Payments glossary

3DS / 3DS2 / 3-D Secure: Card scheme protocol that authenticates the cardholder at checkout via the issuing bank, typically by a one-time code or biometric. 3DS2 (also called EMV 3DS) is the current version mandated under SCA in the UK (Payment Services Regulations 2017) and the EU (PSD2). Successful 3DS authentication produces a liability shift on fraud chargebacks.
Acquirer: The licensed bank or institution that holds the merchant account, processes card transactions on behalf of the merchant, and is liable to the Card Schemes for the merchant’s activity. Fluxa operates on top of an FCA-authorised payment partner.
ARN: Acquirer Reference Number. A 23-digit identifier assigned by the acquirer when a payment is sent for clearing. The ARN follows the transaction through the schemes and shows on the cardholder’s statement, so it is the canonical reference cardholders quote when raising a query with their issuer. Fluxa exposes the ARN on every captured payment and in the dispute payload.
AML: Anti-Money Laundering. UK regulatory framework (Money Laundering Regulations 2017) requiring payment processors to verify business identity, screen for sanctions and PEPs, and report suspicious activity to the National Crime Agency.
Authorisation: The first step of a card transaction: the merchant requests permission from the issuer to charge a specific amount to a specific card. A successful authorisation reserves the funds but does not yet move them.
AVS: Address Verification System. A fraud check available on CNP payments where the merchant submits the cardholder’s billing address (or just the numeric parts of the postcode and street) and the issuer returns a match code. AVS does not produce a liability shift; it is a risk signal you can act on alongside 3DS.
BACS: The Bankers’ Automated Clearing System. The UK’s three-working-day clearing scheme, operated by Pay.UK. Used for the majority of merchant settlements, business salary runs and Direct Debit collections. Bank statement credit reference appears as BACS CR on the settlement line; Fluxa attaches the settlement reference to the same line so you can match the batch.
BIN: Bank Identification Number. The first six to eight digits of a card number, identifying the issuer and the card product (consumer, commercial, debit, credit). Used for routing and for applying card-type-specific rules.
Capture: The second step of a card transaction: the merchant confirms the authorised amount and the funds begin moving from issuer to acquirer. In Fluxa, capture is one of the six payment states visible in the dashboard and API.
Card Scheme: The networks that operate card payments and set the rules: Visa, Mastercard, American Express, JCB, Diners. The Schemes set interchange, scheme fees, technical standards, and operational rules that all acquirers and merchants must follow. Fluxa supports Visa and Mastercard for UK launch.
Card-not-present (CNP): A transaction where the cardholder is not physically present and the card is not read by a terminal. Online checkouts, recurring billing, and phone orders are CNP. CNP transactions carry higher fraud risk and stricter scheme rules; 3DS is mandatory for most CNP card payments under SCA. Optional fraud signals include AVS on the cardholder address.
Card-on-file: A card detail set stored after an initial cardholder-authenticated transaction so that subsequent charges can be processed without re-entering details. Each stored card carries a stored-credential indicator and a transaction-type flag (CIT or MIT) the acquirer passes to the scheme. Required for recurring billing, click-to-buy and post-purchase upgrades. Fluxa vaults card-on-file credentials in the payment partner’s PCI Level 1 environment; tokens are returned to the merchant.
Chargeback: A reversal of a card transaction initiated by the cardholder via their issuing bank, typically for fraud, non-delivery, or duplicate billing. Chargebacks carry fees, dispute deadlines, and reporting consequences for merchants. Each chargeback references the original payment by ARN. Merchants can contest via representment.
CIT / MIT: Customer-Initiated Transaction and Merchant-Initiated Transaction. The two stored-credential flags the schemes require on every charge made against a card-on-file. CIT means the cardholder is in session and authenticating the charge (subject to SCA); MIT means the merchant is charging without the cardholder present, under a pre-agreed mandate (subject to TRA or recurring exemption). Mis-flagging is a top reason scheme submissions get re-rated.
CVV / CVC / CVC2: The three- or four-digit code printed on the back of a card (front, for Amex). Used in card-not-present transactions to demonstrate the cardholder has the physical card. Cannot be stored by merchants per PCI DSS.
Decline: A transaction the issuer refuses to authorise. Decline reasons range from insufficient funds and incorrect details to suspected fraud. Each scheme defines a set of standard decline codes; merchants typically see a generic reason for security. Declines are either retryable (see soft decline) or final.
