New Case Study: A U.S. Issuer’s Experience with Visa’s IDX Solution

New Case Study: Visa’s IDX Solution

Read it here
Payments Glossary

An exhaustively curated list of the words and definitions commonly used across the payments ecosystem — including acronyms. These short explanations can provide any merchant with a quick knowledge boost and easy-to-use reference guide.

3DS replay

CardinalCommerce feature designed so that when a merchant sends a transaction for authentication with the EMV® 3DS protocol, if, for any reason, an attempts or an error is returned, Cardinal automatically replays that same transaction with 3DS 1.0 to maximize the chance of a successful authentication.

3DS Requestor Initiated (3RI)

3RI is new to EMV 3DS and provides identification to what type of subsequent transaction requests are occurring. 3DS Requestor Initiated (3RI) is initiated by the 3DS Requestor (usually the merchant) for the purposes of confirming that an account is still valid or for cardholder authentication. For merchants, a 3RI transaction enables the ability to obtain authentication data (CAVV, ECI) in the absence of the cardholder for transactions previously authenticated. For issuers, a 3RI transaction’s prior transaction data improves risk management and provide secondary evaluation on a previously authenticated transaction.

3-D Secure

The name for a group of protocols designed as an additional security layer for online credit and debit card transactions. Each major credit card network has its own versions of 3-D Secure protocols. Authentication occurs prior to authorization and passes data elements based on the consumer session, device fingerprinting, transaction details and more into 3 domains. The domains consist of: 3DS Server (merchant’s 3DS vendor), Directory Server (card network), and an Access Control Server (ACS, issuer vendor or proprietary solution), that ultimately analyze the fraud risk of the transaction and validate the consumer who’s making a purchase. EMV 3DS expands consumer authentication support to non-payment requests, card-on-file additions, 3RI (recurring), in-app and more.

Cardinal is a certified EMVCo vendor supporting three major components: 3DS Server, SDK, and ACS. Cardinal has been providing global authentication services for over two decades!

ACS (Access Control Server)

ACS combines access security, authentication, user, and administrator access and policy control in a centralized identity framework. Card issuers and processors who wish to deploy an authentication strategy for their cardholder community rely on an ACS to support connectivity to a Network Directory Server, load their BIN portfolios, create risk rules based on data, evaluate the risk of a transaction request, and provide an authentication outcome, either Risk Based or Step-Up/Strong Customer Authentication (SCA).

Cardinal’s Visa Consumer Authentication Service is a global ACS product offering available to our issuing and processing clients!

Application Programming Interface (API)

A package of software, tools, documentation, and definitions designed to allow software developers to seamlessly access a software service or application. APIs allow a user to complete an action without leaving your website.

Many of Cardinal’s integration methods for merchants and issuers connect to our products and services using a single or hybrid API-based solution!

American Express SafeKey

American Express’ version of the 3-D Secure protocols that works to reduce online fraud by confirming the card member’s identity with additional information. Learn more about SafeKey here:


When a merchant tries to authenticate a digital transaction and the issuer is not participating in 3DS, or when the ACS is experiencing maintenance or downtime, the transaction is referred to as an attempts. The network directory server will stand in for the issuer in this case.


The process where data elements from a consumer’s online shopping session and transaction request are shared between the merchant and issuer to verify the risk of a transaction and cardholder information in real-time. In simple terms, authentication is the process of verifying that the person making a purchase is who they say they are. Authentication can either happen passively in the background, or if the transaction is perceived to be risky, and issuer can engage with their cardholder to actively authenticate using methods like one-time-passcodes (OTP) or even biometrics.


The process of verifying that a payment card or account has sufficient funds to cover the amount of the transaction. An approval response code is sent to the merchant from the card issuer that verifies availability of credit or funds on the cardholder account.

Bank Identification Number (BIN)

A unique six to nine-digit number to identify processors, acquirers, issuers, and other financial institutions involved in the interchange process. These are the first six to nine digits of the cardholder’s account number, also known as Issuer Identification Number (IIN).

