Payments Glossary

3DS2 is the authentication protocol for card-not-present transactions that shifts fraud chargeback liability from merchant to issuer when authentication succeeds.

Account takeover is fraud where an attacker gains control of a legitimate customer account and exploits the stored payment credentials or account value within it.

Account Updater (Visa VAU / Mastercard ABU) automatically refreshes stored card credentials when a card is reissued, preventing subscription declines from outdated card details.

ACH is the US interbank network for batch bank transfers — ACH debit is the pull payment mechanism for US bank-account recurring billing, governed by Nacha's Operating Rules.

The acquirer is the bank or PSP that processes card payments on behalf of merchants and holds the relationship with card networks.

AML is the legal framework requiring payment businesses to detect, monitor, and report transactions that may represent money laundering or financial crime.

Authorization is the real-time request sent to the card issuer to verify funds availability and approve a transaction before capture.

Authorization rate is the share of payment attempts approved by the issuing bank — the primary metric for payment stack performance.

Cancels an authorization hold before capture, releasing the held funds — distinct from a refund (which returns captured funds) and overlapping with a void.

Bacs Direct Debit is the dominant UK bank-account pull payment mechanism — a mandate-based recurring collection scheme governed by Pay.UK with a fixed three-day settlement cycle.

A BIN is the first 6–8 digits of a payment card number, identifying the issuing bank, card network, card type, and country of issue.

BNPL is a point-of-sale installment credit product — typically 3–6 payments — offering deferred payment with no interest if paid on time.

Capture is the instruction to collect funds from a previously authorised transaction, triggering clearing and settlement.

Card on file is stored card credential (tokenised or vaulted) used for future transactions without re-entry — the foundation of subscriptions, one-click checkout, and MIT billing.

A card scheme is an organization such as Visa or Mastercard that sets the rules, interchange rates, and technical standards governing card payments globally.

Card testing is a fraud attack using automated scripts to validate stolen card numbers via small test transactions before exploiting them for larger fraud.

CNP (Card Not Present) describes transactions — primarily e-commerce — where the physical card is absent, carrying higher fraud rates and interchange than card-present.

CBPR+ is SWIFT's ISO 20022 usage guideline set for cross-border payments on the SWIFT network — narrowing the standard to an interoperable profile; MT coexistence ended 22 November 2025.

Chain analysis is the forensic tracing and risk-scoring of blockchain transactions using graph analysis and address clustering to identify entities and flag illicit fund flows.

A chargeback is a forced transaction reversal initiated by the card issuer on a cardholder's behalf, debiting the merchant and returning funds.

Chargeback ratio is chargebacks received as a percentage of total transactions, with scheme thresholds typically at 0.65–1.0% before fines and monitoring programmes trigger.

Chargeback representment is a merchant's formal dispute of a chargeback, submitted via the acquirer with transaction evidence to reverse the card network's initial ruling.

CE 3.0 is Visa's 2023 framework letting merchants defeat first-party fraud chargebacks by proving a prior undisputed transaction history with the same device or IP.

CoP is the UK's Pay.UK name-check on Faster Payments and CHAPS — Match, Close Match, No Match, or Unavailable — covering ~99% of volume since October 2024 and feeding the APP-fraud liability framework.

A seller account a platform creates and manages inside its payment provider to receive funds and be paid out.

Correspondent banking is an arrangement where one bank holds accounts for another to execute cross-border payments in markets or currencies it doesn't directly access.

Cross-border payments are transactions between parties in different countries, involving currency conversion, correspondent banking, and additional compliance overhead.

CVV/CVC is the 3–4 digit security code on a payment card used to verify physical card possession in CNP transactions — prohibited from storage under PCI DSS.

Decline codes are ISO 8583 response codes from the issuer indicating why a transaction was rejected and whether a retry is appropriate.

A digital wallet stores tokenized payment credentials for card or account-based transactions, eliminating the need to present a physical card or enter card details manually.

Direct debit is a pull payment where the operator initiates a bank account debit against a pre-authorized mandate, without requiring customer action per collection.

A dispute is a cardholder's challenge to a transaction with their issuer, which escalates to a chargeback if the merchant doesn't respond or loses the review.

DCC lets cardholders pay in their home currency at point of sale, with conversion applied by the acquirer at a marked-up rate that generates a rebate to the merchant.

