Reference
Payments Glossary
Plain-language definitions of payments industry terms — written for operators, merchants, and fintech teams who need to act on what they read.
45 terms defined
3
3DS2
Fraud & Compliance
3DS2 (EMV 3-D Secure 2, also called 3D Secure 2 or simply 3DS2) is the current version of the 3-D Secure authentication protocol used to verify cardholder identity for card-not-present (CNP) transactions — primarily e-commerce. 3DS2 passes up to 150 data elements to the card issuer's risk system, enabling frictionless authentication for low-risk transactions (no cardholder action required) while reserving challenge flows (OTP, biometric) for higher-risk scenarios. Successful 3DS2 authentication shifts fraud chargeback liability from the merchant to the issuer.
A
Acquirer
Acquiring
An acquirer (or acquiring bank) is a licensed financial institution that processes payment card transactions on behalf of merchants. The acquirer maintains the merchant account, submits authorization requests to card networks, and settles transaction proceeds to the merchant after deducting the merchant discount rate (MDR). Major global acquirers include JPMorgan Chase, Worldpay, Adyen, and Checkout.com. In Southeast Asia, regional acquirers include Bangkok Bank, CIMB, and BDO Unibank.
Anti-Money Laundering (AML)
compliance
Anti-Money Laundering (AML) refers to the legal framework, policies, and controls that financial institutions and regulated payment businesses must implement to detect, prevent, and report money laundering and related financial crimes. AML obligations typically include customer due diligence (CDD), transaction monitoring, suspicious activity reporting (SAR), and record-keeping requirements. For payment service providers, AML compliance is a licensing condition and a core operational function.
Authorization
transaction-flow
Authorization is the real-time process by which a card payment is approved or declined by the issuing bank before funds are captured. During authorization, the acquirer sends a request through the card network to the issuer, which checks available funds or credit, applies fraud rules, and returns an approval or decline response — typically within 1–3 seconds. Authorization does not move funds; it places a hold on the cardholder's account pending capture and settlement.
B
BIN
Card Networks
A Bank Identification Number (BIN), also called Issuer Identification Number (IIN), is the first 6–8 digits of a payment card number that identify the issuing bank, card network, card type (credit, debit, prepaid), and geographic market. BINs are used by payment processors to route transactions, apply the correct interchange rate, determine 3DS2 challenge thresholds, and assess fraud risk. BIN intelligence — knowing the characteristics of each BIN range — is a key input to authorization rate optimization and risk management.
BNPL
payments
Buy Now Pay Later (BNPL) is a short-term credit product that allows consumers to split a purchase into instalments — typically four equal payments over six weeks — at zero interest, with the cost borne by the merchant via a fee of 2–6% of transaction value. Major providers include Klarna, Afterpay (Block), Affirm, and Zip. BNPL drives measurable basket size and conversion uplift for merchants but carries credit loss risk and faces increasing regulatory scrutiny in Australia, the UK, and the US.
C
Card Scheme
Card Networks
A card scheme (also called a card network or payment network) is the organization that sets the rules, standards, and infrastructure for card payment transactions between issuers and acquirers. Global four-party schemes — primarily Visa and Mastercard — do not issue cards or acquire merchants directly but operate the network that connects issuers and acquirers, sets interchange rates, and manages brand and fraud standards. Three-party (closed-loop) schemes such as American Express and Diners Club combine the issuer, network, and acquiring functions.
Card-Not-Present (CNP)
transaction-flow
Card-Not-Present (CNP) refers to payment transactions where the physical card is not presented at the point of sale — primarily e-commerce, phone orders (MOTO), and in-app purchases. CNP transactions carry higher fraud risk than card-present transactions because the merchant cannot verify the physical card or cardholder identity at the point of sale. This elevated risk is reflected in higher interchange rates, additional authentication requirements (3DS2, SCA), and different chargeback liability rules.
Chargeback
Fraud & Compliance
A chargeback is a forced reversal of a payment card transaction initiated by a cardholder's bank (issuer), returned to the merchant via the acquiring bank. Chargebacks are triggered when a cardholder disputes a transaction — claiming it was unauthorized, that goods were not received, or that the merchant failed to honor a refund. The merchant loses the transaction amount plus a chargeback fee (typically $20–$100 per incident), and faces account suspension if their chargeback ratio exceeds card network thresholds (1% for Visa, 1.5% for Mastercard).
