7 Exemptions of Strong Customer Authentication (SCA) under PSD2 Regulation
All businesses that do online sales need to comply with the new European legislation. However, there are 7 exemptions to Strong Customer Authentication (SCA) under PSD2 regulation that businesses can avail of.
There are certain types of low-risk payments that may be exempted from Strong Customer Authentication (SCA) under the new PSD2 regulation.
The payment providers can request these exemptions from the cardholder’s bank when they are processing a payment. Ultimately, it will be the cardholder’s bank that will either approve or reject these requests after they have assessed the risk level of a transaction and decide whether SCA is still necessary or not.
Below we outline the most relevant exemptions of SCA for e-Commerce:
Payments are considered low-risk based on the average fraud level of both the payment provider and the bank processing the transaction. The fraud rates should not exceed the thresholds below:
· 0.13% to exempt transactions below €100
· 0.06% to exempt transactions below €250
· 0.01% to exempt transactions below €500
Above thresholds may change depending on local currency.
If either the fraud rate of the payment provider or the cardholder’s bank is above thresholds, it is expected that the bank will decline exemption and SCA will be required.
Transactions under the value of €30 may also be exempted from SCA as they are considered “low value”.
In this case, if this exemption has been used over 5 times since the last successful authentication or if the sum of previous exemptions exceeds €100, banks will need to request authentication.
This, however, is something that the cardholder’s bank will keep a track of and decide whether authentication is necessary or not.
3. Fixed-amount subscriptions
Customers, who make a series of recurring payments of the same value, to the same business, may be exempted from SCA. However, SCA will still be required for the payment.
4. Merchant-initiated transactions
Customer-initiated transactions may be exempted in the case of their card details being saved. Authentication will be requested for the first time before a card has been saved.
But again, it will be up to the cardholder’s bank to decide whether to request authentication or not for any transactions that may follow.
Customers have the option to add a business they trust to their whitelist which means that for any future purchases, authentication for payments may be exempted.
Businesses that have been whitelisted will be considered as “trusted beneficiaries” and maintained by the customer’s bank or payment service provider.
6. Phone sales
Over the phone, transactions fall outside the scope of SCA and will not require authentication. Such payments are often referred to as Mail Order and Telephone Orders, aka MOTO, and should be flagged as such.
This will allow the cardholder’s bank to make the final decision whether to approve or not the transaction.
Finally, payments, where a corporate card has been used to manage employee travel expenses, may be exempted.
What happens if an exemption fails?
Regardless of whether an exemption applies or not, it’s ultimately and solely the cardholder’s bank that will make the final decision whether to approve an exemption or not.
In case of failed payment, banks will return decline codes and such payments will need to be resubmitted with a request for Strong Customer Authentication.