Glossary

This page provides a list of glossary terms used in this guide.

  • AAV/CAVV
    Accountholder Authentication Value (AAV) and Cardholder Authentication Verification Value (CAVV) are cryptographic values returned by the Access Control Server (ACS) or Card Scheme to the Merchant after a successful cardholder authentication. The merchant includes this value in the authorisation message sent to the issuer.
  • Access Control Server (ACS)
    A system used to manage the 3D Secure authentication service for the issuer (BIN sponsor). During an authentication session, the ACS communicates with the Card Scheme and Thredd systems, and may also interact with the cardholder, by providing Challenge screens.
  • Accountholder Authentication Value (AAV)
    Unique 32-character transaction token for a Mastercard 3D Secure transaction. For Mastercard Identity Check, the AAV is named the UCAF.
  • Acquirer
    The merchant acquirer or bank that offers the merchant a trading account, to enable the merchant to take payments in store or online from cardholders.
  • Authentication
    Process to verify the identity of a cardholder.
  • Authorisation
    Process that seeks approval for a payment transaction. The process starts when a merchant requests approval for a card payment by sending a request to the card issuer (BIN sponsor) to check that the card is valid, and that the requested authorisation amount is available on the card.
  • Authorisation Request Message (AReq)
    The initial message in the 3-D Secure authentication flow. The 3DS Server forms the AReq message when requesting authentication of the Cardholder. It can contain Cardholder, payment, and Device information for the transaction. There is only one AReq message per authentication.
  • Authorisation Response Message (ARes)
    The Issuer’s ACS response to the AReq message. It can indicate that the Cardholder has been authenticated, or that further Cardholder interaction is required to complete the authentication. There is only one ARes message per transaction.
  • Biometrics
    Biometrics are body measurements and calculations related to human characteristics that are unique to each person (such as face, eyes, voice and fingerprints). Biometrics authentication is used as a form of identification and access control.
  • Business identifier (BID)
    A business ID, which is unique to each Visa business customer.
  • Card Scheme (payment network)
    Card scheme or payment network, such as Mastercard or Visa, responsible for managing transactions over the network and for arbitration of any disputes.
  • Cardholder
    Consumer, employee cardholder or account holder who is provided with a card to enable them to make purchases.
  • Cardholder Authentication Verification Value (CAVV)
    For Visa Secure transactions, a CAVV is generated by the issuer's (BIN sponsor) Access Control Server (ACS). The CAVV provides evidence that cardholder authentication occurred or that the merchant attempted authentication. A CAVV is unique for each authentication transaction.
  • Cardinal Commerce
    3D Secure service provider.
  • Cards API
    The Thredd Cards API are REST-based API that enable you to create and manage the cards in your card programme using JSON messages.
  • EHI
    The External Host Interface (EHI) is a Thredd system that enables Thredd clients to receive and respond to real-time transaction data as well as financial messages.
  • EMV 3DS Global Consumer Screen Template Guide
    A PDF guide for configuration of the 3D Secure Authentication Service screens shown to cardholders during a 3D Secure session.
  • EMVCo
    EMVCo is a technical body which manages and evolves EMV Specifications and supporting programmes that enable card-based payment products to work together seamlessly and securely worldwide.
  • Fraud Liability Protection
    3D Secure transactions provide the online merchant with fraud liability protection.
  • Frictionless Authentication
    When a transaction is approved without requiring any manual input from the cardholder.
  • ICA
    The Interbank Card Association (ICA) number is a four-digit number assigned by Mastercard that identifies an issuing bank. An ICA can have multiple BINs associated with it.
  • In-App
    Purchase or activity made or available from within a particular app on a mobile device, without the need to visit a separate online site.
  • Issuer (BIN sponsor)
    Financial organisation and card scheme member, licensed by the scheme to issue cards and process transactions using the scheme’s network.