Correspondent Banking
payments
Correspondent banking is the arrangement by which one bank (the correspondent) provides services to another bank (the respondent) to facilitate cross-border transactions. Most international SWIFT payments route through one or more correspondent banks, each adding settlement time, fees, and potential AML screening delays. Correspondent banking chains for non-G7 corridors typically involve 2–4 intermediaries, contributing to the 1–5 business day settlement windows and $25–45 fee structures that make cross-border B2B payments expensive relative to domestic alternatives.
D
Dispute
chargebacks
A dispute is a formal challenge raised by a cardholder or issuer against a completed transaction, initiating a structured process through the card network to reverse or uphold the original charge. Disputes are the formal mechanism underlying chargebacks and include a multi-stage process of representment and arbitration governed by scheme rules. The term 'dispute' is increasingly used by card networks (particularly Visa's Visa Dispute Resolution process) as the overarching label for what was traditionally called a chargeback.
E
e-Mandate
rails
An e-Mandate is a digitally authenticated authorization from a customer permitting a merchant to initiate recurring debit transactions from their bank account or card. In India, the RBI's e-Mandate framework (effective October 2021) mandates that all recurring payments above ₹15,000 require Additional Factor Authentication (AFA) for registration, with subsequent debits processed automatically up to the authorized limit. e-Mandates are the Indian equivalent of direct debit mandates in SEPA or ACH pre-authorization in the US.
F
FX Markup
Cross-Border
FX markup is the spread added by a payment service provider, bank, or financial institution above the mid-market exchange rate when converting currencies during international payment settlement. A payment processed in Thai Baht and settled in USD will be converted at a rate that includes an FX markup — often 1–3% above the interbank mid-market rate — that represents additional revenue for the PSP or acquirer. FX markup is often not disclosed as a separate line item, making it one of the most opaque costs in cross-border payments.
I
IBAN
banking
An IBAN (International Bank Account Number) is a standardized account identifier used to uniquely identify a bank account across borders, developed by the International Organization for Standardization (ISO) and the European Committee for Banking Standards. An IBAN contains a country code, check digits, and a bank account number in a country-specific format, with total lengths ranging from 15 to 34 characters. IBAN is mandatory for SEPA credit transfers and direct debits and is widely used in European cross-border payment instructions.
Interchange
Acquiring
Interchange is the fee paid by the acquiring bank (or PSP) to the card-issuing bank on every card transaction, as compensation for credit risk, fraud losses, and cardholder rewards programs. Interchange rates are set by the card networks (Visa, Mastercard) and vary by card type, merchant category code (MCC), transaction type (card-present vs. card-not-present), and geography. In the US, interchange for a standard consumer credit card averages 1.5–2.0% of transaction value. In regulated markets (EU, Australia), interchange is capped — at 0.2% for debit and 0.3% for credit under EU regulations.
Issuer
Card Networks
An issuer (or issuing bank) is the financial institution that provides payment cards — credit, debit, or prepaid — to consumers and businesses. The issuer authorizes (or declines) individual transactions based on its risk assessment of the cardholder and the transaction, and is responsible for billing the cardholder and collecting payment. Major global issuers include Chase, Bank of America, HSBC, and Citi. In Southeast Asia, prominent issuers include BCA (Indonesia), Kasikorn Bank (Thailand), and DBS (Singapore).
K
Know Your Business (KYB)
compliance
Know Your Business (KYB) is the process of verifying the identity, ownership structure, and legitimacy of a business entity before establishing a commercial relationship. For payment service providers and acquirers, KYB is a regulatory requirement under AML frameworks that involves verifying company registration, identifying ultimate beneficial owners (UBOs), assessing business activity, and conducting ongoing monitoring. KYB is distinct from KYC (which applies to individual consumers) and is generally more complex due to layered corporate structures.