An e-mandate is a digital standing authorization from a payer allowing a merchant or biller to initiate recurring direct debit collections from their bank account.

eGIRO is Singapore's API-based digital mandate system for recurring SGD bank account debits — the modern replacement for paper GIRO forms, live since 2021.

Embedded finance is the integration of financial products (payments, lending, insurance) directly into non-financial platforms via BaaS and payment facilitator infrastructure.

EMV is the global chip card standard that generates a unique cryptographic code per transaction, making card cloning at point of sale effectively impossible.

The FATF Travel Rule requires VASPs to transmit originator and beneficiary identity data alongside virtual asset transfers above defined thresholds.

Friendly fraud is when a cardholder disputes a legitimate transaction they made and received, either deliberately or because they didn't recognise the charge.

FX markup is the margin a PSP charges above the interbank exchange rate when converting currencies in cross-border transactions, on top of any stated FX fee.

An IBAN is a standardized account identifier used across Europe and parts of APAC to route bank transfers precisely and reduce payment failures.

Increases an existing authorization hold without a new authorization, for cases where the final amount grows after the initial auth (hotels, rideshare, tabs, fuel).

Interchange is the per-transaction fee paid by the acquirer to the card issuer, set by card networks and the largest single component of MDR.

Interchange-plus pricing passes interchange and scheme fees through at cost with a transparent, fixed acquirer margin on top, making total card acceptance costs variable but itemised.

ISO 20022 is the XML-based international financial messaging standard used by SWIFT, SEPA, and modern payment rails — replacing legacy MT formats with structured, rich data that survives every hop.

The issuer is the bank or financial institution that provides a payment card to a consumer and is responsible for authorization and fraud liability.

KYB is the regulatory due diligence process payment providers use to verify a merchant's identity, ownership structure, and business legitimacy before onboarding.

KYC is the regulatory requirement for payment businesses to verify the identity of individuals before providing financial services or processing payments.

Least-cost routing automatically selects the lowest-cost network path for debit transactions — typically routing via a domestic network instead of Visa or Mastercard.

MiCA is the EU's regulatory framework for crypto-asset issuers and service providers — operators must check stablecoin authorisation status before offering it to EU users.

The acquiring account a payment facilitator holds and boards its sub-merchants under, through which all their transactions flow.

MDR is the total percentage fee a merchant pays per card transaction, comprising interchange paid to the issuer, scheme fees, and the acquirer's margin.

An MCC is a four-digit code assigned by card networks to classify a merchant's business type, directly determining interchange rates and card acceptance rules.

A Merchant of Record is the entity legally responsible for a sale — owning tax collection, refund liability, compliance, and the card network relationship.

A Merchant-Initiated Transaction is a charge triggered by the merchant against stored card credentials without the cardholder present — used for subscriptions, instalments, and usage billing.

MPC splits a private key into distributed shares that sign transactions cooperatively, so the full key is never assembled in any single location.

Multi-sig requires M of N designated key-holders to sign a transaction on-chain before it executes, enforced by smart contract logic.

Netting consolidates multiple payment obligations between counterparties into a single net amount, reducing settlement volume and liquidity requirements.

A network token is a payment credential issued by Visa or Mastercard that replaces the card number for storage and transactions, reducing fraud exposure.

The OFAC SDN List is the US Treasury sanctions list of blocked persons and entities, including crypto wallet addresses, against which US persons cannot transact.

Open banking is a regulatory framework requiring banks to share customer account data and payment initiation access with licensed third parties via secure APIs.

A PAN is the full card number on a payment card — classified as sensitive data under PCI DSS and replaced by tokens in most modern payment flows.

A partial authorization is an issuer approval for less than the requested transaction amount — common on prepaid cards and requiring split tender or decline handling.

A payment facilitator aggregates sub-merchants under its own acquiring agreement, handling onboarding, risk management, and settlement on their behalf.

A payment gateway is the technology layer that encrypts and routes card transaction data between a merchant's checkout and the acquiring bank or PSP.

Payment orchestration intelligently routes transactions across multiple PSPs, acquirers, and payment methods to optimize authorization rates and reduce acceptance cost.

PCI DSS is the card-industry security standard mandating specific controls for any entity that stores, processes, or transmits cardholder data.

Pix Automático is Brazil's bank-native recurring debit feature on the Pix rail — enabling scheduled pulls from customer accounts with near-zero MDR and no card expiry risk.