Biometric Authentication

Biometric authentication uses a unique physical component on your body to validate your identity such as a fingerprint scan or facial recognition technology.

Buy online – pickup in store (BOPIS)

Buying online and picking up at the store is a way that consumers can combine online and in-person shopping. During COVID-19, BOPIS has become a more popular way to shop.


CardinalCommerce, a Visa Solution, is a digital authentication provider. At Cardinal, we combine decades of experience, proven technology, and dedicated service to create digital authentication that’s as rewarding and engaging for you as it is for your customers. Our mission is to make authentication a trusted standard for everyone within the digital commerce ecosystem.

Card Brands or Networks

Corporations that connect consumers, businesses, and financial institutions to transact through electronic and contactless payments instead of cash and checks. Popular brands are Visa, Mastercard, American Express and Discover.


A shopper who uses a card issued by a bank to make cashless payments to a merchant. A person or entity that is issued a credit or debit account that is accessed with a card or PAN.

Cardholder Authentication Verification Value (CAVV)

CAVV is a cryptographic value generated by the card issuer using a complex mathematical algorithm, packed with valuable data from the authentication session, that is decrypted by the issuer when the payment moves into authorization. It is generated by the issuer’s ACS. A secure and untampered CAVV indicates transaction wellness.

Cardinal Consumer Authentication

Cardinal’s rules-based Consumer Authentication solution which allow merchants and issuers to authenticate their consumers during digital transactions. Merchants can balance the risk of each transaction with their consumers’ preferences and needs.

Card-not-Present transactions (CNP)

Credit, debit or virtual, or pre-paid card transactions in which the shopper and the card are not physically present, from the merchant’s perspective, at the time of the actual transaction. Examples are ecommerce (digital) or mail/phone order transactions.

Card-Not-Present Fraud

Also known as ecommerce fraud, card-not-present refers to online payments as opposed to presenting a physical card in store. Card-not-present fraud is fraud that occurs in a digital environment.

Card on File

Card details are stored in a consumer account with a merchant or digital wallet provider in order to streamline the checkout process for returning customers. This can be used for one-click payments, pay-per use services, or any recurring payment that does not follow a fixed schedule.


A payment card transaction that is under dispute. This action is initiated by the card issuing financial institution to settle a financial claim between the issuer and acquirer. This claim may be initiated by the issuing financial institution directly or by their consumer, the cardholder, and can result in the transaction being billed back to the merchant. These are not to be confused with refunds for returned goods.

Consumer Authentication

The term used to describe tools intended to verify that the person making the transaction is actually the person authorized to do so, both in-person and not-present transactions of all kinds. Consumer authentication is widely used (outside of 3-D Secure) through many platforms such as logging into a mobile banking application, accessing email accounts, mobile devices, and more. As fraud and account takeovers happen in many different mainstreams, consumer authentication or two-factor authentication is necessary to protect identities and passwords.

Cardinal offers consumer authentication products for acquirers, issuers, merchants, and processors around the globe.

Credit Card Number

AKA PAN (Primary Account Number). The number on the credit, debit, or payment card provided for a given transaction that ties to the cardholder account with the issuer. For any charge or refund transactions against a payment card, this card number must be provided. In the case of refund transactions, the first four and last four digits may be provided in lieu of the full number.

Cross-border payment

When a payment method issued in one country is used to make a purchase from a merchant based in another country. This is also referred to as an “international payment”.

Data Breach

Unintentional release of secure information to an untrusted environment.

Data Only

A solution focused on improving authorization decisions for digital transactions and maximizing speed with the opportunity to help increase approvals and reduce false declines, through a guaranteed frictionless experience.

Cardinal offers Data Only products from Visa and Mastercard.

DSS (Data Security Standard)

PCI-DSS (Payment Card Industry Data Security Standard). Common standards for merchants and third parties resulting from the alignment of Mastercard, Visa, and other card networks with the similar goal of protecting payment card account data wherever it is received or stored.