Know Your Customer (KYC)
compliance
Know Your Customer (KYC) is the process of verifying the identity of individual customers before and during a business relationship. For payment service providers and financial institutions, KYC involves collecting identity documents, verifying them against authoritative sources, screening against sanctions and politically exposed persons (PEP) lists, and assessing the customer's risk profile. KYC is a core AML compliance requirement and a regulatory condition of operating a licensed payment service.
L
Least-Cost Routing
Acquiring
Least-Cost Routing (LCR) is the practice of directing a debit card transaction through the cheapest available payment network rather than the most expensive, where multiple network options exist. Dual-network debit cards (common in Australia, the US, and Canada) carry both a card scheme network (Visa, Mastercard) and a domestic debit network (eftpos in Australia, Interac in Canada, US regional networks). LCR routes transactions to the lower-cost network, typically saving merchants 0.1–0.5% per transaction.
M
MDR
Acquiring
Merchant Discount Rate (MDR) is the total fee a merchant pays to accept a card payment, expressed as a percentage of the transaction value. MDR is composed of interchange (paid to the card-issuing bank), scheme fees (paid to Visa or Mastercard), and the acquiring margin (retained by the payment service provider). For a typical e-commerce transaction in Southeast Asia, MDR ranges from 1.5% to 3.5% depending on the card type, market, and merchant category code.
Merchant Category Code (MCC)
Card Networks
A Merchant Category Code (MCC) is a four-digit code assigned by card networks to classify a merchant's primary business type. MCCs are used to determine interchange rates, apply spend controls on corporate and consumer cards, generate transaction-level data for issuers and cardholders, and flag transactions for regulatory reporting. The code is set at merchant onboarding and can significantly affect the economics of card acceptance.
Merchant of Record
compliance
The Merchant of Record (MOR) is the legal entity that appears on a customer's payment statement and assumes liability for a transaction — including tax collection, chargebacks, refunds, and regulatory compliance. In platform and marketplace models, the MOR may be the platform itself, a third-party service, or the underlying seller, depending on the arrangement. The MOR structure has significant implications for VAT/GST obligations, card acceptance, and financial licensing.
N
Netting
settlement
Netting is the process of consolidating multiple payment obligations between parties into a single net payment, reducing the number and value of individual settlements. In payments, netting is used by card networks, PSPs, and clearing houses to calculate the net position of each participant across all transactions in a given cycle, then settle only the net amount owed rather than gross bilateral flows. Netting significantly reduces liquidity requirements and systemic settlement risk.
Network Token
Acquiring
A network token is a payment credential issued by a card network (Visa Token Service / VTS, or Mastercard Digital Enablement Service / MDES) as a substitute for a card's Primary Account Number (PAN). Unlike PSP-proprietary tokens, network tokens are portable across acquirers and PSPs, survive card reissues, and carry richer transaction context that improves issuer authorisation rates. Network tokenisation typically delivers 2–4% authorisation rate uplift versus raw PAN submission.
O
Open Banking
payments
Open banking is a regulatory and technical framework that requires banks to share customer account data and, in more advanced implementations, allow third parties to initiate payments directly from bank accounts. In the EU/UK, open banking is governed by PSD2/PSD3. Payment Initiation Service Providers (PISPs) use open banking APIs to offer account-to-account payment alternatives to card payments, at near-zero MDR for merchants. Consumer adoption remains concentrated in bill payments, government services, and regulated sectors where cards are restricted.
P
Payment Facilitator
Acquiring
A Payment Facilitator (PayFac) is a company registered with card networks that can onboard sub-merchants under its own master merchant account, enabling those sub-merchants to accept card payments without each obtaining their own merchant account. PayFacs assume underwriting risk for their sub-merchants and are responsible for compliance, dispute management, and funding. Stripe, Square, and PayPal operate as PayFacs. Platforms can also become their own PayFac through direct registration with Visa and Mastercard.
Payment Gateway
Infrastructure
A payment gateway is the technology layer that securely transmits payment data between a merchant's checkout and the payment processing network. The gateway encrypts sensitive card data (PAN, CVV, expiry) at the point of entry, routes authorization requests to the appropriate acquirer, and returns the authorization response to the merchant. Gateways may be standalone (like Stripe.js or Adyen's Web Components) or bundled with full PSP services. Modern gateways handle tokenization, 3DS2 authentication orchestration, and multi-method payment routing in addition to basic data transmission.
