What you need to know: Exemptions for strong customer authentication (SCA)
Strong customer authentication (SCA) is a new requirement for European payment transactions that aims to reduce fraud and make online payments more secure. However, strong customer authentication adds a step to the payment process that can lower the conversion rate and, in the worst case, result in an aborted payment.
The EU Payment Services Directive PSD2 provides for exemptions for certain low-risk scenarios and specifies criteria that allow a transaction to take place without strong customer authentication. As a merchant, you stand to benefit from increased security thanks to strong customer authentication as well as from better conversion rates for low-risk transactions thanks to SCA exemptions.
In this blog post, you will learn when strong customer authentication is required and how and in which cases you can request exemptions.
What is strong customer authentication?
Remember that strong customer authentication requires all payment transactions – apart from the specified exemptions – to be strongly secured, and at least two of the following three factors must be used for this purpose:
- Knowledge:
  - Password
  - PIN
  - Secret question
  - Numerical sequence
- Possession:
  - Mobile phone
  - Wearable devices
  - Token
  - Smartcard
- Inherence:
  - Fingerprint
  - Voice recognition
  - Iris recognition
  - Facial features
The cardholder’s bank then asks the cardholder to enter additional information during the payment process. This could, for example, be a unique code sent to the cardholder’s mobile phone or fingerprint authentication via their mobile banking app.
What are the exemptions from strong customer authentication?
PSD2 provides for a number of exemptions in which the cardholder does not need to perform strong customer authentication, although the transactions nevertheless undergo “full 3-D Secure authentication”. These SCA exemptions simplify the payment process for your customers, which in turn increases the conversion rate.
The following exemptions are relevant for you as a merchant:
Small amounts | Recurring payments | Whitelisting | Low risk |
---|---|---|---|
Payments up to EUR 30, up to a limit of EUR 100 in total or five consecutive payments. | From the second transaction onward, to the same recipient and for the same amount. | The cardholder creates a whitelist for trusted merchants. | Risk assessment of a transaction with amounts within defined thresholds. |
How you can benefit from the strong customer authentication exemptions
As a Saferpay customer with an acquiring contract from Worldline, you can request exemptions for small amounts, recurring payments and low-risk transactions. Recurring transactions by Worldline customers are automatically identified and a corresponding exemption is requested if they are executed in accordance with the specification.
The cardholder’s bank decides whether an exemption request is granted or rejected. When requesting an exemption for a transaction that meets the specifications, you should take the following into account:
- The merchant bears the liability for this transaction.
- The cardholder’s bank can still reject the exemption and enforce SCA. The card issuer assumes liability in this case.
What is needed for an exemption request
You may request an SCA exemption under the following conditions:
- Your acquirer, if not Worldline, supports strong customer authentication exemptions.
- You have a contractual agreement with your acquirer that covers the execution of SCA exemptions.
- You can perform a real-time risk analysis of transactions.
- You ensure that SCA exemptions are only requested for transactions for which exemptions may be requested according to the PSD2 definition.
SCA is not mandatory in the following cases
There is no SCA obligation and thus no need to request exemptions in the following cases:
- Anonymous prepaid cards
- Mail orders and telephone orders (MOTO transactions)
- Interregional / “one leg” transactions (if the merchant’s registered office or the buyer’s address is outside the European Economic Area, EEA)
- Transactions initiated by the payee
Technical documentation
The SCA exemptions section of the Saferpay Integration Guide contains all necessary technical details on how to request transaction exemptions.