Start typing to search across all topics
↑↓ navigate ↵ go to section ESC close
Developer Reference

Understanding
Card Payments

A technical guide to card payment infrastructure — from EMV chips and network routing to PCI DSS compliance, fraud scoring, and settlement.

$25T+
Combined Visa + MC volume (FY2024)
1–3s
Typical authorisation round-trip
ISO 8583
Core messaging standard
The 4-party model — how every card transaction works
Cardholder Consumer paying for goods Merchant Card acceptor seller of goods Issuer Cardholder's bank approves/declines Acquirer Merchant's bank routes + settles Card Scheme Visa · Mastercard routing · fraud · settlement rules card presented + goods/services payment receipt auth request 0100 / 0200 interchange (T+1 net settlement — issuer pays acquirer) MDR charged card issued
Sources — $25T+: Visa FY2024 Annual Report (~$15T) + Mastercard FY2024 Annual Report (~$10T) payment volumes combined.  ·  1–3s: EMVCo performance guidelines target <2s; real-world round-trip varies 500ms–3s depending on issuer geography and network conditions.  ·  All figures are industry estimates and may change. This site is an independent educational reference — not affiliated with Visa, Mastercard, or EMVCo.
I'm building a...
E-commerce checkout
Online shop or marketplace
Accept card payments, handle 3DS, fulfil orders via webhooks.
SaaS / subscription
Recurring billing platform
Monthly/annual charges, stored credentials, MIT flows, dunning.
Mobile / digital wallet
In-app payments or Apple / Google Pay
Token provisioning, DPAN/TAVV, in-app auth flows.
Platform / marketplace
Multi-party money movement
Auth + capture, split payments, interchange economics.
Issuer / fintech
Card programme or neobank
ISO 8583, EMV, token lifecycle, PCI DSS, scheme rules.
POS / terminal
In-person payment terminal
EMV L1/L2/L3, ISO 7816, contactless NFC, PCI PTS.
Payment schemes & acquirer
Scheme integration & certification
Acquirer domain cert, card-present flows, DE 22, Field 55.
Dispute management
Chargebacks & dispute processing
Visa & MC reason codes, CE 3.0, monitoring programmes.
Core Concepts
01 — Participants

The Four-Party Model

Cardholder, merchant, acquirer, issuer and the network rails in between.

02 — Authorisation

Auth & Decline Codes

How a 2-character response code decides the fate of every transaction.

03 — Settlement

Clearing & Settlement

Why money doesn't actually move when a card is approved.

04 — Security

EMV, 3DS & Tokenisation

Chip cryptograms, dynamic CVV, and network tokens explained.

05 — Compliance

PCI DSS

The 12 requirements, SAQ levels, and scoping your cardholder data environment.

06 — Fraud

RBA & Fraud Scoring

Risk-based authentication signals, ML scoring, and 3DS2 decision logic.

07 — Economics

Interchange & Scheme Fees

Where the 1.5–3% merchant fee goes and who sets it.

08 — Errors

Declines & Retries

Hard vs soft declines, retry logic, and the do-not-retry list.

09 — Standards

ISO 7812, 7813, 7816 & 14443

The four core ISO standards behind every card swipe, dip, and tap.

10 — Tokenisation

Token Provisioning

How Apple Pay and Google Pay provision tokens — from eligibility check to active DPAN.

11 — Authentication

EMV 3DS 2.2 & 2.3

Frictionless vs challenge flows, decoupled auth, SCA exemptions, and ECI values.

The Four-Party Model
Core concept

Every card payment involves four entities. The cardholder initiates, the merchant accepts, the acquirer processes on behalf of the merchant, and the issuer approves on behalf of the cardholder. Visa/Mastercard are network rails — they don't hold money.

CardholderCustomer with card
MerchantAccepts payment
Acquirer (PSP)Merchant's bank
IssuerCardholder's bank
NetworkVisa / Mastercard rails
MDR (merchant rate)~1.5–3.5%
Interchange (to issuer)~1.0–2.0%
Scheme fee~0.1–0.3%
Acquirer margin~0.2–0.5%
Liability shiftEMV → issuer
Authorisation Response Codes
ISO 8583 Field 39

The issuer returns a 2-character code in Field 39. 00 = Approved. Your integration must handle at minimum: 00, 05, 51, 54, 61, 65.

00APPROVED
05Do Not Honour — hard decline
51Insufficient Funds — soft decline
54Expired Card
61Exceeds Withdrawal Limit
65Exceeds Frequency Limit
14Invalid Card Number
91Issuer Unavailable — retry safe
Clearing & Settlement Timeline
Auth ≠ settlement

Authorisation creates a hold. Clearing is the batch file sent at end-of-day. Settlement is when funds actually move — typically T+1 to T+2 via the scheme's net settlement process.

T+0 (real-time)Auth routed via network
T+0 (real-time)Issuer approves, hold placed
T+0 (end of day)Merchant sends batch clearing
T+1Scheme net settlement calc
T+1 / T+2Funds credited to merchant
T+30–120Chargeback window open
EMV, 3DS & Tokenisation
Dynamic credentials

EMV chips generate a unique ARQC per transaction — replaying captured data is useless. 3DS2 adds issuer auth for e-commerce. Network tokens replace the PAN with a merchant/device-scoped token.

emv_arqc.pseudo
// EMV ARQC generation (simplified)
ARQC = 3DES_MAC(
  ICC_MK,   // card master key
  ATC || UN || amount || terminal_data
)
// 8-byte value, unique per transaction
// Replay → ARPC mismatch → decline
Real PAN4532 0151 1283 0366
Network token4895 5500 1234 5678
Token scopemerchant + device bound
Auto-update on reissueyes — account updater
Interchange & Fee Anatomy
Fee waterfall

The merchant pays the MDR to their acquirer. The acquirer passes interchange to the issuer and a scheme fee to the network. Interchange varies by card type, channel, and region.