Cardinal is PCI-DSS Level 1 certified


Transactions that are not approved are marked as declined. These transactions may not be captured and submitted for settlement. When a transaction is declined, the cardholder may opt to choose another form of payment to complete their order or contact their card issuer for more details related to the declined payment.

Digital Wallets

Digital wallets allow consumers to shop online and pay using a wallet system rather than entering a credit card for each purchase. Wallets allow consumers to store their card account details safely and securely and provide an alternative way to shop remotely. Wallets typically use a username and PIN or other security device to authenticate the buyer.

Examples of digital wallets are PayPal, Google Pay, Apple Pay, Samsung Pay and more


Internet-originated transactions. Also, the use of the internet for commercial purposes such as banking, shopping, or purchases of financial services and products.

ECI (Ecommerce Indicator)

An indicator flag for all transactions that are generated via ecommerce. This flag is intended to identify all ecommerce transactions to the banking network. It is a decimal 2-digit value passed in authorization messages.

3-D Secure programs use ECI values to indicate if the transaction was authenticated, attempted to be authenticated, or not authenticated.

EBA (European Banking Authority)

The EBA is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.

Cardinal works with European issuers and merchants to offer 3-D Secure services which help comply with the Second Payment Services Directive (PSD2) requirement for Strong Consumer Authentication (SCA) on all remote commerce transactions. (Unless the transaction is out of scope or an exemption applies).

For more information on PSD2 SCA, please refer to the EBA website:

EEA (European Economic Area)

Consists of the Member States of the European Union (EU) and three countries of the European Free Trade Association (EFTA) – Iceland, Liechtenstein, and Norway, plus the UK.


A method of coding data, using an algorithm, to protect it from unauthorized access by scrambling sensitive data automatically in the terminal or computer before it is transmitted. There are many types of data encryption, and they are the basis of network security.

Cardinal frequently encrypts data to manage sensitive cardholder data and process payment transactions via 3-D Secure, Data Only, and other solutions.


Referring to PSD2 SCA, an exemption allows a transaction to take place without adhering to the strong consumer authentication requirement. Examples of exemptions under PSD2 SCA include: low value (below 30€), whitelisting/trusted beneficiaries, transaction risk analysis, and secure corporate payments.

Fintech (like Cardinal)

Fintech is the integration of technology into offerings by financial services companies in order to improve their use and delivery to consumers. Fintech is about innovating and bringing solutions to the banking, lending, and capital markets.


The crime of using dishonest methods to take something of value from another person or entity. Fraudsters dupe and deceive consumers to commit fraud (steal their identity or credentials).

Friendly Fraud

Friendly fraud is the term used when a consumer (or someone close to them with access to their credit card) makes a purchase and then initiates a chargeback (saying that they did not make the purchase and/or did not receive the goods or services).


The middleman between an ecommerce website and the payment processor that receives the payment from the consumer. Once a consumer uses their credit or debit card, the payment gateway sends the data securely to the payment processor to authorize the transaction and make sure the data entered is enough to finalize payment. Gateways may offer other services such as address verification, CVV2 validation, and fraud prevention services.

Cardinal’s sister company, CyberSource (also a Visa solution), is one of the largest gateway providers around the globe.


A person who uses computers to gain unauthorized access to data, or a person who seeks and exploits weaknesses in a computer system or network.


The domestic and international systems operated by Visa® and Mastercard®. The interchange is used for authorization, settlement, and the passing through of interchange and other fees, as well as other monetary and non-monetary information related to bank card activities.

Interchange Fees

Fee paid (percentage of each transaction) by the acquirer to card issuing banks. Covers cost of fraud, accounts paying off monthly balances, etc. Mastercard and Visa have multiple interchange fees, based on card type, merchant type, and market data requirements that cover the risk of loss and the cost of processing the transaction.

