
    A Glossary of Payment Terms


    The world of payment processing can be bewildering and esoteric, with its vast range of participants, processes, and industry jargon. This (admittedly incomplete!) glossary is intended to help you untangle its complicated ways and build your knowledge and confidence.

    Payment Processing Terms, A-Z


    A

    Acquirer or Acquiring Bank - the bank used by a merchant to house their bank account, and to act as intermediary into the payment processing system. Most importantly, it settles transactions and collects funds for the merchant.

    Authorization - the first step in closing a transaction, this confirms for the merchant that a transaction can be closed. The merchant may still choose not to complete the deal (if, for instance, they suspect fraud).

    C

    Card network - the credit card brands (such as Visa, Mastercard, American Express, etc.) that operate networks that enable issuing and acquiring banks to interact and settle transactions, thus representing the core building block of the electronic payment system.

    Chargeback - a reversal of a charge initiated by the consumer lodging a complaint with the card network. Unlike a refund, which is generally a request for reversal initiated by the consumer communicating with the merchant, a chargeback generally suggests that fraud has occurred. Merchants whose chargeback rate exceeds 1% of their total number of transactions are subject to significant penalties and increased fees.

    Credit card - generally an account granted to a consumer by an issuing bank that provides unsecured credit. Because every transaction executed with a credit card necessarily involves the consumer using the credit of their issuing bank, any portion of spend unpaid at the end of a billing cycle is subject to interest and fees, which is a significant portion of the revenue for the issuing bank’s credit card program.

    D

    Debit card - generally a card that dips into an existing bank account to access the available funds. Unlike a credit card, transactions generally do not involve the consumer’s use of the issuing bank’s credit, and as such do not create the potential for future interest payments. Due to the nature of the debit card, in the USA federal rules strictly limit the processing fees that card networks can levy.

    Decline - during the process of authorizing a card as part of closing a transaction, a merchant may receive a decline, which signals that the transaction cannot be completed. There are a range of possibilities within the broader arena of declines, covering soft declines (e.g. a debit card may have insufficient funds) and hard declines (e.g. the card has been reported stolen).

    E

    Encryption - the process of translating a piece of sensitive data into a string that no longer resembles the original. While a necessary part of data protection, encryption is considered ‘necessary but insufficient’, as an encrypted string can be easily returned to its original form by any entity that is able to lay its hands on the encryption key.

    F

    Frictionless payments - payment flows that include as few barriers between the consumer and their completed purchase as possible.

    Full-service payment service providers - entities that make it easier for merchants to get started selling by acting as an intermediary to the payment ecosystem. They generally offer a wide range of services, maintain control of customer credit card data, and charge flat fees that can become expensive over time.

    G

    Gift card - a special-use account that is designed either to be used at just one merchant (often known as store cards), or as part of a program operated by a particular institution and normally administered by a card network (such as airline loyalty cards). While store cards can generally be used only with their issuing merchant, branded cards can generally be used at any outlet that accepts the sponsoring card network, although consumers may enjoy merchant-specific benefits from using the card.

    H

    High-risk payment provider - by their very nature, some businesses are considered high-risk (for instance, gambling, alcohol, CBD products, etc.). In order to successfully accept electronic payments, they work with payment service providers who specialize in high-risk businesses and provide focused security, anti-fraud, and associated services, which reduce the risk of bad transactions and chargebacks.

    I

    Iframe payment solution - a solution offered by payment gateways that includes a checkout flow that can be seamlessly embedded through an iframe on a merchant's website without increasing PCI scope.

    Involuntary churn - a type of churn that occurs when a customer ends their relationship with a merchant passively, or without action. This is often due to a problem with payment, like an expired card, an exceeded card maximum, or hard declines following fraud attempts on a card that the customer may not even know about yet.

    Issuing bank - the institution where a consumer holds an account that will be used to complete a transaction with a merchant’s acquiring bank.

    M

    Merchant category codes - all merchants are required, before acquiring the right to transact digital deals, to identify their business using a merchant category code (MCC). Different MCCs enjoy different benefits and challenges, as they tell the other participants in the payment process about the level of risk - lowest in in-person product sales, highest in high-risk categories like gambling.

    Multifactor Authentication (MFA) - an extra layer of security, often added to login processes. MFA is a requirement in PCI DSS 4.0, which mandates that all users must be authenticated using MFA to access the cardholder data environment (CDE), regardless of their role or location.

    O

    One-time-use (privacy) cards - a virtual credit or debit card number that can be used once for a single purchase. Once this purchase is complete, the card number is effectively deactivated and cannot be used again. 

    P

    Payment Service Provider - middlemen who make it easier for merchants to accept electronic payments. These businesses take away the complexity of everything from PCI-DSS compliance to connecting to card networks, in return for a fee.

    PCI-DSS - the Payment Card Industry Data Security Standard is a set of data protection rules that all participants in the payment process must adhere to. Fundamentally dedicated to protecting consumer cardholder data, PCI-DSS represents both a key security element to, and a major cost center for, the payment processing industry.

    T

    Tokens - unencryptable strings that represent entries in a database that can be used to retrieve sensitive data. Tokens may be issued by card networks, payment service providers, or third-party tokenization providers.

    Token Requestor ID (TRID) - a unique identifier that allows merchants to request network tokens from token providers and is a prerequisite for enabling network tokenization. Each merchant must obtain their unique TRID before moving forward with network tokenization through the card networks.

    Token vault - the data storage location where sensitive tokenized data is stored, and can be exchanged for a token. The owner and operator of the vault is responsible for security, regulatory compliance, and high availability.

    Triangulation fraud - a complicated fraud scheme that occurs, predominantly in ecommerce, between three parties: an unsuspecting customer, a fraudulent seller, and a legitimate merchant. A fraudulent seller steals the credit card information from a customer, then makes a purchase from a merchant, thereby creating a triangulation scheme.

    V

    Vaulted Tokens - tokens found within a secured token vault.

    Vaultless Tokens - tokens not found within a vault but instead encrypted through what is essentially local encryption. The vendor not only never has the user’s data in plain text, they also cannot use that data for downstream activities (like closing transactions) without interacting with the application at the user’s end. 