Consumer debit (CP)~0.2% + £0.02
Consumer credit (CP)~0.3% (EU regulated)
Premium / World card~1.5–1.8% (non-EU)
Corporate card~2.0–2.5%
CNP surcharge+0.2–0.4%
Refund interchangeReversed on refund
Declines & Retry Logic
Hard vs soft

Hard declines (05, 14, 54, 57) must never be retried. Soft declines (51, 61, 65, 91) may resolve after a delay. Excessive retries on hard declines attract scheme fines.

retry_logic.ts
const HARD_DECLINES = ['05','14','54','57','62','78'];
const RETRY_SAFE   = ['51','61','65','91','96'];

function handleDecline(code: string) {
  if (HARD_DECLINES.includes(code))
    return { retry: false, reason: 'permanent' };
  if (RETRY_SAFE.includes(code))
    return { retry: true, delayMs: 3600_000 };
  return { retry: false, reason: 'unknown' };
}
Transaction Flow

From tap to approval

Full lifecycle of a card-present authorisation, step by step.

Authorisation Path

A card-present transaction traverses five hops in under 2 seconds. Each hop adds latency and can introduce a failure mode. The ARQC cryptogram generated by the chip proves the card is genuine before the 0100 message even reaches the network.

Cardholder tap / insert + PIN POS Terminal ISO 8583 0100 TLS 1.2+ Acquirer merchant bank routing Scheme VisaNet / Banknet fraud + routing Issuer approve / decline ARQC verify ARQC 0100 auth req VisaNet auth req approve/decline 0110 response 0110 response ARQC result 0ms ~1–3 s round-trip 3s
Step 1Chip generates ARQC cryptogram using session key — proves card is genuine
Step 2Terminal builds ISO 8583 0100 with DE 2 (PAN), DE 4 (amount), DE 55 (EMV TLV data)
Step 3Acquirer routes to scheme via leased line / IP; adds DE 32 (Acquirer ID), DE 41 (Terminal ID)
Step 4Scheme runs fraud scoring, BIN lookup, routes 0100 to issuer via hot standby path
Step 5Issuer verifies ARQC, checks balance / velocity rules, returns 0110 with DE 39 response code
Step 6Approval code (DE 38) printed on receipt; chip generates TC (transaction certificate) for settlement
API Concepts

Building on payment APIs

Key patterns, data structures, and gotchas for payment integrations.

Idempotency
Rule #1

Always pass an Idempotency-Key on every mutation. The server stores the response for 24h and returns the same result on duplicate requests — critical for network timeout recovery.

create_payment_intent.ts
const intent = await stripe.paymentIntents.create({
  amount:   1500,           // always minor units (pence, cents)
  currency: 'gbp',
  payment_method_types: ['card'],
  capture_method: 'manual',  // auth-only, capture later
  metadata: { order_id: 'ord_abc123' },
}, {
  idempotencyKey: uuid(),   // critical for retry safety
});
// Status: created → requires_payment_method → processing → succeeded
Webhook Event Handling
webhook_handler.ts
async function handleWebhook(req: Request) {
  // 1. Verify signature FIRST
  const event = stripe.webhooks.constructEvent(
    req.body, req.headers['stripe-signature'], WEBHOOK_SECRET
  );
  // 2. Handle idempotently — events can arrive >1×
  if (await alreadyProcessed(event.id)) return 200;

  switch (event.type) {
    case 'payment_intent.succeeded':
      await fulfillOrder(event.data.object); break;
    case 'charge.dispute.created':
      await escalateChargeback(event.data.object); break;
  }
  return 200; // ACK immediately, process async
}
Network Tokens
PAN → Token

Network tokenisation replaces the PAN with a merchant/device-scoped token. Card updates (expiry, reissue) propagate automatically. Reduces PCI DSS scope.

Real PAN4532 0151 1283 0366
Network token4895 5500 1234 5678
Token scopemerchant + device bound
TRID40010030273
TAVV (cryptogram)dynamic per-auth value
Auto-update on reissueyes — account updater
Token Provisioning

How tokens get into digital wallets

The end-to-end lifecycle of a network token — from a consumer adding a card to Apple Pay or Google Pay, through issuer authentication, to the token being active and ready to transact.

Token provisioning vs token use

There are two distinct token flows developers often conflate. Provisioning is what happens when a consumer adds their card to a wallet — a token is created and bound to that device. Transacting is what happens at payment time — the token plus a dynamic cryptogram (TAVV) is used instead of the PAN. This page covers provisioning. The transaction flow is covered in the Tx Flow tab.

