Coshine

Glossary

A working glossary of the payments rails.

Twenty terms a bank, wallet or FinTech product team typically needs to read a payment processor's documentation. Written as we use them — not as a textbook.

Card lifecycle & parties

Issuer (Issuing bank · Issuing processor)

The institution that issues a payment card to a consumer or business and stands behind the credit, debit or prepaid funds attached to it. An issuing bank holds the cardholder relationship and the funds; an issuing processor (like Coshine) operates the technical platform that authorizes transactions, posts them to the cardholder account, and exchanges files with the card scheme on behalf of the bank.

See also: Acquirer, BIN sponsorship, Processor

Acquirer (Acquiring bank · Acquiring processor)

The institution that holds the merchant relationship and, ultimately, deposits net funds into the merchant's bank account. An acquiring bank carries the liability; an acquiring processor runs the gateway, routing and settlement plumbing that turns a card swipe or API call into a credit to the merchant. The acquirer's counterpart on the cardholder side is the issuer.

See also: Issuer, Processor, Interchange

BIN sponsorship (Bank Identification Number sponsorship)

An arrangement under which a non-bank entity issues cards on a bank's licensed BIN range, with the sponsor bank holding the scheme membership, the funds and the compliance liability. This is a common path for FinTechs that want to launch a card program without applying for principal-membership status with Visa or Mastercard themselves. The sponsor bank delegates day-to-day program operation (including processing) to its partners but cannot delegate ultimate accountability.

See also: Issuer, Card scheme

PAN (Primary Account Number)

The 13–19 digit account number embossed on the front of a card and encoded on its chip and magnetic stripe. The first 6–8 digits are the BIN and identify the issuer; the remaining digits are the cardholder account, with the final digit a Luhn checksum. Storing PAN in the clear is the central concern of PCI DSS — most modern systems handle PAN only inside the cardholder data environment and substitute tokens everywhere else.

See also: Tokenization, CDE, PCI DSS
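The PAN structure described above (13–19 digits, BIN first, Luhn check digit last) is enough to detect card numbers that leak into logs outside the cardholder data environment. The following is an added example, not Coshine code: the function names, the sample log lines and the first-6/last-4 masking format are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """True if the final digit is a correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep the first 6 and last 4 digits (assumed masking format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub(text):
    """Return (text with Luhn-valid PANs masked, number of PANs masked)."""
    hits = 0
    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            return match.group()   # digit run that is not a PAN: leave it
        hits += 1
        return mask_pan(digits)
    return CANDIDATE.sub(repl, text), hits

# Constructed sample log lines (4111... is the widely published test number).
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:00Z auth ok pan=4111111111111111 amt=12.50",
    "2024-05-01T10:00:02Z card 4111 1111 1111 1111 declined",
    "2024-05-01T10:00:03Z trace id 1234567890123456 queued",
])

if __name__ == "__main__":
    cleaned, count = scrub(SAMPLE_LOG)
    print(cleaned)
    print(f"masked {count} PAN(s)")
```

The Luhn check is what keeps the 16-digit trace id in the third line from being treated as a card number.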

Authentication & security

3-D Secure (3DS · EMV 3DS · 3DS 2.x)

A protocol that lets a card issuer authenticate the cardholder during a card-not-present transaction (typically e-commerce), shifting fraud liability from the merchant to the issuer when the flow completes. Version 2 ("EMV 3DS") replaced the older browser-redirect-heavy 3DS 1 with a richer data exchange that lets the issuer make a risk-based decision and skip the cardholder challenge entirely ("frictionless") for low-risk transactions, falling back to OTP or app-based challenge only when needed.

See also: ACS, CNP

ACS (Access Control Server)

The issuer-side component in a 3-D Secure transaction. The ACS receives the authentication request from the directory server, applies the issuer's risk rules, and decides whether to approve the transaction frictionlessly or to challenge the cardholder. Coshine operates an EMV 3DS 2.x ACS on behalf of issuers; the ACS holds the device-binding state, the OTP delivery integration, and the policy engine that scores the transaction.

See also: 3-D Secure

CDE (Cardholder Data Environment)

The portion of an organization's network, systems and processes that stores, processes or transmits cardholder data — and therefore falls in scope for PCI DSS. Designing for a small CDE (through segmentation, tokenization and never persisting full PAN outside HSM-backed services) is the most reliable way to keep an audit tractable. Anything that touches PAN is in scope; anything that touches only tokens is not.

See also: PAN, PCI DSS, Tokenization

Tokenization (Network token · PSP token · Vault token)

Substituting the real PAN with a non-sensitive reference ("token") so that downstream systems can recognize the same card without ever seeing its actual digits. A network token is issued and recognized by the card scheme itself (Visa Token Service, Mastercard MDES) and can carry liability protections; a PSP or vault token is local to a single processor or merchant. Tokenization is the lever that shrinks the cardholder data environment and unlocks the lighter parts of PCI scope.

See also: PAN, CDE, 3-D Secure

Transaction flow

Authorization (Auth · Approval)

The real-time step in which the issuer is asked whether the cardholder has enough credit or funds for a specific transaction, and either approves or declines. An authorization typically holds (but does not move) the funds; the actual movement happens later in clearing and settlement. Authorization is the latency-sensitive hot path of payment processing — most processors hold their p95 here under 200 ms.

See also: Clearing, Settlement

Clearing (Presentment)

The exchange of formal transaction records between acquirer and issuer (via the card scheme) after authorization. Clearing files describe each captured transaction in detail — including fees, currency and reference data — and form the basis on which the issuer posts the charge to the cardholder account. Clearing happens in batches on a scheme-defined cadence (typically daily) and is the input to settlement.

See also: Authorization, Settlement

Settlement (Net settlement)

The actual movement of money between issuer and acquirer to discharge the obligations created during the clearing window. Card schemes typically net all flows between two members so that only the difference is wired, rather than every individual transaction. The acquirer then settles the merchant — minus the merchant discount rate (interchange + scheme fees + acquirer margin).

See also: Clearing, Interchange

Chargeback (Dispute · Retrieval)

A cardholder-initiated reversal of a settled transaction, raised through their issuer under one of several scheme-defined reason codes (fraud, goods not received, duplicate, etc.). The funds are pulled back from the merchant pending evidence; the merchant has a fixed window to respond with proof. Chargeback economics — win rate, evidence quality, scheme thresholds — are a top operational concern for high-volume merchants.

See also: Acquirer

Network & infrastructure

Card scheme (Network · Card brand)

The rails that connect issuers and acquirers and define the rules for how their members move money between each other. Visa, Mastercard, UnionPay, JCB, American Express and Discover are the major global schemes; many countries also have domestic schemes. A processor's value depends partly on which schemes it has certified connectivity to — adding a scheme means a multi-month certification project, not a config flag.

See also: Interchange, ISO 8583

Interchange (Interchange fee)

The fee paid by the acquirer to the issuer for each transaction, set by the card scheme and tiered by card product (credit vs debit, consumer vs commercial, regulated vs unregulated, in-region vs cross-border, etc.). Interchange is the largest single component of merchant discount rate and the reason "premium" credit cards cost merchants more to accept than debit cards. The scheme itself takes a smaller assessment fee on top.

See also: Settlement, Card scheme

ISO 8583 (ISO messaging · MTI)

The ISO standard for the financial transaction messages exchanged between card networks, issuers and acquirers. Messages are typed (MTI 0100 = authorization request, 0110 = response, 0200 = financial request, etc.) and carry data in bitmap-indexed fields. Despite being decades old, ISO 8583 remains the lingua franca for scheme-side processing; modern processors typically expose REST or gRPC APIs on the client side and translate to ISO 8583 on the scheme side.

See also: Card scheme, Authorization
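To make "typed messages with bitmap-indexed fields" concrete, the added example below (not Coshine code) decodes the MTI and bitmaps of an ISO 8583 header and reports which flagged fields carry cardholder data, which is the check to run before a message is written to a log or trace. It assumes an ASCII MTI and hex-encoded bitmaps (encodings vary between implementations); the function names and sample headers are constructed, and the field meanings for 2, 35, 45 and 52 come from the ISO 8583 field definitions rather than from this glossary.

```python
MTI_NAMES = {"0100": "authorization request", "0110": "authorization response",
             "0200": "financial request"}
# Data elements that carry cardholder or authentication data.
SENSITIVE = {2: "PAN", 35: "track 2 data", 45: "track 1 data", 52: "PIN data"}

def bits_set(bitmap, offset):
    """Field numbers flagged in an 8-byte bitmap; bit 1 is the most significant bit."""
    return [offset + i * 8 + b + 1
            for i, byte in enumerate(bitmap)
            for b in range(8) if byte & (0x80 >> b)]

def parse_header(msg):
    """Decode MTI and bitmaps. Assumed wire format: ASCII MTI, hex-encoded bitmaps."""
    if len(msg) < 20 or not msg[:4].isdigit():
        raise ValueError("need a 4-digit MTI and a 16-hex-character primary bitmap")
    fields = bits_set(bytes.fromhex(msg[4:20]), 0)
    if 1 in fields:                      # bit 1 flags a secondary bitmap (fields 65-128)
        if len(msg) < 36:
            raise ValueError("secondary bitmap flagged but truncated")
        fields.remove(1)
        fields += bits_set(bytes.fromhex(msg[20:36]), 64)
    return {
        "mti": msg[:4],
        "type": MTI_NAMES.get(msg[:4], "unknown"),
        "fields": fields,
        "sensitive": {n: SENSITIVE[n] for n in fields if n in SENSITIVE},
    }

# Constructed headers; the field data that would follow is omitted.
AUTH_REQUEST = "0100" + "7220000000001000"
FINANCIAL_REQUEST = "0200" + "C000000000000000" + "0400000000000000"

if __name__ == "__main__":
    for header in (AUTH_REQUEST, FINANCIAL_REQUEST):
        print(parse_header(header))
```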

Processor (Issuing processor · Acquiring processor)

The technology operator that runs the platform connecting cardholders, merchants, banks and card schemes — handling authorization, clearing, settlement, dispute and reporting. A bank may operate its own processing in-house or outsource it to a third-party processor (like Coshine) while retaining the cardholder or merchant relationship and regulatory licence. Issuing processors and acquiring processors are distinct disciplines, though many providers offer both.

See also: Issuer, Acquirer

Compliance & risk

PCI DSS (Payment Card Industry Data Security Standard)

The data security standard maintained by the PCI Security Standards Council, mandatory for any entity that stores, processes or transmits cardholder data. Compliance levels are determined by transaction volume; Level 1 — the most demanding — requires an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV). PCI DSS sits alongside PCI 3DS and PCI PIN as the core operational standards in the industry.

See also: CDE, PAN, Tokenization

EMV (Europay · Mastercard · Visa)

The chip-card standard developed by Europay, Mastercard and Visa, now maintained by EMVCo. EMV defines how a chip card and a terminal authenticate each other and generate a transaction-specific cryptogram that the issuer can verify — closing off the static-magnetic-stripe cloning attack. The same governance body now publishes the EMV 3-D Secure specification for online transactions.

See also: 3-D Secure, Card scheme

CNP (Card-not-present)

Any transaction in which the physical card is not presented to a terminal — e-commerce, in-app, recurring billing, MOTO (mail order / telephone order). Without the chip cryptogram available, CNP transactions rely on different fraud controls: 3-D Secure for cardholder authentication, AVS/CVV checks, network tokens, device fingerprinting and merchant-side risk rules. CNP fraud rates have historically been an order of magnitude higher than card-present.

See also: 3-D Secure, Tokenization

MCC (Merchant Category Code)

A four-digit code assigned to a merchant by its acquirer that describes the kind of business it operates (e.g. 5411 grocery, 5812 restaurant, 4112 passenger rail). MCC drives interchange tiers, cardholder rewards eligibility, regulatory reporting and a long list of scheme-specific rules — assigning the wrong MCC at onboarding is a surprisingly common cause of unexpected merchant economics later.

See also: Interchange, Acquirer

Missing a term?

This glossary is curated, not exhaustive. If you're stuck on a payments term that isn't here, email sales@coshine.com — we'll either explain it or add an entry.
