of amounts.
Terminal Action Codes (TACs)
Visa-defined rules in the terminal which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.
Processing of transactions by service providers acting under contract to card issuers or acquirers. First Data is a third-party processor.
Tag Length Value
An implementation of an alternate PAN that may include additional features associated with tokenization.
Token Assurance Level
A value that allows the Token Service Provider to indicate the confidence level of the Payment Token to PAN / Cardholder binding. It is determined as a result of the type of Identification and Verification (ID&V) performed and the entity that performed it. It may also be influenced by additional factors such as the Token Location.
The Token Assurance Level is set when issuing a Payment Token and may be updated if additional ID&V is performed. The Token Assurance Level value is defined by the Token Service Provider.
A specific BIN or range within a BIN that has been designated only for the purpose of issuing Payment Tokens and is flagged accordingly in BIN tables.
Token BIN Range
A unique identifier that consists of the leading 6 to 12 digits of the Token BIN. The Token BIN Range may be designed to carry the same attributes as the associated Card Issuer card range and will be included in the BIN routing table distributed to the participating Acquirers and Merchants to support routing decisions.
A cryptogram generated using the Payment Token and additional transaction data to create a transaction-unique value. The calculation and format may vary by use case.
The types of transactions for which a Payment Token may be used. Token Domains may be channel-specific (e.g. NFC only), Merchant-specific, digital wallet-specific, or a combination of any of the above.
Token Domain Restriction Controls
A set of parameters established as part of Payment Token issuance by the Token Service Provider that will allow for enforcing appropriate usage of the Payment Token in payment transactions. Some examples of the controls are: Use of the Payment Token with particular presentment modes, such as contactless or e-commerce; Use of the Payment Token at a particular Merchant that can be uniquely identified; Verification of the presence of a Token Cryptogram that is unique to each transaction
Token Expiry Date
The expiration date of the Payment Token that is generated by and maintained in the Token Vault and is passed in the PAN Expiry Date field during transaction processing to ensure interoperability and minimise the impact of Tokenisation implementation. The Token Expiry Date is a 4-digit numeric value that is consistent with the ISO 8583 format.
The process to ensure that the processing and exchanging of transactions between parties through existing interoperable capabilities is preserved when using Payment Tokens with new fields and field values that are defined in this specification.
The process whereby a Payment Token is created and delivered to a Token Requestor. Payment Tokens may be issued for multiple use or for single use.
An indication of the intended mode of storage for a Payment Token and any related data, provided by a Token Requestor when requesting a Payment Token from a Token Service Provider.
The security of this location may influence the Token Assurance Level that can be assigned to a Payment Token. Due diligence of the security provided by Token Requestors is the responsibility of each Token Service Provider and assignation of a location type to each Token Requestor will be at the discretion of each Token Service Provider.
Token Presentment Mode
The mode through which a Payment Token is presented for payment. This information will resolve to an existing field called Point of sale (POS) Entry Mode as defined in ISO 8583 messages and that will be enhanced to include new potential values as part of this specification. Each Payment Network will define and publish any new POS Entry Mode values as part of its existing message specifications and customer notification procedures. In addition to supporting existing values for contactless, new values may be defined, if not already in existence, by participating Payment Networks for: Server initiated (Card-on-file use case); Scan (Optical)
Transaction processing in which a Payment Token is present in lieu of the PAN and is processed from the point of interaction through to the Payment Network and Token Service Provider’s Vault for De-Tokenisation in order to allow for transaction completion. Token Processing may span payment processes that include authorisation, capture, clearing, and exception processing.
The act of delivering the Payment Token and related values, potentially including one or more secret keys for cryptogram generation, to the Token Location.
Token Reference ID
A value used as a substitute for the Payment Token that does not expose information about the Payment Token or the PAN that the Payment Token replaces.
The process in which a Token Requestor requests a Payment Token from the Token Service Provider. As a consequence of this action, ID&V may be performed using a Token Request Indicator to show that the ID&V mechanism being used is for the purpose of a Token Request, rather than for some other purpose.
Token Request Indicator
A value used to indicate that an authentication / verification message is related to a Token Request. It is optionally passed to the Card Issuer as part of the Identification and Verification (ID&V) API to inform the Card Issuer of the reason that the account status check is being performed.
An entity that is seeking to implement Tokenisation according to this specification and initiate requests that PANs be Tokenised by submitting Token Requests to the Token Service Provider. Each Token Requestor will be registered and identified uniquely by the Token Service Provider within the Tokenisation system.
Token Requestor Registration
A Token Service Provider function that formally processes Token Requestor applications to participate in the Token Service programme. The Token Service Provider may collect information pertaining to the nature of the requestor and relevant use of Payment Tokens to validate and formally approve the Token Requestor and establish appropriate Token Domain Restriction Controls. Successfully registered Token Requestors will be assigned a Token Requestor ID that will also be entered and maintained within the Token Vault.
