Glossary
This page lists terms relating to 3D Secure 1 and 2. Some are not used elsewhere in this documentation but are included for completeness of the subject area. Familiarise yourself with them now or refer back to this page when you come across an unfamiliar word, phrase or acronym.
Term | Acronym | Definition |
---|---|---|
2-F Authentication | A generic functionality, which allows for strong authentication of any transaction, commercial or otherwise, for example, strong authentication of users when they log in to an Internet banking site or when they authorise a funds transfer to a third party. 2-F authentication requires two independent ways to establish identity and privileges as opposed to traditional password authentication, which requires only one 'factor' (knowledge of a password). | |
3‑D Secure / 3D Secure / 3D Secure 1 / 3D Secure 2 | 3DS / 3DS1 / 3DS2 | A payer authentication standard (3D Secure 1 (3DS1)) introduced by Visa (Verified by Visa) and subsequently adopted by Mastercard (Mastercard SecureCode), JCB (JCB J/Secure), American Express (SafeKey) and Diners Club International / Discover (ProtectBuy), designed to reduce online credit card fraud and chargeback. The 3DS standard provides an additional layer of protection in card-not-present credit card transactions for the three domains involved: the Issuer domain of the card issuing bank, the Interoperability domain of the card scheme's infrastructure and the Acquirer domain of the merchants. The second version of the standard, 3D Secure 2 (3DS2) (EMV 3-D Secure protocol), is facilitated by EMVCo, a six-member consortium comprising American Express, Discover, JCB, Mastercard, UnionPay and Visa. It creates a frictionless payment experience for cardholders by facilitating a richer cardholder data exchange, allowing risk-based authentication by issuers for low risk transactions, instead of authentication challenges to the cardholder, such that most authentication activity will be invisible to the cardholder. 3DS2 also supports authentication of app-based transactions on mobile and other consumer connected devices, and cardholder verification for non-payment transactions, such as adding a payment card to a digital wallet. |
3DS Client | The consumer-facing component, such as a browser-based or mobile app online shopping site, which facilitates consumer interaction with the 3DS Requestor for initiation of the EMV 3-D Secure protocol. | |
3DS Integrator | An EMV 3-D Secure participant that facilitates and integrates the 3DS Requestor Environment, and optionally facilitates integration between the Merchant and the Acquirer. | |
3-D Secure Provider | An entity such as American Express, Diners Club International, Discover, JCB, Mastercard or Visa, which provides interoperability services for issuers and merchants who participate in the authentication process. The 3-D Secure provider is normally in charge of managing the directory server, managing the authentication history server and issuing the digital certificates required for participation in the authentication scheme. | |
3DS Requestor | The initiator of the EMV 3-D Secure Authentication Request, known as the AReq message. For example, this may be a merchant or a digital wallet requesting authentication within a purchase flow. | |
3DS Requestor App | An App on a Consumer Device that can process a 3-D Secure transaction through the use of a 3DS SDK. The 3DS Requestor App is enabled through integration with the 3DS SDK. | |
3DS Requestor Environment | This describes the 3DS Requestor controlled components of the Merchant / Acquirer domain, which are typically facilitated by the 3DS Integrator. These components include the 3DS Requestor App, 3DS SDK, and 3DS Server. Implementation of the 3DS Requestor Environment will vary as defined by the 3DS Integrator. | |
Three Domain Secure Software Development Kit | 3DS SDK | 3-D Secure Software Development Kit. A component that is incorporated into the 3DS Requestor App. The 3DS SDK performs functions related to 3-D Secure on behalf of the 3DS Server. |
3DS Requestor Initiated | 3RI | 3-D Secure transaction initiated by the 3DS Requestor for the purpose of confirming an account is still valid. The main use case is recurrent transactions (TV subscriptions, utility bill payments, etc.) where the merchant wants to perform a Non-Payment transaction to verify that a subscription user still has a valid form of payment. |
3DS Server | Refers to the 3DS Integrator's server or systems that handle online transactions and facilitate communication between the 3DS Requestor and the Directory Server. | |
3-D Secure | 3DS | Three Domain Secure. An eCommerce authentication protocol that, from version 2 onwards, enables the secure processing of payment, non-payment and account confirmation card transactions. |
Access Control Server | ACS | A component that operates in the Issuer Domain, which verifies whether authentication is available for a card number and device type, and authenticates specific Cardholders. |
Accountholder Authentication Value | AAV | A value providing proof of cardholder authentication, which is generated by the issuer's access control server for each transaction. The AAV is passed by the merchant to the acquirer and then by the acquirer to the issuer through the UCAF field. |
Acquirer | A financial institution that has a relationship with a merchant and processes payment transactions for that merchant. | |
ActiveAccess | GPayments' access control server for card issuers and service providers. | |
