Glossary of Expressions in Payments industry


3-D Secure

Protocol for Cardholder authentication in e-Commerce



Application Authentication Cryptogram


Application Blocked Flag


Application Cryptogram

Account Number

A unique sequence of numbers assigned to a cardholder account that identifies the issuer and type of financial transaction card.

Account Parameter

Data provided by the cloud-based payments platform that is used on the mobile device to conduct a Visa payWave transaction at a Visa payWave reader. Account parameters generally consist of a static data component and a dynamic data component.

Account Parameter Replenishment

The operation of providing new values of dynamic data for an account parameter set for a mobile application to use for payments. The operation of generating the data used in replenishment is performed by the cloud-based payments platform.


Automated Clearing House. A regional organization used by member banks to electronically transfer funds between members.


Payment software development company owning BASE24 and Postilion switches.


A licensed member of MasterCard and/or VISA (or its agent) which maintains merchant relationships, receives all bankcard transactions from the merchant, and initiates that data into an interchange system.

Acquiring Bank/Merchant Bank

The bank that does business with merchants enabling them to accept credit cards. A merchant has an account with this bank and each day deposits the value of the day’s credit card sales. Acquirers buy (acquire) the merchant’s sales slips and credit the tickets’ value to the merchant’s account.


Application Definition File


Used to process disputes or discrepancies with other financial institutions.


Application Elementary File


Advanced Encryption Standard.  AES key generation, AES encrypt/decrypt in various AES modes, AES MAC algorithm (CBC, CMAC), AES GCM, AES CCM

Affinity Card

A credit card issued in conjunction with an organization or collective group; for example, profession, alumni, retired persons association. The card issuer often pays the organization a royalty.


Application File Locator


An entity appointed by the Card Issuer to perform specific functions on behalf of the Card Issuer. Some examples of these functions include card processing, Cardholder verification using the 3-D Secure protocol, and Token Service.


Application Identifier


Application Interchange Profile

Alternate PAN

A PAN that is not the same as the primary account number.


Abbreviation for American Express, an organization that issues travel and entertainment cards and acquires transactions.


Ahead of Time (AoT) compilation. Compiling of code at some arbitrary time prior to the need to execute the code.




Alphanumeric Special


American National Standards Institute. A U.S. standards accreditation organization.


Application Protocol Data Unit is the communication unit between a smart card reader and a card. The structure of an APDU is defined by the ISO 7816 standards.
There are two categories of APDUs: command APDUs and response APDUs. As the name implies, the former is sent by the reader to the card: it contains a mandatory 5-byte header and from 0 to up to 255 bytes of data. The latter is sent by the card to the reader: it contains a mandatory 2-byte status word and from 0 to up to 256 bytes of data.


Application Programming Interface
This term is used to specify the format of the message in which different systems communicate over the web service link.


A computer program and associated data that reside on an integrated circuit chip and satisfy a business function. Examples of applications include payment, stored value, and loyalty.

Application Authentication Cryptogram (AAC)

A cryptogram generated by the card for offline and online declined transactions.

Application block

Instructions sent to the card by the issuer, to shut down the selected application on a card to prevent further use of that application. This process does not preclude the use of other applications on the card.


ARPC Response Code


Authorization Response Cryptogram


Authorization Request Cryptogram


Abstract Syntax Notation One. Support of ASN.1, coding and decoding according to the Basic Encoding Rules (BER) or the Distinguished Encoding Rules (DER)

Asymmetric Encryption

Also known as public key cryptography. A cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is not computationally feasible to derive the private transformation.
A system based on asymmetric cryptographic techniques can be an encipherment system, a signature system, a combined encipherment and signature system or a key-agreement system. With asymmetric cryptographic techniques, there are four elementary transformations: sign and verify for signature systems, and encipher and decipher for encipherment systems. The signature and the decipherment transformation are kept private by the owning entity, whereas the corresponding verification and encipherment transformations are published. There exist asymmetric cryptosystems (e.g., RSA) where the four elementary functions may be achieved by only two transformations: one private transformation suffices for both signing and decrypting messages, and one public transformation suffices for both verifying and encrypting messages. However, this does not conform to the principle of key separation and, where used, the four elementary transformations and the corresponding keys should be kept separate.


Application Transaction Counter


Automated Teller Machine. An unattended terminal that has electronic capability, accepts PINs, and disburses currency or cheques.

ATM cash disbursement

A cash disbursement obtained at an ATM displaying the Visa, PLUS, or Visa Electron acceptance mark, for which the cardholder’s PIN is accepted.

ATM Interchange Fee

The fee paid to the Acquirer Member by the Issuer Member for an ATM Transaction as established from time to time by a Network.

ATM System

The telecommunications and processing system operated by or on behalf of an Acquirer Member to process a Transactions initiated through the Acquirer Member’s ATMs or Terminals. The ATM System includes all elements of the processing system from the ATM or POB Terminal to the interface with a Switch.


The act of attestation in this standard is the interaction between a verifier (possibly server-based) and a prover (possibly client-based) to determine the current security state/behavior of the prover based on predefined measurements and thresholds provided by the prover.

Attestation System

The set of components that perform attestation processing for the PIN CVM Solution. Its components include the PIN CVM Application attestation component and the back-end attestation component-the latter works in close association with the back-end monitoring system.

Attestation component

An element of the PIN CVM Solution that performs attestation processing.


Application Usage Control


A cryptographic process by which Authentication Tokens are verified to establish the identity of an Account Holder.


The act of ensuring the cardholder has adequate funds available against his or her line of credit. A positive authorization results in an authorization code being generated, and those funds being set aside. The cardholder’s available credit limit is reduced by the authorized amount.

Authorization controls

Information in the chip application enabling the card to act on the issuer’s behalf at the point of transaction. The controls help issuers manage their below-floor-limit exposure to fraud and credit losses. Also known as offline authorization controls.

Authorization request

A merchant’s or acquirer’s request for an authorization.

Authorization Request Cryptogram (ARQC)

The cryptogram generated by the card for transactions requiring online authorization and sent to the issuer in the authorization request. The issuer validates the ARQC during the Online Card Authentication (CAM) process to ensure that the card is authentic and was not created using skimmed data.

Authorization response

The issuer’s reply to an authorization request. Types of authorization responses are: approval, decline, pickup, referral

Authorization Response Cryptogram (ARPC)

A cryptogram generated by the issuer and sent to the card in the authorization response. This cryptogram is the result of the Authorization Request Cryptogram (ARQC) and the Issuer’s authorization response encrypted with the Unique Derivation Key (UDK). It is validated by the card during Issuer Authentication to ensure that the response came from a valid issuer.

Average Ticket

The average size of a merchant bankcard transaction. Generally used in pricing decisions and calculations.


Address Verification Service


Back-end Systems

The set of systems providing the server-side functionality of the PIN CVM Solution. These functionalities include monitoring, attestation and transaction processing. In addition, the back-end systems include the IT environments necessary to support the functionalities of the PIN CVM Solution.

Bank Identification Number (BIN)

A 6-digit number assigned by Visa and used to identify a member or processor for authorization, clearing, or settlement processing.

Bank Routing Number

The first nine digits that appear across the bottom of a personal check; they identify the financial institution.


A financial transaction card (credit, debit, etc.) issued by a financial institution.

BASE I Authorization System

The V.I.P. System component that performs message routing, cardholder and card verification, and related functions such as reporting and file maintenance.


The VisaNet system that provides deferred clearing and settlement services to members.


Payment processing platform owned by ACI.


The accumulation of captured (sale) transactions waiting to be settled. Multiple batches may be settled throughout the day.

Batch Processing

A type of data processing and data communications transmission in which related transactions are grouped together and transmitted for processing, usually by the same computer and under the same application.


Binary Coded Decimal


Base derivation key for DUKPT security operation.


Basic Encoding Rules


BASE Identification Number. See Bank Routing Number.

BIN Controller / Manager

An entity that controls the issuance and allocation of ISO BINs that will be used to issue Payment Tokens according to this specification.

