Exemptions to Strong Customer Authentication (SCA)

With the Second Payment Services Directive (PSD2), the new set of laws and regulations for payment services in the European Union (EU) and the European Economic Area (EEA), Strong Customer Authentication (SCA) will be the requirement for all online transactions. However, there are still some exemptions from this rule where specific types of low-risk payments may be still exempted from Strong Customer Authentication (SCA).

Please keep in mind that banks can choose not to honor these exemptions and you need to be prepared to handle a SCA challenge even if the transactions has been submitted under one of the below exemptions.

The most relevant SCA exemptions are:

  • MIT
  • Low Risk / TRA
  • Low Value
  • Secure Corporate payments
  • Trusted Beneficiaries

1. Merchant Initiated Transaction (MIT)

MITs are payment transactions that are not initiated by the payer but by the payee only and are not subject to strong customer authentication (SCA) to the extent that these transactions are initiated without any interaction or involvement of the payer. MIT transactions are subjected to SCA except when a mandate is signed by the client. For example, SEPA Direct Debits are initiated by the merchant but have a direct debit mandate signed by the end customer. Thus, SCA is not applicable in this case and there are no restrictions to the frequency or the amount (obtained scheme transaction identifier needs to be provided for use in the subsequent transactions).

Adjustment of initial Authorisation allows merchants to increase or decrease the authorised amount after the initial authorisation has taken place is also MIT. This enables tipping.

2. TRA – Transactional Risk Analysis

SCA can be deactivated for online payments between €30 and €500, depending on the payment providers fraud rates (see table below). There are no low-risk exemptions for transactions over €500. Merchants have to rely on a payment service provider (e.g. an acquirer) to act upon their request. In addition, the test to trigger the exemption rests with whether the PSP satisfies the prescribed conditions, not the merchants themselves. Nuvei keeps a very low fraud rate by using state of the art anti-fraud solutions such as RedShield, Machine Learning algorithms and by working with low risk acquiring banks which have very good fraud scores.

Adding additional information in the payment request will maximize the probability of getting the exemption by Issuers. The chargeback liability shifts to the issuer as well.

Regulatory Technical Standards (RTS), that payment providers need to take into account through real-time risk analysis, covers the following:

  • abnormal spending or behavioral pattern of the payer;
  • unusual information about the payer’s device/software access;
  • malware infection in any session of the authentication procedure;
  • known fraud scenario in the provision of payment services;
  • abnormal location of the payer;
  • high-risk location of the payee.

The fraud rate limits for payment providers are being applied as follows:

Fraud rate and amount limits
Fraud transaction rate Amount limits
Up to 0.01% Up to €500
Up to 0.06% Up to €250
Up to 0.13% Up to €100

3. Low value: Small amounts less than 30 EUR

For a transaction of less than 30 EUR and up to 100 EUR accumulated or up to 5 transactions since the last SCA. Beyond 100 EUR or beyond 5 unauthenticated transactions, a new SCA is required. Keep in mind that since the information needed to validate these stipulations is only available to the issuing bank, you will still need to confirm if SCA is required on all transactions that might fall into this exemption category.

4. Payment to a trusted beneficiary

Customers can add their preferred online sellers to a list of trusted beneficiaries held by the issuing bank, so that they don’t required to authenticate for each new payment. Please instruct your customers if possible to add your business to the white-list at their bank.

5. Secure Corporate payments

SCA can de deactivated for corporate card payments made through secure processes and protocols initiated by businesses and not available for consumers. Payments that are included in this category are those made through central travel accounts, lodged cards, virtual cards, and secure corporate cards, like the ones used in a corporate travel management system.

See below an example of a MerchantInitiatedTransaction (MIT) transaction type:

Request:

POST https://securetest.smart2pay.com/v1/payments
Authorization: Basic MTAxMDpnYWJp

