AIS (Account Information Services)
An online service which provides consolidated account information to a Payment Service User (PSU) on one or more payment accounts held by that PSU with various FIs.
AISP (Account Information Service Provider)
Any TPP that wishes to aggregate online account information of one or more accounts held at one or more ASPSPs (FIs). This service can be used for account management or generation of dashboards for a PSU.
API (Application Programming Interface)
In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. A good API makes it easier to develop a computer program by providing all the building blocks, which are then put together by the programmer. An API may be for a web-based system, operating system, database system, computer hardware, or software library. An API specification can take many forms, but often includes specifications for routines, data structures, object classes, variables, or remote calls. POSIX, Microsoft Windows API, the C++ Standard Template Library, and Java APIs are examples of different forms of APIs. Documentation for the API is usually provided to facilitate usage. The status of APIs in intellectual property law is controversial.
API Data is data made available to an API User or a TPP through the API.
An API Provider is a service provider implementing an Open Data API. An API Provider provides Open Data via an API gateway.
An API User is any person or organisation who develops web or mobile apps which access data from an API Provider.
ASPSP (Account Servicing Payment Service Provider)
An ASPSP is any financial institution that offers a payment account with online access. PSD2 means ASPSPs have to provide access to let regulated third parties initiate payments and access account information. APIs are currently considered the most practical way to do this.
An ASPSP brand is any registered or unregistered trademark or other Intellectual Property Right provided by an ASPSP.
Brexit (British Exit from the EU)
Brexit is the process by which the United Kingdom ended its membership of the European Union. In the context of PSD2 Brexit has had no effect on the implementation of the legislation in the UK.
CA (Competent Authorities (PSD2 related))
A competent authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function. For PSD2 the competent authority in each EU member state will have primary responsibility for monitoring compliance and enforcement of PSD2. In the UK the competent authority for PSD2 is the Financial Conduct Authority (FCA).
A payment network tied to payment cards (debit or credit). FIs can join these schemes to offer cards to consumers.
Certificate (X509 public key certificate)
A cryptographically protected data structure for storing and transporting a public key. The data structure contains the public key value together with the identity of the owner of the key, the validity period of the key and the identity of the Certificate Authority that registered the public key and signed the certificate.
CMA (Competition Markets Authority)
The Competition and Markets Authority is a UK body, they have been working to increase competition in UK banking; this has led them to push for reforms in retail banking that are in line with PSD2.
The nine largest FIs in the UK, based on the volume of personal and business current accounts. Barclays plc, Lloyds Banking Group plc, Santander, Danske, HSBC, RBS, Bank of Ireland, Nationwide and AIBG.
The Retail Banking Market Investigation Order 2017.
Remedies that the CMA deemed appropriate to introduce to address a number of key features of the UK Retail Banking market considered to be having an adverse effect on competition. These remedies included a requirement for the UK banking industry to adopt a subset of Her Majesty’s Treasury’s (HMT’s)proposals for Open Banking.
CNP (Card Not Present)
Sometimes referred to as cardholder not present, this refers to a transaction where the payer, payee and the method of payment (the card) are not in the same location, when the transaction takes place. Tackling fraud in the CNP process is a main objective of PSD2.
CP (Consultation Paper)
Consultation Paper issued by the EBA to the market to solicit feedback and opinions.
The data standards issued by Open Banking from time to time in compliance with the CMA Order.
EBA (The European Banking Authority)
An independent EU authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
EBA Register (Electronic central register of the EBA)
The EBA Register provides an electronic central register that contains information on PSPs as notified by CAs.
EC (European Commission (PSD2 context))
An institution of the European union, it is responsible for proposing legislation, implementing decisions and upholding EU treaties. In the context of PSD2 it is the force behind the proposition and adoption of the directive at a European wide level. In each country this responsibility will be managed in conjunction with the local governments and appointed Competent Authorities, for example in the UK the FCA.
