A Beginner's Guide to Online Payments Processing


The financial technology sector has witnessed enormous growth in recent years, with entrepreneurs from this area raising over a billion in the first eight months of 2021 alone. The UAE’s digital payment solutions are among the most sophisticated in the world, and it is a terrific place to be if you want to make a big impact. This was the driving force behind your career change earlier this year. You wanted to be a part of an industry where you are creating world-first solutions, and therefore you opted to join the online product team of a renowned financial company. When you join a payments company or contact someone in the payments industry, you will quickly discover that it is a jargon-filled environment. You may experience many headaches as a result of attempting to decipher the terms hurled at you. This article includes a glossary of terminology often used in the payment business.

Payment Processing

Four Party Model


This is the most common payment processing framework for describing how a card transaction occurs, such as when you swipe your card at a merchant business. It explains how information is transferred between the model’s various entities during a payment transaction.

First, let’s start with an overview of the model’s various entities:

Cardholder: The person who owns the card and swipes it at the Merchant.

Merchant: The entity that sells an item to the customer and accepts money.

Acquiring bank: The Merchant’s bank, which handles the digital payment transaction by connecting to the issuer during the transaction. It is the bank that processes the Merchant’s transactions. The acquirer is the entity that has a relationship with the Merchant Account in a four/three-party setup. For instance, ADCD, Emirates NBD, Mashreq and RAKBANK.

Issuing bank: The customer’s bank, which verifies whether the cardholder is the card’s owner (authentication), examines whether the customer has sufficient balance (for debit cards) or credit limit (for credit cards), and answers whether the transaction is acceptable. The bank that offers credit or debit cards to the end-user is known as the issuer. The issuer is the entity that has a relationship with the end customer in a four/three-party business. Issuers carry the most risk and are penalized the most under the MDR. For instance, Emirates NBD, Mashreq, First Abu Dhabi, RAKBANK and others.

Network/card scheme: During a payment transaction, it connects the issuer and the acquirer. It facilitates the payment process by securely transmitting card details from the acquiring bank to the issuing bank and back. When a card is activated, it creates a directory server that maps BINs to issuer banks, directing transactions to the appropriate issuing bank. Examples in the UAE card payment network include UAEFTS, UAESWITCH, UAEPGS and UAEDDS.

Payment Gateway/PoS: A technical solution that allows a merchant to accept payments by connecting to the acquirer during the transaction.

To summarise, the following steps happen in a four-party model:

  • For an offline merchant, the customer swipes the card at the PoS terminal; for an online merchant, the customer enters the card details at the payment gateway.
  • To process the transaction, the PoS terminal/Payment gateway interfaces with the acquiring bank.
  • The acquiring bank connects to the network’s Directory server. The network then uses the first 6–9 digits of the Card Number to identify the issuing bank for this card.
  • The issuing bank performs the appropriate checks and balances on the customer’s account to validate the cardholder’s identification and account balance.
  • After the money is successfully deducted from the customer account, the acquiring bank returns success to the PoS/Payment gateway.

Three Party Model

The only difference between this model and the one above is that the acquiring and issuing banks are the same. It is not necessary to route a transaction across the network to determine which issuing bank the card belongs to.

On-US transaction

The acquiring and issuing banks are the same in this transaction, and the transaction does not need to be forwarded through the network to determine the card’s issuing bank.

Off-US transaction

A transaction in which the acquiring and issuing banks are not the same. The transaction must be sent to the network to determine who is the issuing bank for this card.
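
The four-party steps and the on-us/off-us distinction above, as an added sketch that is not part of the original article. Bank names, BINs, card numbers, balances and the PAN length bounds are constructed assumptions; the 9/6/4-digit prefix order follows the BIN lengths this glossary mentions.

```python
# All names and values below are constructed for illustration.
ACQUIRER = "Bank A"
ACQUIRER_OWN_BINS = {"510000": "Bank A"}                    # cards Bank A issued itself
NETWORK_DIRECTORY = {"4000": "Bank B", "400012": "Bank C"}  # directory server: BIN -> issuer
ISSUER_BALANCES = {                                          # issuer ledgers, minor units
    "Bank A": {"5100001111111111": 50_000},
    "Bank C": {"4000129999999999": 1_000},
}


def match_bin(table, pan):
    """Return the issuer for the longest BIN prefix (9, 6, then 4 digits) in table."""
    for length in (9, 6, 4):
        if pan[:length] in table:
            return table[pan[:length]]
    return None


def issuer_authorize(issuer, pan, amount):
    """Issuing bank: check the card is known and funded, then deduct."""
    ledger = ISSUER_BALANCES.get(issuer, {})
    if pan not in ledger:
        return "DECLINED: unknown card"
    if ledger[pan] < amount:
        return "DECLINED: insufficient funds"
    ledger[pan] -= amount
    return "APPROVED"


def acquirer_process(pan, amount):
    """Acquiring bank: handle a request passed on by the PoS or payment gateway."""
    # Length bounds are an assumption of this sketch.
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and amount > 0):
        return (None, None, "DECLINED: malformed request")
    issuer = match_bin(ACQUIRER_OWN_BINS, pan)
    route = "on-us"                      # own card: no trip through the network
    if issuer is None:
        issuer = match_bin(NETWORK_DIRECTORY, pan)
        route = "off-us"                 # the network's directory server resolves the issuer
        if issuer is None:
            return (route, None, "DECLINED: unknown BIN")
    return (route, issuer, issuer_authorize(issuer, pan, amount))
```

The second sample card matches both the 4-digit and the 6-digit entry, and the longer prefix decides which issuer receives the request.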

3D Secure (3DS)

3DS, or 3D Secure, is a protocol from Visa (Verified by Visa) and Mastercard (SecureCode). The issuing bank must maintain an access control server, which authenticates the cardholder using a second factor of authentication, such as a PIN. It was designed to combat fraud, particularly with regard to online payments.

ACS (Access control server)

The issuer bank server that is in charge of authentication and is required in order to follow 3DS.

(MPI) Merchant plug-In

It is an acquiring bank server that supports 3DS authentication calls to the issuer bank. It sends card information to the network’s directory server (DS) in the form of a Verifying Enrollment request (VEReq). The DS communicates with the ACS to see if the card is enrolled in 3DS, and the result is returned in a Verifying Enrollment response (VERes). If the card is enrolled, the VERes will contain the issuer’s ACS URL, to which the customer will be redirected to authenticate themselves.

Bank identification number (BIN)

The first 4, 6, or 9 digits of a card number are used to identify the card’s issuing bank.

Directory server

This is the payment network’s server that holds the mapping of card BINs to issuers.

Payment switch

This server is connected to the payment gateway and assists in dynamically routing transactions according to rules set for the merchant. Routing by low cost, success rates, or BIN are examples of such rules.

Payment gateway

To conduct the payment transaction, the payment gateway connects the online Merchant with the acquirer. Banks or networks such as ADCD, Emirates NBD, Mashreq and RAKBANK and others provide these services.

Payment aggregator

The payment aggregator links to different payment gateways and offers the online retailer a variety of payment alternatives. The benefit to the Merchant is that they can have several payment choices with just one integration. Telr, Payfort, 2checkout are some examples.

(VEReq) Verifying enrollment request

The request from MPI to ACS to determine whether or not the card is enrolled in 3DS.

(VERes) Verifying enrollment response

The ACS answer to MPI indicates whether the card is enrolled in 3DS or not. This contains the ACS URL, where the consumer is forwarded to authenticate if the card is enrolled for 3DS.

(PAReq) Payer authentication request

MPI redirects the browser to ACS and sends a Payer authentication request if the card is set up for 3DS.


(PARes) Payer authentication response

After a customer authenticates, ACS sends a payer authentication response (PARes), indicating whether or not the authentication was successful. The MPI receives the PARes, which indicates the transaction status and whether or not the payment was successfully authenticated.


Authentication

In a digital payment transaction, authentication is used to ensure that the cardholder is the card owner. 3DS is a method of confirming the identity of a cardholder.


Authorization

This is the issuing bank’s certification of the cardholder’s ability to pay. The amount will be deducted from the cardholder’s account and placed on hold.


Capture

After authorization, capture is a process that moves funds from the customer’s account to the Merchant’s account. Businesses that require a long time to fulfil orders or have a significant risk of returns (such as travel and e-commerce) postpone the capture until later.

Pre Auth

In most cases, auth and capture occur in that order; in this case, however, only auth occurs at first, with capture occurring later. This is used by firms if order fulfilment takes a long time or there are a lot of returns to deal with (like travel, e-commerce).

CSC/CVV (Card security code/ card verification code value)

The card has a three-digit or four-digit security code (usually on the back of the card). This security code is entered for card-not-present transactions, not for in-person transactions.

(AVS) Address verification system

AVS compares the cardholder’s address to the information on file with the issuing bank. Only the numbers in the address are matched, not the complete address.

Basis points (BPS/Bips)

Basis points abbreviated as Bips or Bps signify 0.01 of a percentage point (0.001 of a value). This term is widely used to refer to financial fees, interest rates, and other similar terms.

(ARN) Acquirer reference number 

This is a trace ID to know where the money was at a given point of time when it was transferred from the issuing bank to the merchant account.

(UTR) Unique transaction reference 

The abbreviation UTR stands for unique transaction reference, and it is like ARN, but it’s for UPI/NEFT/RTGS transactions.

(PAN) Primary account number

The 16-digit card numbers seen on credit and debit cards are known as the PAN.

(PIN) Personal identification number 

The term PIN refers to a personal identification number that is used to verify financial transactions.

(API) Application programming interface 

An application programming interface (API) is a way for different internet services to communicate with one another.

Void transaction

A void cancels a transaction before it is settled. When money has already been settled, a refund transaction is performed instead.
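
The authorization, capture, pre-auth, void and refund entries above describe one lifecycle. The following added sketch, which is not part of the original article, models it as a state machine so that out-of-order actions are rejected. The class, state names and the separate "settle" step are assumptions made for illustration.

```python
class Payment:
    """Constructed model of one card payment; amounts are integers in minor units."""

    # action -> (states it is allowed from, state it leads to)
    RULES = {
        "authorize": ({"NEW"}, "AUTHORIZED"),
        "capture": ({"AUTHORIZED"}, "CAPTURED"),
        "settle": ({"CAPTURED"}, "SETTLED"),
        "void": ({"AUTHORIZED", "CAPTURED"}, "VOIDED"),   # only before settlement
        "refund": ({"SETTLED"}, "REFUNDED"),              # only after settlement
    }

    def __init__(self, amount, cardholder_available):
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.amount = amount
        self.state = "NEW"
        self.available = cardholder_available  # cardholder's spendable balance
        self.held = 0                          # placed on hold by authorization
        self.merchant = 0                      # funds moved to the merchant

    def apply(self, action):
        """Perform one action, or raise ValueError if the current state forbids it."""
        allowed_from, next_state = self.RULES[action]
        if self.state not in allowed_from:
            raise ValueError(f"{action} not allowed in state {self.state}")
        if action == "authorize":
            if self.available < self.amount:
                raise ValueError("insufficient funds")
            self.available -= self.amount
            self.held += self.amount
        elif action == "capture":
            self.held -= self.amount
            self.merchant += self.amount
        elif action == "void":
            # Release the hold, or reverse a capture that has not settled yet.
            self.available += self.amount
            self.held, self.merchant = 0, 0
        elif action == "refund":
            self.merchant -= self.amount
            self.available += self.amount
        self.state = next_state
        return self.state
```

A pre-auth flow is simply "authorize" now and "capture" later; a second "capture" or "refund" on the same payment raises instead of moving money twice.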

Message protocols and formats

ISO 8583

This is a message standard through which systems interact with one another for card payments.

The following is the structure of an ISO message.

Message Type Indicator (MTI) – Indicates the ISO 8583 version being used, the message’s purpose, communication route, and origin.

Bitmaps – Indicate where data items in the message can be found.

Data elements – These are the real financial transaction details such as card number, amount, etc.
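
A small parser for the three parts listed above, added here as an example and not taken from the original article. It assumes a simplified ASCII layout with hex-encoded bitmaps and knows only six data elements; real networks differ in encoding, and the sample message is constructed.

```python
# Constructed sample and simplified layout: ASCII text, hex-encoded bitmaps.
VERSION = {"0": "ISO 8583:1987", "1": "ISO 8583:1993", "2": "ISO 8583:2003"}
PURPOSE = {"1": "authorization", "2": "financial", "4": "reversal", "8": "network management"}
FUNCTION = {"0": "request", "1": "request response", "2": "advice", "3": "advice response"}
ORIGIN = {"0": "acquirer", "1": "acquirer repeat", "2": "issuer", "3": "issuer repeat"}
# Data element number -> fixed length, or "LLVAR" (two-digit length prefix).
FIELD_SPEC = {2: "LLVAR", 3: 6, 4: 12, 11: 6, 41: 8, 49: 3}

SAMPLE = ("0100" "7020000000808000" "164000129999999999"
          "000000" "000000002000" "000042" "TERM0001" "784")


def parse_mti(mti):
    """Split the four MTI digits into version, purpose, function and origin."""
    if len(mti) != 4 or not mti.isdigit():
        raise ValueError("MTI must be four digits")
    tables = (VERSION, PURPOSE, FUNCTION, ORIGIN)
    return tuple(table.get(digit, "unknown") for table, digit in zip(tables, mti))


def bitmap_fields(hex_bitmap, offset=0):
    """List the data element numbers whose bit is set in one 64-bit bitmap."""
    if len(hex_bitmap) != 16:
        raise ValueError("bitmap must be 16 hex characters")
    bits = int(hex_bitmap, 16)
    return [offset + i for i in range(1, 65) if (bits >> (64 - i)) & 1]


def parse_message(msg):
    """Return (decoded MTI, {field number: value}); raise ValueError if malformed."""
    fields, pos = bitmap_fields(msg[4:20]), 20
    if 1 in fields:                       # bit 1 announces a secondary bitmap
        fields += bitmap_fields(msg[20:36], offset=64)
        pos = 36
    data = {}
    for number in [f for f in fields if f != 1]:
        spec = FIELD_SPEC.get(number)
        if spec is None:
            raise ValueError(f"no length rule for field {number}")
        if spec == "LLVAR":
            spec, pos = int(msg[pos:pos + 2]), pos + 2
        value = msg[pos:pos + spec]
        if len(value) != spec:
            raise ValueError(f"field {number} is truncated")
        data[number], pos = value, pos + spec
    if pos != len(msg):
        raise ValueError("unparsed data after the last field")
    return parse_mti(msg[:4]), data
```

Because field boundaries are known only through the bitmap and the per-field length rules, the parser stops on any field it has no rule for rather than guessing where the next one starts.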

(TCP/IP) Transmission control protocol / Internet protocol

When data is sent across the internet from point A to point B, it is broken down into packets and checked at the destination to determine if all of the packets have arrived.

(HTTP) Hypertext transfer protocol 

When data reaches the target node, this protocol specifies how it should be read and processed.

(JSON) JavaScript object notation 

A data transfer format that is not language-dependent. This is a common method of serializing data for use with APIs.


Example of JSON data

(XML) Extensible markup language

To represent data elements, it employs a tag language similar to HTML. This is more difficult to comprehend than JSON, but it is more secure and has more encoding possibilities.


Example of XML data


(AFA) Additional factor of authentication

This is used to indicate that an additional method of verifying the cardholder’s identity is required for the transaction. When the cardholder enters the CVV during a card-not-present transaction, that is a single authentication factor. However, if the cardholder is then asked to enter an OTP sent to the cardholder’s registered mobile number, that becomes an additional way to identify that the cardholder is the card’s owner. In India, AFA is required just for card-not-present transactions, not for card-present transactions.

(EMV) Europay, Mastercard, Visa

These are the requirements that guided the development of chip-based cards. These are more secure than magnetic stripe cards because magnetic stripes can be copied and used to make payments repeatedly.


Encryption

With the use of a public key and an encryption algorithm, the plaintext is turned into non-readable ciphertext. Using a private key, this may then be decoded back to plain text. Card numbers are never saved in plain text when we save our cards on an e-commerce website. Instead, they are saved in an encrypted format (known as tokens). This is then decrypted and sent during the payment flow by the entity that encrypted it in the first place. AES encryption, RSA encryption, and other encryption methods are examples.


Encoding

It is a method of converting data from one format to another. The goal here is to make it readable by other systems rather than secure. Publicly available algorithms can readily decode it. Unicode, base64, and ASCII are examples of encodings.


Hashing

It is a method of converting data into a fixed-length sequence of alphanumeric characters. When compared to encoding or encryption, the distinctive feature of hashing is that it is impossible to deduce the original data from the hash data in any way. Hashing is used to store login passwords on servers, and MD5, SHA256, SHA512, and other hashing algorithms are examples.

(PCI DSS) Payment card industry data security standard

This is a security standard established by the card networks that must be fulfilled by businesses that handle card details for payment processing (Payment Aggregators, Merchants, etc.). PCI compliance is required for every organization that accepts credit card information from customers. To be PCI compliant, an entity must meet around 12 requirements in data storage, encryption, system access control, network monitoring, and so forth.

(PA-DSS) Payment application data security standard

This is comparable to PCI DSS. However, it applies only to companies that create and sell payment applications.

Transaction types

Card present transaction

A Card Present Transaction is when the cardholder can physically present the card to the Merchant during the payment, for example, payment at any offline store.

Card Not present transaction

A Card Not Present Transaction is when the cardholder is unable to physically show the card to the Merchant during the payment process, for example, payment at any e-commerce shop.

Payment links

Payment links are a good way to accept payments in situations when the Merchant doesn’t have a website or if the user can’t go to a website to make a payment. In such cases, the Merchant can send a payment link to the client’s phone number/email address for the services provided, and the consumer can then click on the payment link and complete the transaction.

Final thoughts

Finally, the information presented above should have improved your understanding of the payments industry and piqued your interest. The next time you swipe a card, you will surely be impressed by the payment processing technology that allows you to make a secure and flawless payment while performing many backend operations in milliseconds.