{
  "Payment": {
    "MerchantTransactionID": "s2ptest_m10",
    "Amount": 1000,
    "Currency": "EUR",
    "ReturnURL": "http://demo.smart2pay.com/redirect.php",   
    "Card": {
      "HolderName": "John Doe",
      "Number": "4548812049400004",
      "ExpirationMonth": "05",
      "ExpirationYear": "2021",
      "SecurityCode": "123"     
      },
     "3DSecure": true,
     "DeviceInfo": {
      "BrowserAcceptHeader": "application/json, text/javascript, */*; q=0.01",
      "BrowserUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36",
      "BrowserJavaEnabled": false,
      "BrowserJavaScriptEnabled": true,
      "BrowserLanguage": "ro-RO",
      "BrowserColorDepth": "24",
      "BrowserScreenHeight": "1080",
      "BrowserScreenWidth": "1920",
      "BrowserTimeZone": "-180"
    },         
    "ScaExemption": "MerchantInitiatedTransaction"
  }
}

There are 2 possible response scenarios:

  • Exemption is approved: The cardholder’s bank receives the request, assesses the risk level of the transaction, and approves the exemption and the SCA is no more necessary. The payment has status Authorized / Captured in the response.

    Response:

    HTTP/1.1 201 Created
    Content-Type: application/json; charset=utf-8
    
    {
      "Payment": {
        "ID": 172498,
        "ClientIP": null,
        "SkinID": 200,
        "Created": "20190913075654",
        "MerchantTransactionID": "s2ptest_m10",
        "OriginatorTransactionID": null,
        "Amount": "100",
        "Currency": "EUR",
        "CapturedAmount": "0",
        "ReturnURL": "http://demo.smart2pay.com/redirect.php",
       "Description": "silviu test",
        "StatementDescriptor": "Static Description",
        "MethodID": 6,
        "MethodOptionID": null,
        "SiteID": 1010,
        "NotificationDateTime": null,
        "Customer": null,
        "BillingAddress": null,
        "ShippingAddress": null,
        "Articles": null,
        "Card": {
          "HolderName": "Test Person",
          "Number": "VISA-0004",
          "ExpirationMonth": "05",
          "ExpirationYear": "2021",
          "IssuingBankCountry": null
        },
        "CreditCardToken": null,
        "Status": {
          "ID": 9,
          "Info": "Authorized",
          "Reasons": []
        },
        "MethodTransactionID": null,
        "AuthorizationCode": "971896",
        "PaymentTokenLifetime": 10,
        "Capture": false,
        "RedirectURL": null,
        "3DSecure": true,
        "3DSecureData": null,   
        "ScaExemption": "MerchantInitiatedTransaction",
        "CardOnFile": null,
        "Fraud": null
      }
    }
  • Exemption is rejected: The cardholder’s bank receives the request, assesses the risk level of the transaction, and rejectes the exemption and the SCA is mandatory. The payment has status Open in the response. The customer accesses the RedirectURL form the response and is redirected to the 3D Secure page to authenticate the transaction.

    Response:

    HTTP/1.1 201 Created
    Content-Type: application/json; charset=utf-8{
      "Payment": {
        "ID": 172498,
        "ClientIP": null,
        "SkinID": 200,
        "Created": "20190913075654",
        "MerchantTransactionID": "s2ptest_m10",
        "OriginatorTransactionID": null,
        "Amount": "100",
        "Currency": "EUR",
        "CapturedAmount": "0",
        "ReturnURL": "http://demo.smart2pay.com/redirect.php",
        "Description": "silviu test",
        "StatementDescriptor": "Static Description",
        "MethodID": 6,
        "MethodOptionID": null,
        "SiteID": 1010,
        "NotificationDateTime": null,
        "Customer": null,
        "BillingAddress": null,
        "ShippingAddress": null,
        "Articles": null,
        "Card": {
          "HolderName": "Test Person",
          "Number": "VISA-6852",
          "ExpirationMonth": "05",
          "ExpirationYear": "2021",
          "IssuingBankCountry": null
        },
        "CreditCardToken": null,
        "Status": {
          "ID": 1,
          "Info": "Open",
          "Reasons": []
        },
        "MethodTransactionID": null,
        "AuthorizationCode": null,
        "PaymentTokenLifetime": 10,
        "Capture": false,
        "RedirectURL": "http://85.186.26.139:58938/v1/Payments/FillCardDetails?PaymentToken=172500.1006.5CD50C1B1707FB83EAA7655F9B21D42E9&SkipLandingPage=true",
        "3DSecure": true,
        "3DSecureData": null,   
        "ScaExemption": "MerchantInitiatedTransaction",
        "CardOnFile": null,
        "Fraud": null
      }
    }