Navigate our glossary section in case you're unfamiliar with some of the terms on our website.

Two-Factor Authentication, or 2FA, is a way of confirming the user's identity by checking two out of three security elements. It is a subset of Multi-Factor Authentication and requires exactly two out of three security elements. The mentioned security elements include something the user knows (PINs, passwords), something the user owns (phone, card), or something the user is (fingerprint, face recognition).

3D Secure 1.0, also known as 3DS1, is a protocol launched by VISA in 2001 with the intention of assuring an additional security layer for online payments. VISA users are familiar with it under the name Verified by Visa, but the protocol is also used by other major card schemes, including MasterCard, Amex, JCB, and Diners Club. Authentication is done by using a password or PIN during checkout as an additional step for verifying the cardholder's identity. This protocol was originally designed for browsers and had poor performance on mobile devices.

3D Secure 2.0, also known as 3DS2, is a new version of the protocol motivated by issues revolving around the initial version, 3DS1. By having access to enriched transaction and customer data, 3DS2 enables risk assessment and frictionless (no need for cardholder (CH) authentication) online payments. Moreover, it introduces additional authentication methods, including biometrics, and provides a smooth user experience on mobile devices.

3D Secure protocol is an eCommerce authentication protocol enabling secured processing of online payments, non-payment, and account confirmation card transactions.

3DS Requestor is a 3D Secure component responsible for initiating the 3D Secure Authentication Request within a purchase flow, i.e., 3DS Requestor initiates the AReq message.

3D Secure SDK is software designed to facilitate cardholder authentication within a merchant's app allowing the fully in-app experience. In order to verify the cardholder's identity during an in-app purchase, 3DS SDK initiates challenge flow and displays authentication windows to the CH.

3DS Server is a 3D Secure component present on the Merchant and Acquirer side. Its role is to:
- Handle online transactions and facilitate communication between the 3DS Requestor and the Directory Server
- Validate Directory Server (DS), 3DS SDK, and 3DS Requestor
- Authenticate Directory Server (DS)

3RI transactions, also known as merchant initiated transactions, are introduced in 3D Secure 2. They offer merchants the possibility to generate required authentication data necessary for customer authentication without the end-user being directly involved in the process, for example, in recurring transactions like subscriptions. 3RI transactions enable merchants to reference the previous authentication where the customer was actually involved.


Account Takeover Fraud, or ATO fraud, happens when a fraudster gains access to the victim's login credentials and uses the stolen account for their personal profits. That includes activities such as making online purchases using the stolen account and saved card data (card-on-file), using loyalty points, selling the account or the extracted account data on the dark web.

A typical ATO flow:
- The fraudster uses stolen credentials and accesses the victim's account
- The attacker makes necessary changes regarding account details (e.g., recovery email or phone number) so that the victim is unable to stop the attack
- The fraudster uses the account for making unauthorized online purchases or sells the account details to someone else

Merchant's bank. A bank acquiring funds for merchants from cardholders.

Access Control Server (ACS) is a 3D Secure component that operates in the Issuing domain. The role of ACS is to verify whether authentication is available for the given card number and device type, authenticate cardholders, and confirm account information for 3RI transactions.

AI, or Artificial Intelligence, simulates human intelligence through machines, predominantly computer systems. Common AI use cases include expert systems, speech recognition, natural language processing (NLP), and machine vision.

Artificial Intelligence is based on the input of labeled training data in large amounts and data analysis of the provided data. The extensive data analysis results in detecting patterns and correlations. The discovered patterns are used for making future predictions. A common example of AI would be a website chatbot programmed to recognize text and provide adequate next steps to the user.

Providers that are able to ask for permission to connect to a bank account using an API. They use that bank account information in order to provide a service. Having access to such data implies a "read-only" approach, i.e., they can't move the funds from the account.

An antifraud system is software that detects and prevents fraudulent actions, most commonly fraudulent transactions. The software is based on analyzing every transaction and flagging it in accordance with its legitimacy level. Usually, an antifraud system includes a fraud-prevention system, a fraud-analysis system, and a fraud-detection system.