Binary Coded Decimal

A code for representing decimal digits in a binary format.

Business Day

A day on which a Federal Reserve Bank to which a Member may send applicable items for presentment is open for business, other than a state bank holiday.


8 bits of data.



Certification Authority


Card Authentication Method

Capture Date

The date on which a transaction is processed by an acquirer.


A consumer device containing the Visa contactless payment application. Note that the consumer device may not be a plastic card, but for the purposes of this specification, the term card is used to represent the consumer device.

Card acceptance device

A device capable of reading and/or processing a magnetic stripe or chip on a card for the purpose of performing a service such as obtaining an authorization or processing a payment.

Card Acceptor

The entity that initiates a payment transaction and presents transaction data to the Acquirer, typically a Merchant

Card Acceptor ID

The identification value for the Card Acceptor.

Card authentication

A means of validating whether a card used in a transaction is the genuine card issued by the issuer.

Card Authentication Method (CAM)

See Online Card Authentication.

Card block

Instructions, sent to the card by the Issuer, which shut down all proprietary and non-proprietary applications that reside on a card to prevent further use of the card.

Card Emulation

A feature of NFC that enables an NFC-enabled device to emulate a contactless chip card.

Card Issuer

1) The financial institution or retailer that authorizes the issuance of a card to a consumer (or another organization), and is liable for the use of the card. The issuer retains full authority over the use of the card by the person to whom the card is issued.
2) Any bank or organization that issues, or causes to be issued, bankcards to those who apply for them.
3) Any organization that uses or issues a personal identification number (PIN).

Card Issuer Access Control Server (ACS)

The Card Issuer’s Agent that provides a 3-D Secure service for ID&V.

Card Metadata

Data about the card data i.e. card art, terms and condition, issuer app data etc.

Card Verification Code (CVC)

A unique value calculated from the data encoded on the magnetic stripe of a MasterCard card, validating card information during the authorization process.

Card Verification Value (CVV)

A unique value calculated from the data encoded on the magnetic stripe of a VISA card, validating card information during the authorization process.


The person to whom a financial transaction card is issued or an additional person authorized to use the card.

Cardholder Data

At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.

Cardholder verification

The process of determining that the presenter of the card is the valid cardholder. In this specification referred to as Consumer Verification.

Cardholder Verification Method (CVM)

A method of authenticating a cardholder during a transaction. Common CVMs include signature, PIN and biometrics.

Cash Advance

An amount advanced by a bank teller (or ATM) to a bankcard holder against the cardholder’s line of credit.

Cash Back

An optional feature of a Purchase whereby all or part of the Purchase is returned as cash to the Cardholder.

Cash disbursement

Currency, including travelers cheques, paid to a cardholder using a card.


Cash obtained in conjunction with, and processed as, a purchase transaction.


Cipher Block Chaining


Chip Card Payment Service, the former name for Visa Smart Debit and Visa Smart Credit (VSDC).


Committee Draft


Acronym for ‘cardholder data environment.’ The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.


Card Risk Management Data Object List


Customer Exclusive Data

Certificate Authority (CA)

A trusted central administration that issues and revokes certificates.


A transaction that is challenged by a cardholder or card issuing bank and is sent back through interchange to the merchant bank for resolution.

Chargeback Period

The number of calendar days (counted from the transaction processing date) during which the issuer has the right to charge the transaction back to the acquirer. The number of days varies according to the type of transaction from 45 to 180 days.

Check Verification

A service provided in which a merchant accesses a national negative file database through their terminal/register to verify or authorize the person has no outstanding bad check complaints at any of the member merchants. This is not a guarantee of payment to the merchant.


A small square of thin semiconductor material, such as silicon, that has been chemically processed to have a specific set of electrical characteristics such as circuits storage, and/or logic elements.

Chip card

A card embedded with a chip that communicates information to a point-of-transaction terminal.


A card acceptance device that is designed and constructed to facilitate the addition of a chip reader/writer.


Card Issuer Action Code


Cryptogram Information Data


Class Byte of the Command Message


Card Life Cycle Data


The collection and delivery to the issuer of a completed transaction record from an acquirer.

Clearing Account

An account at the clearing bank that will receive a member’s credit or debit for net settlement.

Clearing Bank

A bank designated by the member to receive the member’s daily net settlement advisement. The clearing bank will also conduct funds transfer activities with the net settlement bank and maintain the member’s clearing account. This bank may be the member itself.


See plaintext.


A capability that resides in a network.

Cloud-Based Payments

Term used to describe payments that are enabled by accounts that are managed in systems residing in a network rather than in secure hardware solutions inside the mobile device.

Cloud-Based Payments Device Threshold Management Parameters

Parameters defined by the issuer and managed by the mobile application that are used to trigger a request for account parameter replenishment from the mobile application.

Cloud-Based Payments Program

A systems solution residing in a network that provides the functional logic to support a cloud-based payments solution.

Cloud-Based Payments Program Risk Management Parameters

Parameters defined by the issuer and managed by the cloud-based platform that are used to govern the validity of account parameters used for payment, and whether to initiate an account parameter replenishment.


Compressed Numeric

Commercial off-the-shelf (COTS) Device

A mobile device (e.g., smartphone or tablet) that is designed for mass-market distribution, and is not designed specifically for payment processing.


Translation of computer code from one format into another format. Usually used to take human-readable ‘source’ code and transform this into a format that can be executed by a specific platform or execution environment.


The procedure a VISA or MasterCard member may use to resolve a dispute between members when no chargeback reason code applies. The challenging member must prove financial loss due to a violation of MasterCard and/or VISA rules by the other member.


Individual purchasing goods, services, or both.

Consumer Device

Proximity Card (PICC) or other chip-capable device (for example, a cell phone) that is used by consumers to conduct payment.

Consumer Verification

See Cardholder Verification.


A term that is used interchangeably with ‘Visa payWave’ in this document.

Contactless Transaction

A transaction conducted over the contactless interface according to this specification.

Correlatable Data

In the context of this standard, this is data that would facilitate the correlation of a PIN with a separate transaction or database that contains cardholder data such that interception of this data and the entered PIN could reasonably lead to the association of the PIN with its PAN.
Examples might include time and date stamps, device identifying information and loyalty program identifiers.


see Commercial off-the-shelf (COTS) Device

COTS Platform

The hardware of the COTS device.

Counterfeit Card

A plastic card which has been fraudulently printed, embossed or encoded to appear to be a genuine bankcard, but which has not been authorized by MasterCard or VISA or issued by a member. A card originally issued by a member but subsequently altered without the issuer’s knowledge or consent.

Credit Account

An Access Account which provides for the advance of cash, merchandise or other commodity, in the present, in exchange for a promise to pay a definite sum at a future date, usually with interest.

Credit Card

A plastic card with a credit limit used to purchase goods and services and to obtain cash advances on credit for which a cardholder is subsequently billed by the issuer for repayment of the credit extended.

Credit Limit

The maximum amount the cardholder may owe to the issuer on the card account at any time.


Card Risk Management


A numeric value that is the result of data elements entered into an algorithm and then encrypted. Commonly used to validate data integrity.

Cryptographic key

The numeric value entered into a cryptographic algorithm that allows the algorithm to encrypt or decrypt a message.


The art or science of keeping messages secret or secure, or both.


Card Status Information


Card Terminal Verification Results


Card Verification Code


Cardholder Verification Method

CVM List

An issuer-defined list contained within a chip application establishing the hierarchy of methods for verifying the authenticity of a cardholder.


Cryptogram Version Number


Card Verification Results


Card Verification Value



Data Authentication Code

Data authentication

Validation that data stored in the integrated circuit card has not been altered since card issuance. See also Offline Data Authentication.

Data Encryption

The process of transforming processing information to make it unusable to anyone except those possessing special knowledge, usually referred to as a key.

Data Encryption Algorithm (DEA)

An encipherment operation and an inverse decipherment operation in a cryptographic system.

Data Encryption Standard (DES)

Data Encryption Standard (DES) is a widely-used block cipher encryption using a private (secret) key standardized by ANSI in 1981 as ANSI X.3.92. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.


