Glossary

Navigate our glossary section in case you're unfamiliar with some of the terms on our web site.
0

Two-Factor Authentication, or 2FA, is a way of confirming a user's identity by checking two out of three categories of security elements. It is a subset of Multi-Factor Authentication that requires exactly two factors. The security elements are something the user knows (PINs, passwords), something the user owns (phone, card), and something the user is (fingerprint, face recognition).

3D Secure 1.0, also known as 3DS1, is a protocol launched by Visa in 2001 with the intention of adding an extra security layer to online payments. Visa cardholders know it under the name Verified by Visa, but the protocol is also used by other major card schemes, including Mastercard, Amex, JCB, and Diners Club. Authentication is done by entering a password or PIN during checkout as an additional step for verifying the cardholder's identity. The protocol was originally designed for browsers and performed poorly on mobile devices.

3D Secure 2.0, also known as 3DS2, is a newer version of the protocol motivated by the shortcomings of the initial version, 3DS1. By having access to enriched transaction and customer data, 3DS2 enables risk assessment and frictionless online payments (no cardholder authentication step is required). Moreover, it introduced additional authentication methods, including biometrics, and provides a smooth user experience on mobile devices.

3D Secure protocol is an eCommerce authentication protocol enabling secured processing of online payments, non-payment, and account confirmation card transactions.

3DS Requestor is a 3D Secure component responsible for initiating the 3D Secure Authentication Request within a purchase flow, i.e., 3DS Requestor initiates the AReq message.

3D Secure SDK is software designed to facilitate cardholder authentication within a merchant's app, allowing a fully in-app experience. In order to verify the cardholder's identity during an in-app purchase, the 3DS SDK initiates the challenge flow and displays the authentication windows to the cardholder.

3DS Server is a 3D Secure component present on the Merchant and Acquirer side. Its role is to:
- handle online transactions and facilitate communication between the 3DS Requestor and the Directory Server
- validate the Directory Server (DS), 3DS SDK, and 3DS Requestor
- authenticate the Directory Server (DS)

3RI transactions, also known as merchant-initiated transactions, were introduced in 3D Secure 2. They offer merchants the possibility to generate the authentication data necessary for customer authentication without the end user being directly involved in the process, for example in recurring transactions such as subscriptions. 3RI transactions enable merchants to reference a previous authentication in which the customer was actually involved.

A

Account Takeover Fraud, or ATO fraud, happens when a fraudster gains access to the victim's login credentials and uses the stolen account for personal profit. That includes activities such as making online purchases using the stolen account and its saved card data (card-on-file), using loyalty points, and selling the account or the extracted account data on the dark web.

A typical ATO flow:
- The fraudster uses stolen credentials and accesses the victim's account
- The attacker makes necessary changes regarding account details (e.g., recovery email or phone number) so that the victim is unable to stop the attack
- The fraudster uses the account for making unauthorized online purchases or sells the account details to someone else

An acquirer, or acquiring bank, is the merchant's bank: a bank that acquires funds for merchants from cardholders.

Access Control Server (ACS) is a 3D Secure component that operates in the Issuing domain. The role of ACS is to verify whether authentication is available for the given card number and device type, authenticate cardholders, and confirm account information for 3RI transactions.

AI, or Artificial Intelligence, simulates human intelligence through machines, predominantly computer systems. Common AI use cases include expert systems, speech recognition, natural language processing (NLP), and machine vision.

Artificial Intelligence is based on large amounts of labeled training data and on the analysis of that data. The extensive data analysis results in the detection of patterns and correlations, and the discovered patterns are used for making future predictions. A common example of AI would be a website chatbot programmed to recognize text and offer the user adequate next steps.

Account Information Service Providers (AISPs) are providers that are able to ask for permission to connect to a bank account using an API. They use that bank account information in order to provide a service. Having access to such data implies a "read-only" approach, i.e., they can't move the funds from the account.

An antifraud system is software that detects and prevents fraudulent actions, most commonly fraudulent transactions. The software analyzes every transaction and flags it according to its legitimacy level. Usually, an antifraud system includes a fraud-prevention system, a fraud-analysis system, and a fraud-detection system.

Apache HTTP Server is one of the most widely used open-source web servers, commonly used to host websites and web applications. In the context of certificate management, Apache is one of the primary server environments on which TLS/SSL certificates are installed and renewed, often automated via tools such as Certbot and the ACME protocol.

An API, or Application Programming Interface, is an intermediary that enables the communication between two individual applications.

An Authentication Request (AReq) is a message requesting cardholder authentication. It usually contains transaction information such as cardholder name, payment information, and device details.

An Authentication Response (ARes) is a message from the ACS indicating successful authentication or demanding further action in order to authenticate the transaction.

An Account Servicing Payment Service Provider (ASPSP) is a customer's issuing bank that provides and maintains payment accounts. ASPSPs publish APIs so that customers are able to share their account data with Third-Party Providers (TPPs) or let TPPs initiate payments on their behalf.

Asymmetric cryptography, also known as asymmetric encryption or public-key cryptography (the basis of PKI, Public Key Infrastructure), is a type of cryptography that uses a mathematically connected key pair, a public key and a private key, to encrypt and decrypt the contents of a message in transit.

Attack surface, in terms of cyber security, is the total set of entry points through which a system can be attacked and data can be extracted or tampered with. A smaller attack surface is easier to protect.

An attack vector, in terms of cyber security, is a pathway for achieving unauthorized access to a network in order to conduct a cyber attack. Attack vectors enable cybercriminals to take advantage of existing vulnerabilities within the system and gain unauthorized access to sensitive information, PII (Personally Identifiable Information), and other sensitive data available upon a data breach.

In the context of certificate management, an audit trail is a chronological log of all certificate lifecycle events, including issuance, renewal, revocation, deployment, and policy changes, attributed to specific users or automated processes. A complete audit trail is essential for demonstrating compliance with regulatory frameworks such as PCI-DSS, GDPR, and NIS2, and for forensic investigation following a security incident or service outage.

Authentication is the process of proving that an identity is valid, i.e., that the user is really who they claim to be. The most common ways of validating someone's identity nowadays include: OTP by SMS/email, biometrics (face recognition or fingerprint), and push notification.

An authentication factor is a security credential used for verifying the identity of a user gaining access to, or exchanging information with, a particular system or service. Today there are five main authentication factors (the first three are recognized as the official authentication factors by regulatory bodies):
- Knowledge (password)
- Possession (HW token)
- Inherence (fingerprint/face recognition)
- Location (IP address)
- Behavior (typing speed/pattern)

An authentication server facilitates the authentication of an entity attempting to access a service or a network. It verifies whether the provided credentials match the ones stored in the credential database.

Authentication and authorization are two distinct but complementary security processes. Authentication answers the question 'Who are you?'. It verifies the identity of a user or system. Authorization answers 'What are you allowed to do?'. It determines what resources or actions the authenticated identity is permitted to access. Authentication always precedes authorization in a secure access control model.

Authorization is the process of enabling a user or a service to access particular resources. The simplest explanation of the term authorization would be "to give permission".

B

A backup refers to making copies of original (digitally stored) documents in order to prevent loss in case the original gets altered or deleted. Other use cases for a backup include preserving historical data in order to meet data retention policies or to compare it with current data.

Behavioral authentication is the process of authenticating the user based on their unique patterns of interaction with the device used for authentication. Examples of behavioral authentication factors are keyboard pressure, typing speed, and the angle at which a user holds the device (smartphone, tablet).

Biometric Authentication is a way of verifying someone's identity by using unique biological characteristics. It is based on comparing biometric data captured, e.g., for the sake of authenticating a transaction, with biometric data stored in the database. Types of biometric authentication include face recognition, fingerprint scanning, and voice recognition.

A bot, which is short for robot, refers to a specific type of software application able to perform scripted, automated tasks upon command.

A brute-force attack, due to the simplicity of its execution, is one of the most popular hacking methods out there. A brute-force attack involves guessing a series of usernames and passwords until the targeted account is finally cracked. A more sophisticated form of a brute-force attack would involve an automated script that runs the combinations of user credentials on its own. A popular way of obtaining rich lists of user credentials and commonly used passwords is through the dark web.

BYOD, short for Bring Your Own Device, is a policy enforced by companies and enterprises that enables employees to use their own devices (smartphones, laptops, tablets) for work purposes.

C

Certificate transparency is a public logging framework that requires Certificate Authorities to record every issued certificate in publicly auditable logs. It enables organizations to monitor for unauthorized or misissued certificates for their domains, providing an additional layer of visibility beyond internal certificate inventory management. Certificate transparency logs are a standard component of the public CA ecosystem and are checked by major browsers as part of certificate validation.

Certificate management is the systematic process of discovering, tracking, issuing, deploying, renewing, and revoking digital certificates across an organization's IT infrastructure. As enterprises scale, manual certificate management becomes error-prone and unsustainable; dedicated certificate management platforms (CMPs) or Certificate Authority services automate these workflows to ensure continuous TLS/SSL coverage and compliance.

Certificate lifecycle management is the process of managing digital certificates from issuance through renewal to revocation. It covers discovery, monitoring, automated renewal, and retirement of TLS/SSL certificates across an organization's infrastructure, reducing operational risk and preventing service outages caused by certificate expiration.

Certificate discovery is the process of automatically scanning an organization's infrastructure to locate all deployed digital certificates, including those on servers, APIs, microservices, VPNs, load balancers, and cloud workloads. Discovery is the essential first step of certificate lifecycle management; without a complete picture of every certificate in the environment, organizations cannot monitor expiration, enforce policy, or prevent unexpected service outages.

A Certificate Authority is a trusted organization that issues, signs, and revokes digital certificates. CAs verify the identity of the certificate applicant before issuance and are the cornerstone of the PKI (Public Key Infrastructure) chain of trust that browsers and operating systems rely on to validate secure connections.

A card scheme is a payment network providing the infrastructure for card issuing and card payment processing, for example Visa and Mastercard (MC). To make a payment possible, both the Issuing and the Acquiring bank need to be members of the same network as the card being used to process the payment.

Card-not-present fraud is a type of payment card fraud where the merchant is not able to physically examine the card being used because it is used for making an online or mobile purchase. It is a broad term that includes all payment card fraud where the physical credit/debit card is not presented.

A Card-On-File transaction is a transaction where a cardholder allows the merchant to save their payment card details to avoid manual input in the future.

Cart Abandonment Rate is a common KPI used for measuring the performance of a web store. It indicates how many customers added an item to their online shopping cart but never finalized the purchase. In other words, it shows the share of customers who showed interest in a particular product/service by adding it to the cart but left without making the purchase, relative to the total number of initiated transactions.

The formula for calculating Cart Abandonment Rate (as a percentage) is as follows:
( 1 - transactions completed / transactions initiated ) * 100

A certificate chain is the ordered sequence of digital certificates linking an end-entity certificate back to a trusted root certificate through one or more intermediate certificates. During the TLS handshake, the server presents its certificate chain so the client can verify that the end-entity certificate has been issued by a CA that traces back to a trusted root. A broken or incomplete certificate chain will cause the connection to fail, even if the end-entity certificate itself is valid.

Certificate decommission is the final stage of the certificate lifecycle, in which a certificate is permanently removed from the environment following retirement. Proper decommissioning includes revoking the certificate if it has not yet expired, removing it from all deployment locations, and updating the certificate inventory to reflect its removal. Neglecting decommission leaves orphaned certificates in the environment that are difficult to track and may pose security risks.

Certificate deployment is the process of installing a newly issued or renewed TLS/SSL certificate on the relevant web servers, load balancers, APIs, or other infrastructure components. Successful deployment is the final step of the certificate renewal process; a renewed certificate that has not been correctly deployed provides no protection and will not resolve browser trust errors or service disruptions caused by an expired certificate.

Certificate enrollment is the process of initiating a request for a new digital certificate, beginning with the generation of a key pair and the creation of a CSR (Certificate Signing Request) submitted to a Certificate Authority (CA). Enrollment is the first active stage of the certificate lifecycle and establishes the cryptographic foundation, public key and private key, on which the certificate will be built.

Certificate expiration occurs when a TLS/SSL digital certificate reaches the end of its validity period, after which it is no longer trusted by browsers and clients. Expired certificates cause connection errors, service outages, and security warnings that erode user trust. Organizations must monitor certificate expiration dates proactively and implement automated renewal processes to prevent disruptions.

Certificate health tracking is the continuous monitoring of digital certificates to detect approaching expiration dates, revocation events, misconfigurations, policy violations, and encryption standard compliance issues. Effective health tracking provides real-time visibility into the status of every certificate in the inventory and enables proactive remediation before issues escalate into service outages or security incidents.

A certificate inventory is a centralized, continuously updated record of all digital certificates within an organization's infrastructure, including their validity periods, issuing Certificate Authority, deployment locations, ownership, and compliance status. A complete and accurate certificate inventory is the operational foundation of effective certificate lifecycle management and is required for proactive monitoring, policy enforcement, and audit readiness.

Certificate issuance is the process by which a Certificate Authority (CA) validates an applicant's identity via a Certificate Signing Request (CSR) and issues a signed digital certificate within the PKI (Public Key Infrastructure) chain of trust. Issuance may involve domain control validation for DV certificates, organizational identity verification for OV certificates, or extended vetting for EV certificates, depending on the required assurance level.

The certificate issuer is the entity that signs and issues a digital certificate, typically a Certificate Authority (CA) in standard PKI environments. The issuer's identity is embedded in the certificate and is used by browsers and applications to locate and verify the appropriate trust anchor. In a self-signed certificate, the issuer and the subject are the same entity, which is why no external trust validation is possible.

Certificate lifecycle refers to the complete sequence of stages a digital certificate passes through, from initial request and issuance by a Certificate Authority (CA), through deployment, monitoring, renewal, and finally revocation or retirement. Effective certificate lifecycle management is critical for maintaining continuous service availability and preventing security gaps caused by expired or misconfigured certificates.

Certificate lifespan refers to the total duration for which a TLS/SSL certificate is considered valid, as defined by its validity period. Currently capped at 398 days for publicly trusted certificates, the industry is actively moving toward shorter lifespans of 90 days or less. Shorter lifespans reduce the window of exposure in the event of a private key compromise and encourage automated renewal practices.

Certificate monitoring is the continuous tracking of digital certificates across an organization's infrastructure to detect approaching expiration dates, revoked certificates, and misconfigurations. Proactive certificate monitoring prevents service outages, compliance violations, and security incidents caused by expired or invalid certificates.

Certificate pinning is a security technique that instructs a browser or application to accept only a specific certificate or public key for a given domain, rather than trusting any certificate issued by a recognized CA. Pinning provides an additional defense against man-in-the-middle (MitM) attacks in which a fraudulent but technically valid certificate could otherwise be accepted. It is commonly implemented in mobile applications handling sensitive data, such as banking or payment apps.

Certificate policy enforcement is the process of applying and monitoring organizational rules governing the use of digital certificates, including permitted Certificate Authorities, maximum validity periods, required encryption standards, key length requirements, and naming conventions. Enforcement ensures that all certificates in the environment conform to security standards and compliance requirements, and flags or blocks certificates that violate defined policies.

Certificate provisioning is the end-to-end process of preparing a digital certificate for active use, encompassing validation, issuance by the Certificate Authority, and deployment to the target infrastructure. In automated certificate lifecycle management environments, provisioning is triggered programmatically and completed without manual intervention, ensuring consistent and timely certificate availability across complex, large-scale infrastructure.

Certificate reissuance is the process of issuing a replacement certificate with the same or updated parameters before the existing certificate has expired, typically triggered by a configuration change, a domain name update, or a requirement to update the certificate's cryptographic parameters. It differs from renewal, which is driven by expiration, and from revocation, which is driven by compromise or invalidation.

Certificate renewal is the process of replacing an expiring or expired TLS/SSL certificate with a new one issued by a Certificate Authority (CA), maintaining the continuity of trusted encrypted communications. Renewal can be performed manually or automated via protocols like ACME. Failing to renew certificates on time leads to outages, browser security warnings, and potential breaches of compliance requirements.

Certificate retirement is the formal process of removing a digital certificate from active use when it is no longer needed, for example when a service is decommissioned, a domain is retired, or infrastructure is consolidated. Retiring certificates properly ensures they are removed from the certificate inventory, preventing orphaned certificates from creating unnecessary attack surface or complicating compliance audits.

Certificate revocation is the process of permanently invalidating a digital certificate before its validity period ends, typically because the private key has been compromised, the certificate was issued in error, or the organization's circumstances have changed. Revoked certificates are published via a CRL (Certificate Revocation List) or checked in real time via OCSP (Online Certificate Status Protocol). In multi-server environments, revocation must be coordinated across all deployment locations to ensure the invalidated certificate is replaced promptly on every affected server.

Certificate rotation is the process of replacing an active digital certificate with a new one on a scheduled basis, independent of expiration, typically as part of a security hygiene program or in response to a policy requiring regular cryptographic key refresh. Automated certificate rotation, coordinated by a CLM platform, ensures that certificates and their associated private keys are replaced consistently across all deployment targets without service interruption.

A Certificate Signing Request is a message sent to a Certificate Authority containing the applicant's public key and identity information, used to apply for a digital certificate. The CA validates the information in the CSR before issuing the certificate.

Certificate sprawl refers to the uncontrolled proliferation of digital certificates across an organization's infrastructure, often resulting from inconsistent issuance practices, lack of centralized tracking, and manual management processes. Certificate sprawl increases the risk of overlooked expirations, misconfigurations, and unauthorized certificates, making it a significant operational and security challenge in large enterprises.

Certificate storage refers to the secure retention of issued digital certificates and their associated private keys within an organization's infrastructure. Proper certificate storage ensures that private keys are protected from unauthorized access, ideally via a Hardware Security Module (HSM), and that certificates are retrievable for deployment, renewal, and audit purposes without exposing sensitive cryptographic material.

The certificate subject is the entity to which a digital certificate is issued, identified within the certificate by fields such as the common name (CN), organization (O), and country (C). In standard CA-issued certificates, the subject and issuer are different entities. In self-signed certificates, the subject and issuer are identical, which is the defining characteristic that causes browsers to reject them as untrusted.

Certificate use refers to the active phase of the certificate lifecycle during which a deployed digital certificate performs its intended function: authenticating servers to clients, enabling the TLS handshake, protecting data integrity, and securing encrypted communications. The certificate use phase spans from successful deployment until the certificate is renewed, revoked, or retired.

Challenge/Response (C/R) authentication is a security protocol in which the authenticating system issues a unique challenge, typically a random value or token, and the user or device must provide the correct response derived from a shared secret or private key. This mechanism prevents replay attacks because each challenge is unique and time-bound. C/R authentication is used in hardware tokens, FIDO2, and various cryptographic authentication protocols.

Chargebacks are a consumer protection mechanism that guarantees a return of funds in particular cases. Common reasons for chargeback disputes include fraudulent transactions, items not received, processing issues, etc. If cardholders have any reason to believe that their payment card was or is being used in a fraudulent manner, e.g., an unfamiliar transaction appears on their billing statement, they are able to file a dispute and initiate the chargeback process.

Clickjacking refers to the malicious practice of concealing hyperlinks beneath seemingly clickable content in order to lure the user into unknowingly performing actions such as triggering the installation of malware.

A client authentication certificate is a digital certificate issued to a user, device, or application that proves its identity to a server during the TLS handshake. Unlike server certificates, which authenticate websites to users, client authentication certificates enable mutual TLS (mTLS), where both parties verify each other's identity before establishing an encrypted connection. They are commonly used in zero-trust architecture environments, VPNs, and API security.

Cloud workload certificates are TLS/SSL certificates issued to cloud-based infrastructure components, including virtual machines, containers, serverless functions, and cloud-native services, to authenticate their identity and secure encrypted communication within and between cloud environments. Managing cloud workload certificates at scale requires integration between CLM platforms and cloud provider APIs to maintain continuous certificate visibility, automated renewal, and policy enforcement across dynamic, ephemeral cloud infrastructure.

CMPv2 is an IETF standard protocol for communication between certificate management systems and Certificate Authorities, enabling automated certificate issuance, renewal, revocation, and key update operations. It is used primarily in enterprise and government PKI environments where advanced certificate lifecycle automation and CA interoperability are required.

CNP Fraud, short for Card-Not-Present Fraud, refers to all types of credit card fraud where a credit card is not physically present. CNP Fraud typically occurs in online transactions and MOTO (Mail Order/Telephone Order) transactions. CNP fraud is generally harder to prevent, taking into consideration the fact that the merchant cannot examine the physical credit card used for a purchase.

Code injection refers to all attack types that involve injecting malicious code that is then executed by the targeted application. The attacker uses a vulnerable endpoint of an application to inject code that changes the execution path of the application in question.

Code obfuscation is the process of altering the original code so that it cannot be easily interpreted by an attacker while the code remains fully functional. For a layered approach and enhanced security, several different code obfuscation techniques are applied on top of each other. Code obfuscation is an effective method for hindering reverse engineering attacks that aim to disassemble the software in order to understand its logic and ultimately copy the entire application. Some popular code obfuscation techniques are rename obfuscation, packing, dummy code insertion, and removal of metadata and unused code.

A code-signing certificate is a digital certificate used to sign software, scripts, and executable files, allowing end users and operating systems to verify that the code originates from a trusted source and has not been tampered with since it was signed. Code-signing certificates are issued by a Certificate Authority and are a standard security requirement for software distribution in enterprise and consumer environments.

Credential stuffing is an automated attack in which username/password pairs stolen in a breach of one service are replayed against the login forms or APIs of other websites and services. It exploits password reuse: every account whose owner used the same credentials elsewhere can be taken over without guessing anything.

Credential theft is the unauthorized acquisition of authentication credentials — such as usernames, passwords, API keys, session tokens, or certificates — through methods including phishing, keylogging, man-in-the-middle attacks, and data breaches. Stolen credentials are the primary enabler of account takeover fraud, lateral movement within networks, and data exfiltration. Multi-factor authentication and passwordless solutions significantly reduce the impact of credential theft.

The Cyber Resilience Act (CRA) is a European Union regulation that establishes mandatory cybersecurity requirements for products with digital elements sold in the EU market. It applies to hardware and software products, from smart home devices to enterprise software, and requires manufacturers to ensure security by design, provide security updates throughout the product lifecycle, and report actively exploited vulnerabilities. The CRA aims to reduce the cybersecurity risks posed by connected devices across the EU single market.

Challenge Request (CReq) is the 3D Secure message that signals cardholder interaction is necessary for successful authentication. In the app-based flow the CReq is sent to the ACS by the 3DS SDK; in the browser-based flow it is created by the 3DS Server and posted to the ACS through the cardholder's browser.

Challenge Response (CRes) is the ACS's reply to the CReq. It signals the result of cardholder authentication, successful or unsuccessful, and is returned to the 3DS SDK (app-based flow) or to the browser (browser-based flow).

A cryptographic key is a secret value (a string of bits) that parameterises a cryptographic algorithm; it is produced by a key-generation procedure, not by encryption itself. Just like a physical key, it locks (encrypts) and unlocks (decrypts) data, so only the party holding the right key can access the encrypted message. With symmetric algorithms the same key does both; with asymmetric algorithms the public key encrypts and only the matching private key decrypts.

Cryptography is the study of techniques for secure communication in the presence of adversaries. Its core goals are confidentiality (only the sender and the intended recipient can read a message), integrity (the message has not been altered in transit), and authentication (the message really came from the claimed sender).

Cybersecurity is the practice of protecting networks, programs, systems, and data from attack. Cyberattacks aim to access, change, or destroy sensitive information, extort money from users, or interrupt a business's daily operations.

D

DDoS Attack, or Distributed Denial of Service Attack, floods a target with traffic from many sources at once (typically a botnet of compromised machines) in order to exhaust its bandwidth or resources and prevent legitimate users from accessing the service. The motivation behind a DDoS attack varies from financial gain (extortion) and disrupting a competitor to hacktivism and simply making a statement.

Decoupled authentication is an authentication method in which cardholder authentication is separated from the payment workflow and takes place without the customer interacting with the online merchant. The issuer verifies the customer's identity and authenticates the transaction through a separate channel, for example a push notification to its own mobile app. Responsibility for authentication shifts to the issuing bank, which can complete it even though the cardholder is not online with the merchant at that moment. The 3DS Requestor states how long the cardholder has to respond, which can be up to several days, so the method suits cases where the cardholder is not immediately available but authentication is mandatory. Decoupled authentication was introduced in EMV 3DS 2.2 and is applicable to all device channels: browser, app, and 3RI (3DS Requestor Initiated). It is an authentication flow, not a type of Merchant Initiated Transaction (MIT).

Device information is data about the device used in the authentication process, such as platform, OS version, model, screen size, and locale. In the app-based flow the 3DS SDK collects it and sends it, encrypted, to the ACS as input for risk-based authentication.

A dictionary attack is a type of brute-force attack that tries words from a dictionary (or a list of commonly used passwords) to gain access to a password-protected network or service. The same technique is used to recover passphrases protecting encrypted documents, keys, or archives. Although simple, dictionary attacks have repeatedly breached company networks because users and administrators chose ordinary words as passwords. They remain effective today whenever passwords are common words or predictable variations of them, especially offline against leaked password hashes, where an attacker can test millions of candidates per second. Defences are a password policy that rejects words found in breach lists, rate limiting and lockout for online attempts, and salted, slow password hashing for stored passwords.
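The following added example (Go, not code from the page or its vendor) runs a dictionary attack against a constructed "leak" of password hashes twice: once against unsalted SHA-256, where one hash per dictionary word cracks every reused password at once, and once against per-account salted hashes, where the whole dictionary has to be rehashed for every account. The wordlist, account names, salts and passwords are all made up; a real list holds millions of entries and a real deployment adds a slow KDF on top of the salt.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// wordlist is a constructed mini-dictionary standing in for a real one.
var wordlist = []string{"123456", "password", "qwerty", "letmein", "welcome", "Summer2024"}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// unsaltedDump is a constructed leak: one fast, unsalted hash per account.
var unsaltedDump = map[string]string{
	"alice": sha256Hex("password"),
	"bob":   sha256Hex("Summer2024"),
	"carol": sha256Hex("correct horse battery staple"),
}

// AttackUnsalted hashes each dictionary word once and looks every account up
// in that table. The cost is len(words) hash operations regardless of how
// many accounts leaked, which is why unsalted fast hashes fall immediately.
func AttackUnsalted(dump map[string]string, words []string) (cracked map[string]string, hashOps int) {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[sha256Hex(w)] = w
		hashOps++
	}
	cracked = map[string]string{}
	for user, h := range dump {
		if w, ok := table[h]; ok {
			cracked[user] = w
		}
	}
	return cracked, hashOps
}

type saltedRecord struct{ salt, hash string }

func saltedHash(salt, password string) string { return sha256Hex(salt + ":" + password) }

// saltedDump is the same leak stored with a unique per-account salt.
var saltedDump = map[string]saltedRecord{
	"alice": {"s1", saltedHash("s1", "password")},
	"bob":   {"s2", saltedHash("s2", "Summer2024")},
	"carol": {"s3", saltedHash("s3", "correct horse battery staple")},
}

// AttackSalted cannot reuse a precomputed table: every account needs its own
// pass over the dictionary, so work grows with len(words)*len(dump). A slow
// KDF (bcrypt, scrypt, Argon2) multiplies each of these operations further.
func AttackSalted(dump map[string]saltedRecord, words []string) (cracked map[string]string, hashOps int) {
	cracked = map[string]string{}
	for user, rec := range dump {
		for _, w := range words {
			hashOps++
			if saltedHash(rec.salt, w) == rec.hash {
				cracked[user] = w
				break
			}
		}
	}
	return cracked, hashOps
}

func main() {
	c1, ops1 := AttackUnsalted(unsaltedDump, wordlist)
	c2, ops2 := AttackSalted(saltedDump, wordlist)
	fmt.Printf("unsalted: cracked %v with %d hash operations\n", c1, ops1)
	fmt.Printf("salted:   cracked %v with %d hash operations\n", c2, ops2)
}
```

The passphrase that is not in the dictionary survives both runs; that, plus the multiplied work for the salted case, is the whole argument for long passphrases and salted slow hashing.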

A digital certificate is a digitally signed data file that binds a public key to the identity of a user, server, or device, proving that identity through PKI technology and cryptography. Digital certificates help assure that only trusted users and devices access the company's network. Other use cases include confirming the authenticity of a website (TLS/SSL certificates).

Information contained in a digital certificate includes the subject's identity (for a user: name, organisation, department; for a device: hostname, IP address, or serial number), the issuer, the validity period, a certificate serial number, and the subject's public key. The matching private key is never part of the certificate; it stays with the certificate holder, who proves possession of it by signing. The body that inspects and verifies the identity of the certificate holder (device/user) and then signs the certificate is the Certificate Authority (CA).

A digital identity is the collection of attributes, credentials, and data that uniquely represents an individual, organization, or device in a digital environment. It includes authentication credentials (passwords, biometrics, certificates), profile information, behavioral patterns, and access rights. Robust digital identity management is foundational to zero trust security architectures and is governed by frameworks such as eIDAS in the EU.

A digital signature is a cryptographic mechanism that uses a private key to sign data such as a certificate, document, or software package in a way that can be verified by anyone with access to the corresponding public key. Digital signatures provide authentication, data integrity, and non-repudiation, confirming that the signed content originates from a known, verified source and has not been altered since it was signed. In the context of digital certificates, the CA's digital signature on a certificate is what establishes its trustworthiness within the PKI chain of trust.

Directory Server (DS) is a 3D Secure component operated by the card networks/schemes in the Interoperability domain. Roles of the Directory Server include:
- validating the 3DS Server, SDK, and 3DS Requestor
- authenticating the 3DS Server and ACS
- routing messages between the 3DS Server and ACS
- defining scheme-specific program rules (logos, time-out values, etc.)
- onboarding 3DS Servers and ACSs
- maintaining ACS and DS Start and End Protocol Versions and 3DS Method URLs

Domain control validation (DV) is the process by which a Certificate Authority verifies that the entity requesting a certificate actually controls the domain in question. It is the minimum validation requirement for all TLS/SSL certificates and is typically completed by placing a specific file at a well-known path on the web server, adding a DNS TXT record, or responding to an email sent to the domain's registered address. DV proves control of the domain only; it says nothing about the legal identity of the organisation behind it, which is what OV and EV validation add.

The Digital Operational Resilience Act (DORA) is an EU regulation that establishes a comprehensive framework for the digital operational resilience of financial entities, including banks, insurers, investment firms, and their critical ICT third-party providers. DORA mandates requirements for ICT risk management, incident reporting, digital resilience testing, and third-party risk oversight, with the aim of ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions. DORA became applicable on 17 January 2025.

Dynamic linking, a requirement of the PSD2 Strong Customer Authentication rules, demands that each transaction be assigned a unique authentication code that is cryptographically bound to the transaction amount and the payee, and that the payer is shown that amount and payee when authenticating. The goal of dynamic linking is to defeat attacks such as man-in-the-middle, where the fraudster inserts themselves between the payer and the payee, alters the transaction details, and tries to get the altered transaction authorised. With dynamic linking in place, the authentication code becomes invalid as soon as any of the linked transaction details change, so the altered transaction fails.
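As an added example (Go, not code from this page or its vendor), the binding can be implemented as an HMAC computed by the issuer over a canonical encoding of amount, currency, payee and a fresh nonce. The issuer key, the payee identifier and the transaction values below are constructed for the demonstration; a production system would keep the key in an HSM and include whatever other fields the scheme requires.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// demoKey stands in for the issuer's per-cardholder secret (assumption).
var demoKey = []byte("constructed-demo-key-not-for-production")

// Transaction holds the details the authentication code is linked to.
type Transaction struct {
	Amount   int64  // minor units, e.g. cents
	Currency string
	Payee    string   // payee identifier (IBAN, merchant ID)
	Nonce    [16]byte // fresh per transaction, makes the code unique
}

// canonical serialises the linked fields unambiguously: fixed-width amount,
// length-prefixed strings, then the nonce, so no two field sets collide.
func (t Transaction) canonical() []byte {
	buf := make([]byte, 0, 64)
	buf = binary.BigEndian.AppendUint64(buf, uint64(t.Amount))
	for _, field := range []string{t.Currency, t.Payee} {
		buf = binary.BigEndian.AppendUint32(buf, uint32(len(field)))
		buf = append(buf, field...)
	}
	return append(buf, t.Nonce[:]...)
}

// NewTransaction fills in a random nonce; the issuer generates it when the
// payer is asked to approve the transaction.
func NewTransaction(amount int64, currency, payee string) (Transaction, error) {
	t := Transaction{Amount: amount, Currency: currency, Payee: payee}
	_, err := rand.Read(t.Nonce[:])
	return t, err
}

// AuthCode is what the issuer computes after the payer has approved exactly
// this amount and payee on their authenticator.
func AuthCode(key []byte, t Transaction) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(t.canonical())
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyAuthCode runs when the transaction arrives for authorisation. If a
// man-in-the-middle changed the payee or amount in flight, the recomputed MAC
// differs from the code the payer authenticated and the payment is refused.
func VerifyAuthCode(key []byte, t Transaction, code string) bool {
	given, err := hex.DecodeString(code)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(t.canonical())
	return hmac.Equal(mac.Sum(nil), given)
}

func main() {
	tx, _ := NewTransaction(4999, "EUR", "merchant-42") // 49.99 EUR, constructed
	code := AuthCode(demoKey, tx)
	fmt.Println("genuine transaction accepted:", VerifyAuthCode(demoKey, tx, code))
	tampered := tx
	tampered.Payee = "mule-account-99"
	fmt.Println("payee swapped in transit accepted:", VerifyAuthCode(demoKey, tampered, code))
}
```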

E

End-to-end encryption (E2EE) provides secure communication by preventing any third party from accessing the data in transit. With E2EE the data is encrypted on the sender's device and only the intended recipient can decrypt it. The data cannot be read by an ISP (Internet service provider), an ASP (application service provider), an attacker on the network, or even the operator of the messaging service, which relays and stores only ciphertext.

EMVCo is the technical body, originally established by Europay, MasterCard, and VISA and today owned by the major card schemes, that develops and manages the EMV specifications for secure payments, including chip and contactless cards, payment tokenisation, and EMV 3-D Secure (3DS2). It facilitates worldwide interoperability and acceptance of secure payments.

Encryption is a method of making data unreadable to anyone who is not authorised to read it. The plaintext, a message readable by anyone, is converted with an encryption algorithm and a key into ciphertext, incomprehensible text made up of seemingly random characters. Only a party holding the right key can reverse the process and recover the plaintext.

In the context of certificate management, encryption standards refer to the cryptographic algorithms and key length requirements that digital certificates must meet to be considered secure and compliant. Current industry standards require a minimum key length of 2048 bits for RSA certificates, with ECC (Elliptic Curve Cryptography) keys of 256 bits or more as the modern alternative. Certificates using deprecated signature algorithms such as SHA-1, or key lengths below the accepted thresholds, are flagged as non-compliant and must be replaced.

An end-entity certificate, also called a leaf certificate, is the digital certificate issued directly to a website, server, application, or user, as opposed to the intermediate or root certificates that form the upper layers of the PKI trust chain. It is the certificate a browser validates during the TLS handshake, checking its signature chain up to a trusted root, before establishing an encrypted connection.

EST (Enrollment over Secure Transport, RFC 7030) is a certificate enrollment protocol that enables automated certificate issuance and renewal over HTTPS, using TLS for transport security and for authenticating the client. It is the modern successor to SCEP in many enterprise PKI environments, offering improved security and flexibility for automated certificate management across network devices, servers, and IoT endpoints.

F

False declines are legitimate transaction attempts that are declined because of suspected fraud. They are also called ''false positives'': fully valid transactions classified as fraudulent and rejected by the ACS.

A false positive, in cybersecurity terms, is an alert that incorrectly reports benign activity to the security team as malicious.

Frictionless flow enables Issuing banks to authenticate an online transaction without interacting with the cardholder. This is possible because of Risk-Based Authentication performed in the ACS. If ACS (Issuer) deems that transaction risk is lower than the set threshold, the cardholder is not required to apply any additional authentication.

Friendly fraud differs from conventional card-not-present fraud because the fraudster is the actual owner of the payment card being used to commit a fraudulent purchase. The initial intent of the fraudster in question is to receive and retain goods and services while asking for chargeback under the claim that they are not the ones who made the purchase or that the goods were never delivered.

G

The General Data Protection Regulation (GDPR) is a comprehensive EU data privacy law that governs how organizations collect, process, store, and transfer the personal data of EU/EEA residents. It grants individuals rights including data access, rectification, erasure ('right to be forgotten'), and data portability. GDPR imposes strict obligations on data controllers and processors, with penalties for non-compliance of up to 4% of global annual turnover or €20 million, whichever is greater.

H

A hacker is an individual that uses their technical skills to gain unauthorized access to computers/services/networks.

Hooking covers a wide range of code modification methods aimed at altering the behavior of the mobile application in question. This is done by intercepting function calls, messages, or events passed between the software components. The code used for function interception is called a hook. It applies to changing the behavior of operating systems and software components.  

HSM (Hardware Security Module) is a dedicated physical device used to generate, store, and protect cryptographic keys. HSMs ensure that private keys never exist in software or unprotected memory, significantly reducing the risk of key compromise. They are widely used by Certificate Authorities and enterprises managing large volumes of machine identities and digital certificates. 

HTTP, short for Hypertext Transfer Protocol, is a protocol used for transferring files, including text, sound, video, images, etc., over the web. HTTP enables communication between the web browser and the web server.

HTTPS, short for Hypertext Transfer Protocol Secure, is the secure version of HTTP, the primary protocol used for communication between web browsers and web servers. HTTPS runs HTTP over TLS: it encrypts the data in transit and authenticates the server through its certificate, so the user knows they are talking to the genuine site and nobody on the path can read or alter the exchange. HTTPS is especially important in cases where a user submits sensitive data such as credit card information on a website.

I

Identity and Access Management (IAM) is the framework of policies, processes, and technologies that ensures the right individuals have the appropriate access to the right resources at the right time, and that unauthorized access is prevented. IAM encompasses user authentication, authorization, role-based access control (RBAC), single sign-on (SSO), multi-factor authentication (MFA), privileged access management (PAM), and identity lifecycle management. It is a cornerstone of zero trust security architectures.

Identity Governance and Administration (IGA) is a subset of IAM that focuses on the policies and processes for managing digital identities and controlling access across an organization. IGA encompasses user provisioning and de-provisioning, access certification and reviews, role management, segregation of duties (SoD) enforcement, and audit reporting. IGA platforms provide visibility and control over who has access to what, reducing the risk of privilege creep and compliance violations.

Internet Information Services (IIS) is Microsoft's web server platform built into Windows Server environments. In the context of certificate management, IIS is a common deployment target for TLS/SSL certificates in enterprise Windows-based infrastructure, where certificate renewal and installation are managed either manually or through automated certificate lifecycle management tools.

An intermediate certificate is a digital certificate issued by a root Certificate Authority and used to sign end-entity certificates. Intermediate certificates act as a buffer between the root CA and the certificates issued to websites and services: the root's private key can stay offline and be used rarely, and if an intermediate is compromised it can be revoked without replacing the root in every trust store.

The Issuing bank, or the Issuer, is the financial institution that issues cards to cardholders to make payments with.

ITSM (IT Service Management) integration in certificate lifecycle management refers to the ability of a CLM platform to connect with IT service management tools such as ServiceNow or Jira, enabling certificate renewal requests, expiration alerts, and deployment tasks to be managed within existing IT operations workflows. ITSM integration ensures that certificate management is embedded in the organization's standard change management and incident response processes.

J

Jailbreak detection is a mobile application security mechanism that identifies whether an iOS device has been jailbroken, meaning manufacturer-imposed security restrictions have been removed to allow root access. Jailbroken devices are more vulnerable to malware, hooking attacks, and unauthorized app installations. Mobile security SDKs implement jailbreak detection to prevent sensitive applications from running in potentially compromised environments.

Jailbreaking (specific to iOS devices) means removing the restrictions the manufacturer built into the device, giving the user root access. The user can then install applications from outside the App Store or customise the phone's appearance. On the downside, a jailbroken phone is more vulnerable to attack and data leakage, because the controls that isolate apps from each other and enforce code signing are weakened.

JavaScript is a programming language that enables the implementation of complex features on web pages. JavaScript enables dynamic content updates, multimedia control, image animation, etc.

K

Key length refers to the size of a cryptographic key measured in bits, which directly determines the computational difficulty of breaking the encryption. For RSA certificates, the current minimum accepted key length is 2048 bits, with 4096 bits recommended for sensitive environments. For ECC certificates, 256 bits is the standard minimum. Key length is a core parameter of certificate policy enforcement. Certificates using insufficient key lengths are considered non-compliant and must be replaced.

A key pair is a set of two mathematically related cryptographic keys, a public key and a private key, generated together for use in asymmetric cryptography. The public key is embedded in the digital certificate and shared openly, while the private key is kept secret by the certificate owner and used to sign, proving identity during the TLS handshake, or to decrypt data that was encrypted to the public key. The security of the entire certificate depends on the private key remaining confidential; if it leaks, the certificate must be revoked and reissued with a new key pair.
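The following added example (Go, not code from this page or its vendor) ties together the entries above on digital certificates, digital signatures, intermediate and end-entity certificates, key length, and key pairs: it generates a root CA, an intermediate signed by the root, and a leaf signed by the intermediate, verifies the leaf the way a browser does, and applies the key-length and signature-algorithm policy the glossary states. The CA names, the hostname and the deliberately weak 1024-bit RSA certificate are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template holds what a CA fills in before signing: subject, validity, serial
// number, and the constraints that separate CA certificates from leaves.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl, which carries the subject's public key pub, with the
// issuer's private key. A nil parent means self-signed, i.e. a root. Only the
// public key goes into the certificate; the subject's private key never does.
func issue(tmpl, parent *x509.Certificate, pub, issuerKey any) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain produces root -> intermediate -> leaf, each signed by the level
// above; only the root has to be trusted a priori.
func BuildChain(hostname string) (leaf, inter, root *x509.Certificate, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if root, err = issue(template("Example Root CA", 1, true), nil, &rootKey.PublicKey, rootKey); err != nil {
		return
	}
	if inter, err = issue(template("Example Issuing CA", 2, true), root, &interKey.PublicKey, rootKey); err != nil {
		return
	}
	leaf, err = issue(template(hostname, 3, false), inter, &leafKey.PublicKey, interKey)
	return
}

// VerifyLeaf does what a browser does in the handshake: check the leaf's
// signature against the intermediate, the intermediate's against a trusted
// root, both validity periods, and that the name matches the host.
func VerifyLeaf(leaf, inter, root *x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

// CheckKeyPolicy applies the policy stated in the glossary: RSA keys of at
// least 2048 bits, EC keys of at least 256 bits, no MD5/SHA-1 signatures.
func CheckKeyPolicy(cert *x509.Certificate) error {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < 2048 {
			return fmt.Errorf("RSA key too short: %d bits", bits)
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < 256 {
			return fmt.Errorf("EC key too short: %d bits", bits)
		}
	default:
		return fmt.Errorf("unsupported key type %T", pub)
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		return fmt.Errorf("deprecated signature algorithm %s", cert.SignatureAlgorithm)
	}
	return nil
}

// WeakSelfSigned builds a 1024-bit RSA certificate the policy must reject.
func WeakSelfSigned() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	return issue(template("legacy.example.test", 4, false), nil, &key.PublicKey, key)
}

func main() {
	leaf, inter, root, err := BuildChain("shop.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("chain verifies:", VerifyLeaf(leaf, inter, root, "shop.example.test") == nil)
	fmt.Println("wrong host:", VerifyLeaf(leaf, inter, root, "evil.example.test"))
	weak, _ := WeakSelfSigned()
	fmt.Println("leaf policy:", CheckKeyPolicy(leaf), "| weak policy:", CheckKeyPolicy(weak))
}
```

Two things worth noticing: verification fails if the intermediate is missing even though the root is trusted, which is the classic "works in one browser, not the other" misconfiguration, and the only secret that ever existed for the leaf is `leafKey`, which is never written into any certificate.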

Key rotation is the process of replacing existing cryptographic keys with new ones on a regular schedule or following a security incident. Regular key rotation limits the window of exposure if a private key is compromised and is a core practice in certificate lifecycle management and PKI hygiene. In zero-trust architecture environments, key rotation is considered a baseline security requirement.

The Know Your Customer/Client (KYC) principle, found in financial services regulation, requires an institution to perform the necessary checks to verify the identity and suitability of its customer/client and the risks involved in maintaining a business relationship with them.

L

Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral protocol used to access and manage distributed directory information services, such as Active Directory, over a network. LDAP is widely used for centralized user authentication and authorization in enterprise environments, enabling applications to query a directory server to verify credentials and retrieve user attributes. LDAP can be secured with TLS (LDAPS) to protect credentials in transit.

The principle of least-privilege access holds that every user, application, and system should be granted only the minimum permissions necessary to perform its intended function — and no more. By limiting access rights, organizations reduce the blast radius of compromised credentials, insider threats, and lateral movement by attackers. Least-privilege access is a foundational principle of zero trust security and a key requirement in frameworks such as GDPR, NIS2, and DORA.

Liability shift is the rule under which responsibility for fraud-related chargebacks moves from the merchant to the issuing bank when a transaction has been authenticated with 3D Secure. If a 3D Secure-authenticated transaction later proves to be fraudulent, the issuer, not the merchant, bears the loss and refunds the affected cardholder.

M

Machine Learning (ML) is a type of Artificial Intelligence (AI) and computer science that uses data and algorithms with the goal of imitating the human learning process that results in improved, more accurate predictions.

Malware is software specifically designed to gain unauthorized access, damage, or disrupt a system or a network.

Man-in-the-Browser (MitB) is a type of Man-in-the-Middle attack where the bad actor inserts themselves into the communication between two trusting parties by compromising the web browser used by one of them, typically through a malicious extension or injected malware. The motivation behind Man-in-the-Browser attacks includes data theft, eavesdropping, and session tampering, for example silently altering the details of a transaction the user submits while the browser still displays what the user intended.

A Man-in-the-Middle (MitM) attack is a term used for malicious interception of a conversation between the user and an app (or another user). The process involves impersonating the other party, making it seem like a standard exchange of information. The main motivations behind a Man-in-the-Middle attack are either impersonation or eavesdropping.

The goal of a Man-in-the-Middle attack is to steal sensitive information (e.g., personal, financial, enterprise data). The most common targets of a Man-in-the-Middle attack are financial apps, users, e-commerce websites and other services requiring login credentials. The consequences of a Man-in-the-Middle attack vary from account takeover, identity theft to illicit fund transfers.

The simplest parallel for a Man-in-the-Middle attack is a mail carrier who opens your personal mail, copies the contents (or alters them), and reseals the envelope so that neither you nor the sender notices.

Merchant Whitelisting, or Trusted Beneficiaries, enables cardholders to choose known merchants who they trust in order to skip the additional authentication step. Regardless of the transaction amount or merchant fraud rate, SCA won't be applied.

Multi-Factor Authentication, or MFA, is a way of confirming the user's identity by checking two or more security elements from different categories. The mentioned security elements include something the user knows (PINs, passwords), something the user owns (phone, card), and something the user is (fingerprint, face recognition).

Mixed environments refer to infrastructure architectures that combine on-premise servers, private cloud, public cloud, and hybrid deployments within a single organization. In the context of certificate management, mixed environments significantly increase operational complexity, as certificates must be discovered, monitored, and renewed across heterogeneous systems with different tooling, ownership models, and renewal processes, making automated certificate lifecycle management essential.

Mobile app integrity refers to the assurance that a mobile application has not been altered, tampered with, or repackaged since it was originally signed and published by its developer. Integrity verification detects unauthorized modifications to the app binary, resources, or configuration — protecting against the distribution of malicious clones and ensuring that users are running the genuine, unmodified version of the application.

Mobile application management (MAM) is software that lets IT deliver, configure, secure, and control enterprise applications on end users' devices, both personal and corporate-owned (smartphones and tablets).

Mobile application management is used to apply corporate policies and to limit data transfers between applications. Another feature MAM covers is the separation of personal and corporate content stored on the same device. Additional features mobile application management software enables are software delivery (mostly through an enterprise app store), license management, application configuration, as well as inventory and app lifecycle management.

Mobile application security is a general term used for securing mobile apps and the users' digital identities from malicious attacks. Mobile application security aims to safeguard mobile applications from reverse engineering attacks, tampering, malware, debugging, and emulator attacks, as well as some platform-specific mobile threats such as screen recording (iOS).

A solid mobile application security strategy should implement a layered approach and incorporate multiple mobile app security measures such as RASP mechanism and code obfuscation.

Mobile app hardening is the process of applying a comprehensive set of security controls to a mobile application to make it resilient against attack, particularly in untrusted or hostile environments. Hardening techniques include binary protection, anti-debugging, anti-tampering controls, secure storage enforcement, certificate pinning, and runtime threat detection. Hardened apps maintain their security posture even when deployed on compromised or rooted/jailbroken devices.

Programmers use debuggers to aid the debugging process. A debugger is a tool that lets you view the application code while it is running: you can stop execution, inspect variable values, step through the program line by line, set breakpoints on specific lines that halt execution, and more. This detailed view of the running code helps you understand flows and application logic and detect errors within the code.

Although mobile debuggers are convenient tools for making sure that the application code runs properly, they can also be used for malicious purposes. A bad actor who attaches a debugger to a legitimate application can step through its logic, read secrets and tokens out of memory, and bypass client-side checks, which makes it far easier to build a tampered copy of the app. This is why anti-debugging is part of mobile app hardening.

Mobile Device Management (MDM) is software that enables IT to control, secure, and automate administrative policies on employees' devices connected to the organization's network. Generally, the goal of Mobile Device Management software is to optimize device support, enhance enterprise functionality and security while preserving flexibility (e.g., BYOD policies).

Mobile app shielding is a comprehensive set of in-app security techniques applied to a mobile application to protect it from reverse engineering, tampering, and runtime attacks, even when deployed in a hostile or compromised environment. It typically combines code obfuscation, RASP (Runtime Application Self-Protection), anti-debugging, anti-rooting/jailbreak detection, and integrity verification into a unified defense-in-depth layer built directly into the app.

Mobile emulators are tools designed for running tests on mobile devices using desktop computers, particularly useful when it comes to testing mobile applications. They allow developers to simulate, imitate, and optimize mobile app software and hardware behavior without the need to use multiple types of devices.  

Mutual TLS (mTLS) is an extension of the standard TLS protocol in which both the client and the server authenticate each other using digital certificates, rather than only the server authenticating itself to the client. mTLS is a foundational component of zero-trust architecture, commonly used to secure API-to-API communication, microservices, and machine-to-machine connections where both parties must verify each other's identity before establishing an encrypted connection. 

N

Nginx is a high-performance open-source web server and reverse proxy commonly used for serving web applications and managing traffic at scale. In the context of certificate management, Nginx is one of the primary server environments on which TLS/SSL certificates are deployed and renewed, frequently automated via the ACME protocol.

The Network and Information Security Directive 2 (NIS2) is an EU cybersecurity directive that establishes minimum security requirements and incident reporting obligations for organizations in critical and important sectors, including energy, transport, banking, healthcare, digital infrastructure, and public administration. NIS2 significantly expands the scope of its predecessor (NIS1), introduces stricter governance and accountability requirements, and imposes greater penalties for non-compliance. Member states were required to transpose NIS2 into national law by October 2024.

Non-Payment Authentication enables merchants to submit an authentication request when it is necessary for a non-payment use case. Such use cases can be adding a card to a merchant's website, modifying stored cardholder information, or issuer cardholder verification during token provisioning.

O

OAuth 2.0 is an open authorization framework (RFC 6749) that enables a user to grant a third-party application limited access to their resources on a server, without sharing their credentials. It is widely used for delegated authorization in web and mobile applications, underpinning 'Sign in with Google/Apple/Facebook' flows and open banking API access under PSD2. OAuth 2.0 defines multiple grant types to accommodate different use cases and client types.

OCSP (Online Certificate Status Protocol) is a protocol used to check the revocation status of a digital certificate in real time. Unlike a CRL (Certificate Revocation List), which requires downloading the issuer's full list, OCSP lets a client query the status of a single certificate from the CA's responder, making it faster and more efficient for modern certificate validation. Because many clients soft-fail when the responder is unreachable, OCSP stapling, in which the server sends a recent signed OCSP response along with its certificate, is the preferred deployment.

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol that enables clients to verify the identity of an end-user based on authentication performed by an authorization server. OIDC extends OAuth 2.0's authorization capabilities with an ID Token — a JSON Web Token (JWT) containing user identity claims — and a UserInfo endpoint, enabling federated single sign-on (SSO) and identity verification across applications and services.

One-Click-Payment is a form of Card-On-File payment. By saving the card details on a particular site, the cardholder is able to skip authentication and process a payment with a single click on the ''buy'' button.

Out-Of-Band (OOB) Authentication is a form of two-factor authentication (2FA) that implies a secondary communication channel necessary for successful authentication. The use of two separate communication channels significantly reduces the attacker's chances of compromising a particular account. It is widely used in the financial industry for online payment authorization. A typical use case is receiving an SMS OTP or push notification on your mobile phone in order to successfully process an online transaction. Common forms of OOB authentication are authorization codes sent via SMS, use of voice channel, push notification containing an authorization code, etc.

Open Source Software is software released under a license that grants anyone permission to access, examine, modify, and redistribute the source code under the terms of that license.

One Time Password (OTP) is an authentication method involving an automatically generated numeric or alphanumeric code that is valid for only one login session or transaction authorisation. Think of it as a ''disposable'' code used to authorise a single transaction. OTPs are commonly delivered via SMS and are widely used in online banking; because SMS is exposed to SIM swapping and interception, authenticator apps (TOTP) or push-based approval are the stronger options.
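As an added example (Go, not code from this page or its vendor), here is the standard way OTPs are generated and checked: HOTP (RFC 4226), TOTP (RFC 6238) built on top of it, and a server-side verifier that enforces the "one time" property by refusing any code at or below the last counter it accepted, so a code phished or intercepted from an SMS cannot be replayed after the legitimate user has spent it. The secret is the RFC 4226 test vector secret; the window and step sizes are the customary defaults.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation to 31 bits, then reduction to the requested digit count.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP implements RFC 6238: HOTP whose counter is the number of time steps
// since the Unix epoch, so the code changes every step (30 s is customary).
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// Verifier is the server side. A code is accepted only within ±skew steps of
// the current time, and never for a counter at or below the last one that
// succeeded, which is what makes the password one-time.
type Verifier struct {
	secret      []byte
	step        time.Duration
	digits      int
	lastCounter uint64
	used        bool
}

func NewVerifier(secret []byte, step time.Duration, digits int) *Verifier {
	return &Verifier{secret: secret, step: step, digits: digits}
}

func (v *Verifier) Verify(code string, at time.Time, skew int) bool {
	now := int64(uint64(at.Unix()) / uint64(v.step/time.Second))
	for d := -skew; d <= skew; d++ {
		c := now + int64(d)
		if c < 0 || (v.used && uint64(c) <= v.lastCounter) {
			continue
		}
		// constant-time compare so timing does not leak how many digits matched
		if hmac.Equal([]byte(HOTP(v.secret, uint64(c), v.digits)), []byte(code)) {
			v.lastCounter, v.used = uint64(c), true
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("counter %d: %s\n", c, HOTP(secret, c, 6))
	}
	v := NewVerifier(secret, 30*time.Second, 6)
	at := time.Unix(59, 0)
	code := TOTP(secret, at, 30*time.Second, 6)
	fmt.Println("first use:", v.Verify(code, at, 1), " replay:", v.Verify(code, at, 1))
}
```

The first three HOTP values printed are 755224, 287082 and 359152, the published RFC 4226 vectors, which is the quickest way to check an implementation before trusting it with real secrets. Note that a delivery channel (SMS, push) changes nothing about the generation and verification logic; it only changes who can see the code in transit.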

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security through community-driven open-source projects, research, and education. OWASP is best known for the OWASP Top 10, an authoritative list of the most critical web application security risks, as well as the Mobile Application Security Testing Guide (MASTG, formerly MSTG), the Application Security Verification Standard (ASVS), and other security frameworks widely used by developers and security professionals worldwide.

Overlay attacks are a type of mobile malware attack in which a malicious application or code displays a fake, transparent UI layer on top of a legitimate app, such as a banking application, to capture credentials, OTPs, or card details entered by the user. The victim interacts with what they believe is the genuine app, unaware that their input is being intercepted. RASP and app integrity checks are key defenses against overlay attacks.

P

Passwordless authentication is a method of verifying user identity without requiring a traditional password. Instead, it relies on possession-based or inherence-based factors such as biometrics (fingerprint, face recognition), hardware security keys, magic links sent via email, or FIDO2-compliant device authenticators. Passwordless authentication eliminates the primary attack surface exploited in credential theft, phishing, and brute-force attacks while improving the user experience.

In PSD2 terminology, the Payee is the merchant, i.e., the entity selling goods/services online.

In PSD2 terminology, the "Payee's PSP" is the Acquirer for card payments.

In PSD2 terminology, the "Payer" is the consumer, i.e., the customer buying goods/services online.

In PSD2 terminology, the "Payer's PSP" is the Issuer for card payments.

Payment gateway is an online payment service necessary for the functioning of an eCommerce webshop. It is a channel used for making and receiving payments. The primary role of a payment gateway is to verify transactions between cardholders and merchants. It is a mechanism that transfers funds between the cardholder's issuing bank and the merchant's acquiring bank.

Penetration testing, also known as pen testing, is a simulated cyberattack on a system aimed at uncovering existing vulnerabilities. Pen testing covers the many application components that are prone to vulnerabilities such as malicious code injection. The results of a pentest are generally used to fine-tune security policies and patch the flaws detected within the system.

Perfect Forward Secrecy (PFS) is a TLS property that ensures session encryption keys are generated fresh for every connection and never derived from the server's long-term private key. If a private key is compromised in the future, PFS ensures that past encrypted sessions cannot be decrypted retroactively. Considered a best practice for any infrastructure where data confidentiality and long-term encrypted communication security are priorities.

Phishing is a cybercrime commonly conducted through media such as e-mail, telephone, or direct messages. The bad actor presents themselves as a trustworthy party, often a government body or a reputable CEO, and prompts the user to hand over some type of sensitive information (user credentials, credit card details, sensitive company information, etc.). The content of the message usually conveys urgency. Possible outcomes of a phishing attack include identity theft and the illicit withdrawal of funds.

Authorized Payment Initiation Service Providers (PISPs) are able to move funds on the customer's behalf once connected to the bank account. An example of a practical use case is the automatic transfer of funds to a customer's savings account.

PKI orchestration is the automated coordination of certificate lifecycle operations across multiple Certificate Authorities, infrastructure components, and deployment targets within a Public Key Infrastructure environment. It enables organizations to enforce consistent policies, automate issuance and renewal workflows, and maintain centralized visibility across both public and private CA estates simultaneously, regardless of the underlying CA vendor or deployment environment.

PoC, short for Proof of Concept, summarizes evidence proving that a particular business plan or a project is feasible.

A private CA is a Certificate Authority operated internally by an organization to issue digital certificates for internal use including certificates for servers, APIs, microservices, Kubernetes workloads, IoT devices, and machine-to-machine communication, without relying on a publicly trusted CA. Private CAs enable organizations to automate internal certificate issuance at scale, enforce custom certificate policies, and manage short-lived certificates for zero trust and mTLS environments without incurring per-certificate public CA issuance costs.

PSD2 or The Second Payment Services Directive is a comprehensive set of rules whose main goal is to achieve simple, efficient, and secure online payments across Europe. The main goals of the directive include offering a broader supply and better pricing for the end-users, creating more competition, ultimately bringing more efficiency, and working on improving consumer trust. The most notable suggestions covered in PSD2 striving to level the payments playing field are expanding the EU payments market, empowering consumers, and restricted interchange fees.

PSD3 (Third Payment Services Directive) is the proposed successor to PSD2, currently under development by the European Commission. It aims to further modernize the EU payments regulatory framework by addressing gaps identified in PSD2 implementation — including open banking API performance, SCA usability, and liability frameworks — and adapting to new payment technologies and market developments such as digital wallets and instant payments. PSD3 is expected to be accompanied by a directly applicable Payment Services Regulation (PSR).

Payment Service Providers or PSPs are responsible for enabling merchants to accept payments, both credit, and debit, from cardholders. It is an entity that connects merchants, cardholders, card schemes, issuing banks, and acquiring banks.

Payment Service Users (PSUs) are users of any of the service providers: TPPs, PISPs, ASPSPs, AISPs.

Public-facing infrastructure refers to servers, applications, APIs, and services that are accessible to users or systems outside the organization's internal network, including websites, customer portals, payment platforms, and public APIs. All public-facing infrastructure must use CA-issued TLS/SSL certificates to establish browser trust and encrypted connections. Self-signed certificates are never appropriate for public-facing infrastructure, as they will trigger browser trust warnings for all external users.

Push authentication is a multi-factor authentication method in which the authentication system sends a push notification to the user's registered mobile device, prompting them to approve or deny an access request or transaction with a single tap. Unlike OTP-based methods, push authentication does not require the user to manually enter a code, delivering a frictionless experience while maintaining strong security. It is widely used in mobile banking and enterprise authentication solutions.

A push notification is a pop-up message appearing on a user's smartphone, web browser, or desktop prompting the user to take a certain action. In terms of authentication, push notification authentication enables the user to verify their identity through a push notification appearing on their mobile device instead of submitting their password for a particular service. Push notification authentication is a popular method in mobile/internet banking.

Q

QR code authentication is a login or transaction verification method in which a QR code is displayed on one device (e.g., a browser on a desktop) and scanned by the user's trusted mobile device to confirm their identity. The mobile device acts as a second factor of authentication, combining possession (the registered device) with optional biometric verification. QR code authentication is phishing-resistant and provides a seamless user experience for cross-device login scenarios.

R

Ransomware is a type of malware that, once executed, encrypts the target's data, making it inaccessible until a certain amount of money is paid to the attacker.

Rekeying is the process of generating a new private key and CSR when renewing a digital certificate, rather than reusing the existing cryptographic keys. It is considered a security best practice as it limits the exposure window of any given private key and ensures that renewed certificates are built on fresh cryptographic material.

Reverse engineering in cyber security refers to deconstructing the software in order to extract useful information about its design and architecture with the end goal of duplicating or enhancing the software.

Risk-Based Authentication or RBA is a fraud-prevention mechanism that determines the risk level of a particular transaction. Based on the risk assessment, an appropriate authentication method is required from the cardholder; or, if high risk is detected, the transaction is terminated. This method has proven effective against account takeover attacks and mobile payment fraud. RBA is also known as step-up authentication or adaptive authentication.

Root detection is a mobile application security mechanism that identifies whether an Android device has been rooted, meaning the user has gained superuser (root) access by bypassing Android's built-in security model. Rooted devices present elevated security risks, including exposure to malware with elevated privileges, bypassing of security controls, and tampering with application data. Security-sensitive apps implement root detection to refuse operation or warn users when a rooted device is detected.

RASP, short for Runtime Application Self-Protection, is a security component built into the application's runtime environment, enabling protection from the inside. Since Runtime Application Self-Protection is an integral part of the application, it allows real-time monitoring and detection of any anomaly in the mobile app's runtime behavior. With continuous monitoring of the app's behavior, RASP protects the mobile application from data breaches, various mobile app security threats (e.g., hooking and emulator attacks), and tampering - without any human intervention.

S

Security Assertion Markup Language (SAML) is an open XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). SAML is widely used for enterprise Single Sign-On (SSO), enabling users to authenticate once with their corporate identity provider and gain access to multiple applications without re-entering credentials. SAML 2.0 is the current standard and is commonly used alongside OAuth 2.0 and OIDC in modern identity architectures.

A SAN certificate is a TLS/SSL digital certificate that uses the Subject Alternative Name extension to explicitly list multiple domain names, subdomains, and IP addresses covered by a single certificate. Unlike wildcard certificates, which use pattern matching to cover all first-level subdomains, SAN certificates specify each covered domain individually, making them more flexible for organizations managing multiple distinct domains or second-level subdomains within a single certificate.

SAN (Subject Alternative Name) is a certificate extension that allows a single TLS/SSL certificate to cover multiple domain names, IP addresses, or subdomains. SAN certificates — also called multi-domain certificates — are commonly used by organizations managing complex infrastructure, as they reduce the total number of certificates required while maintaining individual domain coverage.
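The two entries above hinge on how a client decides whether a certificate covers a given name: wildcard entries match only one label, while a SAN lists every name explicitly. The following is an added example (not code from this glossary or any CA vendor) implementing that matching rule over a constructed list of SAN entries, in the shape a client sees after parsing the extension; the sample names and the IP address are constructed for illustration.

```python
import ipaddress


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.

    A wildcard is only honoured as the entire left-most label ("*.example.com")
    and covers exactly one label, so "*.example.com" does not cover
    "eu.api.example.com" or the bare "example.com" (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject partial-label wildcards ("f*.example.com") and too-broad ones ("*.com")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False                      # wildcard spans a single label only
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_entries, target: str) -> bool:
    """san_entries: list of (kind, value) tuples, kind being "DNS" or "IP",
    as they appear in a parsed Subject Alternative Name extension."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None                  # target is a hostname, not an IP literal
    for kind, value in san_entries:
        if kind == "DNS" and target_ip is None and _dns_matches(value, target):
            return True
        # IP literals only ever match iPAddress entries, never DNS names
        if kind == "IP" and target_ip is not None and ipaddress.ip_address(value) == target_ip:
            return True
    return False


# Constructed SAN lists for illustration (assumed names, RFC 5737 test address).
WILDCARD_CERT = [("DNS", "*.example.com")]
SAN_CERT = [
    ("DNS", "example.com"),
    ("DNS", "api.example.com"),
    ("DNS", "eu.api.example.com"),
    ("IP", "203.0.113.10"),
]

if __name__ == "__main__":
    for name in ("api.example.com", "eu.api.example.com", "example.com", "203.0.113.10"):
        print(name, cert_covers(WILDCARD_CERT, name), cert_covers(SAN_CERT, name))
```

The second-level subdomain case is the one that usually surprises people: the wildcard certificate reports no coverage for `eu.api.example.com`, while the SAN certificate covers it because the name is listed individually.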

SCA exemptions are particular payment scenarios introduced by PSD2 that do not demand an additional authentication step. This approach enables a frictionless online payment experience for the cardholder, as well as reducing cart abandonment rates, which benefits merchants. SCA-exempted scenarios are the following: low-risk transactions, low-value payments (LVP), merchant whitelisting, corporate payments, and recurring payments. However, since the issuing bank is the one that approves whether a transaction will, in fact, be exempted, not all of the mentioned scenarios will automatically be exempted. This means that even if a transaction qualifies for an SCA exemption, the issuing bank might still request additional authentication.

Strong Customer Authentication (SCA) is an additional layer of security used for protecting online payments, which means the CH is going to be asked for authentication.

It is based on at least two out of three security elements, namely:
- knowledge (what the cardholder knows, e.g., PIN, password)
- possession (what the cardholder has, e.g., phone, hardware token)
- inherence (what the cardholder is, e.g., facial recognition, fingerprints)
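A point that the "two out of three" rule hides is that the two factors must come from different categories: a PIN plus a password is still single-category knowledge. The following added example (not from the glossary's authors) encodes that check and also shows the step-up decision discussed under Step-up authentication below: given what the user has already presented, which category would complete SCA. The mapping of authenticator names to categories is an assumption chosen for illustration.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # what the cardholder knows
    POSSESSION = "possession"  # what the cardholder has
    INHERENCE = "inherence"    # what the cardholder is


# Assumed, illustrative classification of authenticator types into SCA categories.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "device_binding": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def categories_present(presented):
    """Distinct SCA categories covered by the presented authenticators.
    Unknown authenticator names are ignored rather than trusted."""
    return {AUTHENTICATOR_CATEGORY[a] for a in presented if a in AUTHENTICATOR_CATEGORY}


def sca_satisfied(presented) -> bool:
    """SCA needs at least two *different* categories; two knowledge factors do not count."""
    return len(categories_present(presented)) >= 2


def step_up_options(presented):
    """Categories the user could still be challenged for to complete SCA.
    Empty set means no step-up is needed (SCA already satisfied)."""
    if sca_satisfied(presented):
        return set()
    return set(Factor) - categories_present(presented)


if __name__ == "__main__":
    print(sca_satisfied(["password", "pin"]))            # False: same category twice
    print(sca_satisfied(["password", "fingerprint"]))    # True
    print(step_up_options(["password"]))                 # {POSSESSION, INHERENCE}
```

A transaction flagged as low risk under an SCA exemption would skip this check entirely, but the decision to exempt rests with the issuer, so an implementation should be ready to run the step-up path even for transactions it expected to be exempt.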

SCEP (Simple Certificate Enrollment Protocol) is a protocol that enables automated certificate enrollment and renewal between network devices and a Certificate Authority, without manual intervention. It is widely used for managing certificates on network infrastructure such as routers, firewalls, and VPN gateways, and is a common protocol in enterprise private PKI environments alongside ACME and EST.

A self-signed certificate is a TLS/SSL certificate that is signed by its own creator rather than by a trusted, third-party Certificate Authority (CA). While self-signed certificates provide encryption, they are not trusted by browsers or clients by default, resulting in security warnings. They are commonly used in internal development, testing environments, and intranet services — but should not be used in public-facing applications where trust validation is required.

SIEM (Security Information and Event Management) integration in the context of certificate management refers to the ability of a CLM platform to feed certificate lifecycle events such as expiration warnings, revocation events, policy violations, and anomalous certificate changes into an organization's central security monitoring platform. SIEM integration enables certificate management events to be correlated with other security signals, supporting incident detection and compliance audit workflows.

SSO, short for Single Sign-On, is an authentication method that enables users to securely access multiple applications using a single set of credentials.

Single-Factor Authentication is a low-security authentication method commonly using a password as the single factor necessary to access an account or a service.

S/MIME is a standard for encrypting and digitally signing email messages using public key cryptography. It relies on digital certificates issued by a Certificate Authority to verify the sender's identity and ensure that email content has not been tampered with in transit. Widely used in enterprise environments where email data integrity and authentication are required for regulatory compliance.

Social engineering, in terms of information security, is the act of luring users into revealing sensitive information that is later used for fraudulent actions. Phishing attacks are good examples of social engineering.

Source code is a set of instructions written in a programming language that is easily read and understood by humans. Source code describes how a programmer wants a certain application/website/software to function. It is typically written in a text editor and later translated into a format the machine can execute. The translation is done by a compiler. Once source code undergoes such translation, it becomes object code.

Spoofing, in terms of cyber security, refers to imitating any entity involved in information technology (users, computers, networks, companies) in order to conduct fraudulent actions.

Spyware is a type of malicious software designed to gather information about the user by tracking their actions on the device (smartphone, laptop, tablet). The stolen data is later forwarded to a third party without the user's consent and used for fraudulent purposes.

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates a website's identity and enables encrypted communication between a web server and a browser. Although SSL has been deprecated in favor of the more secure TLS protocol, the term 'SSL certificate' is still widely used to describe TLS certificates. SSL/TLS certificates are issued by trusted Certificate Authorities (CAs) and are indicated by the padlock icon and HTTPS prefix in browser address bars.

SSL, short for Secure Sockets Layer, is a standard technology that keeps the internet connection secure and protects any sensitive data that is being transferred between two systems. SSL prevents bad actors from gaining access and modifying the information in transit. It protects both server-to-server and server-to-client communication.

Step-up authentication is a risk-adaptive security mechanism in which a user who has already authenticated at a base level is required to provide additional identity verification when attempting to access a higher-risk resource or perform a sensitive action. For example, a user logged in with a password may be prompted for biometric verification before approving a large financial transaction. Step-up authentication is a key component of risk-based authentication (RBA) frameworks.

T

Tampering, in mobile and application security, refers to the unauthorized modification of an application's binary code, resources, configuration files, or runtime behavior with the intent to bypass security controls, inject malicious functionality, or circumvent licensing protections. Tampered applications may be redistributed as trojanized fakes. Anti-tampering controls, including code signing, integrity verification, and RASP, are essential defenses in mobile application security.

A testing environment is an isolated infrastructure setup used to validate the behavior of applications and systems before they are promoted to production. Like development environments, testing environments are appropriate contexts for self-signed certificates, provided that the scope is strictly controlled and that certificate management practices in testing do not create habits or configurations that compromise production security.

The Internet of Things (IoT) describes the network of physical objects ("things") embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated industrial tools. Examples of IoT devices are smartwatches, smart door locks, smart refrigerators, etc.

A TLS (Transport Layer Security) certificate is a digital certificate issued by a Certificate Authority (CA) that authenticates a server's identity and enables encrypted communication between clients and servers using the TLS protocol. TLS certificates contain the domain name, certificate validity period, issuing CA, and the server's public key. They are the foundation of HTTPS and secure API communications, and must be renewed regularly to maintain trust.

TLS, short for Transport Layer Security, is a protocol enabling end-to-end protection of data transferred between two internet applications. It is an evolution of the SSL protocol.

V

VPN, short for Virtual Private Network, enables a protected network connection over a public one by means of encryption. A VPN disguises the user's online identity by encrypting their internet traffic.

Z

In the context of certificate management, zero downtime refers to the operational goal of ensuring that certificate expiration never causes service interruptions, browser trust errors, or encrypted communication failures. It is achieved through automated certificate lifecycle management, combining continuous monitoring, proactive expiration alerts, and automated renewal via protocols such as ACME, so that certificate replacement is a routine, invisible background process rather than a crisis response.

Zero Trust Architecture (ZTA) is a security framework and design philosophy based on the principle of 'never trust, always verify.' Unlike traditional perimeter-based security models that assume everything inside the corporate network is trusted, ZTA treats every user, device, and workload as potentially compromised, requiring continuous verification of identity, device health, and access context before granting access to any resource. ZTA is implemented through micro-segmentation, identity-centric access controls, and continuous monitoring.

Zero Trust Policy is a security framework that requires all users, inside or outside the organization's network, to be authorized, authenticated, and continuously validated in order to gain access to company applications and data.

A zero-day vulnerability, also called a zero-day exploit, is a vulnerability in a system or device that has been disclosed but is not yet patched. A zero-day vulnerability is exploited before cybersecurity researchers and developers get the chance to detect it themselves. An attack conducted through a zero-day vulnerability is called a zero-day exploit.

Zero-touch certificate renewal is the automated, hands-free process of renewing TLS/SSL certificates before they expire, without any manual intervention from IT or security teams. Implemented via protocols such as ACME, zero-touch renewal eliminates the risk of service outages and security lapses caused by certificate expiration, and is a best practice for organizations managing large numbers of certificates across complex infrastructures.