Internet of Things (IoT)

This term refers to the interconnection of everyday devices (also called “smart devices”), embedded with computer chips and sensors, via the Internet. Smart speakers, wearable devices and smart appliances are examples of IoT devices.

3-D Secure is expanding to support authentication services within these connected devices.


Any American Express, Discover, Mastercard or Visa member, or a commercial organization that establishes and maintains consumer and business credit lines that are accessed through the use of a card. (Also public and private companies and financial institutions that offer card-accessed lines of credit to consumers and businesses).

Issuing bank

The bank that holds the customer’s credit or debit card account. The issuing bank settles funds to the acquiring bank for payment to the merchant and bills the cardholder for transactions at a later date.

Liability shift or liability protection

The liability for chargebacks resulting from fraudulent transactions moves from the merchant to the issuing financial institution when the merchant has authenticated the transaction. Without Consumer Authentication, merchants are liable for chargebacks. Merchants using EMV 3-D Secure when authenticating transactions receive liability protection.

Mastercard Identity Check

This is an EMV 3-D Secure program offered by Mastercard to increase security and reduce fraud on ecommerce purchases. The merchant’s website interfaces with a 3DS Server to connect to the Mastercard program and Directory Server to obtain the specified fields at the time of purchase. The authentication value results are then submitted with the authorization request to verify that this is an authentic cardholder purchase.

Mastercard Identity Check Insights

Mastercard’s Data Only method for enhanced data sharing with a guaranteed frictionless experience for the cardholder while using EMV 3DS rails to influence approvals with a card issuer.

MCC or SIC Codes

Special numbers assigned by the card companies to Seller types for identification and tracking purposes. Mastercard uses MCC (Merchant Category Code), while Visa uses SIC (Standard Industry Codes).


Also see Retailer. In ecommerce terms, any person or business that accepts credit or debit cards, alternative payment methods, or digital wallets as a source of payment for ecommerce. Merchant is the party that offers goods for sale or provides services in exchange for payment.

Merchant Identification Number (MID)

A number each merchant is provided under the card acceptance agreement with their acquiring bank(s), which is unique to that merchant. The merchant account also reconciles authorizations, captures, and settlement processes, along with interchange fees and rates, for the cost of business.

Merchant-Initiated Transaction (MIT)

Merchant-Initiated Transactions are transactions where the buyer is not present, and as the name suggests, the merchant initiates the transaction. MITs can be at fixed or variable intervals and of fixed or variable amounts. They can be set as installments, recurring transactions and more, but are mainly used in the travel and hospitality sector. The key with MITs is that there is an agreement between the consumer and the merchant that once set up, allows the merchant to initiate subsequent payments.

MIT transactions are supported in EMV 3-D Secure under 3RI for recurring transactions for support of the agreement, tying subsequent transactions back to the initial consumer purchase and authentication session.

Merchant Plug-In (MPI) /3DS Server

A software module used to provide an interface between a software service and merchants’ payment processing software. Some examples are the 3-D Secure protocols. The software also verifies issuers’ digital signatures in the authentication responses returned to the merchant.

Merchant Service Provider (MSP)

Provides a merchant with an account, processing, and report tools to enable that merchant to process online transactions. Each transaction is facilitated by the MSP on behalf of the merchant.

Mobile Commerce

Business that is conducted on the internet with mobile phones or other wireless hand-held devices.

Mobile Payments

Using a mobile phone to pay for a wide range of services, both digital and hard goods. Mobile payments can be made using direct operator billing (or WAP billing) allows the charges to be added to the user’s mobile bill. Mobile payments can also be made using a payment card or mobile wallet.

One-Time Passcode (OTP)

A passcode that is only good for one login session or transaction. OTPs avoid shortcomings associated with static passwords in that they are not vulnerable to replay attacks. A potential fraudster using a one-time passcode that has previously been used will not be able to abuse it, since it will no longer be valid.