  • Knowledge Based Authentication (KBA)
    Authentication method used in e-commerce transactions where the cardholder is asked to verify their identity by providing the answer to a question such as ‘What is your mother’s maiden name?’ or ‘What is the name of your favourite pet? KBA may be combined with OTP SMS.
  • Merchant
    The shop or store providing a product or service that the cardholder is purchasing. A merchant must have a merchant account, provided by their acquirer, in order to trade. Physical stores use a terminal or card reader to request authorisation for transactions. Online sites provide an online shopping basket and use a payment service provider to process their payments.
  • One Time Password (OTP)
    A passcode that is valid for a single use only. During an authentication session (where the authentication type is OTP SMS), the cardholder must enter this OTP to authenticate.
  • Out-Of-Band (OOB) Authentication
    A type of two-factor authentication that requires a secondary verification method through a separate communication channel. Both Biometric and In-App authentication methods are out of band.
  • PAN
    The card’s 16-digit primary account number (PAN) that is typically embossed on a physical card.
  • PCI Compliance
    The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit cards from the major Card Schemes (payment networks). All merchants who handle customer card data must be compliant with this standard. See: https://www.pcisecuritystandards.org/pci_security
  • Preparation Request Message (PReq)
    Message sent from the 3DS Server to the Directory Server (DS) to request information about the Protocol Version Number(s) supported by available ACSs and the DS and if one exists, any corresponding 3DS Method URL. This message is not part of the 3-D Secure authentication message flow.
  • Preparation Response Message (PRes)
    The Directory Server (DS) response to the PReq message. The 3DS Server can use the PRes message to cache information about the Protocol Version(s) supported by available ACSs and the DS, and if one exists, about the corresponding 3DS Method URL. This message is not part of the 3-D Secure authentication message flow.
  • Product Setup Form (PSF)
    A spreadsheet that provides details of your Thredd account setup. The details are used to configure your Thredd account.
  • Program Manager
    A Thredd client who manages a card program. The Program Manager can create branded cards, load funds, and provide other card or banking services to their end customers.
  • Public Token
    The Thredd 9-digit token is a unique reference for the PAN. This is used between Thredd and clients to remove the need for Thredd clients to hold actual PANs.
  • Realtime Data Exchange (RDX)
    3D Secure real-time API call to enroll a card in 3D Secure
  • Risk-Based Authentication (RBA)
    The authentication decision is based on the risk rules configured for the service (i.e., rules you have configured in the Cardinal Portal).
  • Risk-Based Authentication (RBA) /Transaction Risk Analysis (TRA)
    The authentication decision is based on the risk rules configured for the service (i.e., rules you have configured in the Apata Portal).
  • Second Payment Services Directive (PSD2)
    PSD2 is a European regulation for electronic payment services. It seeks to make payments more secure, boost innovation and help banking services adapt to new technologies. The regulations are available here: https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en
  • SFTP
    Secure File Transfer Protocol provides a means of transferring files to a secure server.
  • Smart Client
    Smart Client is Thredd's legacy user interface for managing your account on the Thredd Thredd Platform. Smart Client is installed as a desktop application and requires a secure connection to Thredd systems in order to be able to access your account.
  • Soft Decline
    An issuer (BIN sponsor) can use a soft decline if they receive a request from a merchant to authorise a payment, but they want to use authentication first. The cardholder will be prompted to retry the transaction with authentication. The transaction could still decline on the second attempt for other reasons (e.g., perceived fraud risk, insufficient funds).
  • Strong Customer Authentication (SCA)
    Authentication which is a combination of two factors of identification at checkout. Examples include something they know (such as a password or PIN), something they get (such as an OTP in a mobile phone or other device) or something they are (such as their fingerprint).
  • Thredd API
    The Thredd API consists of web services that use SOAP and the Cards API based on REST.
  • Thredd Portal
    Thredd Portal is Thredd's new web application for managing your cards and transactions on the Thredd Platform.