Participants in token provisioning
Cardholder Initiates enrolment Completes ID&V Token Requestor Apple / Google Merchant CoF Token Service Provider (TSP) Visa VTS / MC MDES Generates DPAN ID&V Service OTP / biometric push notification Card Network Visa / Mastercard Routes by TRID Issuer Approves token Stores DPAN↔PAN Acts via wallet app TRID identifies them Holds token vault Issuer-controlled Settlement routing Final gatekeeper
Cardholder
Initiates by adding their card to Apple Pay, Google Pay, Samsung Pay, or a merchant app.
Wallet Provider (TRID)
Apple Pay, Google Pay, Samsung Pay. Each has a unique Token Requestor ID (TRID) assigned by the scheme. Sends the provisioning request to the Token Service Provider.
Token Service Provider
Visa Token Service (VTS) or Mastercard Digital Enablement Service (MDES). Orchestrates the provisioning, creates the token, and manages its lifecycle.
Issuer
The cardholder's bank. Called by the TSP to verify the card is eligible, authenticate the cardholder, and approve or decline the provisioning request.
PCI & Compliance

Compliance framework for card payment systems

PCI DSS, SAQ levels, sensitive data rules, and EMV terminal certification — the full compliance picture for anyone building on or within card payment infrastructure.

Scope first

PCI DSS scope is determined by your Cardholder Data Environment (CDE) — any system that stores, processes, or transmits PAN, SAD, or CVV. Reduce scope aggressively: use network tokens and hosted fields so raw PANs never touch your servers.

The 12 Requirements
Compliance vs technical — know the difference
Standard / programme Governing body Type What it certifies / requires Who it applies to
PCI DSS PCI SSC Compliance Data security controls for cardholder data Any entity storing/processing/transmitting PAN
PCI PTS PCI SSC Compliance Physical tamper-resistance of PIN entry devices PIN-accepting terminal hardware vendors
PCI PA-DSS / SRED PCI SSC Compliance Security of payment application software Payment software vendors
EMV L1 EMVCo Technical Terminal physical/electrical interface (ISO 7816) Terminal hardware manufacturers
EMV L2 EMVCo Technical EMV payment kernel (app selection, CVM, cryptogram) Terminal software / kernel developers
EMV L3 / Acquirer cert Visa / MC scheme Technical End-to-end ISO 8583 flow through acquirer host Acquirers, payment gateways
ISO 7816 / 7812 / 7813 ISO / IEC Technical Card physical interface, BIN numbering, magstripe format Card manufacturers, terminal vendors, issuers
ISO 14443 / NFC ISO / IEC Technical Contactless RF interface and protocol Contactless terminal and card developers
ISO 8583 ISO / IEC Technical Financial transaction message format Acquirers, processors, issuers, gateways
EMV 3DS (3DS2) EMVCo Technical Cardholder authentication protocol for CNP Merchants, PSPs, issuers (ACS)
PSD2 / SCA EU / EBA Compliance Strong customer authentication mandate for CNP in EEA PSPs and issuers operating in the EEA
Network token (VTS/MDES) Visa / MC Technical Token provisioning, lifecycle, DPAN/TAVV generation Issuers, wallet providers, merchants (CoF)
Compliance = mandatory rules enforced by regulators or scheme contracts — penalties for non-compliance.  ·  Technical = interoperability specifications — systems that don't implement them correctly won't work, but there's no regulator.
Req 1
Network security controls
Firewalls and network segmentation isolating the CDE. No direct internet access to cardholder systems.
All merchants
Req 2
Secure configurations
Vendor defaults changed, unnecessary services disabled, system hardening standards applied.
All merchants
Req 3
Protect stored account data
PAN must be rendered unreadable (AES-256 or truncation). SAD must never be stored post-auth.
All merchants
Req 4
Encrypt data in transit
TLS 1.2+ for all PAN transmission. No fallback to SSL or early TLS. Certificate pinning recommended.
All merchants
Req 5
Protect against malware
Anti-malware on all systems, regular scans, log reviews. Anti-phishing controls for personnel.
SAQ A-EP+
Req 6
Secure systems & software
Security patches within 1 month. OWASP Top 10 addressed. Change management enforced.
All merchants
Req 7
Restrict access by need
Least-privilege access controls. Role-based access to all CDE systems and data.
All merchants
Req 8
Identify users & authenticate
Unique IDs per user, MFA on all CDE access, password complexity, session management.
All merchants
Req 9
Restrict physical access
Physical access controls to CDE. Media destruction policy. POS device tamper monitoring.
SAQ B+
Req 10
Log & monitor all access
Audit logs for all CDE access. Log integrity, SIEM, 12-month retention, daily review.
All merchants
Req 11
Test security regularly
Quarterly ASV scans, annual penetration test, internal vulnerability scans, IDS.
All merchants
Req 12
Security policies & programme
Information security policy, annual risk assessment, staff training, incident response plan.
All merchants
Fraud & Risk

Risk-based authentication & fraud scoring

How issuers and networks score transactions in real time — and how to build with that in mind.

Live RBA Score Simulator
Transaction amount£45
Device trust scorehigh
Velocity (txns / hr)2
Geo anomalylow
Merchant category risklow
3DS2 enrichmentrich
Risk score
18
Frictionless — approve
Low risk profile. 3DS2 frictionless flow likely. No step-up required.
Approve No 3DS challenge
Authentication

EMV 3DS 2.2 & 2.3 — Issuer authentication for CNP

EMV 3-D Secure is the protocol that authenticates cardholders in card-not-present transactions. Version 2.2 is the current production baseline; 2.3 adds decoupled authentication and enhanced data fields. Both are mandated under PSD2 SCA in the EEA.