An API, or Application Programming Interface, is an intermediary that enables the communication between two individual applications.

A message requesting cardholder authentication. It usually contains transaction information such as cardholder name, payment information, and device details.

A message from the ACS indicating successful authentication or demanding further action in order to authenticate the transaction.

A customer's issuing bank that provides and maintains payment accounts. They publish APIs so that the customers are able to share their account data with Third-Party Providers (TPPs) in case they want them to initiate payments on their behalf.

Asymmetric cryptography, also known as asymmetric encryption or PKI (Public Key Infrastructure), is a type of cryptography that uses a mathematically connected keypair – a public key and a private key – to encrypt and decrypt the contents of the message in transfer.

Attack surface, in terms of cyber security, is the total number of entry points where a system can be attacked and data can be extracted/tampered with. A smaller attack surface would be easier to protect.

An attack vector, in terms of cyber security, is a pathway for achieving unauthorized access to a network in order to conduct a cyber attack. Attack vectors enable cybercriminals to take advantage of existing vulnerabilities within the system and gain unauthorized access to sensitive information, PII (Personally Identifiable Information), and other sensitive data available upon a data breach.

Authentication is the process of proving that an identity is valid, i.e., that the user is really who they claim to be. The most common ways of validating someone's identity nowadays include: OTP by SMS/email, biometrics (face recognition or fingerprint), and push notification.

An authentication factor is a security credential used for verifying the identity of the user gaining access or exchanging information with a particular system or a service. Today there are five main authentication factors (the first three are recognized as the official authentication factors by regulation bodies):
- Knowledge (password)
- Possession (HW token)
- Inherence (fingerprint/face recognition)
- Location (IP address)
- Behavior (typing speed/pattern)

An authentication server is used for facilitating the authentication of an entity attempting to access a service or a network. An authentication server verifies whether the provided credentials match with the ones stored in the credential database.

Authorization is the process of enabling a user or a service to access particular resources. The simplest explanation of the term authorization would be "to give permission".


A backup refers to making copies of original (digitally stored) documents in order to prevent loss in case the original gets altered or deleted. Other use cases for a backup include preserving historical data in order to meet the data retention policies or to compare them with current data.

Behavioral authentication is the process of authenticating the user based on their unique patterns of interaction with the device used for authentication. Examples of behavioral authentication factors are keyboard pressure, typing speed, and the angle at which a user holds the device (smartphone, tablet).

Biometric Authentication is a way of verifying someone's identity by using unique biological characteristics. It is based on comparing biometric data captured, e.g., for the sake of authenticating a transaction, with biometric data stored in the database. Types of biometric authentication include face recognition, fingerprint scanning, and voice recognition.

A bot, which is short for robot, refers to a specific type of software application able to perform scripted, automated tasks upon command.

A brute-force attack, due to the simplicity of its execution, is one of the most popular hacking methods out there. A brute-force attack involves guessing a series of usernames and passwords until the targeted account is finally cracked. A more sophisticated form of a brute-force attack would involve an automated script that runs the combinations of user credentials on its own. A popular way of obtaining rich lists of user credentials and commonly used passwords is through the dark web.

BYOD, short for Bring Your Own Device, is a policy enforced by companies and enterprises that enables employees to use their own devices (smartphones, laptops, tablets) for work purposes.


A card scheme is a payment network providing the infrastructure for card issuing and card payment processing, for example, Visa and MC. To make the payment possible, both Issuing and Acquiring banks need to be members of the same network as the card being used to process a payment.

Card-not-present fraud is a type of payment card fraud where the merchant is not able to physically examine the card being used because it is used for making an online or mobile purchase. It is a broad term that includes all payment card fraud where the physical credit/debit card is not showcased.

A Card-On-File transaction is a transaction where a cardholder allows the merchant to save their payment card details to avoid manual input in the future.

Cart Abandonment Rate is a common KPI used for measuring the performance of a web store. It indicates how many customers added an item to their online shopping cart but never finalized the purchase. In other words, it showcases the rate of customers who showed interest in a particular product/service by adding it to the cart but left without making the purchase, compared to the total number of completed transactions.