ActiveDevice | GPayments' device agnostic two-factor authentication component. | |
ActiveMerchant | GPayments' payment authentication platform (merchant plug-in) for merchants. | |
ActiveServer | GPayments' 3DS Server for payment processors and merchants (see 3DS Server). | |
Attempts | Used in the EMV 3DS specification to indicate the process by which proof of an authentication attempt is generated when payment authentication is not available. Support for Attempts is determined by each DS. | |
Authentication | In the context of 3-D Secure, the process of confirming that the person making an eCommerce transaction is entitled to use the payment card. | |
Authentication Device | A physical device capable of generating a token to be used in the verification of a user's identity. | |
Authentication Request Message | AReq | An EMV 3-D Secure message sent by the 3DS Server, via the DS, to the ACS to initiate the authentication process. |
Authentication Response Message | ARes | An EMV 3-D Secure message returned by the ACS, via the DS, in response to an Authentication Request message. |
Authentication Token | An unpredictable piece of information generated by an authentication device, which is used to verify the identity of a user. The term token may sometimes be used to refer to the physical device that generated the token as well. | |
Authentication Value | AV | A cryptographic value generated by the ACS to provide a way, during authorisation processing, for the authorisation system to validate the integrity of the authentication result. The AV algorithm is defined by each Payment System. |
Authorisation | A process by which an Issuer, or a processor on the Issuer's behalf, approves a transaction for payment. | |
Authorisation System | The systems and services through which a Payment System delivers online financial processing, authorisation, clearing, and settlement services to Issuers and Acquirers. | |
Bank Identification Number | BIN | The first six digits of a payment card account number that uniquely identifies the issuing financial institution. Also referred to as an Issuer Identification Number (IIN) in ISO 7812. |
BankNet | Mastercard's proprietary payment network. | |
Base64 | Encoding applied to the Authentication Value data element as defined in RFC 2045. | |
Base64 URL | Encoding applied to the 3DS Method Data, Device Information and the CReq/CRes messages as defined in RFC 7515. | |
Card | Card is synonymous with the account of a payment card, in the EMV 3-D Secure Protocol and Core Functions Specification. | |
Certificate Authority | CA | |
Cardholder | An individual to whom a card is issued or who is authorised to use that card. | |
Cardholder Activation During Shopping | A 3D-Secure 1 process by which cardholders can enrol with the authentication system at the time of making a purchase at a participating merchant eCommerce website. | |
Centralised Authentication and Authorisation Service | CAAS | A remote ACS, see Access Control Server. |
Challenge | The process where the ACS is in communication with the 3DS Client to obtain additional information through Cardholder interaction. | |
Challenge Flow | A 3-D Secure flow that involves Cardholder interaction as defined in the EMV 3-D Secure Protocol and Core Functions Specification. | |
Challenge Request Message | CReq | An EMV 3-D Secure message sent by the 3DS SDK or 3DS Server where additional information is sent from the Cardholder to the ACS to support the authentication process. |
Challenge Response Message | CRes | The ACS response to the CReq message. It can indicate the result of the Cardholder authentication or, in the case of an App-based model, also signal that further Cardholder interaction is required to complete the authentication. |
Chip Card | A card with an on-board integrated circuit chip. | |
Consumer Device | Device used by a Cardholder such as a smartphone, laptop, or tablet that the Cardholder uses to conduct payment activities including authentication and purchase. | |
Cryptography | A process that encrypts information for the purpose of protecting it. Information is decrypted when required. | |
Device | see Authentication Device. | |
Device Channel | Indicates the channel from which the transaction originated. Either App-based (01-APP), Browser-based (02-BRW) or 3DS Requestor Initiated (03-3RI). | |
Device Information | Data provided by the Consumer Device that is used in the authentication process. | |
Directory Server | DS | A server component operated in the Interoperability Domain; it performs a number of functions that include: authenticating the 3DS Server, routing messages between the 3DS Server and the ACS, and validating the 3DS Server, the 3DS SDK, and the 3DS Requestor. |
Directory Server Certificate Authority | DS CA or CA DS | A component that operates in the Interoperability Domain; generates and distributes selected digital certificates to components participating in 3-D Secure. Typically, the Payment System to which the DS is connected operates the CA. |
Directory Server ID (directoryServerID) | Registered Application Provider Identifier (RID) that is unique to the Payment System. RIDs are defined by the ISO 7816-5 standard. | |
Electronic Commerce Indicator | ECI | Payment System-specific value provided by the ACS to indicate the results of the attempt to authenticate the Cardholder. |
Digital Signature | Equivalent of the physical signature in the digital world. Digital signatures can verify the identity of the owner of a piece of information or a document in the digital world. | |