Version comparison — 2.1 → 2.2 → 2.3
3DS 2.1 — baseline
Initial EMVCo release. Introduced frictionless flow, 80+ data elements, browser fingerprinting, and liability shift. Replaced the universally hated 3DS1 redirect. Now considered legacy — schemes are deprecating it.
3DS 2.2 — current
Adds decoupled authentication (cardholder authenticates independently of the transaction), enhanced 3RI (3DS Requestor Initiated) for merchant-initiated transactions, and whitelisting (trusted beneficiary). Mandated in EU under PSD2. Current production standard.
3DS 2.3 — latest
Extends decoupled auth with a longer maximum timeout (7 days vs 30 minutes in 2.2). Adds new authentication methods (QR code, out-of-band), enhanced app-based flows, and additional data elements for improved risk scoring. Adoption growing — Visa and MC mandating from 2025.
Card Standards

ISO standards underpinning card payments

Every tap, swipe, and dip is governed by a stack of ISO standards. This section breaks down the four core specifications every payment developer should understand.

ISO/IEC 7812
Card Identification
BIN / IIN numbering, PAN structure, Luhn checksum
ISO/IEC 7813
Magnetic Stripe
Track 1, Track 2, Track 3 data formats
ISO/IEC 7816
ICC / EMV Chip
Contact chip interface, APDU protocol, file structures
ISO/IEC 14443
NFC / Contactless
RF interface, anti-collision, APDU over NFC
ISO/IEC 7812 — Card identification & numbering
What it defines

ISO/IEC 7812 specifies the structure of the Primary Account Number (PAN) — the 8–19 digit card number — and the Issuer Identification Number (IIN, commonly called the BIN). It also mandates the Luhn algorithm (Mod 10) as the checksum that validates PAN structural integrity before any network lookup is attempted.

PAN structure
iso7812_pan_anatomy.txt
PAN:  4  5  3  2  0  1  5  1  1  2  8  3  0  3  6  6
      |________|  |___________________________|  |_|
        IIN/BIN        Account identifier       Check
       (6–8 digits)     (variable length)       digit

IIN breakdown (first 6–8 digits):
  MII (first digit):  4 = Visa
                      5 = Mastercard
                      3 = Amex / JCB / Diners
                      6 = Discover / UnionPay
  IIN range:          identifies issuer bank
  Account ID:         assigned by issuer
  Check digit:        Luhn (Mod 10) checksum
Luhn algorithm (Mod 10)
luhn.py
def luhn_valid(pan: str) -> bool:
    digits = [int(d) for d in pan if d.isdigit()]
    # Double every second digit from the right
    for i in range(len(digits) - 2, -1, -2):
        digits[i] *= 2
        if digits[i] > 9:
            digits[i] -= 9
    return sum(digits) % 10 == 0

# 4532015112830366 → True  (valid Visa test PAN)
# 4532015112830367 → False (single digit changed)
StandardISO/IEC 7812-1:2017 + 7812-2
PAN length8–19 digits (most cards: 16)
IIN / BIN length6 digits (legacy) → 8 digits (2017+)
MII digit 4Visa
MII digit 5Mastercard (51–55 range)
MII digit 3Amex (34, 37) / JCB (35) / Diners
MII digit 6Discover (6011, 65) / UnionPay (62)
Check digitLuhn algorithm (ISO/IEC 7812-1 Annex B)
Card Present

Card-present, contactless & acquirer certification

The technical differences between CP and CNP, how a contactless tap actually works end-to-end, fallback handling, POS entry modes, and what acquirer domain certification involves.

Card-present vs card-not-present
CARD-PRESENT (CP) Card / NFC chip / tap ARQC Terminal ISO 8583 TLS Acquirer routes Issuer decides ✓ Chip cryptogram = hardware proof of card ✓ PIN verifies cardholder in person ✓ Lower interchange rate (card present) ✓ Liability: issuer for lost/stolen if chip used Auth: DE 22 POS Entry Mode 05 (chip) / 07 (NFC) Fraud rate: ~0.01–0.03% of CP volume
CARD-NOT-PRESENT (CNP) Browser PAN keyed in Merchant API gateway 3DS / ACS optional auth (PSD2 mandatory) Acquirer routes 0100 Scheme fraud score Issuer RBA + decides ✗ No hardware proof — only static data (PAN, CVV2, expiry) ⚠ 3DS adds cardholder auth but adds friction ✗ Higher interchange rate + higher fraud rate ✗ Merchant bears fraud liability without 3DS Auth: DE 22 POS Entry Mode 01 (keyed) / 81 (e-comm) Fraud rate: ~0.1–0.3% of CNP volume (10× higher)
Why CP and CNP are different channels

Card-present (CP) means the physical card or device was used at a terminal — the chip, contactless, or magstripe was read directly. Card-not-present (CNP) covers e-commerce and MOTO where only the card number, expiry, and CVV2 are provided. The distinction affects fraud liability, interchange rates, authentication requirements, and which data fields appear in the ISO 8583 message.

Card-present (CP)
Auth methodEMV chip / contactless / magstripe
Fraud liabilityIssuer bears (EMV chip used)
InterchangeLower — regulated EU/UK rates apply
3DS requiredNo — not applicable for CP
CVV2 requiredNo — CVV1 on stripe / chip cryptogram used
Chargeback riskLower — physical presence evidenced
Card-not-present (CNP)
Auth methodPAN + expiry + CVV2 only
Fraud liabilityMerchant bears (no 3DS) or issuer (3DS auth)
InterchangeHigher — CNP surcharge applies
3DS requiredYes — mandated under PSD2 SCA in EEA
CVV2 requiredYes — only verifiable credential available
Chargeback riskHigher — no physical evidence of cardholder
Disputes & Chargebacks

Chargeback rules, reason codes & dispute processing

How Visa and Mastercard handle disputed transactions — the full lifecycle from first notification to arbitration, reason code taxonomy, time limits, compelling evidence rules, and merchant monitoring programmes.