The formula for calculating Cart Abandonment Rate is as follows:
( 1 - transactions completed / transactions initiated ) * 100

Chargebacks are a way of customer protection that guarantees a return of funds in particular cases. Common reasons for incoming chargeback disputes include fraudulent transactions, item not received, processing issues, etc. If the cardholder has any reason to believe that their payment card was/is used in a fraudulent manner, e.g., an unfamiliar transaction on their billing statement appears, they are able to file a dispute and initiate the chargeback process.

Clickjacking refers to the malicious practice of concealing hyperlinks beneath seemingly clickable content in order to lure the user into unknowingly performing actions such as triggering the installation of malware.

CNP Fraud, short for Card-Not-Present Fraud, refers to all types of credit card fraud where a credit card is not physically present. CNP Fraud typically occurs in online transactions and MOTO (Mail Order/Telephone Order) transactions. CNP fraud is generally harder to prevent, taking into consideration the fact that the merchant cannot examine the physical credit card used for a purchase.

Code injection refers to all attack types that include injecting malicious code executed by the targeted application. The attacker uses a vulnerable end-point of an application to inject malicious code that changes the execution course of the application in question.

Code obfuscation is the process of altering the initial code in a way that can't be interpreted by a hacker while the code remains fully functional. For a layered approach and enhanced security, use several different code obfuscation techniques on top of each other. Code obfuscation is an effective method for preventing reverse engineering attacks that aim to disassemble the software in order to understand its logic and finally copy the entire application. Some popular code obfuscation techniques are rename obfuscation, packing, dummy code insertion, and metadata and unused code removal.

Credential stuffing is an automated cyberattack that uses stolen credentials and injects them into website/service forms in order to gain unauthorized access to the accounts.

Challenge request signals that cardholder interaction is necessary for successful authentication. In an app-based scenario, CReq is sent by the mobile SDK, and in a browser scenario, it is sent by 3DS Server.

Challenge response signals the result of cardholder authentication (sent by the ACS), successful or unsuccessful.

A cryptographic key is a string of characters resulting from an encryption algorithm. Just like a standard key, a cryptography key has the ability to lock (encrypt) and unlock (decrypt) data, so only the entity owning the "right" key can gain access to the encrypted message.

Cryptography studies secure communication methods that assure that only the sender and the intended recipient of a message can access its contents.

Cybersecurity is a proactive measure that includes the protection of networks, programs and systems from attacks. Cyberattacks aim to change, access or destroy sensitive information, extort money from unsuspecting users, or interrupt businesses' daily operations.


DDoS Attack, or Distributed Denial of Service Attack, aims to overwhelm the network with increased internet traffic in order to prevent legitimate users from accessing a particular service. The motivation behind a DDoS attack varies from financial gain, disrupting the competition and hacktivism to simply making a statement.

Decoupled authentication is an authentication method that allows cardholder authentication to be separate from the payment workflow, and without the customer interacting with the online merchant. This method verifies the customer's identity and authenticates the transaction via a separate channel, for example, a push notification. Authentication responsibility shifts to the issuing bank, enabling the execution of cardholder authentication even though the cardholder in question is offline. It allows the cardholder several days to complete the authentication process, and it is ideal when the cardholder is not immediately available for authentication, but authentication is mandatory. Therefore, decoupled authentication is a type of Merchant Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.

Device information is data provided by the device being used in the authentication process.

A dictionary attack is a type of brute-force attack using words from a dictionary to access a password-protected network or a service. A dictionary attack is also used to discover keys for encrypting a document or a message. Although trivial, dictionary attacks have proven to be successful in the past in breaching company networks since many businesses insisted on using ordinary words as passwords. It is highly unlikely that a dictionary attack would be a successful method of breaching a system in today's cybersecurity environment.

A digital certificate is a password or a file proving the authenticity of a user, server, or device through the use of PKI technology and cryptography. Digital certificates help assure that only trusted users and devices are accessing the company's network. Other use cases for digital certificates include confirming the authenticity of a website (SSL certificates).

