One of the objectives of the PSD2 is enhancing competition and with this in mind there are some transactions that may be exempt from Strong Customer Authentication (SCA). It is vitally important to understand that whilst the below exemptions exist, ultimately it is the cardholders bank that will decide whether or not to accept a transaction with an exemption and no SCA.
AIBMS recommend that any merchants planning to submit transactions with exemptions, are also planning and building processes to handle situation where cardholders banks (issuers) decline transactions due to no SCA. In these situations merchants will need to manage the cardholder experience in order to support the initial decline and present the cardholder with the ability to authenticate the transaction using SCA and resubmit the transaction for approval.
Low Value Transactions
Transactions below €30 will be considered as ‘Low Value’ and therefore may be exempt from SCA. However, if a cardholder has used the exemption five times since the last successful authentication or if previously exempt payment value exceeds €100, SCA will be required.
Fixed amount Recurring Payments such as subscriptions to the same merchant are exempt, but it is important to note that SCA will be required for the cardholders 1st payment, and all subsequent may be exempt from SCA.
Whitelisting / Trusted Beneficiaries
Cardholders can ‘whitelist’ merchants that they trust or add them to their trusted beneficiaries list which is held and managed by the cardholders bank (issuer). To add a merchant SCA will be required, so that future payments will be exempt from SCA. The cardholders bank (issuer) will manage the associated criteria and how this solution is offered to each cardholder to manage will likely differ by issuer.
Secure Corporate Payments
Where a legal person initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers. A good example would be lodged corporate cards, which are used for employee travel and managed directly by a travel agent.
Transaction Risk Analysis (TRA)
Subject to the prior approval from the acquirer (AIBMS) the Transaction Risk Analysis (TRA) exemption may be applied based on the Payment Provider (in this case AIBMS) or the cardholders banks fraud rates.
- 13% to exempt transactions below €100
- 06% to exempt transactions below €250
- 01% to exempt transactions below €500
In this case, the exemption will allow an acquirer to request an exemption if they deem the transaction to be low risk and the acquirer fraud rate is within the required thresholds to support the exemption. The TRA exemption is different to that of the Low Value Transaction, as transactions below €30 may still apply the exemption from SCA. It is important to note, the cardholders bank (issuer) still has the ability to decline the exemption and ask for transactions to be supplied with SCA.
Similarly with Low Value Transactions, Contactless payments made at a point of sale will be exempt up to a maximum value of €50. The exemption is for up to for up to five consecutive transactions or an accumulated value up to €150. The maximum limit of €50 within the Directive may vary from country to country based on local application.
Transactions made at unattended terminals which typically apply to transport fares or parking fees will be exempt from SCA