How disputes work
Visa calls them disputes — Mastercard calls them chargebacks

Visa officially retired the term "chargeback" and now refers to all reversals as "disputes." Mastercard still uses "chargeback" in its documentation. The underlying process is functionally identical: a cardholder contacts their issuing bank to contest a transaction, the issuer raises the dispute with the acquirer via the scheme network, the acquirer notifies the merchant, and the disputed funds are provisionally reversed pending resolution. The main interaction in every case is between issuer and acquirer — the merchant operates through their acquirer and is never a direct party to the scheme dispute process.

Visa terminologyDispute — all reversals are called disputes since 2018
Mastercard terminologyChargeback — term still used in official MC documentation
Legal basis (US)Fair Credit Billing Act 1974 (credit) / EFTA 1978 (debit)
Legal basis (EU/UK)Payment Services Directive 2 / Consumer Credit Act
Who filesIssuer — on behalf of cardholder
Who respondsAcquirer — on behalf of merchant
Merchant's roleProvides evidence to acquirer — no direct scheme access
Funds during disputeDebited from merchant account immediately on chargeback filing
Sources — Visa: Dispute Management Guidelines for Visa Merchants, June 2024 (public PDF). Reason code structure and CE 3.0 rules sourced from Visa Core Rules and Visa Product and Service Rules, October 2025 (public).  ·  Mastercard: Chargeback Guide (Merchant Edition), May 2025 (public PDF). Lifecycle and reason code details corroborated against Adyen technical documentation.  ·  Programme thresholds are current as of early 2025 — schemes update these periodically; always verify against current scheme bulletins.
Glossary

Payment terminology

Essential terms for card payment integrations.