A collection of data organized and designed for easy access, e.g., a collection of customer names and addresses.

DDA (Off-line Dynamic data authentication)

In case of a terminal and a card supporting the off-line data authentication, terminal chooses what kind of off-line data authentication will be performed. In case of DDA then terminal determine whether the card is genuine or not and whether the data personalized in the card has altered since the personalization through dynamic data encryption (RSA) and passing this value to terminal for authentication with a public certificate.


Directory Definition File


Dynamic Data Object List


The process of redeeming a Payment Token for its associated PAN value based on the Payment Token to PAN mapping stored in the Token Vault. The ability to retrieve a PAN in exchange for its associated Payment Token should be restricted to specifically authorised entities, individuals, applications, or systems.


Data Encryption Algorithm


A charge to a customer’s bankcard account.

Debit Card

Any card that primarily accesses a Deposit Account.

Debit Transaction

A bankcard used to purchase goods and services and to obtain cash, which debits the cardholder’s personal deposit account.

Decline OR Declined

The denial of an Authorization Request by, or on behalf of, an Issuer Member.


The process of transforming ciphertext into cleartext.

Deposit Account

An Access Account, other than a Credit Account, maintained by a Member for processing transactions. Deposit Accounts include checking, NOW, savings, share draft, and such other depository accounts as are legal under Applicable Law.

Deposit Credit

See Credit Deposit.


Data Encryption Standard

DES key

A secret parameter of the Data Encryption Standard algorithm.


Triple DES

Deterministic Random Number Generator (DRNG)

See Pseudo Random Number Generator (PRNG).

Device PAN

A virtual PAN present in the card device and disclosed to the Merchant terminal at the time of transaction.


Dedicated File

DF Name

Dedicated File Name

Digital signature

A cryptogram generated by encrypting a message digest (or hash) with a private key that allows the message content and the sender of the message to be verified.


Draft International Standard

Discount Rate

An amount charged a merchant for processing its daily credit card transactions.


Derivation (DEA) Key


Derivation Key Index


DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network.

Doing Business As (DBA)

Refers to the specific name and location of the merchant establishment where credit card purchases are made.

Double-length DES Key

Two secret 64-bit input parameters each of the Data Encryption Standard algorithm, consisting of 56 bits that must be independent and random, and 8 error-detecting bits set to make the parity of each 8-bit byte of the key odd.


See Device PAN


Digital Signature Algorithm. DSA key generation, DSA signature generation/verification, Diffie-Hellman key establishment, algorithms comply with FIPS 186-2 and 186-4 (see [FIPS186-2] and [FIPS186-4])

Dual Control

A process of using two or more separate entities (usually persons), operating in concert, to protect sensitive functions or information. Each entity is equally responsible for the physical protection of materials involved in vulnerable processes. No single person must be able to access or to use the materials (e.g., cryptographic key).
For manual key generation, conveyance, loading, storage and retrieval, dual control requires split knowledge of the key among the entities. No single person can gain control of a protected item or process. Also see Split Knowledge.


Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key.

Dynamic Data Authentication (DDA)

A type of Offline Data Authentication where the card generates a cryptographic value using transaction-specific data elements for validation by the terminal to protect against skimming.


Easy Entry

A replication of the magnetic stripe information on the chip to facilitate payment as part of multi-application programs. Easy Entry is not EMV-compliant and is being phased out.


Elliptic Curve Algorithm. Arithmetic operations on points of elliptic curves


Electronic Code Book


Acronym for ‘Elliptic Curve Cryptography.’ Approach to public-key cryptography based on elliptic curves over finite fields.


Elliptic Curve Digital Signature Algorithm. ECDSA key generation, ECDSA signature generation and verification operations, ECDH key agreement, ECIES; algorithms comply with FIPS 186-2 and 186-4 (see [FIPS186-2] and [FIPS186-4])


Electronic Cash Register


The electronic equivalent of a paper check.


EFTlab Financial Message – EFTlab’s BP-Node product’s internal message based on ISO20022 (JSON/XML).

EFTlab Financial Message (EFM)

EFTlab’s BP-Node product’s internal message based on ISO20022 (JSON/XML).

Electronic Banking

A form of banking in which funds are transferred through an exchange of electronic signals between financial institutions, rather than an exchange of cash, checks or other negotiable instruments.

Electronic Bill Payment (E-pay)

An alternative to paper checks for paying bills. Consumers can use PCs, telephones, screen phones or ATMs to send electronic instructions to their bank or bill payment provider to withdraw funds from their accounts and pay merchants. Payments may be made either electronically or by a paper check issued by the bill payment provider.

Electronic Cash Register

An electronic cash register (ECR) is a system designed to enable products to be sold at a retail outlet. Electronic cash registers help large retail outlets track sales, minimize register errors, collect inventory data and much more.

Electronic Check Acceptance or ECA

A system that captures banking information off a paper check and converts it into an electronic item processed through the Automated Clearing House network. With ECA, checks are processed similarly to credit cards, and the paper check is returned to the consumer at the point of sale.

Electronic Commerce (E-commerce)

The transacting of business electronically rather than via paper.

Electronic Funds Transfer (EFT)

A transfer of funds between accounts by electronic means rather than conventional paper-based payment methods. EFT is any financial transaction originating from a telephone or electronic terminal, or from a computer or magnetic tape.


EMV, or EuroPay, MasterCard and Visa, is a microchip-based technology designed to reduce fraud at the point-of-sale. Banks are beginning to issue payment cards with these embedded chips, which also support contactless payments.


A privately owned corporation. The current members of EMVCo are JCB International, American Express, Mastercard, China UnionPay, Discover Financial and Visa Inc.

EMV specifications

Technical specifications developed jointly by Europay International, MasterCard International, and Visa International to create standards and ensure global interoperability for use of chip technology in the payment industry.

EMV Type Cryptogram

A cryptogram that fits into the existing cryptogram field in EMV transaction messages.


The technique of scrambling data automatically in the terminal or computer before data is transmitted for security/anti-fraud purposes.


The IT environment supporting one or more functionalities of the PIN CVM Solution-such as the IT environment hosting the back-end monitoring system.

Execution environment

The set of hardware and software on which a program is executed. This may be provided through hardware alone, include a combination of hardware and software elements, or be virtualized and implemented in software such that the execution environment can be similarly executed on different hardware platforms.

Expired card

A card on which the embossed, encoded, or printed expiration date has passed.



File Control Information


Form Factor Indicator

File Control Information (FCI)

Provided in a card response when the card application is selected (using a SELECT command) by a reader or terminal.

Financial Institution

Any organization in the business of moving, investing or lending money, dealing in financial instruments, or providing financial services. Includes commercial banks, thrifts, federal and state savings banks, saving and loan associations, and credit unions.


Federal Information Processing Standard

Floor limit

A currency amount that Visa has established for single transactions at specific types of merchants, above which online authorization is required.

Form Factor Indicator (FFI)

A field that indicates the form factor of the consumer payment device and the type of contactless interface over which the transaction is conducted.


See Funding PAN

Full screen mode

Where the PIN CVM application that is currently executing is in control of the primary display and input mechanism(s) of the COTS device. A full screen mode may still include display features that are controlled and/or managed by the COTS Operating System, but may not include any display from other applications. It is assumed by this standard that full screen mode mitigates the use of any separately controlled or managed displays or input mechanisms to display prompts for data entry, or capture such data entry.


Refers to the payment to a merchant for his submitted deposits.

Funding PAN

Actual PAN of the cardholder usually embossed on the plastic. TPAN on a card device is associated with the actual PAN.

Funds Transfer System

A wire transfer network, ACH, or other communication system or clearing house or association of banks in which First Data’s Clearing/Funding Bank is a member and through which a payment order by a bank may be transmitted. Includes SWIFT, CHIPS, Fedwire, the National Association of Clearing House Associations, MasterCard and VISA.




Graphical user interface

A user interface that is provided through images and text.


Graphical user interface



Another term for a mobile device, usually a mobile phone handset.