DSAR: Data Subject Access Request. The UK GDPR right of any individual to request copies of personal data a company holds about them, with a one-month response deadline. Fluxa publishes the DSAR process in the privacy notice.
Digital wallet: A device-resident payment surface that wraps a Visa or Mastercard credential in a device-bound token. Apple Pay, Google Pay and Samsung Pay are the dominant UK wallets. Each charge carries a wallet-issued cryptogram in addition to the card-side 3DS data, and benefits from biometric in-device authentication that counts as SCA. Fluxa’s hosted and embedded checkouts surface Apple Pay and Google Pay where the device supports them.
Effective rate: The total cost of card processing as a percentage of total volume, including all fees: headline rate, fixed per-transaction fee, card-type surcharges, FX uplifts, scheme fees, and refund fees. Typically 0.5-1.0 percentage points above the headline rate at incumbent processors.
EMI: Electronic Money Institution. A firm authorised under the UK’s Electronic Money Regulations 2011 to issue e-money and safeguard customer funds. EMIs must safeguard client money in a segregated account or insure it. Fluxa is not an EMI: under our Referrer status, funds settle directly from the payment partner to the merchant’s bank account and Fluxa never holds them.
FCA: Financial Conduct Authority. The UK regulator for financial services firms, including payment institutions and e-money institutions. Fluxa operates as a Payment Facilitator under the FCA authorisation of its payment partner, with its Referrer status defined by PSRs 2017.
Faster Payments: The UK’s near-instant interbank payment scheme, operated by Pay.UK. Most payments clear in seconds, 24/7. Maximum per-payment value varies by participating bank (up to £1 million on some). Fluxa offers Faster Payments as the accelerated settlement option (settlement_method: faster_payment) where the payment partner supports it; standard settlement remains BACS.
Gateway: The technical layer that accepts card details from the merchant’s checkout, encrypts them, and passes them to the acquirer for authorisation. The Fluxa hosted checkout and embedded SDK both act as the gateway.
Idempotency key: A unique value sent on a POST request that lets the API safely return the same response if the request is retried. Prevents duplicate charges or refunds when a network error obscures whether the first request succeeded. Fluxa accepts an Idempotency-Key header on every POST and remembers the result for 24 hours. See also Webhook.
Interchange: The fee paid by the acquirer to the issuer on every card transaction, set by the Card Schemes. Interchange varies by card type (consumer / commercial / corporate), region, and transaction context (CNP / CP / contactless). The largest cost component of card acceptance.
Issuer: The bank that issues the card to the cardholder. Authorises transactions, bills the cardholder, handles chargebacks. Examples: Barclays, HSBC, Monzo, Revolut.
KYB: Know Your Business. The verification process applied to business customers under the Money Laundering Regulations 2017. Confirms company existence, ownership structure, director identity, and operating activity. Required before a merchant can process live transactions.
KYC: Know Your Customer. The individual-identity version of KYB, applied to natural persons (sole traders, directors, beneficial owners) involved in a business. Confirms identity, address, and source of funds.
Liability shift: The transfer of fraud-chargeback liability from the merchant to the issuer that occurs when a payment is authenticated under 3DS. Specifically, on an authenticated transaction the merchant cannot be charged back on the “fraud, no authorisation” reason codes. Liability shift does not cover non-fraud disputes (goods not received, not as described). AVS alone does not produce a liability shift.
Ledger state: A coarser, three-value view of the six payment states intended for double-entry bookkeeping: CAPTURED, SETTLING, SETTLED. Sits alongside the full state on every payment object so accounting integrations can hide intermediate transitions that are noise to the general ledger.
Merchant account: A bank account or financial relationship that allows a business to accept card payments. Held with an acquirer or, in the PFaaS model, accessed via a payment facilitator’s payment partner.
Merchant ID (MID): The unique identifier assigned to a merchant by an acquirer. Used by the Card Schemes to track activity, calculate interchange, and route disputes.
Merchant of record: The legal seller of the goods or service the cardholder is paying for. The merchant of record is liable for refund policy, customer support, tax, and chargeback defence. Under PFaaS, the underlying merchant is the merchant of record; Fluxa is not. Under marketplace or aggregator models the platform is sometimes the merchant of record instead.