A system comprised of the key functions that facilitate generation and issuance of Payment Tokens from the Token BINs, and maintain the established mapping of Payment Tokens to PAN when requested by the Token Requestor. It also includes the capability to establish the Token Assurance Level to indicate the confidence level of the Payment Token to PAN / Cardholder binding. The service also provides the capability to support Token Processing of payment transactions submitted using Payment Tokens by de-tokenising the Payment Token to obtain the actual PAN.
Token Service Provider
An entity that provides a Token Service comprised of the Token Vault and related processing. The Token Service Provider will have the ability to set aside licensed ISO BINS as Token BINs to issue Payment Tokens for the PANs that are submitted according to this specification.
A repository, implemented by a Tokenisation system, that maintains the established Payment Token to PAN mapping. This repository is referred to as the Token Vault. The Token Vault may also maintain other attributes of the Token Requestor that are determined at the time of registration and that may be used by the Token Service Provider to apply domain restrictions or other controls during transaction processing.
A process by which the Primary Account Number (PAN) is replaced with a surrogate value called a Payment Token. Tokenisation may be undertaken to enhance transaction efficiency, improve transaction security, increase service transparency, or to provide a method for third-party enablement.
Track 1 was introduced by the International Air Transport Association (IATA) and describes the format of credit card magnetic stripe data for financial transactions, i.e., credit and debit cards. It stores more information than Track 2, such as the cardholder's name, account number and other discretionary data. This track is sometimes used by the airlines when securing reservations with a credit card.
Track 2 was introduced by the American Banking Association (ABA) and is currently most commonly used, though credit card companies have been pushing for everyone to move to Track 1. The ABA designed the specifications of this track and all world banks must abide by it. It contains the cardholder's account, encrypted PIN, plus other discretionary data.
Track 3 is virtually unused by the major worldwide networks, and often isn't even physically present on the card by virtue of a narrower magnetic stripe.
Any event that causes a change in an organization's financial position or net worth, resulting from normal activity. Advance of funds, purchase of goods at a retailer or when a borrower activates a revolving line of credit. Activities affecting a deposit account carried out at the request of the account owner. One example of a transaction is the process that takes place when a cardholder makes a purchase with a credit card.
The actual date on which a transaction occurs. Used in recording and tracking transactions.
Service costs charged to a merchant on a per-transaction basis.
The data encryption algorithm used with a double-length DES key.
Terminal Risk Management (EMV transactions). May include checking whether the value of the transaction exceeds the terminal floor limit and other threshold values.
Transaction Status Information
Terminal Transaction Qualifiers
Terminal Verification Results
Upper Consecutive Off-line Limit
Short for Universal Commerce, UCommerce is the intersection of online, kiosk, and in-store payment enablement, incorporating social media and near-field communications. With UCommerce, the mobile device is at the center of the user experience.
Unique Derivation Key
Unique Derivation Key A
Unique Derivation Key B
Unique Derivation Key
A card-unique double-length DES key derived from a master key and used in online card authentication.
Coordinated Universal Time
VisaNet Integrated Payment System, the online processing component of VisaNet.
Visa Contactless Payment Specification
A transaction conducted over the contactless interface in compliance with this specification.
Visa Integrated Circuit Card Specification
An AID using the Visa Registered Application Provider Identifier (RID, 'A0 00 00 00 03') that has a Proprietary Application Identifier Extension (PIX) assigned by Visa International. Visa PIXs: '1010' – Visa Debit and Visa Credit, '2010' – Visa Electron, '3010' – Interlink, '8010' – PLUS. Regional AIDs using the reserved range of Visa assigned PIXs are permitted.
Visa Certificate Authority (CA)
A Visa-approved organization certified to issue certificates to participants in a Visa payment service.
Visa Contactless Payment Specification (VCPS)
A Visa specification defining requirements for conducting a payment transaction over a contactless interface.
Visa Low-value Payment (VLP)
VLP is a feature of VSDC designed to provide an optional source of pre-authorized spending power that is reserved for rapid processing of offline low-value payments.
A contactless payment technology feature that allows cardholders to wave their card, mobile device, or other form factors in front of contactless payment terminals without the need to physically swipe or insert the card into a point-of-sale device.
Visa internal staff that issuers or acquirers may contact for questions and assistance with implementation tasks and testing.
Visa Smart Debit and Visa Smart Credit (VSDC)
The Visa service offerings for chip-based debit and credit programs. These services, based on EMV and VIS specifications, are supported by VisaNet processing, as well as by Visa rules and regulations.
The systems and services, including the V.I.P. and BASE II systems, through which Visa delivers online financial processing, authorization, clearing, and settlement services to members.
Year, hour, counter: Y right-most digit of the year (0 – 9), HHHH Number of hours in digits since start of the year (0001 – 8784), CC Counter (00 – 99)
Zentraler Kreditausschuss (ZKA)
An industry association of the German banking industry.