Information contained on a digital certificate includes the user's name, company, department, and the device's IP address/serial number. The certificates contain a public key obtained from the certificate holder and a corresponding private key to verify its authenticity. The body in charge of inspecting and verifying the identity of the certificate holder (device/user) is the Certificate Authority (CA).

Directory Server is a 3D Secure component managed by card networks/schemes operating in the Interoperability domain. Roles of the directory server include:
- validating 3DS Server, SDK, and 3DS Requestor
- authenticating 3DS Server and ACS
- routing messages between 3DS Server and ACS
- defining specific program rules (logos, time-out values, etc.)
- onboarding 3DS Server and ACS
- maintaining ACS and DS Start and End Protocol Versions and 3DS Method URLs

Dynamic linking demands that each transaction is assigned a unique authentication code and is specific to the transaction amount and recipient. The end goal of dynamic linking is to prevent social engineering attacks such as "man-in-the-middle" attack, where the fraudster attempts to interrupt the connection established between the payer and the payee, alters transaction details, and finally authorizes a fraudulent transaction. When applying dynamic linking, "man-in-the-middle" attacks would prove to be unsuccessful because the authentication code would automatically fail if any of the transaction details are altered.


End-to-end encryption (E2EE) provides secure communication by preventing the third party from accessing the data in transfer. By implementing end-to-end encryption, the data in transfer is encrypted on the sender's side and the recipient is the only one who can decrypt the message. The data in transfer cannot be accessed by any ISP (Internet service provider), ASP (application service provider), hacker, or any other third party.

EMVCo is a global standard for credit and debit payments established by Europay, MasterCard, and VISA. It facilitates worldwide interoperability and acceptance of secure payments, as well as managing the specification of 3D Secure 2.

Encryption is a method of making the data unreadable for parties without authorized access to read the encrypted message. The plaintext – a message readable for everyone, is converted to ciphertext – incomprehensible text made up of seemingly random characters. Encryption takes simple, readable data and converts it to a seemingly random set of characters in order to make it unreadable to the unauthorized party.


False declines are legitimate transaction attempts that are declined because of suspected fraud. They are also called "false positives", fully valid transactions classified as invalid, and rejected by the ACS.

A false positive, in terms of cyber security, is an alert incorrectly informing the body in charge about malicious activity.

Frictionless flow enables Issuing banks to authenticate an online transaction without interacting with the cardholder. This is possible because of Risk-Based Authentication performed in the ACS. If ACS (Issuer) deems that transaction risk is lower than the set threshold, the cardholder is not required to apply any additional authentication.

Friendly fraud differs from conventional card-not-present fraud because the fraudster is the actual owner of the payment card being used to commit a fraudulent purchase. The initial intent of the fraudster in question is to receive and retain goods and services while asking for chargeback under the claim that they are not the ones who made the purchase or that the goods were never delivered.


A hacker is an individual that uses their technical skills to gain unauthorized access to computers/services/networks.

Hooking covers a wide range of code modification methods aimed at altering the behavior of the mobile application in question. This is done by intercepting function calls, messages, or events passed between the software components. The code used for function interception is called a hook. It applies to changing the behavior of operating systems and software components.  

HTTP, short for Hypertext Transfer Protocol, is a protocol used for transferring files, including text, sound, video, images, etc., over the web. HTTP enables communication between the web browser and the web server.

HTTPS, short for Hypertext Transfer Protocol Secure, is the secure version of HTTP – the primary protocol used for communication between web browsers and web servers. HTTPS provides more security since it is encrypted in order to keep the data in transfer secure. HTTPS is especially important in cases where a user submits sensitive data such as credit card information on a website.


The Issuing bank, or the Issuer, is the financial institution that issues cards to cardholders to make payments with.


Jailbreaking (specific for iOS devices) means unlocking your phone from manufacturing restrictions made by the manufacturer, allowing the user to have root access to the device. The user can download any mobile application they wish or customize the phone’s appearance. On the downside, a jailbroken phone is more vulnerable and susceptible to hacker attacks and data leakage. 