Online Payments

The process of exchanging money electronically to pay for goods or services, using the internet, computer networks and digital stored value systems

One-leg out transaction

Payment transactions where one of the PSPs (either of the payer or the payee) is based outside of the EU for purposes of SCA requirements regarding PSD2 and two-factor authentication. One-leg out transactions are not subject to the SCA requirement.

Primary Account Number (PAN)

A numerical code, usually up to 16 digits, which uniquely identifies a cardholder’s account when the account is opened. The first six to nine numbers identify the card network and issuer, the next set of digits signifies the cardholder, and the remaining digits are used for security purposes.

Payment Amount

The amount of a transaction submitted for authorization. This is the amount authorized against the specified payment method.

Payment Gateway

An internet-based service that transports credit card information from a computer terminal or website to a credit card processor, where it can be verified.

Payment Method

The form of payment provided against a transaction. In the case of payment of credit or debit card charges or refunds, the payment method reflects the type of payment or card. All transactions entered through the system must contain a valid payment method.

Payment Card Industry Data Security Standards (PCI DSS)

Common standards for merchants and third parties resulting from the alignment of American Express, Mastercard, Visa and other card associations with the similar goal of protecting payment card account data wherever it is received or stored.

Cardinal is PCI-DSS Level 1 certified for all our services offered to merchants and issuers globally.

Point of Sale (POS)

The merchant location where a transaction originates between a cardholder and a merchant with the card and cardholder present. Typically, the card chip card is inserted into the reader, held over the terminal for “tap to pay” contactless payments, or the magnetic stripe is swiped.


A member, Mastercard and/or Visa, or a Mastercard/ Visa approved non-member, acting as the agent of a member, that provides authorization, clearing, or settlement services for merchants and members. Processors must have a sponsoring bank to gain access to interchange networks and provide for the settlement of funds. A business entity that receives a Monetary Destination file for clearing purposes.


European Banking Authority’s (EBA) 2nd Payment Service Directive that initiated in early 2017. PSD2 is designed to drive payment innovation through open banking and data security. Strong Customer Authentication (SCA) is a requirement of PSD2 that is coming into practice in early 2021.

Payment Service Provider (PSP)

Company that provides merchants the online services to accept electronic payments by a variety of payment methods including credit card, debit card, bank transfer, and others. PSPs can connect to financial institutions and card and payment networks and manage relationships with them as a service to merchants.

Recurring Billing Transaction

A recurring billing transaction indicates that a similar transaction is submitted multiple times over a period of time. This flag is sent to the processor during authorization indicating that this is a recurring billing transaction.


Protection from harm. In ecommerce terms, security is ensuring that transactions are not open to fraud. In ecommerce systems, security protocols protect the consumer, the merchant, and the bank from hackers and fraudsters.

Seller or Online Seller

An individual or business that sells products or services and can accept payment for products and services via a seller account. Also known as a merchant.


A computer system that provides services to other computer systems over a network. Can be in the form of hardware or software. Performs coordination functions, administration, and access functions.

Shopping Cart

Software that allows visitors to an internet site to buy from that merchant. A shopping cart houses all sellable goods and services offered by the merchant and controls available inventory count. Carts also assist in the checkout process, collecting consumer billing, shipping and payment, and may also store consumer cards on file for an online consumer account with the merchant. Shopping carts connect to the merchant’s gateway, acquiring bank, and payment processor to help facilitate the consumer purchase.

Standard Industry Codes (SIC)

Special numbers assigned by the card networks to seller types for identification and tracking purposes. Mastercard uses MCC (Seller Category Code), while Visa uses SIC (Standard Industry Codes).


Tokenization keeps a customer’s card data safe when processing a payment. It is data security technology that substitutes non-sensitive random numerical sequences for sensitive credit card data in the transaction process so it can be passed over the internet without exposing the data to fraudsters. Tokenization decreases a merchant’s security risk in the event of a data breech for stored cards because the token can be stored instead.