Hardware Security Module (HSM)

A secure module used to store cryptographic keys and perform cryptographic functions.


A (mathematical) function that is a non-secret algorithm, which takes any arbitrary-length message as input and produces a fixed-length hash result.
Approved hash functions satisfy the following properties:
a) One-way – It is computationally infeasible to find any input that maps to any pre-specified output.
b) Collision-resistant – It is computationally infeasible to find any two distinct inputs (e.g., messages) that map to the same output.
It may be used to reduce a potentially long message into a ‘hash value’ or ‘message digest’ that is sufficiently compact to be input into a digital-signature algorithm. A ‘good’ hash is such that the results of applying the function to a (large) set of values in a given domain will be evenly (and randomly) distributed over a smaller range.


See Host Card Emulation OR Hardware Crypto Engine. functions to access the hardware crypto accelerator chip built into some of the CryptoServer models




Hours, Minutes, Seconds

Hash-based message authentication code (HMAC)

A message authentication code that is produced using hash algorithms rather than a symmetric cryptographic algorithm. Defined in FIPS 198-1.

Host Card Emulation (HCE)

Term used to describe mobile device capability in which the card emulation ability for NFC is provided through a software-based solution rather than a hardware secure element.

Host data capture system

An acquirer authorization system that retains authorized transactions for settlement without notification from the terminal that the transaction was completed.


A hardware security module manages secured keys, message validation and PIN authentication cryptoprocesses. Also provides strong authentication to access critical keys for payments applications.



Issuer Application Data


Issuer Authentication Response Code


Integrated Circuit


Integrated Circuit Card



Identification and Verification (ID&V)

A valid method through which an entity may successfully validate the Cardholder and the Cardholder’s account in order to establish a confidence level for Payment Token to PAN / Cardholder binding (eg. Account verification message, Risk score based on assessment of the PAN, Use of one time password by the Card Issuer or its Agent to verify the Cardholder)


ICC Dynamic Number


International Electrotechnical Commission


Interface Device


See Bank Routing Number.


Issuer Master Keys


Issuer Master Keys for Data Authentication Code

Initial Chaining Vector

The input data applied to the first data block in a Triple DES encryption process



Integrated Circuit Card (ICC)

See chip card.

Integrated Circuit Chip

See chip.


Ensuring consistency of data; in particular, preventing unauthorized and undetected creation, alteration, or destruction of data.


The domestic and international systems operated by VISA and MasterCard for authorization, settlement and the passing through of interchange and other fees, as well as other monetary and non-monetary information related to bankcard activities.

Interchange Fee

Fees paid by the acquirer to the issuer to compensate for transaction-related costs. VISA and MasterCard establish interchange fee rates.

International Organisation for Standardisation (ISO)

The specialized international agency that establishes and publishes international technical standards.


The ability of all card acceptance devices and terminals to accept and read all chip cards that are properly programmed.


International Organization for Standardization


A Visa customer that issues Visa or Electron cards, or proprietary cards bearing the PLUS or Visa Electron Symbol.

Issuer Action Codes (IACs)

Card-based rules which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.

Issuer Authentication

Validation of the issuer by the card to ensure the integrity of the authorization response. See Authorization Response Cryptogram (ARPC).

Issuer/Issuing Bank

The financial institution (a licensed member of MasterCard or VISA) which holds contractual agreements with and issues cards to cardholders.


Japanese Credit Bureau (JCB)

Issuers of the JCB card.

Just-in-time (JIT) compilation

Compiling of code immediately prior to the execution of that code.


Key agreement

A key-establishment protocol for establishing a shared secret key between entities in such a way that neither of them can predetermine the value of that key. That is, the secret key is a function of information contributed by two or more participants.

Key Check Value (KCV)

A value used to identify a key without revealing any bits of the actual key itself. Check values are computed by encrypting an all-zero block using the key or component as the encryption key, using the leftmost n-bits of the result; where n is at most 24 bits (6 hexadecimal digits/3 bytes TDEA and 5 bytes AES). This method may be used for TDEA. TDEA may optionally use, and AES uses a technique where the KCV is calculated by MACing an all-zero block using the CMAC algorithm as specified in ISO 9797-1 (see also NIST SP 800-38B). The check value will be the leftmost n-bits of the result, where n is at most 40 bits (10 hexadecimal digits). The block cipher used in the CMAC function is the same as the block cipher of the key itself. A TDEA key or a component of a TDEA key will be MAC’d using the TDEA block cipher, while a 128-bit AES key or component will be MAC’d using the AES-128 block cipher. Also known as Key verification check (KVC).

Key generation

The creation of a new key for subsequent use.
Creation of a cryptographic key either from a random number generator or through a one-way process utilizing another cryptographic key.

Key installation

Loading of a key that is protected with white-box cryptography, usually embedded within an application.

Key loading

Process by which a key is manually or electronically transferred into a secure cryptographic device.

Key management

The handling of cryptographic keys and other related security parameters during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving.

Key variant

A new key formed by a process (which need not be secret) with the original key, such that one or more of the non-parity bits of the new key differ from the corresponding bits of the original key.

Key wrapping

A format for storage and transmission of symmetric cryptographic keys that embeds metadata about the key type and use, as well as providing cryptographic authentication across the encrypted key and this metadata to ensure that the key and its purpose cannot be altered.


Key Serial Number identifies key used for DUKPT security processing and actual cryptographic operation counter.



Last online Application Transaction Counter


Exact length of data sent by the Terminal Application Layer (TAL) in a Case 3 or 4 command


Least Common Multiple


See Lifecycle Management


Lower Consecutive Offline Limit


Length of the plaintext data in the Command Data Field


Length of the ICC Dynamic Data


Maximum length of data expected by the TAL in response to a Case 2 or 4 command

Lifecycle Management

A process of managing the token lifecycle. This includes resuming, suspending, deleting or updating any RPAN data.

Limited Use Key

A cryptographic key that is only valid for a certain duration of time.


Longitudinal Redundancy Check

Luhn digit check

Is a simple checksum formula used to validate a variety of identification numbers, such as credit card numbers, IMEI numbers.


M of N

An m-of-n scheme is a component or share allocation scheme where m is the number of shares or components necessary to form the key, and n is the number of the total set of shares or components related to the key.
Management of the shares or components must be sufficient to ensure that no one person can gain access to enough of the item to form the key alone.


In cryptography, an acronym for ‘Message Authentication Code’. A small piece of information used to authenticate a message.

Magnetic Information Character Recognition (MICR)

Imprinted banking numbers (routing/transit number, checking account number, check number) at the bottom of the check.

Magnetic Stripe

The stripe on the back of the card that contains the magnetically coded account information necessary to complete a non-chip electronic transaction.

Magnetic Stripe Image

The minimum chip payment service data replicating information in the magnetic stripe required to process a transaction that is compliant with EMV.


Recurring specification update from VISA or MasterCard.

Mandatory access control

Access control by which the operating system constrains the ability of a process or thread to access or perform an operation on objects or targets such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc., though an authorization rule enforced by the operating system kernel.

Manual key loading

Loading of a cryptographic key using two or more full-length components or use m of n shares, entered directly through a secure physical mechanism.

Man-in-the-middle (MITM) attack

An attack method where a malicious third party interposes between two other communicating parties and modifies the data sent between them.


Mobile Application Platform.

Master Derivation Keys (MDK)

Master DES keys stored in the issuer host system. These keys are used to generate Unique Derivation Keys (UDKs) for personalization, to validate ARQCs, and to generate ARPCs.


MasterCard International


Master Derivation Key


A financial institution which is a member of VISA USA and/or MasterCard International. A member is licensed to issue cards to cardholders and/or accept merchant drafts.


A retailer, or any other person, firm, or corporation that, according to a Merchant Agreement, agrees to accept credit cards, debit cards, or both, when properly presented.

Merchant Acquirer

A member that has entered into an agreement with a merchant to accept deposits generated by bankcard transactions; also called the acquirer or acquiring bank.