JavaScript is a programming language that enables the implementation of complex features on web pages. JavaScript enables dynamic content updates, multimedia control, image animation, etc.


The Know Your Customer/Client (KYC) principle, present in the financial services guidelines, demands that the institution makes necessary checks in order to verify the identity, suitability, and risks involved with maintaining a business relationship with its customer/client.


Liability shift is a scenario in which chargeback responsibility shifts from the merchant to the issuing bank when a credit card is 3D secured. When a 3D Secure transaction proves to be a fraudulent one, the Issuing bank is the one that needs to return those funds to the damaged cardholder.


Machine Learning (ML) is a type of Artificial Intelligence (AI) and computer science that uses data and algorithms with the goal of imitating the human learning process that results in improved, more accurate predictions.

Malware is software specifically designed to gain unauthorized access, damage, or disrupt a system or a network.

Man-in-the-Browser (MitB) is a type of Man-in-the-Middle attack where the bad actor inserts themselves into the communication between two trusting parties by compromising the web browser used by one of the parties. The motivation behind a Man-in-the-Browser attack includes data theft, eavesdropping, and session tampering.

A Man-in-the-Middle (MitM) attack is a term used for malicious interception of a conversation between the user and an app (or another user). The process involves impersonating the other party, making it seem like a standard exchange of information. The main motivations behind a Man-in-the-Middle attack are either impersonation or eavesdropping.

The goal of a Man-in-the-Middle attack is to steal sensitive information (e.g., personal, financial, enterprise data). The most common targets of a Man-in-the-Middle attack are financial apps, users, e-commerce websites and other services requiring login credentials. The consequences of a Man-in-the-Middle attack vary from account takeover, identity theft to illicit fund transfers.

The simplest parallel for a Man-in-the-Middle attack would be the scenario in which a mailman opens your personal mail, makes a copy of the contents, and reseals the envelope.

Merchant Whitelisting, or Trusted Beneficiaries, enables cardholders to choose known merchants who they trust in order to skip the additional authentication step. Regardless of the transaction amount or merchant fraud rate, SCA won't be applied.

Multi-Factor Authentication, or MFA, is a way of confirming the user's identity by checking two or more security elements. The mentioned security elements include something the user knows (PINs, passwords), something the user owns (phone, card), or something the user is (fingerprint, face recognition).

Mobile application management (MAM) is software used for remote access to enterprise applications on the end user side. This includes access to both personal and corporate devices (smartphones and tablets).

Mobile application management is used for applying corporate policies and limiting data transfers between applications. Another feature MAM covers is the separation of personal and corporate content stored on the same device. Additional features that Mobile application management software enables are software delivery (mostly by using the enterprise app store), license management, application configuration, as well as inventory and app lifecycle management.

Mobile application security is a general term used for securing mobile apps and the users' digital identities from malicious attacks. Mobile application security aims to safeguard mobile applications from reverse engineering attacks, tampering, malware, debugging, and emulator attacks, as well as some platform-specific mobile threats such as screen recording (iOS).

A solid mobile application security strategy should implement a layered approach and incorporate multiple mobile app security measures such as RASP mechanism and code obfuscation.

To aid them in the debugging process, programmers use debuggers. A debugger is a tool that enables you to view the application code while it is running. You can stop the execution of the program, analyze variable values, execute the program in steps (line after line), set breakpoints on specific lines which stop the execution, and more. This detailed view of the code in its running mode enables you to understand flows and application logic, as well as to detect errors within the code. 

Although mobile debuggers are convenient tools for making sure that the application code is running properly, mobile debuggers can also be used for malicious practices. In case a bad actor uses a debugger on a legitimate application, they can easily assemble a malicious copy of the app by understanding the application logic revealed by the debugger.

Mobile Device Management (MDM) is software that enables IT to control, secure, and automate administrative policies on employees' devices connected to the organization's network. Generally, the goal of Mobile Device Management software is to optimize device support, enhance enterprise functionality and security while preserving flexibility (e.g., BYOD policies).

Mobile emulators are tools designed for running tests on mobile devices using desktop computers, particularly useful when it comes to testing mobile applications. They allow developers to simulate, imitate, and optimize mobile app software and hardware behavior without the need to use multiple types of devices.  