A pre-authorization is a temporary hold placed on cardholder funds before the final transaction amount is confirmed, common in hotels, car rentals, and fuel.

PSD2 is the EU directive that mandates Strong Customer Authentication for online payments and requires banks to grant API access to licensed third-party providers.

PSD3 is the EU's update to PSD2, sharpening open banking, adjusting SCA rules, and improving non-bank payment access — provisionally agreed in late 2025 and not yet in force, with application expected around 2028.

A PSP is a company that provides merchants with the technology and banking connections needed to accept electronic payments across cards, wallets, and bank transfers.

A qualified custodian is a regulated entity authorised to hold digital assets on behalf of clients, subject to capital, segregation, and oversight requirements.

A real-time rail is a national payment infrastructure settling bank transfers instantly and 24/7 — such as UPI in India, PIX in Brazil, or Faster Payments in the UK.

Reconciliation is the process of matching payment records across a merchant's internal systems, PSP statements, and bank settlements to identify and resolve discrepancies.

A recurring payment is a pre-authorised repeating charge against a stored payment credential, with operational mechanics that differ significantly between card and bank rails.

A rolling reserve is a percentage of merchant settlements withheld by a PSP for a defined period as a buffer against chargebacks and financial exposure.

Scheme fees are charges levied by card networks (Visa, Mastercard) on acquirers and issuers for network access, typically 0.10–0.25% of transaction value.

SEPA is the EU's unified payment infrastructure covering 36 countries — standardising euro bank transfers via Credit Transfer, Instant, and Direct Debit schemes.

Settlement is the transfer of transaction funds from the acquirer to the merchant's bank account, typically occurring 1–3 business days after capture.

A soft decline is an authorization failure where the issuer signals the transaction can be retried — typically due to insufficient funds, a temporary flag, or SCA required.

A single buyer payment divided across multiple recipients — platform and sellers — at settlement.

A stablecoin is a cryptocurrency pegged to a fiat currency — typically USD — designed to hold price stability, used increasingly for cross-border B2B settlement.

SCA is the EU regulatory requirement for two-factor authentication on electronic payments, implemented primarily via 3DS2 for card-not-present transactions.

A business that accepts card payments under a payment facilitator's master merchant account instead of holding its own merchant account.

Surcharging is adding a fee to card transactions to recover acceptance costs, subject to card network rules and local regulations that vary significantly by market.

A SAR is a mandatory confidential regulatory filing submitted to a financial intelligence unit when suspicious transactions suggest money laundering or financial crime.

SWIFT is the global interbank messaging network used to transmit cross-border payment instructions — it moves messages, not money, across 11,000+ institutions in 200+ countries.

Synthetic identity fraud combines a real SSN with fabricated personal data to create a fictitious consumer identity used to bust out credit lines.

A TPP is a licensed entity under PSD2 that accesses bank accounts via open banking APIs to initiate payments (PISP) or retrieve account information (AISP).

A tokenised deposit is a bank deposit represented as a blockchain token, issued directly by the chartered bank and retaining deposit insurance and regulatory protections.

Tokenization replaces sensitive card data with a non-sensitive token for storage and processing, reducing PCI DSS scope and limiting fraud from data breaches.

UETR is the 36-character UUID set at payment origination and carried unchanged through every SWIFT correspondent hop — the single reference to quote when tracing a payment or raising a bank enquiry.

UPI AutoPay is NPCI's mandate-based recurring debit framework for UPI — enabling scheduled collections from bank accounts without per-transaction authentication up to ₹15,000.

VAMP is Visa's April 2025 unified acquirer monitoring framework that consolidates dispute and fraud ratios into a single threshold metric managed at the acquirer level.

VRP is the open banking mechanism for recurring pull payments — a customer-authorised standing consent allowing variable amount collections at near-zero MDR.

A velocity check is a fraud control that flags or blocks a card or account when transaction frequency or volume exceeds a defined threshold within a time window.

VoP is the EU's EPC scheme checking a payee's name against the IBAN before a SEPA credit transfer — Match, Close Match, No Match, or Verification Not Possible — mandatory in the euro area since 9 Oct 2025.

A virtual IBAN is a unique account number mapped to a master account, used to reconcile incoming payments by giving each payer a dedicated reference.

A void cancels an authorized transaction before capture, releasing the hold without any funds movement — the correct alternative to a refund pre-settlement.