Merchant Agreement

The written contract between merchant and acquirer who detail their respective rights, responsibilities and warranties.

Merchant Category Code (MCC)

A code designating the principal trade, profession, or line of business in which a merchant is engaged.

Merchant Number

A number that numerically identifies each merchant to the merchant processor for accounting and billing purposes.


Merchants that accept Visa payWave payment transactions at their point-of-sale.

Message authentication code (MAC)

A digital code generated using a cryptographic algorithm which establishes that the contents of a message have not been changed and that the message was generated by an authorized entity.


Master File

MICR Number Method

A check authorization procedure that uses the bank routing/transit numbers, checking account numbers and check number encoded along the bottom of the check.


MasterCard Internet Gateway Service – is a payment gateway system that allows banks to accept card not present (CNP) transactions. MIGS is PCI-DSS-compliant and is typically branded and priced by the acquiring bank. It is used to interconnect online merchants to their acquiring banks through standards-compliant technology and API (Virtual Payment Client). This payment gateway provides support for services such as “MasterCard SecureCode”, “Verified by Visa” and “JCB J/Secure”.


Master Key


ICC Master Key Application Cryptogram


ICC Master Key for ICC Dynamic Number generation


ICC Master Key for Secure Messaging for Confidentiality


ICC Master Key for Secure Messaging for Integrity

Mobile Application

A software application resident on the mobile device that consumers use to interact with their mobile device to access a product or a service. For cloud-based payments, mobile applications typically include, but are not necessarily limited to, mobile banking applications or mobile wallet applications.

Mobile Application Platform

A server-based system that provides for the management of capabilities and services to mobile applications. For cloud-based payments, mobile application platforms may be, but are not necessarily limited to, existing mobile banking platforms or mobile wallet platforms.

Mobile Device

A portable electronic device with wide area communication capabilities that can be enabled with Visa payWave functionality. Mobile devices include mobile handsets, handhelds, smartphones, and other consumer electronic devices, such as suitably equipped PDAs.


Magnetic Stripe Data


The presence of multiple applications on a chip card (for example, payment, loyalty, and identification).



Not Applicable


Length of the Certification Authority Public Key Modulus

Near-Field Communication (NFC)

A short-range contactless proximity technology based on ISO/IEC 18092, which provides for ISO/IEC 14443-compatible communications.

Net Payment

Payment to the merchant for sales drafts less credits minus the appropriate discount fee.

Net Revenue

Discount income less interchange expense.

Net Settlement

The settlement, through an actual transfer of funds, of the net effect of a series of financial transactions involving customers of two or more banks.


Near field communication is a set of standards derived from EMV to establish radio communication between account data holding device (ICC card, mobile) and a payment device (POS) by touching them together or bringing them into close proximity, usually no more than a few centimeters.


Length of the Issuer Public Key Modulus


The four most significant or least significant bits of a byte of data.


Length of the ICC Public Key Modulus


In a payment system, a financial institution not offering retail banking services.


ICC PIN Encipherment Public Key Modulus


A random number generator that has access to an entropy source and (when working properly) produces output numbers (or bit strings) that have full entropy. Sometimes called a True Random Number (or Bit) Generator.
Contrast with a deterministic random number generator (DRNG).



Protection applied to a process or data through increasing the complexity of interpreting that data. For the purposes of this standard, ‘obfuscation’ refers to ‘code obfuscation,’ where computational processes have been applied to increase the complexity of a code set to reduce the ability to reverse-engineer that code.

Offline approval

A transaction that is positively completed at the point of transaction between the card and terminal without an authorization request to the issuer.

Offline authorization

A method of processing a transaction without sending the transaction online to the issuer for authorization.

Offline Data Authentication

A process whereby the card is validated at the point of transaction using RSA public key technology to protect against counterfeit or skimming. VIS includes two forms: Static Data Authentication (SDA) and Dynamic Data Authentication (DDA).

Offline decline

A transaction that is negatively completed at the point of transaction between the card and terminal without an authorization request to the issuer.

Offline Payment Transaction

In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity-e.g., at a ticket kiosk-or in countries where telecommunications costs are high.

Offline PIN

A PIN value stored on the card that is validated at the point of transaction between the card and the terminal.

Offline PIN verification

The process whereby a cardholder-entered PIN is passed to the card for comparison to a PIN value stored secretly on the card.


A card acceptance device that is able to perform offline approvals.

Offline-only terminal

A card acceptance device that is not capable of sending transactions online for issuer authorization.


Offline Cumulative Transaction Amount

One Time Password

An OTP is sent to the cardholder in order to verify him/her while provisioning the card on the device. It will be sent by Issuer in most cases.

Online authorization

A method of requesting an authorization through a communications network other than voice to an issuer or issuer representative.

Online Card Authentication (CAM)

Validation of the card by the issuer to protect against data manipulation and skimming. See Authorization Request Cryptogram (ARQC).

Online PIN verification

A method of PIN verification where the PIN entered by the cardholder into the terminal PIN pad is DES-encrypted and included in the online authorization request message sent to the issuer.

Online-capable terminal

A card acceptance device that is able to send transactions online to the issuer for authorization.

Operating system (OS)

System software that manages the underlying hardware and software resources and provides common services for programs. Common operating systems in a COTS environment include, but are not limited to, Android and iOS.


A financial institution that initiates a wire transfer or automated clearing house (ACH) payment.


See One Time Password


One location of a chain.

Over the Air (OTA)

A method of distributing new software updates to mobile devices or provisioning handsets with the necessary settings with which to access services.



Parameter 1


Parameter 2


Primary Account Number


Sales slips, credit slips, cash disbursement slips and other obligations indicating use of a card or a card account. Also referred to as ‘media’.


A secret string of characters (usually numeric) used for consumer authentication to gain access to mobile applications on the mobile device. Consumers use the keypad of their mobile device to authenticate themselves.

Payment Application Data Security Standard (PA DSS)

The global security standard created by the Payment Card Industry Security Standards Council (PCI SSC) to provide the definitive data standard for software vendors that develop payment applications.

Payment Card Industry Data Security Standard (PCI DSS)

A proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Payment Gateway

An e-commerce application service provider service that authorizes payments for e-businesses, online retailers, or traditional brick and mortar businesses. It is equivalent to a physical point of sale terminal located in most retail outlets.

Payment Processor

An entity that provides payment processing services for Acquirers and / or Issuers. A Payment Processor may in addition to processing provide operational, reporting and other services for the Acquirer or Card Issuer.

Payment Network

An electronic payment system used to accept, transmit, or process transactions made by payment cards for money, goods, or services, and to transfer information and funds among Issuers, Acquirers, Payment Processors, Merchants, and Cardholders.

Payment System

A set of instructions and procedures used for the transfer of ownership and settlement of obligations arising from the exchange of goods and services.

Payment Token

Payment Tokens can take on a variety of formats across the payments industry. For this specification, the term Payment Token refers to a surrogate value for a PAN that is a 13 to 19-digit numeric value that must pass basic validation rules of an account number, including the Luhn check digit. Payment Tokens are generated within a BIN range that has been designated as a Token BIN Range and flagged accordingly in all appropriate BIN tables. Payment Tokens must not have the same value as or conflict with a real PAN.


Certification Authority Public Key


The Data Security Standard published and maintained by the Payment Card Industry Security Standards Council. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.


A PCI standard that contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.


Processing Options Data Object List


The process of populating a card with the application data that makes it ready for use.

Physical Unclonable Function (PUF)

An intrinsic value or transformation that can be provided by a system that is a function of some physical process, such that it cannot be replicated or altered.


Issuer Public Key


ICC Public Key


Proximity IC Card. Synonym with the consumer device in Book D of [EMV CL]

PIN (Personal Identification Number)

The confidential individual number or code used by a cardholder to authenticate card ownership for ATM or POS terminal transactions.

PIN Authorization Request

A procedure enabling the issuer to validate cardholder identity by comparing the PIN to the account numbers.

PIN block

Defined formats used for offline and online PIN processing and transmission, as defined in ISO 9564 Part 1.