EEA (European Economic Area (PSD2 context)
The European Economic Area (EEA) unites the EU member states and the three EFTA States (Iceland, Liechtenstein and Norway) 31 countries are members. PSD2 is in force for payments within the EEA, from the EEA to outside countries and from outside countries into the EEA, in all currencies. Where one of the PSPs is situated outside the EEA these are known as One Leg Payment Transactions.
eIDAS (electronic IDentification, Authentication and trust Services)
A framework that provides a set of standards for electronic identification and trust services for electronic transactions in the European Single Market. For PSD2, the eIDAS framework was selected as the identity framework used to mutually authenticate TPPs and ASPSPs when establishing TLS sessions and to seal their message contents.
eIDAS Certificate (eIDAS public key certificate)
A public key certificate that conforms to the eIDAS framework and has been issued by a Qualified Trust Service Provider (QTSP).
eIDAS Seal Certificate (eIDAS public key certificate for Seals)
An eIDAS certificate containing the public key used to verify the Seal (or digital signature) generated by the corresponding private key.
EMD2 (Directive 2009/110/EEC (Electronic Money Directive)
The Directive regulates electronic payment systems in the European Union. The aim of the Directive is to enable new and secure electronic money services and to foster effective competition between all market participants.
EMI (Electronic Money Institution)
An e-money institution is a supplier of the financial product ‘electronic money’. The electronic money can be used to make payments to parties other than the issuer. ‘Electronic money’ is a monetary value stored on an electronic carrier or remotely in a central accounting system. An EMI has received regulatory approval from their NCA. An EMI can passport their regulatory status to other markets in the EU.
E-Money (Electronic money)
Electronic money is an electronic store of monetary value on a technical device that may be widely used for making payments to entities other than the e-money issuer.
EPC (European Payments Council)
Is a membership organisation created in 2002 by the major European FIs. The main task of the EPC is the development of the Single Euro Payment Area (SEPA), a key initiative of PSD1. They represented their members’ interests in the development of PSD2, for example by preparing responses to the developing Regulatory Technical Standards.
ERPB (Euro Retail Payments Board)
The purpose of the ERPB, launched by the European Central Bank (ECB) is to facilitate and contribute to the further development of an integrated, innovative and competitive market for euro retail payments in the EU.
ETV (Exemption Threshold Value)
Related to the application of exemptions from Strong Customer Authentication ETV defines the payment value at which the Reference Fraud Rates must be adhered to, in order to secure a payment using Transaction Risk Analysis.
EU (European Union)
The European Union is a political and economic union of 27-member states that are located primarily within Europe.
FCA (Financial Conduct Authority)
The Financial Conduct Authority is the conduct regulator for 56,000 financial services firms and financial markets in the UK and the prudential regulator for over 18,000 of those firms.
FI (Financial Institution)
A generic term applied to banks, credit unions, building societies, EMIs and Payment Institutions.
GDPR (General Data Protection Regulation)
A regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).
ITS (Implementing Technical Standards)
Implementing Technical Standards define how requirements will be developed, agreed upon and implemented. The European Banking Authority is responsible for the development of the ITS’s to meet the objectives of PSD2 as defined by the European Commission.
IP (Internet Protocol)
Internet Protocol (IP) is the principal set (or communications protocol) of digital message formats and rules for exchanging messages between computers across a single network or a series of interconnected networks, using the Internet Protocol Suite (often referred to as TCP/IP).
A financial organisation that processes credit or debit card payments on behalf of a merchant.
NCA (National Competent Authority (PSD2 related))
As per competent authority but often called National Competent Authority. A national competent authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function. For PSD2 the competent authority in each EU member state will have primary responsibility for monitoring compliance and enforcement of PSD2. In the UK the competent authority for PSD2 is the Financial Conduct Authority (FCA).
OB (Open Banking)
The general term applied to the provision of access by TTPs to FI customers’ data normally through APIs.
OBIE (Open Banking Implementation Entity)
The Open Banking Implementation Entity is the delivery organisation working with the CMA9 and other stakeholders to define and develop the required APIs, security and messaging standards that underpin Open Banking. Otherwise known as Open Banking Limited.
OBWG (UK Open Banking Working Group)
Established in September 2015 to explore how data can be used to help people transact, save, borrow, lend and invest their money. The OBWG has set out an Open Banking Standard to guide how open banking data should be created, shared and used by its owners and those who access it. It is expected that the UK’s implementation of PSD2 will be somewhat driven by these recommendations.
Open Banking Ecosystem
The Open Banking Ecosystem refers to all the elements that facilitate the operation of Open Banking. This includes the API Standards, the governance, systems, processes, security and procedures used to support participants.
Open Banking Services
The open banking services to be provided by Open Banking to Participants, including but not limited to, the provision and maintenance of the Standards and the Directory.