ARQC
Authorisation Request Cryptogram — 8-byte MAC generated by the EMV chip per transaction. Proves card presence; replay attacks fail on ARPC mismatch.
Acquirer
The bank holding the merchant's account, routing transactions to the card network on the merchant's behalf. Also called the merchant bank or PSP.
ACS
Access Control Server — the issuer's server that evaluates 3DS2 authentication requests and decides frictionless approval or challenge.
CDE
Cardholder Data Environment — any system that stores, processes, or transmits PAN or SAD. Minimising CDE scope reduces PCI compliance burden.
Chargeback
A dispute where the cardholder reverses a transaction through their issuer. Results in fee plus fund reversal. 3DS2 authentication shifts liability to the issuer.
CNP
Card Not Present — e-commerce and MOTO transactions. Higher fraud risk, higher interchange, requires 3DS2 under PSD2 in the EEA.
EMV
Europay–Mastercard–Visa chip standard. Defines the chip protocol including dynamic cryptogram generation, terminal risk management, and offline PIN verification.
Interchange
Fee paid by the acquirer to the issuer per transaction. Regulated at 0.2% debit / 0.3% credit in the EU and UK. Varies widely outside regulated regions.
ISO 8583
International standard for financial transaction messages. Defines message types (0100 auth, 0110 response, 0400 reversal) and data elements in fields 1–128.
Issuer
The bank that issued the card to the cardholder. Responsible for authorisation decisions, fraud scoring, and posting transactions to the cardholder's account.
MDR
Merchant Discount Rate — the total percentage fee charged by the acquirer to the merchant. Comprises interchange, scheme fees, and acquirer margin.
PAN
Primary Account Number — the 16-digit card number. Never log or store in plain text. PCI DSS scope is primarily defined by PAN presence in a system.
PCI DSS
Payment Card Industry Data Security Standard — 12 technical and operational requirements for any entity storing, processing, or transmitting cardholder data.
QSA
Qualified Security Assessor — PCI Council-certified auditor. Required for Level 1 merchants (6M+ Visa txns/yr) to conduct on-site ROC assessments.
RBA
Risk-Based Authentication — using transaction signals (device, geo, velocity, behaviour) to decide whether to approve frictionlessly or step up to a challenge.
SAD
Sensitive Authentication Data — full track data, CVV2/CVC2, PIN block. Must never be stored post-authorisation, even in encrypted form.
STAN
Systems Trace Audit Number — a 6-digit number assigned per transaction to match auth to capture and aid dispute resolution.
3DS2
3-D Secure v2 — issuer authentication for CNP. Passes up to 150 data elements to the ACS. Frictionless when risk is low; OTP or biometric challenge otherwise.
EMV Level 1
Terminal certification testing the physical and electrical interface between the terminal and the ICC. Covers ISO 7816-3 signal integrity, power tolerances, and contactless RF (ISO 14443). Conducted by an EMVCo-accredited lab.
EMV Level 2
Terminal certification testing the EMV payment application kernel — application selection, card authentication (SDA/DDA/CDA), cardholder verification method (CVM), and terminal risk management. Required separately for each kernel type (contact, contactless, per scheme).
EMV Level 3
End-to-end certification testing the full transaction path from terminal through acquirer host to the card scheme. Validates ISO 8583 message construction, Field 55 EMV data, and scheme-specific rules. Must be repeated per acquirer and per scheme. Typically takes 3–9 months.
PCI PTS
PIN Transaction Security — PCI SSC programme testing the physical tamper-resistance of PIN entry devices. Required for any terminal accepting PIN. Separate from EMV certification. Approval lasts 5 years from date of listing.
SoftPOS / CPOC
Contactless Payments on COTS — PCI SSC programme allowing a commercial smartphone to act as a POS terminal. Requires CPOC programme approval plus scheme-specific L2/L3 kernel certification for the payment software.
ISO/IEC 7812
Standard defining the structure of the Primary Account Number (PAN) and the Issuer Identification Number (IIN / BIN). Specifies the Major Industry Identifier (MII), BIN length (6 or 8 digits), and mandates the Luhn (Mod 10) checksum on all PANs.
ISO/IEC 7813
Standard defining the magnetic stripe data encoding on payment cards. Specifies Track 1 (IATA, 210 bpi, alphanumeric) and Track 2 (ABA, 75 bpi, numeric) formats including PAN, expiry, service code, and CVV1. Track data is SAD and must never be stored post-auth.
ISO/IEC 7816
Multi-part standard covering contact chip (ICC) cards. Parts 1–2 define physical dimensions and contact positions. Part 3 defines T=0/T=1 electrical protocols. Part 4 defines the APDU command/response structure used by EMV. EMV builds directly on 7816-3 and 7816-4.
ISO/IEC 14443
Standard defining the contactless card (PICC) and reader (PCD) interface at 13.56 MHz. Part 2 covers RF modulation (Type A: ASK 100%, Type B: ASK 10%). Part 3 defines anti-collision. Part 4 defines the T=CL block transmission protocol used by all EMV contactless and NFC phone payments.
APDU
Application Protocol Data Unit — the command/response message format defined in ISO 7816-4. Commands carry CLA, INS, P1, P2, Lc (data length), Data, and Le (expected response length). Responses carry Data plus a 2-byte status word (e.g. 9000 = success, 6A82 = file not found).
AID
Application Identifier — a 5–16 byte value registered under ISO 7816-5 that uniquely identifies a payment application on a chip card. Visa Credit uses A0000000031010; Mastercard uses A0000000041010. Terminals use the AID list to perform application selection.
Track 2
The numeric-only magnetic stripe track defined in ISO 7813. Contains PAN, expiry date, service code, and CVV1. Used by EMV terminals for fallback transactions when chip processing fails. Storing Track 2 post-authorisation is a PCI DSS violation.
DPAN
Device PAN — the token value provisioned to a digital wallet. Looks like a valid card number (passes Luhn, same BIN range) but maps to the real PAN only inside the Token Service Provider's vault. Used in contactless and in-app payments in place of the FPAN.
FPAN
Funding PAN — the real card number issued to the cardholder. Never exposed to the merchant in a tokenised payment. The TSP maps the DPAN back to the FPAN internally before passing the authorisation to the issuer.
TAVV
Token Authentication Verification Value — a dynamic cryptogram generated per transaction by the wallet using a limited-use key (LUK). Proves that the payment came from the legitimate device holding the token. Replaces the static CVV1 in tokenised transactions.
TSP
Token Service Provider — the entity that creates, manages, and vaults tokens. Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES) are the two main TSPs. They orchestrate provisioning, manage token lifecycle, and handle DPAN-to-FPAN mapping.
VTS
Visa Token Service — Visa's Token Service Provider. Issues and manages DPANs for Visa cards provisioned to Apple Pay, Google Pay, and other wallets. Communicates with issuers via a set of web service APIs (CheckEligibility, SubmitLifecycleCommand, TokenInquiry, etc.).
MDES
Mastercard Digital Enablement Service — Mastercard's equivalent of Visa VTS. Provides the same token provisioning and lifecycle management functions for Mastercard-branded cards in digital wallets.
HCE
Host Card Emulation — a software approach to NFC payments where the device OS emulates a contactless card without requiring a physical Secure Element. Used by Google Pay on Android. Limited-use keys are stored in the Trusted Execution Environment and replenished from the cloud.
LUK
Limited-Use Key — a session key provisioned to the wallet device and used to generate TAVV cryptograms for a finite number of transactions. Once a LUK is exhausted, the wallet replenishes it from the TSP cloud service. Prevents replay attacks even if a key is extracted.
STIP