Master merchant: The payment facilitator itself, in the language of the card schemes. The master merchant holds the relationship with the acquirer, aggregates many sub-merchants under that relationship, and is named on every transaction sent to the network. Fluxa is the master merchant; UK businesses we onboard are sub-merchants.
MCC: Merchant Category Code. A four-digit code (maintained by ISO 18245, sometimes modified by the schemes) classifying the merchant’s business activity. Used to route interchange, apply scheme rules, surcharge taxes, and decide whether the category is in or out of scope for given products. Under PFaaS the MCC is assigned per sub-merchant at onboarding, not at the master-merchant level; Fluxa maps your business activity to the correct MCC during VCI.
MOTO: Mail Order / Telephone Order. A card-not-present transaction where the cardholder reads card details over the phone or by post. Higher fraud risk than online CNP; some processors do not support it.
Open Banking: The UK framework, mandated under PSRs 2017 following the Competition and Markets Authority retail-banking order, that requires the nine largest UK current-account providers to expose Account Information Service (AIS) and Payment Initiation Service (PIS) APIs to authorised third parties. Open Banking is a complement to card payments, not a replacement. Fluxa is a card-payments platform; Open Banking is on the roadmap as a parallel payment method, not an alternative architecture.
Payment Facilitator (PFaaS): A payment processor that aggregates many sub-merchants under a single acquirer relationship, simplifying onboarding and operations for small businesses. PFaaS (Payment Facilitation as a Service) is the operating model Fluxa uses. Fluxa is the master merchant; each UK business we onboard is a sub-merchant. The underlying merchant remains the merchant of record; Fluxa is a Referrer under PSRs 2017.
Payment Services Regulations 2017: The UK statutory instrument (SI 2017/752) that implements payment-services law in the UK. The PSRs 2017 transposed the EU’s Second Payment Services Directive into UK law and were retained after Brexit. They set out the regulatory perimeter (who needs to be FCA-authorised), Strong Customer Authentication (SCA) obligations, complaints handling, safeguarding duties, and the Referrer exclusion that Fluxa relies on.
PCI DSS: Payment Card Industry Data Security Standard. The Card Scheme-mandated security framework for any organisation that handles cardholder data. Fluxa operates at SAQ-A scope by not storing or transmitting cardholder data in plain form.
PCI SAQ-A: The simplest PCI DSS compliance tier, available to merchants that fully outsource card data handling to a hosted page or iframe operated by a PCI Level 1 provider. The merchant’s servers never touch card data. Fluxa’s hosted and embedded checkouts both keep merchants in SAQ-A scope.
PEP: Politically Exposed Person. Individuals in prominent public roles (heads of state, judges, senior politicians, their close associates) who require enhanced due diligence under the Money Laundering Regulations 2017.
PSP: Payment Service Provider. Generic term for any company that processes payments on behalf of merchants. Includes acquirers, gateways, payment facilitators, and e-money institutions.
Recurring billing: Automated charging of a cardholder on a recurring schedule (weekly, monthly, annually) for ongoing services. Requires merchant-initiated transaction support (see CIT / MIT) and cardholder consent under UK PSRs 2017 and EU PSD2. Fluxa runs a recurring billing engine documented at /developers.
Refund: A reversal of a captured transaction returning funds to the cardholder. Partial and full refunds are supported. Refunds carry their own scheme fees and timing rules.
Referrer: A status under the Payment Services Regulations 2017 for a firm that introduces customers to an authorised payment service provider without itself holding client funds or being authorised. Fluxa operates as a Referrer to its FCA-authorised payment partner; we are not an EMI and have no safeguarding duty because we never hold customer funds.
Representment: The merchant’s response to a chargeback, including evidence (transaction logs, delivery proof, cardholder communications) submitted within the scheme’s response window. If successful, the chargeback is reversed.
Sandbox: A test environment that mirrors production but processes simulated transactions only. Used for integration testing before going live. Fluxa publishes a sandbox at demo.fluxapay.co.uk.
Safeguarding: The regulatory duty under the PSRs 2017 Regulation 23 and the Electronic Money Regulations 2011 requiring authorised EMIs and payment institutions to ringfence customer funds in a segregated account or insure them. Safeguarding ensures customer money is protected if the firm fails. Fluxa is a Referrer, not an EMI; we never hold customer funds in the first place, so safeguarding obligations do not apply to us.