Payment Orchestration
Infrastructure
Payment orchestration is the centralized management of multiple payment service providers, acquirers, and payment methods through a single integration layer. An orchestration platform routes individual transactions to the optimal processor based on rules — minimizing cost, maximizing authorization rates, or optimizing for geographic coverage. Leading orchestration platforms include Primer, Spreedly, Paydock, and Gr4vy. Orchestration is particularly valuable for merchants operating across multiple geographies or with volumes large enough to benefit from multi-acquirer strategies.
PCI DSS
Security
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established by the PCI Security Standards Council (founded by Visa, Mastercard, Amex, Discover, and JCB) that govern how organizations store, process, and transmit cardholder data. Compliance is mandatory for any entity that handles card data. PCI DSS compliance is assessed annually (for larger merchants) or via self-assessment questionnaire (SAQ) for smaller merchants. Non-compliance can result in fines of $5,000–$100,000 per month from card networks and acquirers.
Pre-Authorization
Acquiring
A pre-authorization (pre-auth) is a temporary hold placed on a cardholder's funds by the issuing bank at the merchant's request, without an immediate transfer of funds. The hold reserves the authorized amount against the customer's available credit or balance, giving the merchant assurance that funds are available. The merchant subsequently submits a capture request — for the final amount — to trigger actual settlement. Pre-authorizations are standard in hotels, car rentals, fuel pumps, and any context where the final transaction amount is unknown at the time of initial card interaction.
PSD2
regulation
PSD2 (Payment Services Directive 2) is the EU regulatory framework governing payment services across the European Economic Area, replacing PSD1 in 2018. It introduced Strong Customer Authentication (SCA) for electronic payments, mandated open banking access through standardized APIs, and expanded the licensing framework for third-party providers (TPPs) including account information service providers (AISPs) and payment initiation service providers (PISPs). PSD2 fundamentally restructured the competitive dynamics between banks, PSPs, and fintech companies in Europe.
PSP
Acquiring
A Payment Service Provider (PSP) is a company that enables merchants to accept electronic payments by providing the technical infrastructure, payment processing, and banking connections needed to route, authorize, and settle transactions. PSPs act as intermediaries between merchants, card networks, and acquiring banks. Examples include Stripe, Adyen, PayPal, Checkout.com, and regional players like 2C2P (Southeast Asia) and Paymob (Middle East/Africa).
R
Real-Time Rail
payments
A real-time rail (also called an instant payment system) is a payment infrastructure that settles transactions between bank accounts in seconds, 24/7, with immediate finality. Major examples include Pix (Brazil), UPI (India), Faster Payments (UK), SEPA Instant (EU), NPP/PayID (Australia), RTP and FedNow (US), and PromptPay (Thailand). Real-time rails typically operate at zero or near-zero merchant cost, making them structural competitors to card payments for domestic transactions.
Reconciliation
Operations
Payment reconciliation is the process of matching transaction records across different systems — the merchant's order management system, the PSP's settlement reports, and the merchant's bank account — to verify that all transactions are accounted for, fees are correctly calculated, and settlement amounts match expectations. Reconciliation is a critical operational control: discrepancies can indicate processing errors, unreported chargebacks, incorrect fee application, or fraud. For high-volume merchants, automated reconciliation tooling is essential; manual reconciliation becomes infeasible above a few hundred transactions per day.
Rolling Reserve
Acquiring
A rolling reserve is a percentage of a merchant's processed transaction volume withheld by an acquirer or PSP as collateral against future chargebacks, refunds, or fraud losses. The withheld funds are typically held for a defined period (commonly 90–180 days) before being released back to the merchant on a rolling basis. Rolling reserves are most common for high-risk merchants, newly onboarded businesses, and those operating in chargeback-prone verticals.
S
Scheme Fees
pricing
Scheme fees are charges levied by card networks (Visa, Mastercard, Amex) on acquirers and issuers for access to their payment rails, brand licensing, and transaction processing services. Unlike interchange — which flows from acquirer to issuer — scheme fees flow to the network itself. They are passed through to merchants as part of MDR and have grown significantly as networks expand their fee schedules.
