3-D Secure:

An XML-based protocol used to better authenticate online credit card and debit card transactions. The protocol ties the financial authorization of the transaction to an online authentication of the cardholder's identity. The authentication is based on a three-domain model: the Acquirer Domain (the Acquiring bank and the merchant that are charging the card), the Issuer Domain (the Issuing bank of the cardholder), and the Interoperability Domain (the system provided by the Card Association to support the protocol), hence the name 3-D. A transaction using 3-D Secure redirects to the website of the cardholder's Issuing bank to authorize the transaction. The Issuing bank authenticates the cardholder's identity by requiring the entry of a password tied to the credit card. Visa offers the protocol under the name Verified by Visa, MasterCard as MasterCard SecureCode, and JCB International as J/Secure.

Acquiring Bank:

A card association member bank or financial institution that accepts credit card payments on behalf of a merchant. Also referred to as an Acquirer because the member bank accepts or acquires payments from credit cards that are issued by other member banks (Issuing banks or Issuers).

Address Verification System:

A system that verifies the numeric portions of a cardholder's billing address. Also called AVS. The numbers in the street address and the zip code are compared to the street address and zip code on file with the cardholder's issuing bank. AVS can return a variety of responses that are organized into AVS Codes. For example, Visa AVS Code Y means that the street address and the 5-digit zip code provided match what the issuer has on file. Visa AVS Code X means the street address and the 9-digit zip code provided match, while Code Z means the street address does not match but the 5-digit zip does, and Code R means the system is unavailable. In declines due to AVS failure, the authorization will stay on the cardholder's account until the issuing bank removes it. Sometimes the authorization amount may be subtracted from the cardholder's available balance and an online statement may show the held funds as an actual charge. These authorizations can remain on a cardholder's account for up to 7 days or more. For this reason, merchants should avoid using $1.00 charges to verify accounts, and instead use AVS-only authorizations.

API Gateway:

A point-of-sale system used to accept electronic payments on a website. API stands for Application Programming Interface, a set of protocols provided in order to build applications. Gateway is short for Payment Gateway. The term API is commonly used to distinguish this type of point-of-sale from other Payment Gateways, like a Secure Payment Page. The difference is that the API allows the Gateway to interface with the merchant's shopping cart software, so the transaction takes place within the shopping cart and the cardholder does not have to leave the merchant's website to pay.

Card Not Present:

A credit card transaction in which the card is not swiped through a point-of-sale terminal and the merchant does not obtain a sales draft signed by the cardholder. Also referred to as CNP, keyed, or MoTo, for Mail Order / Telephone Order. Transactions through an internet or ecommerce merchant account are considered to be Card Not Present. Merchant service providers charge higher rates and fees for Card Not Present credit card processing because the transactions are assumed to carry a higher risk of chargeback for fraud or cardholder dissatisfaction. There is a higher risk of fraud because in the Card Not Present environment it is more difficult to connect the cardholder to the sale. When the card is swiped and a sales draft is signed, it is easier for the merchant to validate that the card and the cardholder were present at the time of the sale and that the cardholder did in fact authorize the purchase. There is a higher risk of cardholder disputes for dissatisfaction with the merchant's product or service because a cardholder who signs a sales draft and leaves with the product in hand is less able to hold the merchant liable for deceptive practices or failure to make delivery.


Chargeback:

A return of funds by the cardholder's issuing bank. It reverses a previous authorization and settlement of funds from a cardholder's line of credit or bank account balance. US Federal Reserve Regulations afford this right of reversal to US credit card and debit cardholders. Card Association and bank network rules also provide this right to cardholders in the United States and internationally. Cardholders can initiate chargebacks for a variety of reasons: fraudulent use of the card, unauthorized use, unauthorized or unrecognized charges, failure to deliver, and dissatisfaction with products or services. They can do so for an extended period of time after the sale, from 3 months to 2 years.

Chargeback Reason Code:

A number used by issuing banks to identify the reason for a chargeback. Each card brand uses a different system of reason codes. Reason codes provide the rationale behind the chargeback (technical, clerical, cardholder dissatisfaction, fraud, etc.) and the required media that the merchant and acquiring bank must provide in order to dispute the chargeback.


Descriptor:

The information that appears in a cardholder's billing statement to clearly identify the source of a credit or debit card transaction. The acquiring bank provides merchants with data fields with character limits that allow the merchant to provide identifiers and contact information. Operating with a descriptor that is both clear and easy to identify and that allows the cardholder to quickly get into contact with the merchant is a key component of successful merchant credit card processing. Some examples of descriptors are: Unique, Soft, and Member Help Site or Member Support URL.

Discount Rate:

A percentage of each sale that is charged to a merchant by a merchant service provider as a fee for processing a credit or debit card transaction. The discount rate is a markup of the interchange fee that an acquirer or acquiring bank pays to an issuing bank or credit card issuer as a fee for processing a credit or debit card transaction. The issuing bank deducts the interchange fee from the settlement amount sent to the acquiring bank. The acquirer then passes this fee plus a markup (discount rate) on to the merchant and deducts it from the settlement of the credit or debit card transaction.


Interchange Fee:

A fee that an acquirer or acquiring bank pays to an issuing bank or credit card issuer as a fee for processing a credit or debit card transaction. The issuing bank deducts the interchange fee from the settlement amount sent to the acquiring bank. The amount of the interchange fee is set collectively by the members of the card associations, both issuing and acquiring banks. Interchange is the largest component of the fee charged to a merchant for processing a credit or debit card sale.

Payment Card Industry Compliance:

A certification process that validates that a merchant or merchant service provider is operating under and adhering to the standards of the PCI DSS. Also referred to as PCI Compliance. Compliance is certified by Qualified Security Assessors who have themselves been certified by the PCI SSC.

Payment Card Industry Data Security Standard:

A security standard for technical and operational requirements for processing credit card payments. Also referred to as PCI Data Security Standard or PCI DSS.

Payment Card Industry Security Standards Council:

An independent body originally formed by Visa, MasterCard, American Express, Discover, and JCB to formulate and manage the continuing development of the Payment Card Industry Data Security Standard. Also referred to as PCI Security Standards Council or PCI SSC.

Payment Gateway:

A point-of-sale system used to accept electronic payments on a website. Also referred to as a Gateway. Payment Gateways securely transfer credit card data from the merchant or the merchant's shopping cart to the acquirer or acquiring bank or Front End Processor. Many Payment Gateways also have a feature called a Virtual Terminal that allows the merchant to key in credit card data from phone or mail order credit card transactions.

Recurring Billing:

The practice of charging a cardholder each month for a membership, subscription, or service. Also referred to as Rebilling or Rebills. Many payment gateways and merchant service providers offer automated recurring billing features and services that allow merchants to process recurring credit card transactions for membership and subscription sales without having to retain sensitive cardholder data.

Retrieval Request:

A request from a cardholder's Issuer or Issuing Bank to a merchant's Acquirer or Acquiring Bank for specific details of a credit card transaction between the two parties. Retrieval Requests can occur for many different reasons, such as a cardholder dispute, a processing error at the point-of-sale, or an inquiry into suspected fraud. The Acquirer is usually asked to provide information such as cardholder name, card number, date of the transaction, transaction amount, authorization number, merchant name, merchant location, and cardholder signature (if available).