Non-Payment Authentication enables merchants to submit an authentication request when it is necessary for a non-payment use case. Such use cases can be adding a card to a merchant's website, modifying stored cardholder information, or issuer cardholder verification during token provisioning.


One-Click-Payment is a form of Card-On-File payment. By saving the card details on a particular site, the cardholder is able to skip authentication and process a payment with a single click on the "buy" button.

Out-Of-Band (OOB) Authentication is a form of two-factor authentication (2FA) that implies a secondary communication channel necessary for successful authentication. The use of two separate communication channels significantly reduces the attacker's chances of compromising a particular account. It is widely used in the financial industry for online payment authorization. A typical use case is receiving an SMS OTP or push notification on your mobile phone in order to successfully process an online transaction. Common forms of OOB authentication are authorization codes sent via SMS, use of voice channel, push notification containing an authorization code, etc.

Open Source Software is software released under a license that grants the holder permission to access the code as well as examine, modify, and distribute the code with its original rights.

One Time Password (OTP) is an authentication method involving an automatically generated alphanumeric code that corresponds to only one login session or transaction authorization. Think of it as a "disposable" code that is used for authorizing a single transaction. Generated OTPs are usually sent to the end-user via SMS and are widely used in online banking.


PSD2 terminology implies that the payee is the merchant, an entity selling goods/services online.

PSD2 terminology implies that the "Payee's PSP" is the Acquirer for card payments.

PSD2 terminology implies that the "Payer" is the consumer, a customer buying goods/services online.

PSD2 terminology implies that the "Payer's PSP" is the Issuer for card payments.

Payment gateway is an online payment service necessary for the functioning of an eCommerce webshop. It is a channel used for making and receiving payments. The primary role of a payment gateway is to verify transactions between cardholders and merchants. It is a mechanism that transfers funds between the cardholder's issuing bank and the merchant's acquiring bank.

Penetration testing, also known as pen testing, is a simulation of a cyberattack on a system aiming to uncover existing vulnerabilities. The process of pen testing includes numerous application systems that are prone to containing vulnerabilities such as malicious code injection. The results of a pentest are generally used for fine-tuning security policies and patching the detected flaws within the system.

Phishing is a cybercrime commonly conducted through mediums such as e-mail, telephone, or direct messages. The bad actor is presenting themselves as a trustworthy individual, often a government body or a reputable CEO, and prompts the user to provide them with some type of sensitive information (user credentials, credit card details, sensitive company information, etc.). The content of the message usually mentions urgency. Possible outcomes of a phishing attack include identity theft and illicit withdrawal of funds.

Authorized PISPs are able to move funds on the customer's behalf upon connecting to the bank account. An example of a practical use case is the automatic transfer of funds to a customer's savings account.

PoC, short for Proof of Concept, summarizes evidence proving that a particular business plan or a project is feasible.

PSD2, or the Second Payment Services Directive, is a comprehensive set of rules whose main goal is to achieve simple, efficient, and secure online payments across Europe. The main goals of the directive include offering a broader supply and better pricing for the end-users, creating more competition, ultimately bringing more efficiency, and working on improving consumer trust. The most notable suggestions covered in PSD2 striving to level the payments playing field are expanding the EU payments market, empowering consumers, and restricting interchange fees.

Payment Service Providers, or PSPs, are responsible for enabling merchants to accept payments, both credit and debit, from cardholders. A PSP is an entity that connects merchants, cardholders, card schemes, issuing banks, and acquiring banks.

Users of any of the service providers: TPPs, PISPs, ASPSPs, AISPs.

A push notification is a pop-up message appearing on a user's smartphone, web browser, or desktop prompting the user to take a certain action. In terms of authentication, push notification authentication enables the user to verify their identity through a push notification appearing on their mobile device instead of submitting their password for a particular service. Push notification authentication is a popular method in mobile/internet banking.


Ransomware is a type of malware that, when initiated, encrypts the target's data, making it inaccessible until a certain amount of money is paid to the designer of the attack.