Settlement
Acquiring
Settlement is the process by which funds from card transactions are transferred from the acquirer to the merchant's bank account, after netting out fees (MDR, chargeback reserves, and other deductions). Settlement typically occurs on a T+1 or T+2 basis (1–2 business days after the transaction), though some PSPs offer same-day or instant settlement for a fee, and some hold funds for longer under reserve arrangements. The settlement period and holdback terms are among the most commercially significant clauses in a PSP contract.
Soft Decline
Acquiring
A soft decline is an issuer rejection of a card transaction for a reason that may be temporary or addressable — such as 'do not honour', 'insufficient funds', or 'transaction not permitted' — as opposed to a hard decline (account closed, card reported stolen) where re-attempting is futile. Soft declines represent the majority of recoverable authorisation failures. Intelligent retry strategies — with timing calibrated to decline reason code — can recover 20–40% of soft-declined transactions.
Stablecoin
payments
A stablecoin is a cryptocurrency designed to maintain a stable value by pegging to a reference asset — typically the US dollar. USDC (Circle) and USDT (Tether) are the two dominant dollar-pegged stablecoins, with combined market caps exceeding $150B. In B2B payments, stablecoins are used as settlement instruments for cross-border corridors where correspondent banking is slow or expensive, with USDC preferred for enterprise use due to its fully-reserved, independently-attested structure.
Strong Customer Authentication (SCA)
regulation
Strong Customer Authentication (SCA) is a regulatory requirement under the EU's PSD2 directive that mandates multi-factor authentication for electronic payments. SCA requires at least two of three factors: something the customer knows (PIN, password), something the customer possesses (phone, card), and something the customer is (biometric). Exemptions exist for low-value transactions, trusted beneficiaries, and low-risk transactions assessed via transaction risk analysis (TRA).
Surcharging
pricing
Surcharging is the practice of passing card acceptance costs directly to the customer by adding a fee to the transaction amount when a customer pays by card. Surcharging is legally permitted in some jurisdictions (Australia, most US states) and prohibited in others (UK, EU member states, many US states). Where permitted, card network rules cap surcharges at the merchant's actual cost of acceptance and require disclosure at point of sale.
T
Third-Party Provider (TPP)
open-banking
A Third-Party Provider (TPP) is a regulated entity licensed under PSD2 to access bank account data or initiate payments on behalf of customers, using open banking APIs provided by account-servicing payment service providers (ASPSPs — typically banks). TPPs break into two sub-categories: Account Information Service Providers (AISPs), which read account data, and Payment Initiation Service Providers (PISPs), which initiate payments from accounts. TPPs access bank infrastructure without needing to become a bank themselves, enabling a new class of fintech products built on direct account access.
Tokenization
Security
Payment tokenization is the process of replacing sensitive card data (the 16-digit primary account number, or PAN) with a non-sensitive placeholder value called a token. Tokens can be stored and transmitted without exposing the actual card number, reducing PCI DSS scope and fraud risk. There are two main forms: network tokenization (tokens issued by Visa or Mastercard, tied to a device or merchant) and PSP/gateway tokenization (tokens issued by the payment processor, valid only within their system). Network tokens have been shown to improve authorization rates by 2–4% compared to raw PAN transactions.
V
Velocity Check
fraud
A velocity check is a fraud detection control that counts the frequency of a specific attribute (card number, email address, IP address, device fingerprint) within a defined time window and flags or blocks transactions when the count exceeds a threshold. Velocity checks are among the most operationally simple and effective fraud controls, targeting the rapid reuse of compromised credentials that characterizes carding attacks, account takeover attempts, and brute-force enumeration of card details.
Virtual IBAN
Infrastructure
A Virtual IBAN (vIBAN) is a unique bank account identifier assigned to a specific payer or purpose, which routes incoming funds to a master account held by a payment provider or bank. Virtual IBANs allow businesses to receive and reconcile payments in multiple currencies without opening separate bank accounts in each jurisdiction. They are widely used for B2B collections, marketplace payins, and cross-border treasury operations.