
A–Z Glossary of Payment Fraud and Security Terms

Plain-English definitions of every fraud and security term you'll encounter — from Account Takeover to Zero-Day Vulnerability.

By the ATM Fortify Security Team, payment fraud & ATM security specialists. Updated February 2026.

Last Updated: February 2026

A reference guide for consumers, merchants, and security professionals. Terms are explained in plain English.


A

Account Takeover (ATO) When a criminal gains unauthorised access to someone's financial account — typically through stolen credentials, phishing, or SIM swap — and uses or modifies it without the owner's knowledge. ATO can lead to fund transfers, credit applications, and identity theft.

Acquirer (Acquiring Bank) The financial institution that processes card payment transactions on behalf of a merchant. When a merchant needs to report a suspected POS compromise, their acquirer is the first call.

Address Verification Service (AVS) A fraud prevention tool used in card-not-present transactions. The billing address provided by the buyer is checked against the address on file with the card issuer. Mismatches flag potential fraud.

Anti-Skimming Hardware Physical devices fitted to ATM card readers that either physically prevent a skimmer from being attached, actively jam the data transmission from a skimmer, or electronically detect the presence of a shimmer inside the reader. See: Anti-Skimming Solutions

Authorised Push Payment Fraud (APP Fraud) A fraud type where a victim is deceived into voluntarily initiating a bank transfer to a criminal-controlled account. Common in vishing and impersonation scams. Unlike card fraud, the payment is technically "authorised" — which has historically complicated reimbursement. Some jurisdictions now have specific APP fraud reimbursement protections.

ATM (Automated Teller Machine) A machine that allows bank customers to perform transactions — primarily cash withdrawals — without visiting a branch. ATMs are a target for physical fraud (skimming, shimming, card trapping) and logical attacks (jackpotting).


B

Beneficiary The recipient of a bank transfer. In fraud, criminals often instruct victims to set up a new beneficiary (payee) on their account. Reviewing unrecognised beneficiaries is an important account security check.

BIN (Bank Identification Number) The first 6–8 digits of a payment card number, identifying the issuing bank and card network. Used in fraud analysis to identify patterns in compromised card batches.

Black-Box Attack A type of ATM logical attack where a criminal connects a device (a "black box") to the ATM's internal cash dispenser interface to command cash dispensing outside the normal transaction flow. A variant of jackpotting.

Brute Force Attack An automated attempt to access an account by systematically trying all possible password combinations. Defended against with strong, complex passwords and account lockout policies.


C

Card Cloning The creation of a duplicate card using data copied from the original card's magnetic stripe. A cloned card can be used wherever magstripe transactions are accepted. EMV chip cards make cloning significantly harder for card-present fraud.

Card-Not-Present (CNP) Fraud Fraud involving the use of card details (number, expiry, CVV) in transactions where the physical card is not presented — typically online, phone, or mail-order purchases. CNP fraud is the dominant card fraud type in markets with widespread EMV adoption.

Card Trapping An ATM attack where a device is inserted into the card slot to retain the cardholder's card after a transaction. The criminal retrieves the card once the victim leaves. Not a data theft attack — the goal is physical card theft.

Carrier PIN A PIN or security code set on a mobile carrier account to authorise significant changes — including SIM transfers. Setting a carrier PIN is the most effective individual defence against SIM swap fraud.

Cash Trapping An ATM attack where a device is placed in or around the cash dispenser to physically hold the dispensed notes. The customer's account is debited, but the cash is not received. The criminal retrieves the notes after the victim leaves.

Chargeback A reversal of a card transaction initiated by the cardholder through their bank. Chargebacks may be raised for unauthorised transactions, non-delivery of goods, or merchant errors. Merchants pay a fee for each chargeback and bear the liability in most CNP fraud scenarios.

Chip-and-PIN An EMV card payment method where the chip generates a dynamic transaction code and the cardholder verifies the transaction with a PIN. More secure than magstripe swipe.

Contactless Payment A payment method using NFC (near-field communication) technology, where the card or device is held close to a reader rather than inserted or swiped. Typically subject to per-transaction limits for unauthenticated payments.

Credential Stuffing An automated attack that uses large lists of username/password combinations from previous data breaches to attempt logins across multiple services. Effective against accounts where passwords are reused.

CVV / CVC (Card Verification Value / Code) The 3-digit (or 4-digit for Amex) security code on a payment card. Not stored by legitimate merchants; required for most CNP transactions to confirm the buyer has physical possession of the card.