Reverse engineering in cyber security refers to deconstructing the software in order to extract useful information about its design and architecture with the end goal of duplicating or enhancing the software.

Risk-Based Authentication or RBA is a mechanism used for fraud prevention by determining the risk level of a particular transaction. Based on risk assessment, an appropriate authentication method is required from the cardholder; or in case of high-risk detection, the transaction is terminated. This method is proven to work well when it comes to account takeover attacks and mobile payment fraud. RBA is also known as step-up authentication or adaptive authentication.

RASP, short for Runtime Application Self-Protection, is a security component built in the application's runtime environment, enabling protection from the inside. Since Runtime Application Self-Protection is an integral part of the application, it allows monitoring in real-time and detection of any anomaly in the mobile app's runtime behavior. With continuous monitoring of the app's behavior, RASP protects the mobile application from data breaches, various mobile app security threats (e.g., hooking and emulator attacks), and tampering - without any human intervention.


SCA exemptions are particular payment scenarios introduced by PSD2 which do not demand an additional authentication step. This approach enables a frictionless online payment experience for the cardholder and reduces cart abandonment rates, which is a benefit for the merchants. SCA exempted scenarios are the following: low-risk transactions, low-value payments (LVP), merchant whitelisting, corporate payments, recurring payments. However, since the issuing bank is the one that approves whether a transaction will, in fact, be exempted or not, not all mentioned scenarios will automatically be exempted. This means that even if a transaction is qualified as an SCA exemption, the issuing bank might request additional authentication.

Strong Customer Authentication (SCA) is an additional layer of security used for protecting online payments, which means the CH is going to be asked for authentication.

It is based on at least two out of three security elements, namely:
- knowledge (what the cardholder knows, e.g., PIN, password)
- possession (what the cardholder has, e.g., phone, hardware token)
- inherence (what the cardholder is, e.g., facial recognition, fingerprints)

SSO, short for Single Sign-On, is an authentication method that enables users to securely access multiple applications using a single set of credentials.

Single-Factor Authentication is a low-security authentication method commonly using a password as the single factor necessary to access an account or a service.

Social engineering, in terms of information security, is the act of luring users into revealing sensitive information that is later used for fraudulent actions. Phishing attacks are good examples of social engineering.

Source code is a set of instructions written in a programming language that is easily read and understood by humans. Source code contains instructions about how a programmer wants a certain application/website/software to function. Source code is typically written in a text-based program and later translated into a format readable by a computer program. The translation is done by using a compiler. Once source code undergoes such translation, it becomes object code.

Spoofing, in terms of cyber security, refers to imitating any entity involved in information technology (users, computers, networks, companies) in order to conduct fraudulent actions.

Spyware is a type of malicious software designed to gather information about the user by tracking their actions on the device (smartphone, laptop, tablet). The stolen data is later forwarded to a third party without the user's consent and used for fraudulent purposes.

SSL, short for Secure Sockets Layer, is a standard technology that keeps the internet connection secure and protects any sensitive data that is being transferred between two systems. SSL prevents bad actors from gaining access and modifying the information in transit. It protects both server-to-server and server-to-client communication.


The Internet of Things (IoT) describes the network of physical objects—"things"—embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated industrial tools. Examples of IoT devices are smartwatches, smart door locks, smart refrigerators, etc.

TLS, short for Transport Layer Security, is a protocol enabling end-to-end protection of data transferred between two internet applications. It is an evolution of the SSL protocol.

VPN, short for Virtual Private Network, enables a protected network connection while using a public one through encryption. VPN disguises the user's online identity by encrypting their internet traffic.




Zero Trust Policy is a security framework that requires all users, inside or outside the organization's network, to be authorized, authenticated, and continuously validated in order to gain access to company applications and data.

A zero-day vulnerability, also called a zero-day exploit, is a vulnerability in a system or device that has been disclosed but is not yet patched. A zero-day vulnerability is exploited before cybersecurity researchers and developers get the chance to detect it themselves. An attack conducted through a zero-day vulnerability is called a zero-day exploit.