Stand-In Processing — when an issuer's system is unavailable, Visa or Mastercard's systems approve or decline transactions on the issuer's behalf using pre-configured rules. Also applies during token provisioning — if the issuer doesn't respond to eligibility checks in time, the TSP makes the decision.
AReq / ARes
Authentication Request and Response — the core 3DS2 messages. The AReq carries up to 150 data fields from the merchant's 3DS Server to the issuer's ACS via the Directory Server. The ARes carries the authentication decision (Y/A/C/R/U/N) back.
CAVV
Cardholder Authentication Verification Value — Visa's cryptographic proof that 3DS authentication took place. Passed in ISO 8583 Field 126 alongside the ECI at authorisation time. Required to obtain liability shift. Mastercard equivalent is AAV.
ECI
Electronic Commerce Indicator — a 2-digit code passed in the authorisation request indicating the authentication outcome. Visa: 05 = fully authenticated (liability shift), 06 = attempted, 07 = not authenticated. Mastercard: 02, 01, 00 respectively.
Decoupled auth
A 3DS 2.2+ authentication mode where the cardholder authenticates through a separate channel (banking app, email) independently of the checkout session. The merchant sets a maximum wait time — up to 30 minutes in 2.2, up to 7 days in 2.3.
3RI
3DS Requestor Initiated — a 3DS2 flow for merchant-initiated transactions where the cardholder is not present. References a prior customer-initiated authentication. Used for recurring payments, instalments, and unscheduled credential-on-file charges.
TRA
Transaction Risk Analysis — a PSD2 SCA exemption allowing issuers or acquirers to skip authentication for low-risk transactions, provided their fraud rate stays below defined thresholds (0.13% for ≤€100, 0.06% for ≤€250, 0.01% for ≤€500).
SPC
Secure Payment Confirmation — a W3C browser API that uses FIDO2/WebAuthn to authenticate cardholders via a native OS biometric prompt instead of an HTML challenge iframe. Integrated into 3DS 2.3. Supported in Chrome and Edge from 2024.
Card-present (CP)
A transaction where the physical card or payment device is used at a terminal — the chip, contactless interface, or magnetic stripe is read directly. Carries lower fraud risk, lower interchange, and EMV liability shift (chip) compared to CNP.
DE 22 / Field 22
ISO 8583 Data Element 22 — POS Entry Mode. A 3-digit field indicating how the card data was captured (chip, contactless, magstripe, keyed) and which cardholder verification method was used (online PIN, offline PIN, no CVM). Used by issuers to apply fraud rules and interchange categories.
Fallback
When a chip card falls back to magstripe because the chip failed to read. Indicated by DE 22 = 801. The transaction loses EMV liability shift — the merchant bears fraud liability. Excessive fallback rates attract scheme fraud monitoring investigations.
Offline CVM limit
The transaction amount below which a contactless payment requires no cardholder verification (no PIN, no signature). Above the limit, online PIN is required. Limits vary by market: £100 (UK), €50 (EU). Mobile wallet payments bypass the limit via device biometric.
Acquirer domain cert
The certification process by which an acquirer host system is validated by a card scheme (Visa VCMS or Mastercard MPE) to correctly construct, route, and handle ISO 8583 messages. Required before processing live transactions. Distinct from EMV terminal certification and PCI DSS.
Floor limit
The maximum transaction amount an EMV terminal can approve offline without seeking online authorisation. Configured by the acquirer and scheme. Amounts above the floor limit require an online auth request. Contactless transactions typically have a floor limit of £0 — all taps go online.
TC / AAC / ARQC
The three types of Application Cryptogram generated by an EMV chip. ARQC (Authorisation Request Cryptogram) = card requests online auth. TC (Transaction Certificate) = card approves offline. AAC (Application Authentication Cryptogram) = card declines offline. All are 8-byte 3DES MACs.
TAC
Terminal Action Code — one of three 5-byte bitmasks (TAC-Denial, TAC-Online, TAC-Default) configured by the acquirer in the terminal. During Terminal Action Analysis, TACs are ORed with the card's IACs and ANDed against the TVR to decide whether to decline offline, request online auth, or approve offline.
IAC
Issuer Action Code — the card's equivalent of the TAC, stored in the card's application data. Three variants: IAC-Denial, IAC-Online, IAC-Default. ORed with the acquirer's TAC during Terminal Action Analysis. The issuer uses IACs to enforce their own risk policy regardless of what the acquirer configures.
TVR
Terminal Verification Results — a 5-byte bitmask populated by the terminal throughout the EMV transaction. Each bit represents a condition flagged during processing (e.g. offline data auth not performed, PIN tries exceeded, card on exception file). The TVR is ANDed against TAC/IAC masks during Terminal Action Analysis to determine the transaction outcome. Also sent to the issuer in Field 55.
AIP
Application Interchange Profile — a 2-byte field returned by the card in response to GET PROCESSING OPTIONS. Indicates which EMV capabilities the card supports: SDA, DDA, CDA, cardholder verification, terminal risk management, and issuer authentication.
Chargeback / Dispute
A reversal of a card transaction initiated by the cardholder's issuing bank. Visa officially calls these "disputes"; Mastercard still uses "chargeback." Funds are debited from the merchant account immediately on filing. The merchant responds through their acquirer — there is no direct merchant access to scheme dispute systems.
Representment
The process by which a merchant (via their acquirer) contests a chargeback by resubmitting the transaction along with compelling evidence. Also called a dispute response in Visa's terminology. Must be submitted within scheme time limits — typically 30 days (Visa) or 45 days (MC) from chargeback initiation.
Compelling Evidence 3.0
Visa's framework for countering first-party (friendly) fraud on code 10.4. Requires two prior undisputed transactions from the same cardholder (120–365 days prior) sharing at least two matching data points (device ID, IP, shipping address, phone, fingerprint). Meeting the threshold automatically shifts liability to the issuer.
Allocation workflow
Visa's dispute processing path for fraud (10.x) and authorisation (11.x) reason codes. Visa automatically assigns liability to the party responsible based on whether scheme rules were followed — primarily whether chip was used and 3DS authentication was performed. Limited merchant recourse.
Collaboration workflow
Visa's dispute processing path for processing errors (12.x) and consumer disputes (13.x). Both parties have the opportunity to present evidence before liability is determined. The acquirer submits a response within 30 days; the issuer can escalate to pre-arbitration.
NoC
Notification of Chargeback — Mastercard's first formal notification to the acquirer that a chargeback has been initiated. The RFI (Request for Information) stage was removed in October 2021; the process now starts directly at NoC. The acquirer has 45 days from NoC to respond.
Pre-arbitration
The escalation stage before formal scheme arbitration. If the issuer rejects the acquirer's dispute response, they can file a pre-arbitration case. For Mastercard, this applies to all reason codes except 4808, 4870, and 4871 — these go directly to arbitration. Visa equivalent: the pre-arbitration stage within the collaboration workflow.
VDMP / VFMP
Visa Dispute Monitoring Programme and Visa Fraud Monitoring Programme — the two scheme programmes that monitor merchant chargeback and fraud ratios. Breaching thresholds results in enrolment, escalating monthly fines, and ultimately loss of scheme acceptance rights. Early warning thresholds exist before formal enrolment.
Friendly fraud
When a cardholder disputes a legitimate transaction — either intentionally (to obtain goods for free) or unintentionally (failing to recognise the charge). Estimated by Visa to account for roughly 75% of all disputes. Visa CE 3.0 is specifically designed to counter friendly fraud on CNP transactions.
History