PIN CVM Application

All parts of the code, regardless of execution environment, that are installed and executed on the merchant COTS device for the purposes of accepting and processing the cardholder’s PIN The client-side monitor and/or a payment application may be incorporated into the PIN CVM Application or may be a separate application.

PIN CVM Solution (The Solution)

The set of components and processes that support the entry of PIN data in to a COTS device. At a minimum, The Solution includes SCRP, PIN CVM Application and the back-end systems and environments that perform attestation, monitoring and payment and online PIN processing.


A Tamper Resistant Security Module that enables a Cardholder to enter his or her PIN at a Terminal.

PIN Verification

A procedure utilized by or on behalf of the Issuer Participant to verify the identification of the Cardholder as a result of the use of the PIN upon receipt of a Transaction request.


Proprietary Application Identifier Extension


Data in its original unencrypted form.

Point of Sale (POS)

The point of sale (POS) or point of purchase (POP) is the time and place where a retail transaction is completed. At the point of sale, the merchant would calculate the amount owed by the customer and indicate the amount, and may prepare an invoice for the customer (which may be a cash register printout), and indicate the options for the customer to make payment. It is also the point at which a customer makes a payment to the merchant in exchange for goods or after provision of a service. After receiving payment, the merchant may issue a receipt for the transaction, which is usually printed, but is increasingly being dispensed with or sent electronically. (source: Wikipedia)

Point of transaction (POT)

The physical location where a merchant or acquirer (in a face-to-face environment) or an unattended terminal (in an unattended environment) completes a transaction.

Point-of-Sale System

An electronic system that accepts financial data at or near a retail selling location and transmits that data to a computer or authorization network for reporting activity, authorization and transaction logging.

Point-of-transaction terminal

A device used at the point of transaction that has a corresponding point-of-transaction capability. See also Card Acceptance Device.


Point of Service

POS Terminal

A device placed in a merchant location that is connected to the bank’s system or authorization service provider via telephone lines and is designed to authorize, record and forward data by electronic means for each sale.


Payment processing platform formally owned by Mosaic, S1 and currently by ACI.

Post-issuance update

A command sent by the issuer through the terminal via an authorization response to update the electronically stored contents of a chip card.


Proximity Payment Systems Environment

Prepaid Cards

A reloadable or non-reloadable debit card that allows the holder to only spend up to the amount that has been pre-deposited into the account.

Primary Account Number (PAN)

A variable length, 13 to 19-digits, ISO 7812-compliant account number that is generated within account ranges associated with a BIN by a Card Issuer.

Private key

As part of an asymmetric cryptographic system, the key that is kept secret and known only to the owner.
A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and is not made public.
In the case of an asymmetric signature system, the private key defines the signature transformation. In the case of an asymmetric encipherment system, the private key defines the decipherment transformation.

Processing Host System

Term used to describe the system used by an issuer to authorize payment transactions.


An organization that is connected to VISANet and or Banknet and provides authorization and/or clearing and settlement services on behalf of a member.


In this document, refers to contactless technology as described in [EMV CL].

Proximity Payment System Environment (PPSE)

The purpose of the Proximity Payment System Environment is to inform the contactless payment terminal of the types of payment products that are available on the card or mobile device that is presented to the terminal. The payment terminal uses this information to determine if a payment is possible.


Payment System Environment

Pseudo Random Number Generator (PRNG)

A deterministic algorithm to generate a sequence of numbers with little or no discernible pattern in the numbers, except for broad statistical properties.


Application PAN Sequence Number


PIN Try Counter


PIN Try Limit

Public key

As part of an asymmetric cryptographic system, the key known to all parties.
A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and may be made public.
In the case of an asymmetric signature system, the public key defines the verification transformation. In the case of an asymmetric encipherment system, the public key defines the encipherment transformation. A key that is ‘publicly known’ is not necessarily globally available. The key may only be available to all members of a pre-specified group.

Public key cryptography

See Asymmetric Encryption.

Public key cryptographic algorithm

A cryptographic algorithm that allows the secure exchange of information, but does not require a shared secret key, through the use of two related keys—a public key which may be distributed in the clear and a private key which is kept secret.

Public key pair

The two mathematically related keys, a public key and a private key which, when used with the appropriate public key cryptographic algorithm, can allow the secure exchange of information, without the secure exchange of a secret.

Purchase transaction

A retail purchase of goods or services; a point-of-sale transaction.


PIN Verification Value


Quasi-cash transaction

A transaction representing a merchant’s sale of items, such as gaming chips or money orders, that are directly convertible to cash.


quick Visa Smart Debit/Credit

qVSDC Path

For transactions conducted over the contactless interface, the qVSDC Path is an application path taken by the card which results in card behavior defined for qVSDC. This path is taken for contactless transactions where the card and reader both support qVSDC.


Random Number Generator (RNG)

The process of generating values with a high level of entropy and that satisfy various qualifications, using cryptographic and hardware-based ‘noise’ mechanisms. This results in a value in a set that has equal probability of being selected from the total population of possibilities, hence unpredictable.

Random selection

An EMV online-capable terminal function that allows for the selection of transactions for online processing. Part of Terminal Risk Management.


The merchant device communicating with the card/Mobile Application.

Real PAN

Actual PAN of the cardholder usually embossed on the plastic. TPAN on a card device is associated with the actual PAN.

Reason Code

A code used to provide additional information to the receiving clearing member regarding the nature of a chargeback, subsequent presentment, fee collection, funds disbursement, or request for a source document.


A hard copy description of the transaction that took place at the point-of-sale, containing at minimum: date, merchant name/location, primary account number, type of account accessed, amount, reference number, and an action code.

Recurring Transaction

A transaction charged to the cardholder (with prior permission) on a periodic basis for recurring goods and services, i.e., health club memberships, book-of-the-month clubs, etc.

Reference Number

A twenty-three (23) position number assigned by the acquiring member and used to identify a transaction.

Referral response

An authorization response where the merchant or acquirer is instructed to contact the issuer for further instructions before completing the transaction.

Remittance Information

Information required by the biller to post customer bill payments effectively.

Replay attack

A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.

Requested Token Assurance Level / Assigned Token Assurance Level

The Requested Token Assurance Level is requested from the Token Service Provider by the Token Requestor. Requested Token Assurance Level is a field included in the Token Request. The Assigned Token Assurance Level is the actual value assigned by the Token Service Provider as the result of the ID&V process and is provided back to the Token Requestor in response to the Token Request.


A BASE II or online financial transaction used to negate or cancel a transaction that has been sent through interchange.


Reserved for Future Use (see next table)


Registered Application Provider Identifier


Reset Internal Parameters

ROM (Read-Only Memory)

Permanent memory that cannot be changed once it is created. It is used to store chip operating systems and permanent data.


See Real PAN

RSA (Rivest, Shamir, Adleman)

A public key cryptosystem developed by Rivest, Shamir, and Adleman, used for data encryption and authentication.


Sales Draft

Paper documentation of a transaction. Also called a sales slip, charge slip or hard copy.


Certification Authority Private Key

SDA (Off-line Static data authentication)

In case of a terminal and a card supporting the off-line data authentication, terminal chooses what kind of off-line data authentication will be performed. In case of SDA then terminal determine whether the card is genuine or not by passing its internal checksum data encrypted (RSA) to terminal for authentication with a public certificate.

Secret key

A key that is used in a symmetric cryptographic algorithm (that is, DES), and cannot be disclosed publicly without compromising the security of the system. This is not the same as the private key in a public/private key pair.

Secure Boot

See Trusted Boot

Secure card reader – PIN (SCRP)

A physical card reader that has been assessed compliant to the PCI PTS SCRP Approval Class and is listed on the PTS approval website.

Secure channel

A cryptographically protected connection between two processing elements.

Secure cryptographic device (SCD)

A physically and logically protected hardware device that provides a secure set of cryptographic services. It includes the set of hardware, firmware, software, or some combination thereof that implements cryptographic logic, cryptographic processes, or both, including cryptographic algorithms. Examples include ANSI X9.24 part 1 or ISO 13491.