Enrolment | A cardholder must pass an initial online authentication procedure in 3D-Secure 1, which is verified by the Issuer prior to gaining eligibility for participation in American Express SafeKey, Diners Club International ProtectBuy, JCB J/Secure, Mastercard SecureCode or Verified by Visa authentication. | |
Frictionless | Used to describe the authentication process when it is achieved without Cardholder interaction. | |
Frictionless Flow | A 3-D Secure flow that does not involve Cardholder interaction as defined in EMVCo Core Spec Section 2.5.1. | |
Issuer | A financial institution that provides cardholders with credit cards. | |
J/Secure | JCB's standard for cardholder authentication, based on 3-D Secure. | |
Message Authentication Code | MAC | |
Mastercard SecureCode / Identity Check | Mastercard's payer authentication brand, which includes SPA Algorithm for the Mastercard Implementation of 3-D Secure, SPA and chip card authentication program (CAP). | |
Mastercard 3-D Secure | The SPA Algorithm for the Mastercard Implementation of 3‑D Secure that provides a browser authentication experience to the cardholder (see also 3-D Secure). | |
Mastercard Identity Check | see Mastercard SecureCode / Identity Check. | |
Merchant | Entity that contracts with an Acquirer to accept payments made using payment cards. Merchants manage the Cardholder online shopping experience by obtaining the card number and then transfer control to the 3DS Server, which conducts payment authentication. | |
Merchant Plug-in (MPI) | A software module which can be integrated into a merchant's eCommerce website or run as a managed service on behalf of a number of merchants to provide 3‑D Secure authentication. | |
Non-Payment Authentication | NPA | . |
One-Time Passcode | OTP | A passcode that is valid for one login session or transaction only, on a computer system or other digital device. |
Out-of-Band | OOB | A Challenge activity that is completed outside of, but in parallel to, the 3-D Secure flow. The final Challenge Request is not used to carry the data to be checked by the ACS but signals only that the authentication has been completed. ACS authentication methods or implementations are not defined by the 3-D Secure specification. |
Payer Authentication Request | PAReq | Message sent from the MPI to the Access Control Server at the cardholder's issuer via the cardholder browser. |
Payer Authentication Response | PARes | A digitally signed message sent from the Access Control Server to the Merchant Plug-in which communicates whether the cardholder authentication was successful or not. |
Payment Gateway | A software system provided by an acquirer or a third party which accepts transactions from the Internet and transfers them to a payment network such as BankNet or VisaNet. | |
Preparation Request Message | PReq | 3-D Secure message sent from the 3DS Server to the DS to request the ACS and DS Protocol Versions that correspond to the DS card ranges as well as an optional 3DS Method URL to update the 3DS Server’s internal storage information. |
Preparation Response Message | PRes | Response to the PReq message that contains the DS Card Ranges, active Protocol Versions for the ACS and DS and 3DS Method URL so that updates can be made to the 3DS Server’s internal storage. |
Proof of authentication attempt | Refer to Attempts. | |
ProtectBuy | Diners Club International and Discover standard for cardholder authentication, based on 3-D Secure. | |
Registered Application Provider Identifier | RID | Registered Application Provider Identifier (RID) is unique to a Payment System. RIDs are defined by the ISO 7816-5 Standard and are issued by the ISO/IEC 7816-5 Registration Authority. RIDs are 5 bytes. |
Results Request Message | RReq | Message sent by the ACS via the DS to transmit the results of the authentication transaction to the 3DS Server. |
Results Response Message | RRes | Message sent by the 3DS Server to the ACS via the DS to acknowledge receipt of the Results Request message. |
Risk-Based Authentication | RBA | During risk-based authentication, the rich cardholder data exchanged in AReq is taken into account to determine the risk profile associated with that transaction. The complexity of the challenge is then decided based on the risk profile. |
SafeKey | American Express standard for cardholder authentication, based on 3-D Secure. | |
Secure Payment Application (SPA) | Mastercard's payer authentication standard designed to reduce online credit card fraud and chargeback using a client-side applet. Also known as Mastercard's PC Authentication Program, Mastercard SecureCode, Mastercard SPA and SPA. | |
Secure Sockets Layer (SSL) | A protocol designed to maintain the integrity and confidentiality of communication over the Internet. | |
SecureCode | see Mastercard SecureCode / Identity Check. | |
Token | see Authentication Token. | |
Two Factor Authentication | see 2-F Authentication | |
Uniform Resource Locator (URL) | Address system for locating unique sites on the Internet. | |
Universal Cardholder Authentication Field (UCAF) | Data element 48 sub element 43 as defined in Mastercard BankNet to carry authentication data. Mastercard SecureCode uses this element to transport AAV from the acquirer to the issuer. | |
Verified by Visa | VbV | A payer authentication standard introduced by Visa (see 3‑D Secure). |
VisaNet | Visa's proprietary payment network. | |
Visa Secure | A program developed by Visa to make online payments more secure through 3-D Secure 2. | |