Information on ATM and Branch locations, and product information for Personal Current Accounts, Business Current Accounts (for SMEs), and SME Unsecured Lending, including Commercial Credit Cards. Open Data is data that anyone can access, use or share.
An Open API or Public API is a free-to-use, publicly available application programming interface (API) that provides developers with programmatic access to a proprietary software application.
Founded in 2017, the P20 will bring together 20 leaders in the payments industry, plus UK and US government officials and regulators to promote growth of the industry globally.
PI (Payment Institution)
Born out of the original Payment Services Directive (PSD), a Payment Institution is a special form of payment service provider. It offers services including payment processing, foreign exchange and money remittance.
PIS (Payment Initiation Services)
An online service which accesses a PSU’s account to initiate the transfer of funds on their behalf with the user’s consent and authentication. Alternative payment methods commonly called push & pull payments.
PISP (Payment Initiation Service Provider)
A type of TPP offering a service that allows initiation of payments without the customer needing to directly access their account or use a debit or credit card.
PSD (Payments Systems Directive)
The Directive on Payment Services (PSD) provides the legal foundation for the creation of an EU-wide single market for payments. The PSD aims to establish a modern and comprehensive set of rules applicable to all payment services in the European Union. The goal is to make cross-border payments as easy, efficient and secure as “national” payments within a Member State.
PSD1 (Directive 2007/64/EC (Payment Services Directive))
Provides the necessary legal platform for the Single Euro Payments Area (SEPA).
PSD2 (Directive(EU)2015/2366 (Revised Payment Services Directive))
Provides the necessary legal platform and changes to the payments framework in order to better serve the needs of an effective European payments market, fully contributing to a payments environment which nurtures competition, innovation and security to the benefits of all stakeholders and consumers in particular.
PSD2 Exemptions (Exemptions (PSD2 context))
For PSD2 Exemptions are most widely talked about in the context of exemptions from using Strong Customer Authentication, for example for parking or ticketing payments or for payments where the threshold is met based on Reference Fraud Rates for the payment value; these permissible exemptions are detailed in the Regulatory Technical Standards.
PSP (Payment Service Provider)
A Payment Services Provider is an entity which carries out regulated payment services, including AISPs, PISPs, CBPIIs and ASPSPs.
PSR (Payment Services Regulations)
The Payment Services Regulations 2017, the UK’s implementation of PSD2, as amended or updated from time to time and including the associated Regulatory Technical Standards as developed by the EBA.
PSU (Payment Service User)
A Payment Services User is a natural or legal person making use of a payment service as a payee, payer or both.
QTSP (Qualified Trust Service Provider)
An entity approved to issue qualified digital certificates which can be used to establish mutually authenticated SLL sessions or create qualified electronic signatures or seals.
QSealCs (Qualified electronic Seal Certificates)
Qualified electronic Seals provide integrity and proof of origin of the signed message data over time but doesn’t provide confidentiality.
REST (Representational State Transfer)
A set of architectural principles for designing web services.
QWACs (Qualified Website Authentication Certificates)
eIDAS QWACs ensure the confidentiality, integrity and authenticity of data communicated between the TPP and ASPSP but only during transmission.
RTS (Regulatory Technical Standards)
Regulatory Technical Standards define certain requirements of PSD2 in more detail. The European Banking Authority is responsible for the development of the RTS to meet the objectives of PSD2 as defined by the European Commission.
SCA (Strong Customer Authentication)
Strong Customer Authentication as defined by EBA Regulatory Technical Standards is an authentication based on the use of two or more elements categorised as knowledge (something only the user knows [for example, a password]), possession (something only the user possesses [for example, a particular cell phone and number]) and inherence (something the user is [or has, for example, a finger print or iris pattern]) that are independent, [so] the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data.
SDK (Software Developer Kit)
A set of software development tools that allows the creation of applications.
The Standards are the Data Standards and Security Standards in accordance with which ASPSPs will be required to make Read/Write APIs available.
TPP (Third Party Provider)
Third Party Providers are organisations or natural persons that use APIs developed to Standards to access customers’ accounts, in order to provide account information services and/or to initiate payments. Third Party Providers are either/both Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs).
XS2A (Access to Accounts)
Gives financial institutions, plus approved and regulated third parties, access to the customer accounts of FIs in the EEA.