Secure Element

A tamper-resistant module capable of hosting mobile device applications in a secure manner. A hardware-secure chip-based solution that is resident in the mobile device, either as an integrated component or as a removable component such as a Universal Integrated Circuit Card (UICC) Subscriber Identity Module (SIM) card or a memory card solution.

Secure messaging

A process that enables messages to be sent from one entity to another, and protects against unauthorized modification or viewing.

Secure reading and exchange of data (SRED)

Module 4 of the PCI PTS POI Standard, detailing the requirements for devices that protect account data.

Security Compliance Review

A review that is based on an approved checklist and that is performed by a Member’s or Processor’s Approved Auditor to verify the Member’s or the Processor’s compliance with these Rules.

Sensitive Authentication Data

Security-related information-including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs and PIN blocks-used to authenticate cardholders and/or authorize payment card transactions.

Sensitive Data

Sensitive data is cryptographic materials-e.g., keys, certificates, cardholder PINs or cardholder data.

Session key

A temporary cryptographic key computed in volatile memory and not valid after a session is ended.


As the sales transaction value moves from the merchant to the acquiring bank to the issuer, each party buys and sells the sales ticket. Settlement is what occurs when the acquiring bank and the issuer exchange data or funds during that function.

Settlement Statement

A document issued to the merchant, indicating the sales and credit activity, billing information, discount fee and chargebacks (if any) occurring during a particular time frame (one week, one month).


Short File Identifier


Secure Hash Algorithm

Shopping Cart Software

Shopping cart software allows the cardholder to select items from an online store and place them in a virtual shopping basket or shopping cart. The shopping cart remembers which items are selected while the cardholder views other items within the virtual storefront, keeps a running total, and may calculate taxes and shipping. The items in the shopping cart are eventually ordered if the cardholder chooses.


Issuer Private Key


ICC Private Key

Single Message System

A component of the V.I.P. System that processes Online Financial and Deferred Clearing transactions.


Session Key


Session Key Application Cryptogram


Secure Messaging

Smart Card

A plastic card resembling traditional credit or debit cards that contains a computer chip; the chip is capable of storing significantly more information than a magnetic stripe.

Software Protection Mechanisms

Methods and implementations used to prevent the reverse engineering and modification of software. See Obfuscation and White-box cryptography as examples of commonly used software protection mechanisms.

Split Knowledge

A condition under which two or more entities separately have key components or key shares that individually convey no knowledge of the resultant cryptographic key. The information needed to perform a process such as key formation is split among two or more people. No individual has enough information to gain knowledge of any part of the actual key that is formed.

STAN (System Trace Audit Number)

Unique number identifying a payment transaction through the whole or part of the payment system. In ISO8583-like dialects usually as data element DE11.

Start Up Kit

Supplies shipped to new merchants including sales slips, credit slips, batch header tickets, return envelopes, VISA/MasterCard decals, merchant plastics, imprinter slugs and instructional materials.

Static Data Authentication (SDA)

A type of Offline Data Authentication where the terminal validates a cryptographic value placed on the card during personalization. This validation protects against some types of counterfeit, but does not protect against skimming.

Status Word

SW1 and SW2, collectively.


The process of sending batch deposits to Merchant Services for processing. This may be done electronically or by mail.

Support Documentation

The forms necessary to effect a chargeback processing cycle, and any additional material to uphold a dispute.


Status byte 1


Status Byte One and Status Byte Two


Status byte 2

Symmetric encryption

A cryptographic key that is used in symmetric cryptographic algorithms. The same symmetric key that is used for encryption is also used for decryption. Also known as ‘secret key.’



The automatic determination by a cryptographic module that an attempt has been made to compromise the security of the module.

Tamper-resistant security module (TRSM)

Usualy a HSM.


A characteristic that provides an active response to the detection of an attack, thereby preventing a success.


Transaction Certificate


Transaction Capture Multi-Payment (TCMP) is a payment messages format for transmissions between the terminal and RBS WorldPay Host. This host interface is designed to operate in a terminal-capture or host-capture environment.


Triple DES. An algorithm specified in ISO/IEC 18033-3: Information technology – Security techniques – Encryption algorithms – Part 3: Block ciphers. (PIN)


Transaction Certificate Data Object List


Trusted Execution Environment

Telephone Bill Payment

A service that permits a customer to pay bills electronically. The customer gives a corporation the authority to debit his or her account for a specific amount or within a specified range of amounts.

Terminal Action Codes (TACs)

Visa-defined rules in the terminal which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.

Test Requirements (TR)

Requirements that dictate the set of tests that must be performed to confirm compliance with a specific standard.

The Solution

See PIN CVM Solution

Third-Party Processing

Processing of transactions by service providers acting under contract to card issuers or acquirers. First Data is a third-party processor.


Tag Length Value


An implementation of an alternate PAN that may include additional features associated with tokenization.

Token Assurance Level

A value that allows the Token Service Provider to indicate the confidence level of the Payment Token to PAN / Cardholder binding. It is determined as a result of the type of Identification and Verification (ID&V) performed and the entity that performed it. It may also be influenced by additional factors such as the Token Location.
The Token Assurance Level is set when issuing a Payment Token and may be updated if additional ID&V is performed. The Token Assurance Level value is defined by the Token Service Provider.

Token BIN

A specific BIN or range within a BIN that has been designated only for the purpose of issuing Payment Tokens and is flagged accordingly in BIN tables.

Token BIN Range

A unique identifier that consists of the leading 6 to 12 digits of the Token BIN. The Token BIN Range may be designed to carry the same attributes as the associated Card Issuer card range and will be included in the BIN routing table distributed to the participating Acquirers and Merchants to support routing decisions.

Token Cryptogram

A cryptogram generated using the Payment Token and additional transaction data to create a transaction-unique value. The calculation and format may vary by use case.

Token Domain

The types of transactions for which a Payment Token may be used. Token Domains may be channel-specific (e.g. NFC only), Merchant-specific, digital wallet-specific, or a combination of any of the above.

Token Domain Restriction Controls

A set of parameters established as part of Payment Token issuance by the Token Service Provider that will allow for enforcing appropriate usage of the Payment Token in payment transactions. Some examples of the controls are: Use of the Payment Token with particular presentment modes, such as contactless or e-commerce; Use of the Payment Token at a particular Merchant that can be uniquely identified; Verification of the presence of a Token Cryptogram that is unique to each transaction

Token Expiry Date

The expiration date of the Payment Token that is generated by and maintained in the Token Vault and is passed in the PAN Expiry Date field during transaction processing to ensure interoperability and minimise the impact of Tokenisation implementation. The Token Expiry Date is a 4-digit numeric value that is consistent with the ISO 8583 format.

Token Interoperability

The process to ensure that the processing and exchanging of transactions between parties through existing interoperable capabilities is preserved when using Payment Tokens with new fields and field values that are defined in this specification.

Token Issuance

The process by where a Payment Token is created and delivered to a Token Requestor. Payment Tokens may be issued for multiple use or for single Use.

Token Location

An indication of the intended mode of storage for a Payment Token and any related data, provided by a Token Requestor when requesting a Payment Token from a Token Service Provider.
The security of this location may influence the Token Assurance Level that can be assigned to a Payment Token. Due diligence of the security provided by Token Requestors is the responsibility of each Token Service Provider and assignation of a location type to each Token Requestor will be at the discretion of each Token Service Provider.

Token PAN

A virtual PAN present in the card device and disclosed to the Merchant terminal at the time of transaction.

Token Presentment Mode

The mode through which a Payment Token is presented for payment. This information will resolve to an existing field called Point of sale (POS) Entry Mode as defined in ISO 8583 messages and that will be enhanced to include new potential values as part of this specification. Each Payment Network will define and publish any new POS Entry Mode values as part of its existing message specifications and customer notification procedures. In addition to supporting existing values for contactless, new values may be defined, if not already in existence, by participating Payment Networks for: Server initiated (Card-on-file use case); Scan (Optical)

Token Processing

Transaction processing in which a Payment Token is present in lieu of the PAN and is processed from the point of interaction through to the Payment Network and Token Service Provider’s Vault for De-Tokenisation in order to allow for transaction completion. Token Processing may span payment processes that include authorisation, capture, clearing, and exception processing.