D

Data Breach An incident where personal or financial data held by an organisation is accessed or exfiltrated without authorisation. Breached data frequently ends up in criminal marketplaces and is used for credential stuffing, phishing, and identity theft.

Device Account Number (DAN) A tokenised card number specific to a digital wallet device. When you add a card to Apple Pay or Google Pay, the DAN — not your real card number — is used for transactions. The DAN cannot be used to make transactions on other devices.


E

EMV (Europay, Mastercard, Visa) The global standard for chip-based payment cards and terminals. EMV chip cards generate a dynamic cryptographic code per transaction, making card-present cloning significantly harder than magstripe. Named for the three organisations that originally developed the standard.

Express Transit A feature in Apple Pay that allows contactless tap for transit payments (some public transport networks) without requiring biometric or passcode authentication — even with a locked screen.


F

FIDO2 / WebAuthn An open authentication standard using public-key cryptography. FIDO2-based hardware security keys (such as YubiKey) are phishing-resistant because the authentication response is bound to the specific website domain.

Fallback Transaction When an EMV chip card cannot be read (e.g., due to a shimmer interfering with the chip communication), some ATMs and terminals "fall back" to reading the magnetic stripe. Fallback transactions are a known fraud vector.

Friendly Fraud A chargeback filed by a consumer who did receive the goods or services they ordered, but disputes the transaction anyway. Also called first-party misuse. May be deliberate or accidental (e.g., family member's purchase not recognised).


G

GPS Skimmer A skimming device that uses GPS technology to transmit captured card data wirelessly to the criminal, eliminating the need to physically retrieve the device. Reduces the risk of detection for the criminal.


I

Identity Theft The use of another person's personal information — name, address, date of birth, national ID number, financial details — without their consent, typically to commit fraud, access accounts, or obtain credit or services.

Insider Threat A security risk posed by individuals within an organisation — employees, contractors, or business partners — who misuse their access for personal gain. In payment fraud, this includes employee card skimming, cash theft, and data exfiltration.


J

Jackpotting A logical attack on an ATM that forces the cash dispenser to release notes without a legitimate transaction. At a high level, it typically involves gaining access to the ATM's internal systems through a compromised network, USB port, or physical access, then deploying specialised software or hardware. A significant threat for ATM operators.

Jitter Mechanism An anti-skimming measure built into some ATM card readers that physically vibrates the card during insertion, disrupting the ability of a shimmer to maintain stable data contact.


K

Keylogger Malware that records keystrokes on an infected device, capturing usernames, passwords, and other input — including banking credentials.


M

Magstripe (Magnetic Stripe) A band on the back of a payment card containing static account data encoded magnetically. Magstripe data can be easily copied (skimmed) and used to create a cloned card. Considered the least secure card technology.

Man-in-the-Browser (MitB) A form of banking malware that sits between a browser and online banking sessions, modifying what the user sees and what is transmitted. Can silently alter transaction amounts and beneficiary details.

Money Mule A person used to transfer fraudulently obtained money, often unknowingly. Mules receive funds into their account and are instructed to forward them or withdraw cash. Acting as a money mule — even unwittingly — may carry legal consequences.


N

NFC (Near-Field Communication) The short-range wireless technology (typically 4 cm maximum in real conditions) that enables contactless payments. Used by contactless cards, Apple Pay, and Google Pay.

NFC Relay Attack An attack where a device near a contactless card relays its NFC signal to a second device near a payment terminal, potentially completing a transaction without the cardholder's knowledge. Demonstrated in research; rare in real-world fraud.


O

OTP (One-Time Password) A time-limited code used as a second factor in authentication or to authorise a transaction. Typically delivered by SMS or generated by an authenticator app. SMS OTPs are vulnerable to SIM swap; app-based OTPs are significantly more secure.


P

PCI DSS (Payment Card Industry Data Security Standard) A set of security requirements established by the major card schemes (Visa, Mastercard, etc.) that all organisations handling card payment data must comply with. Compliance is not a guarantee against fraud, but it significantly raises the bar for attackers.

Phishing A fraudulent communication — most commonly email — impersonating a trusted organisation to obtain credentials, personal information, or payments. Bank phishing is among the most common forms.

PIN (Personal Identification Number) A numeric code known only to the cardholder, used to authenticate ATM withdrawals and some card transactions. Never share your PIN with anyone, including callers claiming to be from your bank.