Transaction ID (Trans ID)

Each transaction within the system is assigned a unique transaction ID. This ID may be used to sort or identify specific transactions within the system.


Transactions are initiated between a merchant and a consumer for the sale or rental of goods or services.

Unauthorized Transaction

Any sale or agreement for which a cardholder does not provide his/her specific authorization. (This should not be confused with the failure to receive an authorization response from the Issuer).


Global payments technology company working to enable consumers, businesses, banks, and governments to use digital currency.

Cardinal became a Visa solution company in February 2017 after being privately owned for over 20 years.

Visa Secure

This is an EMV 3-D Secure program offered by Visa to increase security and reduce fraud on internet-initiated purchases. The merchant’s website interfaces with a 3DS Server to connect to the Visa program and Directory Server to obtain the specified fields at the time of purchase. The authentication value results are then submitted with the authorization request to verify that it is an authentic cardholder purchase.


Digital wallets allow consumers to shop online and pay using a wallet system, rather than entering a credit card for each purchase. Wallets typically use a username and PIN or other security device to authenticate the buyer. They store consumer cards on file, so that transmission of the card details from the wallet to the merchant happens safely and securely.

Examples of wallets include: PayPal, Google Pay, Samsung Pay, and each card network’s secure remote commerce wallet as well. (Visa, Mastercard, American Express, Discover).

Related news + trends

  • Case Studies

    An Australian Issuer’s Journey from SMS OTP-Only to Risk-Based Authentication Using VCAS

    Do you want to reduce fraud, challenges and cart abandonment in your online transactions? See how this Australian issuer accomplished that by incorporating Risk-Based Authentication.

    read more
  • Case Studies

    Risk-Based Authentication: How a Peruvian issuer reduced ecommerce friction for their cardholders

    See how a Peruvian issuer used risk-based authentication for their digital transactions, resulting in fewer challenges while keeping their fraud rate at an acceptable level.

    read more
  • Case Studies

    A U.S. Issuer’s Experience with Visa’s IDX Solution

    See how a large US issuer incorporated authentication data into their authorization flow with Visa’s Intelligent Data Exchange, resulting in more authorizations and less fraud and false positives.

    read more
  • Industry News

    The Sunset of EMV 3DS 2.1

    EMV® 3DS 2.1 is being sunset by Visa, Mastercard, American Express, Discover, and JCB in 2024. Once the sunset happens, merchants, acquirers, and issuers will not be able to authenticate EMV 3DS 2.1
    transactions through these networks.

    read more
  • Industry News

    Up with approvals, down with fraud

    With Cardinal Consumer Authentication (CCA), merchants can experience an increase in approvals and decrease in fraud, while helping to deliver a better customer experience.

    read more
  • Industry News

    How to prepare now for an early, double-digit growth ecommerce season

    It’s halfway to the most wonderful time of the year! With the season starting earlier – and double-digit ecommerce growth expected – now’s the time to dot your i’s and cross your t’s so don’t miss out on your slice of the pie.

    read more
  • Industry News

    Optimize EMV 3DS with Method URL

    One of the best things you can do to get the full benefits of authentication is to optimize EMV® 3-D Secure to its fullest. This means providing priority data elements in an authentication request, invoking Method URL, and allowing it to complete collection of device data.

    read more
  • Industry News

    Understanding ECI values – An important step in your authentication strategy

    The Electronic Commerce Indicator (ECI) is a value returned by the Directory Server and ACS indicating the outcome of authentication requested on transactions for EMV® 3-D Secure.

    read more
  • Industry News

    March 14 and what it means to European merchants

    As of March 14, 2020, Visa is mandating issuers in the European Economic Area (EEA) need to be live with EMV® 3DS v2.1.

    read more
  • Industry News

    Take charge of your chargebacks with EMV 3-D Secure

    The dreaded chargeback. You’ve just come off a successful holiday season and the chargebacks start rolling in.

    read more