PSD2 is the second Payment Service Directive, designed to modernize the payment industry throughout countries of the European Union and the European Economic Area by encouraging payment innovation and boosting data security. One of the most crucial requirements of the PSD2 is Regulatory Technical Standards, or RTS, on Strong Customer Authentication, also known as SCA. Under PSD2, SCA requirements demand all payment service providers verify the customer’s identity with at least two out of three independent elements — such as a smartphone or token combined with a password or biometric feature, like fingerprints or facial recognition. The main aim of the PSD2 SCA is to reduce fraud and ensure that payment service providers and merchants in the EU and EEA are validating all digital payments. However, not every electronic transaction requires this advanced authentication from the customer. PSD2 includes exclusions and exemptions to the authentication requirements for specific types of digital transactions to improve the overall transaction experience by minimizing friction.
Even though PSD2 SCA requirements guarantee protection against fraud and the security of consumers' financial and personal data, these advanced requirements also increase friction, which results in more purchase declines. To reduce cart abandonment caused by difficulties completing the authentication process, merchants integrate a pre-authorization fraud solution and an exemption engine as part of their payment optimization solution. The main benefit of exemptions is that they make it easier for consumers to complete their purchases. PSD2 exemptions to SCA reduce friction and make the shopping experience better, boosting the likelihood that the consumer will return in the future. Also, if merchants use a fraud prevention solution as an alternative to the fraud protection provided by SCA, exemptions reduce their operational costs by minimizing the cost of additional authentication processes.
Exemptions allow some transactions to be excluded from the Strong Customer Authentication requirements of PSD2. For qualifying transactions, financial service providers and merchants can request an exemption. To grant an exemption requested by the merchant, the acquirer must agree, and the issuer must then approve the request. The acquirers of a transaction are financial institutions that maintain a merchant's account to accept payment cards and authorize and process transactions, while the issuers of a transaction are banks or other financial institutions that provide and validate payment cards for consumers and issue payments. When issuers approve exemptions, payment service providers or merchants can process specific transactions without SCA. Even though the issuer approves an exemption, the merchant that requested that exemption is liable for any chargeback due to fraud. To decide whether to apply SCA or request an exemption, merchants and payment service providers use a specific tool known as an exemption engine, which determines which transactions are suitable for an exemption and which type of exemption to request from the issuer. There are several types of transactions that are exempt from the SCA requirement, including the following: low-risk payments, low-value transactions, transactions with trusted merchants, recurring fixed-amount and merchant-initiated transactions, contactless payments, and secure corporate payment transfers. All of these transactions that may not require SCA are explained in detail below.
The most well-known and widely used PSD2 exemption to SCA is the Transaction Risk Analysis exemption, more commonly known as the TRA exemption. Transaction Risk Analysis, or TRA, as defined by the PSD2 Regulatory Technical Standards (RTS), is a method of identifying fraud by observing risk scores and other account risk factors to ensure that no unusual spending or behavioral patterns of the consumer have been recognized. PSD2 TRA also involves checking for real-time signs of malware infection and known fraud scenarios, and analyzing the payer's location, device fingerprint, network context and similar signals. Even though TRA happens while the consumer is making a real-time payment, it is invisible to the payer. This real-time transaction risk analysis provides a frictionless customer experience by allowing transactions to be categorized as high or low risk, so that strong customer authentication can be avoided for low-risk transactions. To put it differently, TRA permits payment service providers and merchants to assess the risk level of a transaction, which allows them to decide whether to request the exemption or apply authentication. Under PSD2, the TRA exemption only applies to transactions that are considered low-risk for fraud. When the TRA exemption is allowed, merchants and financial service providers can process low-risk transactions without additional verification methods. It is also crucial to mention that the TRA exemption can be applied on either the acquiring or the issuing side of the transaction. So, merchants or financial service providers cannot apply the TRA exemption to real-time payments directly, but can request it for low-risk transactions based on the fraud rate of the card issuer or acquirer. If merchants or financial service providers want to use the PSD2 TRA exemption, they need approval from their acquirer before they can request it.
When a TRA exemption for a low-risk transaction is requested by the merchant or its acquirer, the overall transaction amount and the acquirer's fraud rate are considered to determine whether the exemption can be applied. Every card-issuing bank or other financial institution sets certain thresholds for the transaction amount and the required fraud rate to determine whether a TRA exemption may be applied. Under PSD2, financial institutions in the European Union or the European Economic Area are required to provide evidence of their transaction fraud rates to their national regulator every three months. Also, under PSD2, if the acquirer's fraud rate is higher than 0.13%, or if the transaction amount is more than €500 regardless of the acquirer's fraud rate, the TRA exemption cannot be granted and SCA must be applied. When merchants or payment service providers do not ask their acquirer for a PSD2 TRA exemption, the issuing financial institution can apply this exemption itself. In that case the issuing financial institution considers the risk and amount of the transaction against the overall fraud rate of its payment card portfolio. Because TRA exemptions can be applied by issuers, SCA need not be performed, ensuring a low-friction transaction for the cardholder even if the merchant or payment service provider does not qualify for TRA with its acquirer. Like issuers, acquirers can use the TRA exemption for a specific transaction by maintaining an overall quarterly fraud rate within the limits set by PSD2. Also, to be able to offer the PSD2 TRA exemption, both the issuer and the acquirer need to build TRA solutions that are compliant with the RTS and ensure fraud reporting capabilities that meet the requirements of their regulators. Using an exemption shifts the liability for fraud to the party that requests the exemption, which is why it is crucial for financial institutions and merchants to invest in fraud protection.
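The two paragraphs above describe the TRA exemption as a function of the transaction amount and the PSP's quarterly reference fraud rate. The following Python is an added example, not code from the article or from Nordigen: it computes the reference fraud rate from constructed quarterly figures and checks whether a given amount qualifies. The article states only the top tier (0.13% fraud rate, hard ceiling of €500); the lower tiers in the table (0.06% up to €250, 0.01% up to €500) are those of the RTS Annex, and the function names are my own.

```python
# Added example (not from the original article): a minimal TRA eligibility
# check that a PSP could run before requesting the exemption. The tier table
# follows the RTS on SCA Annex; the article itself quotes only the top tier
# (0.13 % reference fraud rate, hard ceiling of EUR 500).

# (ceiling in EUR, maximum reference fraud rate in %) for the TRA exemption
TRA_TIERS = (
    (100.0, 0.13),
    (250.0, 0.06),
    (500.0, 0.01),
)
TRA_HARD_CEILING_EUR = 500.0


def reference_fraud_rate_pct(fraud_value_eur: float, total_value_eur: float) -> float:
    """Reference fraud rate for a rolling quarter, in percent.

    RTS definition: value of unauthorised or fraudulent remote card transactions
    divided by the value of all remote card transactions of the PSP.
    """
    if total_value_eur <= 0:
        raise ValueError("total transaction value must be positive")
    if not 0 <= fraud_value_eur <= total_value_eur:
        raise ValueError("fraud value must lie between 0 and the total value")
    return 100.0 * fraud_value_eur / total_value_eur


def max_tra_amount_eur(fraud_rate_pct: float) -> float:
    """Highest transaction amount this fraud rate qualifies for (0.0 = no TRA)."""
    allowed = 0.0
    for ceiling, max_rate in TRA_TIERS:      # tiers are ordered by ceiling
        if fraud_rate_pct <= max_rate:
            allowed = ceiling
    return allowed


def tra_exemption_allowed(amount_eur: float, fraud_rate_pct: float) -> bool:
    """True if the PSP may request the TRA exemption for this transaction."""
    if amount_eur <= 0 or amount_eur > TRA_HARD_CEILING_EUR:
        return False   # above EUR 500 SCA is mandatory whatever the fraud rate
    return amount_eur <= max_tra_amount_eur(fraud_rate_pct)


if __name__ == "__main__":
    # Constructed quarterly figures: EUR 1,300 of fraud on EUR 1,000,000 of remote volume.
    rate = reference_fraud_rate_pct(1_300.0, 1_000_000.0)
    for amount in (80.0, 200.0, 450.0, 600.0):
        print(f"rate={rate:.2f}% amount={amount:>7.2f} -> TRA allowed: "
              f"{tra_exemption_allowed(amount, rate)}")
```

With the constructed figures the rate lands exactly on the 0.13% boundary, so only amounts up to €100 qualify; a PSP whose rate drifts above that loses the exemption for the whole quarter, which is the operational reason to monitor the rate continuously rather than only at reporting time.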
Low-value transactions are remote electronic payments under €30 that can be exempted from SCA requirements until they reach a particular cumulative limit. However, financial institutions cannot apply the low-value exemption indefinitely: they need to request authentication on every sixth payment under €30, or when the sum of the previous transactions exempted from SCA exceeds €100. To put it differently, when the number of previously made payments of up to €30 exceeds 5, or if the combined value of those payments goes over €100 since the last successful authentication, the consumer must undergo SCA again. The customer's bank can choose to limit either the number of transactions or the total value. The merchant or its acquirer can request the low-value exemption, and they are then liable if any fraud occurs. Meanwhile, the issuer is in charge of counting the transactions and the total amount in order to check the conditions for granting the low-value exemption. Also, even when the merchant sends a transaction for authentication, the issuing financial institution can apply its own low-value or TRA exemption.
Trusted payees are merchants added by consumers to a whitelist maintained by the consumers' issuing bank or financial service provider after completing SCA for a payment. Merchants that are enrolled in this list of trusted beneficiaries are allowed to bypass SCA for future purchases made by the consumer. However, SCA is required on the initial enrollment of a merchant on a card account number before the merchant is included in the list held by the issuing financial institution. When buying from a merchant included in the list, SCA is not performed on the following purchases. In other words, whitelisting, or trusted beneficiaries, allows consumers to complete subsequent transactions with the same merchant without the need to fill out their information again, making repeat purchases or subscriptions more convenient for customers. It is crucial to mention that only issuers can create and maintain lists of trusted sellers on behalf of consumers and apply the trusted beneficiaries exemption. Also, only cardholders have the right to enroll or remove sellers in or from a list of trusted merchants, or to consent to the addition or removal of sellers suggested by the issuer. Merchants and their acquirers cannot apply the trusted beneficiaries exemption or set up lists for this exemption. By allowing merchants added to the list to transact without SCA, this exemption maintains security while reducing the possibility of transaction declines.
When consumers sign up for a subscription or recurring transactions with the same amount and the same merchant, only the first fixed-amount subscription or payment requires SCA. As long as the amount stays the same, subsequent charges can be exempted from SCA. However, if the amount differs or the value changes, the consumer must again complete the transaction under SCA for each and every change. To put it differently, the recurring fixed-amount transaction exemption lets consumers complete the first fixed-amount transaction under full SCA and then process subsequent purchases from the same seller under the exemption, provided there are no changes to the amount.
When using a merchant-initiated payment method, transactions are initiated by the payee with saved cards without any interaction or involvement of the cardholder. From a technical perspective, this payment method is out of the scope of PSD2. However, it can be treated as an SCA exemption. If consumers use merchant-initiated transactions, cardholders need to authenticate their card when it is being saved or on their first payment. Also, merchants need to obtain the consumer's agreement to charge their card in the future. Both fixed and variable amount transactions initiated by the merchant without the involvement of the cardholder can be exempt from SCA. The merchant-initiated transaction exemption allows sellers to charge variable amount subscriptions or bill for add-ons without the need to repeat SCA once consumers have agreed to the conditions.
PSD2 also grants an SCA exemption for secure corporate transactions, which are payments initiated by business entities through dedicated processes or protocols. These corporate payment transfers are not available to consumers and offer high levels of protection from fraud. Secure corporate payments that can be exempted from SCA requirements include transactions made through central travel accounts, lodged or virtual cards, and corporate cards used in access-controlled corporate travel management or corporate purchasing systems. These accounts and cards are not associated with an individual cardholder and are used only by the company. The corporate payment exemption cannot be applied to personal corporate cards. Also, the secure corporate payment exemption can only be requested by the card-issuing financial institution. Businesses and payment service providers cannot detect whether a card is eligible for secure corporate payment transfers under the SCA exemption.
Individual contactless transactions below €50 do not require SCA up to a maximum of five consecutive payments or a cumulative limit of €150. If the cardholder initiates more than five low-value payments since the last application of SCA, or if the total payment value exceeds €150, SCA is required once more. Also, this exemption is specific to each card utilized by the consumer. So, for joint accounts, this exemption applies to every card associated with the consumer's account. Also, the card-issuing financial institution is responsible for monitoring consecutive transactions and cumulative limits.
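The low-value remote exemption described earlier and the contactless exemption just described share the same shape: a per-transaction cap, a count of consecutive exempted payments and a cumulative value, all tracked by the issuer per card and reset by a successful SCA. The following Python is an added example, not code from the article or from Nordigen, that implements that issuer-side counter once and parameterizes it with the figures the article quotes (€30/5/€100 for remote low-value, €50/5/€150 for contactless). Class and function names are my own; the `limit_mode` switch reflects the article's remark that the bank may enforce either the count or the value limit.

```python
# Added example (not from the original article): an issuer-side counter for the
# two cumulative-limit exemptions (low-value remote and contactless). Amounts
# are integer cents to avoid floating-point drift; policy figures are the ones
# quoted in the text.
from dataclasses import dataclass


@dataclass(frozen=True)
class CumulativePolicy:
    name: str
    single_cap_cents: int      # per-transaction ceiling for the exemption
    max_exempt_count: int      # exempted payments allowed since the last SCA
    cumulative_cap_cents: int  # value of previous exempted payments since the last SCA


LOW_VALUE_REMOTE = CumulativePolicy("low-value remote", 30_00, 5, 100_00)
CONTACTLESS = CumulativePolicy("contactless", 50_00, 5, 150_00)

EXEMPT = "EXEMPT"
SCA_REQUIRED = "SCA_REQUIRED"


@dataclass
class CardCounters:
    exempt_count: int = 0
    exempt_sum_cents: int = 0


class IssuerExemptionTracker:
    """Tracks consecutive exempted payments per card, as the issuer must.

    limit_mode selects which limit the issuer enforces: "count", "value" or
    "both" (the article notes the bank may choose either; "both" is strictest).
    """

    def __init__(self, policy: CumulativePolicy, limit_mode: str = "both") -> None:
        if limit_mode not in ("count", "value", "both"):
            raise ValueError("limit_mode must be 'count', 'value' or 'both'")
        self.policy = policy
        self.limit_mode = limit_mode
        self._cards: dict[str, CardCounters] = {}   # keyed by card token, never by PAN

    def decide(self, card_token: str, amount_cents: int) -> str:
        """Decision only; does not change state."""
        p = self.policy
        c = self._cards.get(card_token, CardCounters())
        if amount_cents <= 0 or amount_cents > p.single_cap_cents:
            return SCA_REQUIRED                      # outside the exemption's amount range
        count_ok = c.exempt_count < p.max_exempt_count
        value_ok = c.exempt_sum_cents <= p.cumulative_cap_cents
        if self.limit_mode == "count":
            ok = count_ok
        elif self.limit_mode == "value":
            ok = value_ok
        else:
            ok = count_ok and value_ok
        return EXEMPT if ok else SCA_REQUIRED

    def process(self, card_token: str, amount_cents: int) -> str:
        """Decide, then update the counters; a successful SCA resets them."""
        decision = self.decide(card_token, amount_cents)
        c = self._cards.setdefault(card_token, CardCounters())
        if decision == EXEMPT:
            c.exempt_count += 1
            c.exempt_sum_cents += amount_cents
        else:
            # SCA was applied (assumed successful here), so the sequence starts over.
            c.exempt_count = 0
            c.exempt_sum_cents = 0
        return decision


if __name__ == "__main__":
    tracker = IssuerExemptionTracker(CONTACTLESS, "value")
    for n in range(1, 7):
        print(f"contactless tap {n}: {tracker.process('card-token-1', 49_00)}")
```

Note that the cumulative check is applied to the value of the previous exempted payments, as the article words it, so a fourth €49 tap after three is still exempt (€147 accumulated) and the fifth is challenged; an issuer that wants the new payment counted toward the limit would add `amount_cents` before comparing.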
In addition to the exclusions mentioned above, there are other types of PSD2 SCA exemptions. The RTS also provide exemptions for access to payment account information, for transfers between two accounts held at the same financial institution by the same consumer, and for transport fares or parking fees paid at an unattended terminal. When the consumer uses a third-party provider for account information services to access their account balance for the first time, SCA must be applied. Also, consumers must authenticate the access of third-party providers in order to see details of all transactions processed on an account for the first time. However, for subsequent access to the account balance, SCA is not needed. Also, the consumer is not required to verify their identity to the third party if the consumer accesses historical transaction data within three months of the last application of SCA.
Regardless of whether an exemption applies to a specific transaction, the card-issuing financial institution makes the final decision whether to accept or decline a particular exemption. When card-issuing financial institutions decide not to grant an exemption, they return new decline codes for transactions that failed due to missing authentication. These failed transactions have to be resubmitted to the customer with a request for SCA. Also, merchants, especially those who charge consumers without their involvement in the checkout flow, must be prepared with a fallback if the card-issuing financial institution declines the exemption.
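The exemption engine introduced at the start of the article and the fallback just described fit together in one merchant-side flow: pick the exemption the merchant is allowed to request, submit, and if the issuer answers with an "authentication required" decline, resubmit with SCA. The following Python is an added example, not code from the article or from Nordigen. The issuer response strings are constructed placeholders rather than real scheme decline codes, the 0 to 100 risk score is assumed to come from the merchant's pre-authorization fraud tool, `strict_issuer` is a constructed stand-in for the issuer, and all names are my own.

```python
# Added example (not from the original article): a merchant-side exemption
# engine plus the fallback the text calls for when the issuer declines the
# exemption. Issuer response values are constructed placeholders, not real
# scheme response codes; the risk score is assumed to come from the merchant's
# pre-authorisation fraud tool.
from dataclasses import dataclass
from typing import Callable, Optional

APPROVED = "APPROVED"
SOFT_DECLINE_SCA_REQUIRED = "SOFT_DECLINE_SCA_REQUIRED"  # placeholder for the "missing authentication" decline
DECLINED = "DECLINED"

LOW_VALUE_CAP_EUR = 30.0


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    risk_score: int                 # 0 (safe) .. 100 (risky), assumed scale of the fraud tool
    merchant_initiated: bool = False
    tra_cap_eur: float = 0.0        # TRA ceiling agreed with the acquirer; 0 = no TRA agreement


def choose_exemption(txn: Transaction, low_risk_below: int = 30) -> Optional[str]:
    """Pick the exemption the merchant may request, or None to go straight to SCA.

    Trusted-beneficiary and secure-corporate exemptions are issuer-only, so the
    merchant engine never selects them.
    """
    if txn.merchant_initiated:
        return "MIT"            # out of SCA scope: no cardholder present, flagged as such
    if 0 < txn.amount_eur <= LOW_VALUE_CAP_EUR:
        return "LOW_VALUE"
    if 0 < txn.amount_eur <= txn.tra_cap_eur and txn.risk_score < low_risk_below:
        return "TRA"            # only within the ceiling the acquirer approved
    return None


IssuerFn = Callable[[Transaction, Optional[str]], str]


def authorise(txn: Transaction, issuer: IssuerFn) -> dict:
    """Submit with the chosen exemption; on a soft decline resubmit with SCA.

    Liability follows the article: the party requesting an exemption carries
    the fraud liability; once SCA is performed the issuer does.
    """
    exemption = choose_exemption(txn)
    attempts = []
    response = issuer(txn, exemption)
    attempts.append((exemption, response))
    if response == SOFT_DECLINE_SCA_REQUIRED and exemption is not None:
        # Fallback: bring the customer back into the flow and challenge them.
        exemption = None
        response = issuer(txn, exemption)
        attempts.append((exemption, response))
    if response != APPROVED:
        liable = "n/a"
    elif exemption is None:
        liable = "issuer"
    else:
        liable = "merchant"
    return {"final": response, "exemption_used": exemption,
            "attempts": attempts, "liable_for_fraud": liable}


def strict_issuer(txn: Transaction, exemption: Optional[str]) -> str:
    """Constructed issuer: approves authenticated requests, soft-declines TRA above EUR 100."""
    if exemption is None:
        return APPROVED
    if exemption == "TRA" and txn.amount_eur > 100.0:
        return SOFT_DECLINE_SCA_REQUIRED
    return APPROVED


if __name__ == "__main__":
    for txn in (Transaction(25.0, 10), Transaction(120.0, 10, tra_cap_eur=250.0),
                Transaction(120.0, 80, tra_cap_eur=250.0)):
        print(txn, "->", authorise(txn, strict_issuer))
```

The second attempt is only made for a soft decline; a hard decline is returned as-is, and a transaction the engine already routed to SCA is never resubmitted, so a hostile or buggy issuer response cannot make the merchant loop.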
Using exemptions for qualifying payments decreases the number of times a consumer needs to authenticate a payment and reduces friction. Businesses that apply exemptions can ensure a better consumer experience by removing SCA steps where permitted while maintaining PSD2 compliance.