Port-Out Fraud A form of SIM swap where a criminal initiates a mobile number port — transferring your number to a new carrier — rather than a SIM swap within the same carrier. The effect is the same: your number is redirected to the criminal.

Provisional Credit A temporary credit applied to a bank account while a fraud dispute investigation is ongoing. In many jurisdictions, banks are required to apply provisional credit within a short timeframe after a fraud report.


Q

Quishing (QR Phishing) A phishing attack delivered through a QR code. The QR code redirects to a fraudulent website or payment link. Increasingly used in emails, physical signage replacement attacks (criminals paste their QR code over legitimate ones), and postal fraud.


R

RFID (Radio-Frequency Identification) A broad category of radio-based identification technology. Contactless payment cards use a specific form of RFID (NFC). RFID-blocking wallets aim to prevent readers from accessing card data while the card is stored.

Relay Attack See: NFC Relay Attack.


S

Safe Account Scam A vishing scam where the victim is convinced their bank account is compromised and they must move their funds to a "safe" account controlled by the criminal. One of the most damaging banking scam variants. Your bank will never ask you to do this.

Shimming A form of card skimming using a paper-thin device inserted inside the ATM card reader slot to intercept EMV chip card data. Unlike traditional skimmers, shimmers are inside the machine and undetectable through external visual inspection.

SIM Swap Fraud A form of identity/account takeover where a criminal convinces a mobile carrier to transfer the victim's phone number to a SIM card the criminal controls. This allows the criminal to receive SMS-based one-time passwords, bypassing two-factor authentication.

Skimmer / Skimming A device placed on or in an ATM card reader to capture magnetic stripe data from inserted cards. Usually accompanied by a PIN capture mechanism (camera or keypad overlay). See: How to Spot a Card Skimmer on an ATM: 10 Warning Signs

Smishing SMS phishing — fraudulent text messages designed to steal credentials, capture OTPs, or direct victims to malicious websites. Can appear in genuine message threads due to sender ID spoofing.

Social Engineering Manipulation of people — rather than technical systems — to obtain money, access, or information. In financial fraud, social engineering includes vishing, smishing, phishing, bank impersonation, and romance/investment scams.

Spear-Phishing A targeted phishing attack using the victim's real name, employer, bank, and other personal details to appear more credible. More dangerous than mass phishing due to its personalised nature.

Strong Customer Authentication (SCA) A regulatory requirement (under PSD2 in the EU/UK) for additional authentication factors on electronic payments above certain thresholds. Typically requires at least two of: something you know, something you have, something you are.


T

Terminal Swap A POS fraud technique where the genuine payment terminal is removed and replaced with a compromised one. Detected through serial number verification.

Tokenisation The replacement of sensitive data (such as a card number) with a non-sensitive substitute (a token) that has no intrinsic value or use outside the specific context. Digital wallets use tokenisation to protect card numbers during transactions.

Two-Factor Authentication (2FA) / Multi-Factor Authentication (MFA) An authentication method requiring more than one verification factor — typically something you know (password) combined with something you have (OTP) or something you are (biometric). Significantly reduces account takeover risk.


V

Velocity Check A fraud detection measure that flags or blocks multiple transactions from the same source within a short time period. Used by banks and merchants to detect unusual transaction patterns.

Vishing Voice phishing — a phone call scam impersonating a trusted organisation (bank, police, HMRC/IRS) to steal credentials, OTPs, or money. See: Vishing: The Phone Call Scam That Empties Bank Accounts


W

Whaling A form of spear-phishing targeting senior executives or high-net-worth individuals. In business contexts, this may target CFOs or finance directors to authorise fraudulent wire transfers.


X

XFS Layer (CEN/XFS, eXtensions for Financial Services) The ATM software layer that handles communication between ATM applications and hardware components (including the cash dispenser). Logical ATM attacks often target this layer to command unauthorised cash dispensing.


Z

Zero-Day Vulnerability A software vulnerability that is unknown to the vendor and for which no patch yet exists. Zero-day vulnerabilities are exploited in sophisticated attacks against ATM networks and banking systems.


Glossary last updated: February 2026. Terms and definitions are provided for general educational purposes.


Need Professional ATM Security Support?

ATM Fortify provides anti-skimming hardware, security assessments, and fraud prevention consulting for ATM operators and financial institutions across 30+ countries.
