Payments terms, defined for builders.
Network tokens, cryptograms, PCI scope, and PSP independence, explained for merchants and engineers who need portable credentials, not processor lock-in.
Network tokens & schemes
- AETS (American Express Token Service)
- BIN (Bank Identification Number): first digits of the card
- MDES (Mastercard Digital Enablement Service)
- PAN (Primary Account Number): the raw card number
- TRID (Token Requestor ID): your merchant identifier on the card networks
- VTS (Visa Token Service)
Cryptograms & authorization
- AEVV (American Express Verification Value)
- ECI (Electronic Commerce Indicator)
- TAVV (Token Authentication Verification Value): Visa cryptogram
- UCAF (Universal Cardholder Authentication Field): Mastercard cryptogram
Payments & credentials
Security, PCI & cryptography
- AoC (Attestation of Compliance): formal QSA-signed PCI evidence document
- BYOK (Bring Your Own Key): wrap our DEK with a key in your KMS
- DEK (Data Encryption Key): encrypts data at rest, scoped per tenant
- FIPS 140-2 Level 3: US federal standard for tamper-evident, hardware-backed cryptographic modules
- HSM (Hardware Security Module): tamper-resistant cryptographic device
- HMAC (Hash-based Message Authentication Code): signed integrity proof
- JWE (JSON Web Encryption): encrypted JSON envelope
- KEK (Key Encryption Key): wraps a DEK; held in your KMS for BYOK
- KMS (Key Management Service): your cloud-provider key store (AWS KMS, GCP KMS, etc.)
- mTLS (Mutual TLS): both client and server authenticate via certificates
- PCI (Payment Card Industry Data Security Standard)
- SAQ-A (PCI SAQ-A): card data never touches merchant servers
- SAQ (PCI Self-Assessment Questionnaire)
- TTL (Time To Live): how long a value remains valid after issue
- TLS (Transport Layer Security): modern HTTPS encryption protocol
Regulation
Commercial & legal
- CFAA (Computer Fraud and Abuse Act): US anti-hacking statute
- DPA (Data Processing Addendum): processor terms for customer personal data
- DMCA (Digital Millennium Copyright Act): US safe-harbor statute
- MSA (Master Services Agreement): primary commercial contract with Veliro
- SLA (Service Level Agreement): availability targets and service credits
Put the vocabulary into practice.
Provision your first network token under your TRID in sandbox: Secure Fields, one REST surface, PSP routing on your terms.