PSD2 SCA

October 20, 2020 · 5 min read

A lot has been written about PSD2 and Strong Customer Authentication (SCA). This blog post provides insight into transactions where SCA does not apply. A quick reminder: enforcement of SCA is mandated by the ECB as of 31 December 2020. The exception is the UK, where SCA will be enforced from 14 September 2021.

Enforcement will not be carried out by the ECB itself, but by the national authorities. The PSD2 mandate applies to the banks, not to merchants. However, if a merchant does not support SCA, issuing banks will start to refuse its transactions. To avoid this, both Visa and Mastercard require merchants to support EMV 3DS 2.1 or above.

Merchants and their payment service providers need to support transactions where SCA is not applicable (out of scope of, or excluded from, PSD2), not desired (exempted from SCA to avoid shopping cart abandonment), or not possible (when the cardholder is not interacting with the merchant’s platform).

Exclusions (SCA not applicable)

Transactions excluded from the PSD2 mandate are:

  • Transactions initiated by mail or telephone order (MOTO transactions).
  • Transactions with a card issued outside the European Economic Area (EEA) acquired from within the EEA or vice versa (one-leg transactions).
  • Transactions where an anonymous pre-paid card is used.

Unless the merchant requests it, issuing banks will not apply strong authentication to the above transactions.

Exemptions (SCA not desirable)

Both the acquirer and the issuer can initiate an exemption from the SCA mandate.

The following are exemptions applied by the issuer:

  • Transactions from merchants whitelisted by the cardholder.
  • Secure corporate transactions.
  • Low risk transactions (depending on the issuer's fraud levels).
  • Low value transactions (below 30 euro), provided the counter and volume limits are not exceeded.

In the above cases the merchant is best off initiating a 3DS authentication. If an issuer exemption applies, the cardholder will not notice that 3DS authentication was initiated. Fraud liability lies with the issuer if the merchant has initiated 3DS authentication.

The following exemptions can be requested by the merchant:

  • Low risk transactions (depending on the acquirer's fraud levels).
  • Low value transactions (below 30 euro), provided the counter and volume limits are not exceeded.
  • Delegation of SCA (for example by a wallet provider like Apple Pay or Samsung Pay).

Fraud liability lies with the merchant in these cases. It is up to the issuer to decide whether or not to accept these exemptions. The issuer may also soft decline a transaction by indicating this in the authorization response. In that case the merchant should retry the transaction, this time with SCA. Ideally the payment service provider will retry this automatically on the merchant's behalf.

Recurring Transactions and Merchant Initiated Transactions (SCA not possible)

In the case of transaction series where the subsequent transaction is not triggered by the cardholder (for example subscriptions, bill payments or additional charges) the SCA mandate applies only to the first transaction of the series. One-click purchases – where the card is stored on file for later usage triggered by the cardholder – are included in the PSD2 SCA mandate.

Fraud liability for a subsequent transaction depends on the status of the first transaction of the series. Therefore, it is important to indicate during authentication that a transaction is the first of a series. For subsequent transactions the authentication value of the first transaction can be reused to obtain the liability shift from merchant to issuer.
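The routing logic a merchant or PSP ends up with, as an added example that is not code from the original post: it applies the exclusions, the merchant-requested low value exemption, the first/subsequent series handling and the soft-decline retry described above. The 30 euro ceiling is from the post; the counter and volume limits (5 consecutive transactions, 100 euro cumulative), the field names and the action strings are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# 30 euro ceiling is from the post; the counter/volume limits are ASSUMED
# (5 consecutive exempted transactions or 100 euro cumulative since last SCA).
LOW_VALUE_MAX_EUR = 30.0
MAX_CONSECUTIVE = 5
MAX_CUMULATIVE_EUR = 100.0

@dataclass
class Txn:
    amount_eur: float
    moto: bool = False                      # mail or telephone order
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    anonymous_prepaid: bool = False
    series: Optional[str] = None            # None, "first" or "subsequent"
    first_auth_value: Optional[str] = None  # 3DS result of the first of a series
    soft_declined: bool = False             # issuer asked for SCA in the auth response

@dataclass
class LowValueCounter:                      # per-card state, reset on every SCA
    count: int = 0
    cumulative_eur: float = 0.0
    def reset(self) -> None:
        self.count, self.cumulative_eur = 0, 0.0

def decide(t: Txn, ctr: LowValueCounter) -> str:
    """Return the routing action for one transaction and update the counter."""
    if t.soft_declined:                     # issuer refused the exemption
        ctr.reset()
        return "retry-with-sca"
    # Exclusions: MOTO, one-leg (not both inside the EEA), anonymous prepaid.
    if t.moto or t.issuer_in_eea != t.acquirer_in_eea or t.anonymous_prepaid:
        return "authorize-without-sca"
    if t.series == "subsequent":            # merchant initiated, cardholder absent
        if t.first_auth_value:
            return "authorize-reusing-first-auth"   # liability shift retained
        return "authorize-mit-merchant-liable"      # first of series had no SCA
    if t.series == "first":                 # SCA, flagged as first of a series
        ctr.reset()
        return "sca-first-of-series"
    if (t.amount_eur < LOW_VALUE_MAX_EUR and ctr.count < MAX_CONSECUTIVE
            and ctr.cumulative_eur + t.amount_eur <= MAX_CUMULATIVE_EUR):
        ctr.count += 1
        ctr.cumulative_eur += t.amount_eur
        return "request-low-value-exemption"        # merchant keeps liability
    ctr.reset()
    return "sca"                            # challenge; liability shifts to issuer
```

Issuer exemptions (whitelisting, secure corporate, issuer low risk) need no branch of their own: the merchant runs 3DS and the issuer applies them without the cardholder noticing.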

SCA authentication is not a standalone process: it also affects the authorization and clearing messages, and needs to be supported by your acquirer.