Token Provisioning

The act of delivering the Payment Token and related values, potentially including one or more secret keys for cryptogram generation, to the Token Location.

Token Reference ID

A value used as a substitute for the Payment Token that does not expose information about the Payment Token or the PAN that the Payment Token replaces.

Token Request

The process in which a Token Requestor requests a Payment Token from the Token Service Provider. As a consequence of this action, ID&V may be performed using a Token Request Indicator to show that the ID&V mechanism being used is for the purpose of a Token Request, rather than for some other purpose.

Token Request Indicator

A value used to indicate that an authentication / verification message is related to a Token Request. It is optionally passed to the Card Issuer as part of the Identification and Verification (ID&V) API to inform the Card Issuer of the reason that the account status check is being performed.

Token Requestor

An entity that is seeking to implement Tokenisation according to this specification and initiate requests that PANs be Tokenised by submitting Token Requests to the Token Service Provider. Each Token Requestor will be registered and identified uniquely by the Token Service Provider within the Tokenisation system.

Token Requestor Registration

A Token Service Provider function that formally processes Token Requestor applications to participate in the Token Service programme. The Token Service Provider may collect information pertaining to the nature of the requestor and relevant use of Payment Tokens to validate and formally approve the Token Requestor and establish appropriate Token Domain Restriction Controls. Successfully registered Token Requestors will be assigned a Token Requestor ID that will also be entered and maintained within the Token Vault.

Token Service

A system comprised of the key functions that facilitate generation and issuance of Payment Tokens from the Token BINs, and maintain the established mapping of Payment Tokens to PAN when requested by the Token Requestor. It also includes the capability to establish the Token Assurance Level to indicate the confidence level of the Payment Token to PAN / Cardholder binding. The service also provides the capability to support Token Processing of payment transactions submitted using Payment Tokens by de-tokenising the Payment Token to obtain the actual PAN.

Token Service Provider

An entity that provides a Token Service comprised of the Token Vault and related processing. The Token Service Provider will have the ability to set aside licensed ISO BINS as Token BINs to issue Payment Tokens for the PANs that are submitted according to this specification.
An entity or software responsible for creating, managing and detokenizing the Token PANs into Real PANs.

Token Vault (TV)

A repository, implemented by a Tokenisation system that maintains the established Payment Token to PAN mapping. This repository is referred to as the Token Vault. The Token Vault may also maintain other attributes of the Token Requestor that are determined at the time of registration and that may be used by the Token Service Provider to apply domain restrictions or other controls during transaction processing.
Token information database.


A process by which the Primary Account Number (PAN) is replaced with a surrogate value called a Payment Token. Tokenisation may be undertaken to enhance transaction efficiency, improve transaction security, increase service transparency, or to provide a method for third-party enablement.
A process of creating a virtual PAN or Token PAN on a card device (Mobile, Touch pad etc.) associated with the Real PAN (RPAN) of the cardholder that facilitates hiding of real PAN at the point of sale.


See Token PAN

Track 1

Track 1 was introduced by the International Air Transport Association (IATA) and describes format of credit card magnetic stripe data for financial transactions, i.e., credit and debit cards and stores more information than Track 2 as cardholder’s name, account number and other discretionary data. This track is sometimes used by the airlines when securing reservations with a credit card.

Track 2

Track 2 was introduced by the American Banking Association (ABA) and is currently most commonly used, though credit card companies have been pushing for everyone to move to Track 1. The ABA designed the specifications of this track and all world banks must abide by it. It contains the cardholder’s account, encrypted PIN, plus other discretionary data.

Track 3

Track 3 is virtually unused by the major worldwide networks, and often isn’t even physically present on the card by virtue of a narrower magnetic stripe.


Any event that causes a change in an organization’s financial position or net worth, resulting from normal activity. Advance of funds, purchase of goods at a retailer or when a borrower activates a revolving line of credit. Activities affecting a deposit account carried out at the request of the account owner. One example of a transaction is the process that takes place when a cardholder makes a purchase with a credit card.

Transaction Date

The actual date on which a transaction occurs. Used in recording and tracking transactions.

Transaction Fees

Service costs charged to a merchant on a per-transaction basis.

Triple DES

The data encryption algorithm used with a double-length DES key.


Terminal Risk Management (EMV transactions). May include checking whether the value of the transaction exceeds the terminal floor limit and other treshold values.

True Random Number Generator (TRNG)

A device that generates random numbers from a physical process, such as a Physical Unclonable Function, rather than a deterministic algorithm.

Trusted Boot

A cryptographic process where the bootloader verifies the integrity of all components (e.g., kernel objects) loaded during operating system start-up process, before loading. Also known as Verified Boot and Secure Boot (e.g., Google or Apple).

Trusted Execution Environment (TEE)

A Trusted Execution Environment provides security features such as isolated execution environment for Trusted Applications (‘Trustlets’). It protects security assets from general software attacks, defines safeguards as to data and functions that a program can access and resists a set of defined threats.


Transaction Status Information


See Token Service Provider


Terminal Transaction Qualifiers


Terminal Verification Results



Upper Consecutive Off-line Limit


Short for Universal Commerce, UCommerce is the intersection of online, kiosk, and in-store payment enablement, incorporating social media and near-field communications. With UCommerce, the mobile device is at the center of the user experience.


Unique Derivation Key


Unique Derivation Key A


Unique Derivation Key B


User interface (UI). The set of the human-machine interfaces that allows for interaction between a person and a computerized system.

Unique Derivation Key

A card-unique double-length DES key derived from a master key and used in online card authentication.


Coordinated Universal Time


V.I.P. System

VisaNet Integrated Payment System, the online processing component of VisaNet.


Visa Contactless Payment Specification

VCPS Transaction

A transaction conducted over the contactless interface in compliance with this specification.


Visa Integrated Circuit Card Specification

Visa AID

An AID using the Visa Registered Application Provider Identifier (RID, ‘A0 00 00 00 03’) that has a Proprietary Application Identifier Extension (PIX) assigned by Visa International. Visa PIXs: ‘1010’ – Visa Debit and Visa Credit, ‘2010’ – Visa Electron, ‘3010’ – Interlink, ‘8010’ – PLUS, Regional AIDs using the reserved range of Visa assigned PIXs are permitted.

Visa Certificate Authority (CA)

A Visa-approved organization certified to issue certificates to participants in a Visa payment service.

Visa Contactless Payment Specification (VCPS)

A Visa specification defining requirements for conducting a payment transaction over a contactless interface.

Visa Low-value Payment (VLP)

VLP is a feature of VSDC designed to provide an optional source of pre-authorized spending power that is reserved for rapid processing of offline low-value payments.

Visa payWave

A contactless payment technology feature that allows cardholders to wave their card, mobile device, or other form factors in front of contactless payment terminals without the need to physically swipe or insert the card into a point-of-sale device.

Visa representative

Visa internal staff that issuers or acquirers may contact for questions and assistance with implementation tasks and testing.

Visa Smart Debit and Visa Smart Credit (VSDC)

The Visa service offerings for chip-based debit and credit programs. These services, based on EMV and VIS specifications, are supported by VisaNet processing, as well as by Visa rules and regulations.


The systems and services, including the V.I.P. and BASE II systems, through which Visa delivers online financial processing, authorization, clearing, and settlement services to members.


White-box cryptography

A method used to obfuscate a cryptographic algorithm and key with the intent that the determination of the key value is computationally complex.




Year, hour, counter: Y right-most digit of the year (0 – 9), HHHH Number of hours in digits since start of the year (0001 – 8784), CC Counter (00 – 99)


Zentraler Kreditausschuss (ZKA)

An industry association of the German banking industry.

Haven’t you found what you’ve been looking for? Something not clear or wrong? Please let This email address is being protected from spambots. You need JavaScript enabled to view it.