SCA: Strong Customer Authentication. The regulatory requirement under UK PSRs 2017 and EU PSD2 that online card transactions authenticate the cardholder. Some transactions are eligible for exemption, including TRA for low-risk payments. using two of three factors: something they know (password / PIN), something they have (phone / card), something they are (biometric). 3DS2 is the standard implementation.
Scheme fee: A fee charged by the Card Scheme to the acquirer on each transaction, separate from interchange. Includes assessment fees, cross-border fees, FX margins. The acquirer passes scheme fees to the merchant directly or blends them into the processing rate.
Settlement: The transfer of captured funds from the acquirer to the merchant’s nominated bank account. Settlement timing depends on the scheme, the merchant’s settlement agreement, and risk hold rules. Fluxa exposes the settlement lifecycle as discrete payment states, with a settlement reference on every settled payment for bank reconciliation. Standard settlement uses BACS; accelerated settlement uses Faster Payments where supported.
Settlement reference: The identifier Fluxa attaches to every SETTLED payment that lets merchants reconcile to their bank statement. Format STL-YYYY-MM-DD-FX-NNNNN: the date is the settlement date (not the transaction date), FX is the payment partner code, and NNNNN is a daily counter. The reference appears on the bank statement line alongside the credit, so a single grep matches the batch.
Soft decline: A decline that is recoverable on retry: insufficient funds, daily limit reached, temporary issuer outage, SCA challenge required. Distinct from a hard decline (card reported lost, stolen, closed, or blocked by the issuer) where retrying is not appropriate. Fluxa returns a structured failure_code and a retryable flag on every failed payment so your dunning logic can act correctly. Most automatic recurring-billing retries are scoped to soft declines only.
Sub-processor: A third-party service that processes personal data on behalf of a data controller. UK GDPR requires controllers to disclose sub-processors and ensure they meet equivalent data protection standards. Fluxa publishes its sub-processor list on /security.
Sub-merchant: A business onboarded under a payment facilitator’s master agreement with the acquirer, rather than holding a direct merchant account itself. Under Visa and Mastercard rules, sub-merchants under PFaaS may process up to roughly £800k Visa volume or £800k Mastercard volume per year before a direct acquirer agreement becomes required; above that threshold the sub-merchant graduates to its own direct relationship. Each UK business Fluxa onboards is a sub-merchant.
Tokenisation: Replacing a card number with a randomised reference (token) that can be safely stored and used to charge the card without exposing the original card details. Required for recurring billing under PCI DSS.
TRA: Transaction Risk Analysis. An SCA exemption mechanism: low-risk transactions can skip the cardholder challenge if the acquirer’s and issuer’s fraud rates are below scheme-set thresholds. Thresholds tier by value: under £500 if acquirer fraud rate <0.13%, under £250 if <0.06%, under £100 if <0.01%. The issuer makes the final exemption call.
UBO: Ultimate Beneficial Owner. The natural person (or persons) who ultimately owns or controls a business, typically defined as anyone holding 25% or more of shares or voting rights. UK companies must declare UBOs in their People With Significant Control register at Companies House.
VCI: Verified Commercial Identity. The Fluxa scheme for issuing Ed25519-signed certificates to verified businesses, anchored to Companies House and the FCA register. Documented at /vci.
VCMP / ECP: Visa Chargeback Monitoring Program (VCMP) and Mastercard Excessive Chargeback Program (ECP). Programmes that monitor merchant chargeback ratios; merchants exceeding thresholds face fines and reputational consequences.
Visa AU / Mastercard ABU: Account Updater services run by Visa and Mastercard that allow merchants to receive updated card credentials when an issuer reissues a card (expiry, replacement, brand change). Used in recurring billing to reduce involuntary churn from expired cards.
VAMP: Visa Acquirer Monitoring Programme. The successor to Visa’s legacy VCMP / VDMP from 1 April 2025. Tracks chargeback and enumeration ratios across an acquirer’s entire portfolio; merchants above the thresholds face fees and review. Fluxa surfaces your contribution to VAMP metrics in the dashboard so you can act before threshold breaches.
Webhook: An HTTP POST request fired by Fluxa to a merchant-supplied URL when an event occurs (transaction captured, settlement completed, refund processed). Signed with HMAC-SHA256 for verification. Pair with an idempotency key on any follow-up POST to keep retries safe. Documented at /developers.

Payments terminology. In plain English.

Got a term we should add?