The acquirer is the party recognized by the network as the financial sponsor for a merchant (typically a regulated financial institution like a bank). The network holds the acquiring processor financially responsible for transactions processed by the merchant and helps ensure that the merchant operates under the rules laid out by the network. Examples: Bank of America Merchant Services, First Data, Wells Fargo, Vantiv, SHAZAM/ITS Inc.
Acquiring Processor
Acquiring Processors are third-party service providers that acquire and process payment transactions for merchants, manage the relationship with the global and regional payment networks on the merchant’s behalf (including interchange qualification, chargeback disputes, and fees to networks and issuers), and manage the transaction database. The acquiring processor connects merchant transactions to payment networks by (1) providing the POS device; (2) securely routing the transaction from the POS device or from the POS payment gateway to the payment network; and/or (3) managing transactions from authorization through clearing to settlement.
Application Authentication Cryptogram (AAC)
A cryptogram generated by the card at the end of offline and online declined transactions.
It can be used to validate the risk management activities for a given transaction.
GLOSSARY OF TERMS
Application Cryptogram (AC)
A cryptogram generated by the card in response to a GENERATE AC command, providing the card decision on the transaction. The AC is used to validate that the card has genuinely generated the response.
The three types of cryptograms are Transaction Certificate (TC), Authorization Request Cryptogram (ARQC), and Application Authentication Cryptogram (AAC). The creation and validation of the cryptogram enables dynamic authentication.
Application Identifier (AID)
Application Identifiers are data labels that differentiate payment systems and products. The card issuer uses the data label to identify an application on the card or terminal. Cards and terminals use AIDs to determine which applications are mutually supported, as both the card and the terminal must support the same AID to initiate a transaction. Both cards and terminals may support multiple AIDs. An AID consists of two components, a Registered Application Identifier (RID) and a Proprietary Application Identifier Extension (PIX).
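The RID/PIX split and the mutual-support rule described above, as an added example that is not from the original page or from EMVCo: it splits an AID into its two components and builds a terminal's candidate list from the applications a card offers, ordered by the card's priority indicator. The card and terminal tables are constructed; the Visa and Mastercard AIDs are public values, the F-prefixed entry is a proprietary AID made up for illustration, and the partial-matching flag on terminal entries is an assumption.

```python
RID_LEN = 5  # a Registered Application Identifier (RID) is always 5 bytes

def split_aid(aid_hex: str) -> tuple:
    # Split an AID into its RID and PIX; ISO 7816-4 caps an AID at 16 bytes,
    # so the PIX is 0 to 11 bytes long.
    aid = bytes.fromhex(aid_hex)
    if not RID_LEN <= len(aid) <= 16:
        raise ValueError(f"AID must be 5 to 16 bytes, got {len(aid)}")
    return aid[:RID_LEN].hex().upper(), aid[RID_LEN:].hex().upper()

def build_candidate_list(terminal_aids, card_applications):
    # terminal_aids: list of (aid_hex, partial_match_allowed) the terminal supports.
    # card_applications: list of (aid_hex, priority) read from the card, where
    # priority 1 is highest and 0 means the card states no preference.
    # An application is a candidate when its AID equals a terminal AID, or
    # begins with a terminal AID whose entry permits partial name matching.
    candidates = []
    for card_aid, priority in card_applications:
        for term_aid, partial_ok in terminal_aids:
            exact = card_aid.upper() == term_aid.upper()
            partial = partial_ok and card_aid.upper().startswith(term_aid.upper())
            if exact or partial:
                candidates.append((card_aid.upper(), priority))
                break
    # Highest priority first; applications with no stated priority go last.
    return sorted(candidates, key=lambda c: (c[1] == 0, c[1]))

# Constructed card and terminal tables: the first two card AIDs are the public
# Visa and Mastercard ones; the F-prefixed entry is a proprietary AID made up here.
CARD = [("A0000000031010", 2), ("A0000000041010", 1), ("F000000099FF01", 0)]
TERMINAL = [("A0000000031010", False), ("A000000004", True)]
```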
Authorization Response Cryptogram (ARPC)
Used during online issuer authentication, the ARPC is a cryptogram generated by the issuer and sent in the authorization response back to the terminal. The terminal sends this cryptogram to the card, which allows the card to verify the validity of the issuer response and go ahead with the transaction. (See ARPCs in action in EMV 101: Behind the Transaction)
Authorization Request Cryptogram (ARQC)
This cryptogram is also used during online card authentication. It is generated by the card and sent to the issuer in the authorization or full financial request. The issuer validates the ARQC to ensure that the card is authentic and that the card data was not copied from a skimmed card. (See ARQCs in action in EMV 101: Behind the Transaction)
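The online exchange the AC, ARQC and ARPC entries describe, as an added example that is not from the original page or from EMVCo's specifications: the card MACs transaction data under a session key derived from its master key and the Application Transaction Counter, the issuer validates that ARQC and answers with an ARPC built from the ARQC and its response code, and the card checks the ARPC before completing. The 3DES retail MAC of real EMV is replaced by HMAC-SHA256 (an assumption, to stay in the standard library), and the master key, transaction data and unpredictable number are constructed.

```python
import hashlib
import hmac

# Constructed 16-byte card master key for illustration only (a real one is HSM-held).
CARD_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")

def derive_session_key(master_key: bytes, atc: int) -> bytes:
    # Card and issuer derive the same per-transaction key from the card master
    # key and the Application Transaction Counter (ATC), so each cryptogram is
    # bound to one counter value and a captured ARQC cannot be replayed later.
    return hmac.new(master_key, b"SK" + atc.to_bytes(2, "big"), hashlib.sha256).digest()[:16]

def mac8(key: bytes, data: bytes) -> bytes:
    # Stand-in for EMV's ISO 9797-1 3DES retail MAC (assumption, to stay in the
    # standard library): HMAC-SHA256 truncated to the 8 bytes an AC occupies.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def transaction_data(amount: int, currency: bytes, country: bytes,
                     tvr: bytes, unpredictable: bytes, atc: int) -> bytes:
    # Simplified subset of the elements the card MACs: amount, currency and
    # terminal country codes, Terminal Verification Results, Unpredictable Number, ATC.
    return (amount.to_bytes(6, "big") + currency + country + tvr
            + unpredictable + atc.to_bytes(2, "big"))

def generate_arqc(master_key: bytes, atc: int, data: bytes) -> bytes:
    return mac8(derive_session_key(master_key, atc), data)

def issuer_validate_arqc(master_key: bytes, atc: int, data: bytes, arqc: bytes) -> bool:
    # The issuer recomputes the ARQC from its own key material and compares in
    # constant time; any change to amount, ATC or unpredictable number fails.
    return hmac.compare_digest(generate_arqc(master_key, atc, data), arqc)

def generate_arpc(master_key: bytes, atc: int, arqc: bytes, arc: bytes) -> bytes:
    # ARPC input is the ARQC XORed with the 2-byte Authorisation Response Code
    # (ARC) right-padded with zeros, the shape of EMV CCD ARPC Method 1.
    padded_arc = arc + b"\x00" * 6
    xored = bytes(a ^ b for a, b in zip(arqc, padded_arc))
    return mac8(derive_session_key(master_key, atc), xored)

def card_verify_arpc(master_key: bytes, atc: int, arqc: bytes, arc: bytes, arpc: bytes) -> bool:
    return hmac.compare_digest(generate_arpc(master_key, atc, arqc, arc), arpc)

def run_online_authorization(amount: int = 1250, atc: int = 42):
    data = transaction_data(amount, b"\x08\x40", b"\x08\x40", b"\x00" * 5, bytes.fromhex("deadbeef"), atc)
    arqc = generate_arqc(CARD_MASTER_KEY, atc, data)             # card -> terminal -> issuer
    approved = issuer_validate_arqc(CARD_MASTER_KEY, atc, data, arqc)
    arc = b"00" if approved else b"05"  # ASCII ARC: "00" approved, "05" do not honour
    arpc = generate_arpc(CARD_MASTER_KEY, atc, arqc, arc)        # issuer -> terminal -> card
    return approved, arc, card_verify_arpc(CARD_MASTER_KEY, atc, arqc, arc, arpc)
```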
Cardholder Verification Method (CVM)
Different cards use different methods to authenticate that the person presenting the card is the valid cardholder. EMV supports four CVMs: offline Personal Identification Number (PIN) (offline enciphered & plain text), online encrypted PIN, signature verification, and no CVM.
Certificate
An electronic document binding some pieces of information together, such as a user’s identity and public encryption key.
The digital certificate is used to prove to the data recipient the origin and integrity of the data.
Certificate Authority (CA)
A trusted central administration that issues and revokes certificates and is willing to act as a guarantor for the identities of those to whom it issues certificates and their association with a given key.
Certificate Authority Public Key (CAPK)
In order to support data authentication or offline enciphered PIN, the terminal must store one or more public keys for each RID. When required, the card will supply a CAPK index which is used to identify which of these keys should be used for that transaction.
Contact Chip Card
A chip card is a card that communicates with a reader through a contact plate. The plate must come into contact with a terminal, usually through a chip reader into which the card is inserted. Communication is defined by ISO 7816.
Contactless Chip Card
A chip card that communicates with a reader through a radio frequency interface, usually through a wave or tap of the card on the designated area on the terminal. A contactless chip card has an antenna embedded in the card’s plastic.
Data Encryption Standard (DES)
Data Encryption Standard is a symmetric-key algorithm for encryption of electronic data.
Dual Interface Chip Card
A chip card that has both contact and contactless interfaces, enabling a payment transaction with either interface.
“Dynamic” vs. “Static”
“Dynamic” data has the ability to change or update. For example, a dynamic card security code changes for each transaction. “Static” or “persistent” data is unchangeable.
For example, the personal account number programmed into a smart chip card cannot be changed after the card is personalized.
Electronically Erasable Programmable Read-Only Memory (EEPROM)
EEPROM is digital memory that can be erased and reused, but does not require electrical power to maintain data.
It is used to store information that will change, such as transaction counters. It is possible to load new data elements and applications into EEPROM after a card has been issued. Generally, after personalization and issuance, only limited application data can be updated. This is linked to card security requirements.
EMV Migration Forum (EMF)
The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance to address issues that require broad cooperation and coordination across many constituents in the payments space to promote the efficient, timely, and effective migration to EMV-enabled cards, devices, and terminals in the United States.
EMV (Europay, MasterCard, and Visa)
Developed by Europay, MasterCard, and Visa, EMV refers to a body of specifications set to ensure interoperability between payment chip cards and terminals. Formally known as the EMV Integrated Circuit Card Specifications for Payment Systems and owned by EMVCo.
EMVCo
EMVCo was formed in February of 1999 by Europay International, MasterCard International, and Visa International to manage, maintain, and enhance integrated circuit card specifications for payment systems. EMVCo is currently, and equally, owned by American Express, Discover, JCB, MasterCard Worldwide, Union Pay and Visa, Inc.
GlobalPlatform
A cross-industry membership organization created to advance standards for multiple application smart card growth. A major goal of GlobalPlatform is the definition of specifications and infrastructure for multi-application smart cards, including cards, terminals and back-end host systems. The GlobalPlatform Specifications are based on the Open Platform Specifications, which were donated to the consortium by Visa.
International Standards Organization (ISO)
The ISO is a global institution that maintains over 13,000 international standards for business, government and society.
Issuer
Issuers are the entities that issue payment cards to customers and perform many activities that could include, but are not limited to, the following list. It is important to note that the issuer may choose to outsource some, or all, of these activities:
• Cardholder customer service
• Data preparation
• Configuration set-up
• Fulfillment of personalized chip card, with all paper inserts; preparation for mailing to customer
• Define card profile, including risk parameters
• Receive and manage card records and keys to form a personalization record
• Generate personalization script
• Key management activities for EMV, CVV/CVC, and PINs between card manufacturer and personalization bureau and between issuer and personalization bureau.
Issuer Action Codes (IACs)
IACs are codes placed on the card by the issuer during card personalization. These codes indicate the issuer’s preferences for approving transactions offline, declining transactions offline, and sending transactions online to the issuer based on the risk management performed.
Issuing Processor
Issuing processors facilitate card issuance activities on behalf of an issuer, such as processing payment transactions, card enrollment, preparing and sending the card personalization information to the card vendor, and maintaining the cardholder database. The issuing processor may provide other ancillary services as well (e.g., web front-end administrative and cardholder account management applications, customer service, settlement and clearing, chargeback processing).
Liability Shift
When card fraud occurs, one party involved in the transaction (the cardholder, merchant, issuer, processor, etc.) is found liable, or at fault. A liability shift is a change in the rules that guide which party is liable for card fraud, should it occur. Each brand defines the rules around their liability structure.
Magnetic Stripe Card
These plastic payment cards use a band of magnetic material to store data. Data is stored by modifying the magnetism of magnetic particles on the magnetic material, which is read by “swiping” the magnetic stripe through a mag stripe reader.
Near Field Communication (NFC)
NFC is a standards-based wireless communication technology that allows data to be exchanged two ways between devices that are a few centimeters apart. NFC-enabled mobile phones incorporate smart chips (called secure elements) that allow the phones to securely store the payment application and consumer account information and to use the information as a “virtual payment card”.
“Offline” vs. “Online”
In the context of an EMV transaction, “offline” refers to actions and processes that are performed by the card’s chip and the point of sale terminal alone, using applications stored on one or both devices. An “online” action or process includes data that is sent out to other computers managed by payment processors, issuers, or card brands.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a framework developed by the Payment Card Industry Security Standards Council for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.
Payment Network
A payment network provides POS and ATM services for credit, debit, ATM and prepaid card issuers and corresponding transaction acquirers. It establishes participation requirements, operating rules and technical specifications under a common brand(s) for the purpose of receiving, routing, securing authorization for, settling and reporting domestic and international payment transactions. Each payment network determines the types of transactions, payment devices and terminals that are permitted in its respective network.
Personalization
Personalization is the process by which the elements specific to the issuer and cardholder are added to the payment card’s magnetic stripe and/or chip.
Personal Account Number (PAN)
Often referred to as the primary account number, or the bank card number. The PAN is often embossed onto the front or back of a credit or debit card. The PAN is commonly 16 digits, but can be up to 19 digits in length.
Personal Identification Number (PIN)
A PIN is an alphanumeric code of 4 to 12 characters that is used to identify cardholders at a customer-activated PIN pad. PINs can be verified “online” or “offline”. Online PIN verification occurs when the PIN is securely transmitted to an issuer’s authorization system during a transaction, with that authorization confirming whether or not the entered PIN is correct. Offline PIN verification occurs between the chip and the POS terminal.
Point of Sale (POS)
A point of sale terminal is a machine where card-present credit transactions occur. POS terminals come in many varieties, and are often embedded into automated vending machines.
Random Access Memory (RAM)
RAM is a direct-access form of computer storage. When data is required to perform a computational task it is moved into RAM for the duration of the task.
Read Only Memory (ROM)
ROM is permanent memory that cannot be changed once it is programmed. It is used to store chip operating systems and permanent data.
“Static” vs. “Dynamic”
“Static” or “persistent” data is unchangeable. For example, the personal account number programmed into a smart chip card cannot be changed after the card is personalized. “Dynamic” data has the ability to change or update. For example, a dynamic card security code changes for each transaction.
Transaction Certificate (TC)
TCs are cryptograms generated by the card at the end of all approved transactions. The cryptogram is the result of card, terminal, and transaction data encrypted by a DES key. The TC provides information about the actual steps and processes executed by the card, terminal, and merchant during a given transaction and can be used during dispute processing.
Triple DES (TDES, 3DES)
TDES is a strengthened application of DES in which the encryption procedure is the same but is applied three times.
First, the key is divided into three DES sub-keys. Then the data is encrypted with the first key, decrypted with the second key, and encrypted again with the third key. Triple DES (abbreviated TDES or 3DES) offers much stronger encryption than DES.