Okay Glossary

A quick guide to common terms and abbreviations related to SCA, fintech, and open banking.

#

Payments

3-D Secure 2.x

3-D Secure 2 is the version of the 3-D Secure specification published by EMVCo in 2016. Compared with 1.x it is designed to be less intrusive: the merchant sends far more transaction and device data to the issuer, so most transactions can be approved in a "frictionless" flow without a challenge. When a challenge is needed it can run inside a native mobile app instead of a browser redirect with an SMS code, and it supports biometric authentication. Also known as 3DS 2.x.

Payments

3-D Secure 1.x

3-D Secure is a protocol that adds an additional authentication layer to online (card-not-present) credit and debit card transactions. The "3D" refers to the three domains involved: the merchant/acquirer domain, the issuer domain and the interoperability domain (the card scheme) that connects them. In 1.x the cardholder is redirected to a page hosted by the issuer, typically to enter a password or an SMS code. Also known as 3DS 1.x.

Security

2FA

Two-factor authentication, where two factors of different categories are used to authenticate a user. As an example: username + password (knowledge) combined with a fingerprint (inherence). Two passwords, or a password plus a security question, are still a single factor (knowledge), which is why PSD2 requires the factors to come from different categories.

A

Payments

ACS

With 3-D Secure the issuing bank deploys an Access Control Server (ACS) that manages the authentication step. Based on the data received from the merchant, the ACS decides whether to approve a transaction frictionlessly or to challenge the cardholder, triggering Strong Customer Authentication when it is needed.

Payments

ACS provider

In 3-D Secure the Access Control Server sits on the issuer side and makes sure the cardholder is authenticated. Issuers often buy this as a service from an ACS provider rather than running it themselves. The authentication can use different factors, depending on the bank and the version of 3-D Secure.

Payments

AML

Anti-money-laundering usually refers to the regulations, laws and procedures that banks and anyone processing payments have to follow in order to stop criminals from disguising illegally obtained funds as legitimate. In practice this means customer due diligence (see KYC), transaction monitoring and the reporting of suspicious activity, such as large transfers to high-risk jurisdictions or patterns that suggest tax evasion.

Payments

Acquirer

An acquiring bank (acquirer) is a bank or financial institution that processes credit or debit card payments on behalf of a merchant. The acquirer is the merchant's member in the card scheme: it forwards authorization requests to the card-issuing banks in that scheme and settles the approved funds back to the merchant.

Payments

ASPSP

An Account Servicing Payment Service Provider provides and maintains a payment account for a customer, the traditional function of a bank. In a PSD2 context ASPSPs must, once the customer has given consent, make account data and payment initiation available to licensed third-party providers (see TPP) through API endpoints, often defined by the Open Banking or Berlin Group standards.

Payments

AISP

An Account Information Service Provider is a service provider defined under PSD2 that reads account data (balances, transactions) from one or more banks with the customer's consent, for example to give an overview of multiple bank accounts. A money-management app is a typical AISP. An AISP on its own cannot initiate payments (see PISP).

Payments

Authorization

In payments an authorization is the step in which the payer approves a specific transaction, after which the bank or issuer can approve it for execution. Under PSD2 this involves authenticating the customer with SCA, with the authentication code dynamically linked to the amount and the payee (see Dynamic linking), so that what the customer approved cannot be altered afterwards.

Security

Authenticity

In computer security authenticity means that the originator of a message can be verified: the receiver can establish who sent it, typically through a signature or message authentication code computed with a key that only the claimed sender holds.

Technology

API

An Application Programming Interface is the generic term for the way an application or service exposes functionality or data to other applications. This can be over a network, or locally on a device.

B

Payments

Berlin Group

The Berlin Group is a pan-European standardisation initiative (not a company) of around 40 banks, banking associations and payment service providers that defines interoperability standards for payments, including the NextGenPSD2 API framework for account access under PSD2. Its Access-to-the-Account (XS2A) interface lets licensed third parties (AISPs and PISPs) read account data and initiate payments directly from a customer's bank account, without going through a card scheme.

Security

Behavioural biometrics

A type of authentication based on how you act rather than what you are: how you walk, your typing rhythm, how you hold or swipe a phone, or how your location changes over time. Behavioural signals are noisier and harder to measure reliably than physical biometrics, so they are mostly used as a continuous, passive risk signal rather than as a single explicit challenge.

Security

Biometrics

A type of authentication based on physical characteristics of yourself, such as your fingerprint, face, iris or the veins in your hand. Under PSD2 this is the inherence factor. On modern phones the biometric template is matched inside the device's secure hardware, and the app only learns whether the match succeeded.

C

Payments

Card Scheme

Card schemes are the payment networks behind payment cards such as debit or credit cards. Banks and other eligible financial institutions join a scheme in order to issue cards and to acquire card payments, and the scheme sets the rules and runs the interoperability domain between them. Schemes are organised as either three-party or four-party schemes (see those entries).

Payments

Card not present

Card Not Present (CNP) refers to payment transactions, typically online or by phone, where the customer, the merchant and the payment card are not all physically present at the same location, as they are in a brick-and-mortar transaction. CNP transactions carry a higher fraud risk, which is why 3-D Secure and SCA apply to them.

Security

Confidentiality

In computer security confidentiality means that access to information is restricted to those authorised to see it. As an example, transaction details and account balances are covered by confidentiality; encryption in transit and at rest is the usual control.

Technology

Container

A container is an isolation mechanism where applications run in individual containers, each with its own view of the file system, processes and network. An operating system can run many containers, and a container cannot normally see what runs in the others. Unlike a virtual machine, all containers share the host kernel, so a kernel vulnerability or a misconfiguration (a privileged container, or the host's container socket mounted inside) lets an attacker escape. Containers are common on servers; mobile operating systems use a similar idea for work profiles and app sandboxes.

D

Payments

Digital identity

There are two main categories of digital identity. The first is formally verified eID solutions, such as those recognised under the European eIDAS regulation or the Scandinavian BankID schemes; these can be used with government and payment services. The second type has not been verified against a physical identity document. Examples are your identity on services such as Facebook and LinkedIn.

Payments

Dynamic linking

Under the PSD2 RTS an authentication code used to authorize a payment must be dynamically linked to the transaction: it is specific to the amount and the payee the payer was shown and agreed to, and any change to either must invalidate it. This is one reason that a generic offline dongle (a token that produces codes without knowing the amount and payee) is problematic for payment authorization: its code is just as valid for a transaction that malware has altered.

Security

DNS spoofing

One of the many types of attack against the Domain Name System, which can be considered the phone book of the internet. With DNS spoofing the attacker answers a DNS query with the address of a server they control, so your browser (or app) connects to the attacker's site, which then tries to trick you into revealing your credentials. TLS certificate validation, HSTS and certificate pinning in the app limit the damage, because the attacker's server cannot present a valid certificate for the real domain.

Security

DDoS

Distributed Denial of Service: an attack that overwhelms your systems with traffic from many sources. It can be used to extort money, or to distract while another attack is taking place. Websites and APIs are the most common targets, but services such as helpdesk phone lines can also be overwhelmed with incoming calls.

Security

Device fingerprinting

Device fingerprinting is a process that collects a set of characteristics of a device (hardware model, OS version, screen size, installed fonts and so on) during enrolment, so that they can be compared again during a payment transaction. 3-D Secure 2 collects such device data for its risk assessment, and under PSD2 it is one input to transaction risk analysis and to checking that a possession element (an enrolled device) is still the same device. A fingerprint is probabilistic and can be recorded and replayed by malware on the device, so it should be combined with a device-bound key in secure storage rather than used as the only evidence of possession.

Security

Device linking

Device linking is part of the enrolment process, where the device is bound to the user, typically by generating a key on the device that only that device holds (see Trust anchor). Device linking and device fingerprinting together make it harder for an attacker to copy the payment environment to their own device.

E

Payments

eIDAS

eIDAS (electronic IDentification, Authentication and trust Services, Regulation (EU) No 910/2014) is the EU regulation for electronic identification and trust services (electronic signatures, seals and timestamps) in the European Single Market. It was adopted in July 2014, and most of its provisions have applied since 1 July 2016.

Payments

EBA

The EBA is the European Banking Authority, an EU authority tasked with ensuring consistent regulation and supervision across the EU banking sector. For PSD2 it drafted the Regulatory Technical Standards on SCA and secure communication (see RTS) and issues guidelines and opinions on how they apply.

Payments

Enrolment

Enrolment is the process of adding a customer's device to a service. For payment applications enrolment typically consists of authenticating the customer (see Onboarding and KYC), creating a trust anchor on the device and establishing secure storage for it.

Payments

eID

Over the last 30 years there have been many attempts at establishing electronic ID solutions, such as BankID in the Nordics. An eID can replace physical identification online, making KYC much simpler and cheaper. A challenge with eID solutions is that they only become useful once a sufficiently large share of the population can be identified with them.

F

Payments

Four party scheme

In payments a four-party scheme involves (1) an issuing institution that has issued a card to a (2) cardholder, and a (3) merchant that receives the payment through an (4) acquiring institution; the scheme itself sits between issuer and acquirer. This is also known as an open scheme, as any licensed bank can join as issuer or acquirer. Visa and Mastercard are examples.

Security

Floating window

Also known as an overlay attack. Malware draws a floating window that obscures part or all of the user interface of an app or a web page, for example a fake login prompt over the real one, or a harmless-looking dialog over a transaction confirmation. The purpose is typically to capture credentials or to trick the user into authenticating a fraudulent transaction. On Android overlays rely on the "draw over other apps" permission; an app can ask the system to drop touches that arrive while its window is obscured (filterTouchesWhenObscured) as a mitigation.

G

Payments

Gateway

A payment gateway is a payment processing service for merchants that authorizes credit card or direct payments. Customers are e-businesses, online retailers, as well as brick and mortar stores. The payment gateway may be provided by a bank to its customers, but can be provided by a specialised financial service provider as a separate service, such as a payment service provider.

H

Security

Honeypots

A honeypot is a decoy that looks like a tempting target to an attacker but is never touched by legitimate users or code: a fake API endpoint, an unused account, a planted credential. Because nothing legitimate triggers it, any access is a high-confidence signal that someone is probing or has broken into your app or infrastructure.

I

Payments

Issuer

An issuing bank (issuer) is a key player in most online payments today. It provides credit and debit cards to its customers under the rules of card networks like Visa and Mastercard, holds the cardholder's account, and approves or declines each authorization request.

Payments

Inherence

Under PSD2 inherence is one of the three factor categories (knowledge, possession, inherence) that can strongly authenticate a user. Inherence is something that the user is, such as a fingerprint or face provided through biometrics.

Security

Integrity

In computer security integrity means that the data has not been tampered with. With payments an example of tampering would be to change the recipient of a payment.

Technology

IoT

IoT is the Internet of Things, which consists of single-purpose devices. This can be anything from tollbooth tokens to webcams. This type of device can in some cases initiate transactions.

Network

ICMP

Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing. Documented in RFC 792.

J

Technology

Jailbreak

Jailbreak is the iOS equivalent of root access on Android. Software on iOS runs in a sandbox; by breaking out of that "jail" a user or application can access the private storage of other applications and even the memory of the operating system and of other applications. Examples of how this can be misused are reading encryption keys from memory or injecting touch events into another app. Jailbreak detection in a payment app is useful, but it can be bypassed by tools that hide the jailbreak, so treat it as one risk signal rather than a hard guarantee.

K

Payments

Knowledge

Under PSD2 knowledge is one of the factors that can strongly authenticate a user. It is something only the user knows, such as a password or PIN.

Payments

KYC

Know-your-customer is the process of securely identifying a customer, so that the customer can be onboarded to a service. This is a service which is often outsourced to a third-party. eID services, if available for the customer, can make this much simpler, and potentially much cheaper.

Network

Keepalive Interval

Period of time between each keepalive message sent by a network device.

L

Network

Latency

In data transmission, the delay in transmission time that occurs while information remains in a device’s buffered memory (such as a bridge or router) before it can be sent along its path.

M

Security

MFA

Multi-factor authentication is where two or more authentication factors are used. In general using more factors makes the authentication stronger, but only if the thing being approved is bound to the authentication: the user must see, and the authentication code must cover, the transaction details. If the transaction details are decoupled from the authentication, an attacker who controls the channel can swap them after the user has authenticated, and may not need to compromise any of the factors at all.

Security

Malware

Malware is a generic term for software created by criminals to attack end-users and their devices. It comes in many forms, but in payments the goal is typically to steal credentials, capture data such as the text messages used for OTP codes, or modify or overlay the banking app (see Floating window) so that the user approves a transaction the attacker created.

Security

Man in the middle

This is a class of attacks where an attacker positioned between two parties can listen in on data traffic or modify the data sent. Typical examples are attacks on intermediate network hardware (rerouting traffic through the attacker), and an attacker impersonating a real service to the client while passing possibly modified data on to the real service. Properly validated TLS prevents this on the network path, which is why attackers increasingly target the endpoints instead (see Man in the device).

Security

Man in the device

This is a class of attacks where the device used by the end-user is compromised, so the attacker sees and can alter what the user sees and enters, even over a properly encrypted connection. Typical examples of man-in-the-device attacks are malware and trojans that infect both mobile operating systems and desktop computers.

Technology

Mobile Operating System

A mobile operating system is a multipurpose operating system for mobile devices. In addition to allowing installation of software, it also handles fundamental phone functionalities. Android and iOS are examples here.

Network

Mac address

Standardized data link layer address assigned to every port or device that connects to a LAN. Switches and other devices on the network use these addresses to locate specific ports and to build and update their forwarding tables. MAC addresses are 6 bytes long, with the vendor prefix assigned by the IEEE. Also known as a hardware address, a MAC-layer address, or a physical address. Because it is a label rather than a secret, a MAC address can be changed in software and should not be used as the only identifier of a device.

N

Network

Node

A networked computing device that takes a protocol address and can initiate and respond to communication from other networked devices that employ similar protocols.

O

Payments

Open Banking

Much of the Open Banking initiative originates in the UK, where the Competition & Markets Authority (CMA) required the largest banks to set up the Open Banking Implementation Entity (OBIE) to define the interfaces and APIs used to exchange data under PSD2 and the RTS. In mainland Europe the Berlin Group has a similar position, except in France, which uses its own STET standard.

Payments

Onboarding

Customer onboarding is the process of adding a customer to a service. This typically involves the user identifying themselves through some secure method, and might involve enrolment on a device. A part of the onboarding is typically a Know-Your-Customer KYC process.

Payments

Out of band

In payments an out-of-band authentication is a type of two-factor authentication where the second factor is delivered or confirmed through a separate communication channel, for example a push notification to the banking app or a phone call, instead of the channel in which the payment was initiated. This is problematic in a single-device situation, where both channels end up on the same, possibly compromised, device (see Single device).

Security

Obfuscation

Obfuscation is a technique used to make it harder for an attacker to reverse engineer the inner mechanisms of an app, by renaming identifiers, restructuring control flow and encrypting strings and resources. It can be static, applied once at build time so that every install is identical, or dynamic (polymorphic), where each build, install or even run is different, so that knowledge gained from one copy does not transfer to another. It raises the cost of analysis but does not stop a determined attacker.

Security

OTP

A one-time password or PIN is a code that is valid for a single use and has been used to authenticate people for a long time. Traditionally OTPs were generated by a personal dongle or printed on a paper list (see TAN); such codes depend only on a secret and a counter or the time, not on the transaction, which conflicts with the PSD2 requirement for dynamic linking. Sending OTP codes by text message is also questionable, because SMS can be read by malware on the phone or redirected with a SIM swap attack.

Technology

OS

An operating system (OS) is the layer between the hardware and the applications, which manages system resources and shared resources. The challenge with mobile operating systems in particular is that they’re not always kept up to date.

P

Payments

PISP

A Payment Initiation Service Provider is a licensed third party (see TPP) that, with the customer's permission, connects to the customer's bank account and initiates payments on their behalf directly from that account, without going through a card.

Payments

Possession

Under PSD2 possession is one of the factors that can strongly authenticate a user: something only the user has. An example is the user's phone, where possession is evidenced by a key that was bound to that device during enrolment (see Device linking), with device fingerprinting used to check that it is still the same device.

Payments

PCI

The Payment Card Industry Security Standards Council (PCI SSC) was founded in 2006 by the major card brands (American Express, Discover, JCB, Mastercard and Visa) to maintain the PCI DSS and related standards for building and maintaining secure networks and systems, protecting cardholder data and implementing strong access control measures. Any merchant or service provider that stores, processes or transmits card data must comply.

Payments

PSP

A Payment Service Provider is a broad term, but used as a generic term it is a service that connects merchants with a banking network, similar to a payment gateway. A PSP allows a merchant to receive online payments such as by credit card, debit card, or bank transfers.

Payments

PSD2

The Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) updates the original Payment Services Directive (PSD) adopted in 2007. The PSD created a single market for payments in the EU and the legal foundation for the Single Euro Payments Area (SEPA). PSD2, which has applied since January 2018, aims to improve security and fraud prevention (through SCA) and to encourage innovation and competition by giving licensed third parties access to bank accounts (see XS2A), as part of a Single Digital Market.

Security

Password Attacks

Password attacks try to log in using common passwords (password spraying: a few likely passwords against many accounts) or email address and password pairs from earlier breaches (credential stuffing: many leaked pairs replayed at scale, usually one attempt per account). If you reuse a combination of email address and password (or a variation of the password) across services, there is a big chance you will become a victim of this type of attack. Rate limiting, checks against breached-password lists and a second factor are the standard defences.
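
Telling the two attack shapes apart in authentication logs, as an added example that is not from the Okay page. The log format, the thresholds and the log lines are constructed for the illustration (the IP addresses are from the documentation ranges); real logs will need their own parser.

```python
"""Added example (not Okay's code): classify source IPs in a constructed
authentication log as credential stuffing or brute force, and list accounts
where a replayed leaked password actually worked."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> login <ok|fail> user=<id> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.7 replays leaked pairs (one try per account,
# one of them succeeds), 198.51.100.9 hammers a single account, and
# 192.0.2.5 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login fail user=ann@example.com ip=203.0.113.7
2024-03-01T10:00:02Z login fail user=ben@example.com ip=203.0.113.7
2024-03-01T10:00:02Z login fail user=cara@example.com ip=203.0.113.7
2024-03-01T10:00:03Z login ok user=dan@example.com ip=203.0.113.7
2024-03-01T10:00:03Z login fail user=eve@example.com ip=203.0.113.7
2024-03-01T10:00:04Z login fail user=fay@example.com ip=203.0.113.7
2024-03-01T10:00:10Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:00:11Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:00:12Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:00:13Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:00:14Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:00:15Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:00:16Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:00:17Z login fail user=alice@example.com ip=198.51.100.9
2024-03-01T10:05:00Z login fail user=bob@example.com ip=192.0.2.5
2024-03-01T10:05:09Z login ok user=bob@example.com ip=192.0.2.5
"""


def parse_log(text: str) -> list:
    """Parse matching lines into dicts; silently skip lines in other formats."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_ips(events, min_accounts: int = 5, min_attempts: int = 6) -> dict:
    """Per source IP: failures against many distinct accounts with at most a
    couple of tries each look like credential stuffing; many failures on one
    account look like brute force. Thresholds are assumed, tune per service."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failures
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]][e["user"]] += 1
    verdict = {}
    for ip, per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= min_accounts and worst <= 2:
            verdict[ip] = "credential_stuffing"
        elif worst >= min_attempts:
            verdict[ip] = "brute_force"
    return verdict


def compromised_accounts(events, verdict: dict) -> list:
    """The alert that matters most: a successful login from an IP already
    classified as attacking means a leaked password worked (account takeover)."""
    return sorted({e["user"] for e in events
                   if e["result"] == "ok" and e["ip"] in verdict})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    v = classify_ips(ev)
    print(v)                           # stuffing from 203.0.113.7, brute force from 198.51.100.9
    print(compromised_accounts(ev, v)) # ['dan@example.com']
```

Counting failures per IP alone would flag the brute-force source but hide the stuffing source, whose per-account failure count is the same as a legitimate user's typo; the distinct-account dimension is what exposes it, and the successful login from that IP is the event to act on first.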

Security

Phishing

Phishing is a contact by email, telephone, or text message by someone posing as a legitimate institution. The goal is often to trick individuals into providing login credentials, credit card details, and passwords through a fake website, but it can also be in an attempt to trick the user into installing malware. This is a type of social engineering.

R

Payments

RTS

The RTS is the Regulatory Technical Standard on strong customer authentication and secure communication under PSD2. The EBA submitted its final draft in February 2017, and the Commission adopted it as Delegated Regulation (EU) 2018/389. It details the requirements on SCA, dynamic linking, the exemptions from SCA (see TRA) and the security of communication between ASPSPs and TPPs. The RTS applied from 14 September 2019, but national authorities granted extra time for enforcing SCA on e-commerce card payments, with several different deadlines across the EEA.

Security

Robot or RAT

A RAT is a Remote Access Trojan, malware that lets an attacker remotely control a smartphone or PC. A RAT can record keyboard input and screen contents, and can inject touch input or keypresses as if they came from the user, which lets it operate the banking app from the victim's own, already trusted, device.

Security

Ransomware

This is a form of malware which encrypts files, then tries to extort the victim into paying for a decryption key.

Security

Reverse engineering

In computer security reverse engineering is the process through which protocols and executable code are deconstructed and disassembled, potentially revealing sensitive information such as embedded keys or allowing an attacker to modify the application.

Technology

REST

Representational state transfer (REST) is a software architectural style for expressing web services. REST is one way to express an API.

Technology

Root access

On Android root access means that a user or malware has the same level of access as the operating system. This means that all files, including protected files, and all memory, including that of other applications, can be read and modified. Root access for malware and root access for users are often confused. On iOS the term jailbreak is used.

S

Payments

Single device

In payment security a "single device" scenario is one where a payment is initiated, the customer authenticated and the transaction authorized all on the same device, typically a smartphone. This puts higher demands on the security of that device: if it is compromised, both authentication factors and the transaction details may be under the attacker's control, so payments can be modified or initiated without the account holder's knowledge. The PSD2 RTS therefore requires the authentication elements on a multi-purpose device to be kept independent of each other (see Secure Execution Environment).

Payments

SEPA

The Single Euro Payments Area (SEPA) harmonises euro credit transfers and direct debits across the EU/EEA (plus a few other countries), so that a cross-border euro payment works like a domestic one. Its groundwork was the 2001 EU regulation on cross-border payments in euro; the SEPA schemes went live from 2008 and became mandatory with the SEPA Regulation of 2012. SEPA payments identify accounts with the IBAN (International Bank Account Number).

Payments

SCA

Strong Customer Authentication: authentication using two or more independent factors from the categories knowledge, possession and inherence. Under PSD2 SCA is required when the customer accesses their account online and when they initiate an electronic payment, unless an exemption applies (see TRA). It is the responsibility of the bank administering the account (the ASPSP), which can delegate the actual authentication to a third party, such as a TPP or an authentication provider.

Security

Secure Execution Environment

When a customer authenticates a transaction on a multi-purpose device such as a phone, the PSD2 RTS requires the authentication elements to be protected so that a compromise of one does not compromise the others, for example by running the sensitive parts in a separated secure execution environment. Okay is an example of a secure execution environment provider.

Security

Social engineering

In Security, social engineering is the manipulation of people into performing actions or divulging confidential information. An example would be a phishing email, or someone calling you claiming to be from your bank.

Security

Smishing

This is the SMS variant of phishing: a text message, often spoofing the sender name of a bank or delivery company, containing a link to a fake site or a number to call.

Security

Secure storage

Secure storage is required to protect trust anchors (keys) and sensitive information about the customer on the device. All current mobile operating systems have mechanisms for this, such as the Android Keystore and the iOS Keychain backed by the Secure Enclave, which can keep a private key in hardware so that it cannot be exported. Malware with root access can still bypass the operating system's access controls and use the key from the device, even if it cannot extract it.

Security

Sandbox

In security, a sandbox is the isolation the operating system places around an application, so that the application has limited access to the OS and to other applications' data. Confusingly the term is also used for a test instance of a server environment, configured so that a potential customer can experiment with an API provided by a service provider without touching production data.

Technology

Screen scraping

Screen scraping is a method where the end-user shares their banking credentials with a third party (for example a PSP), so that the third party can log into the online bank on their behalf to read data or transfer funds. Because the third party holds the full credentials, it can do anything the user can, and the bank cannot distinguish it from the user. The PSD2 alternative is Access to Account (XS2A), typically as defined by the Berlin Group or Open Banking, where the bank authenticates the user itself and the third party only receives a scoped token.

Technology

SDK

A Software Development Kit is a collection of software used to create software, or to help implement some particular function. An example of an SDK is the Okay SDK, which can be used with common mobile software development platforms to securely implement authentication and transaction verification.

Fraud

SIM swap attack

In a SIM swap attack an attacker obtains a new SIM card for the target's phone number, usually by social-engineering the mobile operator. They then either call the bank's customer service while impersonating the target, or receive the text messages meant for the target, including OTP codes. SIM swap attacks have been used in many high-profile attacks, and they are a main reason SMS is a weak possession factor.

T

Payments

TRA

With Transaction Risk Analysis (TRA) a PSP examines the attributes of a transaction (amount, payee, device, location, spending pattern) in order to prevent, detect and block possible fraudulent behaviour. Under the PSD2 RTS, TRA can exempt a remote transaction from SCA if the amount is below a threshold and the PSP's fraud rate for such transactions stays below the reference rate the RTS sets for that threshold; a PSP that exceeds the reference rate loses the exemption.
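
How the fraud-rate condition on the TRA exemption works out in practice, as an added example that is not from the Okay page. The exemption threshold values and reference fraud rates are those in the Annex to the RTS (Delegated Regulation (EU) 2018/389); verify them against the current text before relying on them. The transaction data and the quarterly rate history are constructed, and the two-quarter suspension rule is simplified.

```python
"""Added example (not Okay's code): compute a PSP's reference fraud rate and
decide whether the TRA exemption may be used for a remote payment.
Thresholds from the RTS Annex; sample data constructed."""
from decimal import Decimal

# Exemption threshold value (ETV) bands in EUR, each with the maximum reference
# fraud rate (in %) a PSP may have to exempt remote card payments up to that amount.
TRA_BANDS = [
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
]

# Constructed quarter of remote transactions: (amount in EUR, flagged as
# unauthorised or fraudulent). Total 10 000 EUR, of which 5 EUR is fraud.
SAMPLE_QUARTER = [
    ("2500.00", False), ("2500.00", False), ("2495.00", False),
    ("2500.00", False), ("5.00", True),
]


def fraud_rate_percent(transactions) -> Decimal:
    """Fraud rate as the RTS defines it: total value of unauthorised or
    fraudulent remote transactions divided by the total value of all remote
    transactions in the quarter, as a percentage. Value-based, not count-based."""
    total = sum(Decimal(amount) for amount, _ in transactions)
    fraud = sum(Decimal(amount) for amount, is_fraud in transactions if is_fraud)
    return Decimal("0") if total == 0 else fraud / total * 100


def max_exempt_amount(rate_percent):
    """Highest ETV whose reference rate the PSP's fraud rate does not exceed,
    or None if even the 0.13 % band for amounts up to 100 EUR is exceeded."""
    rate = Decimal(str(rate_percent))
    allowed = [etv for etv, max_rate in TRA_BANDS if rate <= max_rate]
    return max(allowed) if allowed else None


def tra_exemption_applies(amount, rate_percent) -> bool:
    """May this remote payment skip SCA under the TRA exemption? Other
    conditions of the RTS (no anomaly flags, known device and location, and
    so on) still have to be checked separately."""
    etv = max_exempt_amount(rate_percent)
    return etv is not None and Decimal(str(amount)) <= etv


def exemption_suspended(quarterly_rates, etv) -> bool:
    """A PSP whose monitored fraud rate exceeded the reference rate for its
    chosen ETV in two consecutive quarters must stop using the exemption until
    the rate is back at or below the reference for a quarter. Simplified here
    to: the last two reported quarters both exceeded it."""
    reference = dict(TRA_BANDS)[Decimal(str(etv))]
    last_two = [Decimal(str(r)) for r in quarterly_rates[-2:]]
    return len(last_two) == 2 and all(r > reference for r in last_two)


if __name__ == "__main__":
    rate = fraud_rate_percent(SAMPLE_QUARTER)            # 0.05 %
    print(rate, max_exempt_amount(rate))                 # exempt up to 250 EUR
    print(tra_exemption_applies("200.00", rate))         # True
    print(tra_exemption_applies("300.00", rate))         # False
    print(exemption_suspended([0.04, 0.08, 0.07], 250))  # True: two quarters over 0.06 %
```

The rate is computed on transaction value, so a handful of large fraudulent transfers can push a PSP over the reference rate even when the fraud count is tiny; this is why TRA programmes watch value-weighted fraud per quarter rather than raw counts.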

Payments

Three party scheme

In payments a three-party scheme consists of three main parties, where the (1) card issuer (having the relationship with the (2) cardholder) and the (3) acquirer (having the relationship with the merchant) are the same entity. This means there is no need for interchange fees between issuer and acquirer. American Express is an example of a three-party scheme.

Payments

TPP

A TPP is a third-party provider: a company licensed under PSD2 that can initiate payments (PISP) or read account information (AISP) from a customer's bank account without itself holding that account. The bank that holds the account is the ASPSP, not a TPP.

Payments

TAN

A transaction authentication number (TAN) is a single-use one-time password (OTP) used by some online banking services to authorize financial transactions. Traditionally TANs came on a paper sheet of one-time codes; later variants send the TAN by SMS (mTAN) or generate it on a device that is shown the transaction details, which is what dynamic linking needs.

Security

Trust anchor

In cryptography a trust anchor is a key whose trustworthiness is assumed rather than derived from another key. In a payment app an example is a key created on the device during enrolment, which uniquely identifies the customer and device combination and is used to sign later authentications.

V

Payments

Verification

A transaction verification is the part of a payment process where the customer verifies that the transaction details are correct, in other words that the integrity and authenticity of the transaction is maintained.

Technology

Virtualization

Virtualization is an isolation mechanism where multiple operating systems run on virtualized hardware on top of the same physical hardware. Because each guest has its own kernel and only sees virtual hardware, it is harder for applications running in different virtual machines to break out of their virtual machine than it is for containers, which share one kernel.

W

Payments

Web scraping

A technique to automatically extract content and data from websites, also known as web data extraction or web harvesting. In an open banking context the term is often used interchangeably with screen scraping, where a third party logs in with the user's credentials to collect account data.

X

Payments

XS2A

Access-to-bank-account is the generic term for the APIs required by the PSD2, and defined by the Berlin Group or Open Banking, to enable PSPs to do direct payments without going through a Card Scheme.