Evolution of card payments

Key milestones from charge plates to contactless and open banking.

50s
1950
Diners Club — first charge card
Paper-based, settled monthly. Frank McNamara's idea of one card accepted at multiple restaurants.
60s
1966
BankAmericard → Visa network
Bank of America licenses nationally. Interbank Card Association becomes Visa in 1976.
70s
1979
ISO 7813 magnetic stripe standard
Standardised Track 1/2/3 format, enabling interoperable terminal reads worldwide.
90s
1996
EMV specification published
Europay, Mastercard, Visa release the joint spec. Chip-and-PIN deployments begin in France and UK.
00s
2001
3-D Secure v1 (Verified by Visa)
First issuer authentication protocol for e-commerce. Widely criticised for redirect UX; superseded by 3DS2 in 2016.
00s
2004
PCI DSS v1.0 published
Card networks form PCI SSC. Merchants mandated to meet 12 requirements for cardholder data handling.
00s
2007
Contactless (ISO 14443 / NFC)
MasterCard PayPass and Visa payWave launch. UK limit started at £10, raised to £100 in 2021.
10s
2014
Apple Pay & network tokens
Device-bound DPAN tokens replace PAN in digital wallets. TRID framework established by schemes.
10s
2016
3DS2 & PSD2 SCA mandate
EMVCo releases 3DS2. EU PSD2 mandates Strong Customer Authentication for CNP — friction vs conversion war begins.
20s
2022
PCI DSS v4.0
Customised implementation approach introduced. New requirements for e-skimming (Magecart) defence. Full enforcement March 2025.
20s
2023+
Open Banking & A2A payments
PSD2 APIs enable VRP and Pay-by-Bank, bypassing card rails. Threatens debit card volume across Europe.
Developer Tools

Interactive utilities

Handy tools for card payment development and testing.

!
Test data only — not real card numbers

All PANs shown on this page are published test values from public payment gateway documentation (Stripe, Adyen, PayPal). They are structurally valid — they pass the Luhn checksum — but they are not associated with any real cardholder account, bank, or financial institution. They exist solely for developer testing. Never use real card numbers in any tool, log, or test environment.

Luhn / Mod 10 Checker
What is the Luhn algorithm?

The Luhn algorithm (ISO/IEC 7812) is a simple checksum formula used to validate card numbers (PANs). It catches single-digit errors and most transpositions. It does not prove a card exists or is active — only that the number is structurally valid.

Enter a card number above to validate
Quick test — click to load
Published test PANs — not real
Visa
4532 0151 1283 0366
Valid — passes Luhn
Mastercard
5425 2334 3010 9903
Valid — passes Luhn
Amex
3742 510187 20955
Valid — 15 digits
Invalid
4532 0151 1283 0367
Fails Luhn — wrong check digit
How the algorithm works
luhn.py
def luhn_check(card_number: str) -> bool:
    digits = [int(d) for d in card_number if d.isdigit()]
    # Step 1: reverse the digits
    digits = digits[::-1]
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == 1:        # Step 2: double every second digit
            d *= 2
            if d > 9: d -= 9  # Step 3: subtract 9 if > 9
        total += d
    return total % 10 == 0   # Step 4: valid if sum mod 10 = 0

# Generate a valid check digit for a partial PAN
def luhn_generate(partial: str) -> int:
    digits = [int(d) for d in partial if d.isdigit()] + [0]
    digits = digits[::-1]
    total = sum(
        d * 2 - 9 if (d * 2 > 9 and i % 2 == 0) else
        d * 2 if i % 2 == 0 else d
        for i, d in enumerate(digits)
    )
    return (10 - total % 10) % 10
Payment flow simulator
What this simulates

Enter card details and click Pay. The simulator checks the PAN with Luhn, validates expiry and CVV format, then replays realistic issuer logic — picking a decline reason based on the specific card number you enter. Use the quick-fill buttons to trigger specific DE 39 response codes. All numbers are test-only.

•••• •••• •••• ••••
Card holder
YOUR NAME
Expires
MM/YY
£
Quick-fill scenarios
Transaction log
// awaiting transaction…
4 ...Visa — 16 digits (13 legacy)
51–55 / 2221–2720Mastercard — 16 digits
34 / 37Amex — 15 digits
6011 / 622126–622925 / 644–649 / 65Discover — 16 digits
3528–3589JCB — 16–19 digits
300–305 / 3095 / 36 / 38Diners Club — 14 digits
Appendix

Reference tables

ISO 8583 response codes, merchant category codes, ISO 3166 country codes, and ISO 4217 currency codes — the lookup tables every payment integration needs close to hand.

Approved Hard decline — never retry Soft decline — retry after delay Referral — call issuer System / processing
Code
Description
Category
Retry?
Source — Numeric codes 00–96 sourced from ISO 8583-1:1987 Field 39. Alpha codes (N0, N7, R0, R1, R3, P-series, Q1) are Visa/MC extensions. Retry guidance is editorial based on Visa Retry Rules and MC Transaction Processing Rules.