SCA Exemptions: What are they and how do they simplify payments | CatalystPay

  • 04 October 2024

Online payments are part of our everyday lives, but with the rise in online shopping, security is more important than ever. That’s why the European Union introduced the Revised Payment Services Directive (PSD2), which includes Strong Customer Authentication (SCA) for online transactions. While SCA is great for security, it can sometimes slow down the checkout process. This is where SCA exemptions come in handy, allowing businesses to simplify payments while keeping them safe. Let’s explore how these exemptions work, how to use them, and how CatalystPay can help your business apply them effectively.

What is Strong Customer Authentication (SCA)?

SCA, or Strong Customer Authentication, is a rule that requires customers to verify their identity during an online payment. This usually involves using at least two of the following: something they know (like a password), something they have (like a smartphone), or something they are (like a fingerprint).

SCA is required when both the customer’s bank and the business’s payment service provider are located in the European Economic Area (EEA) or the UK. Because of this, most payments in these regions need an extra step of verification to make sure they’re secure. Not following these SCA rules can result in fines and could even risk the licenses of banks and payment providers.

The challenge for merchants is to follow these rules without making the payment process too complicated. That’s where SCA exemptions come in—they help make payments easier for customers while still keeping everything secure.

How Does SCA Work?

SCA varies depending on the payment method used. Here’s a look at a couple of common scenarios:

Credit and Debit Cards

One of the most common ways to implement SCA for card payments is through 3D Secure. You might recognize this as the extra step during checkout where you receive a one-time password on your phone or need to confirm the payment in your banking app. This step shifts the responsibility for any fraud from the business to the bank, adding a layer of security.

Local Payment Methods and Digital Wallets

In addition to 3D Secure, local payment methods and digital wallets like Apple Pay and Google Pay offer their own secure, easy-to-use authentication processes. For example, Bancontact Mobile in Belgium and iDEAL in the Netherlands both provide fast, user-friendly ways for customers to make payments securely.

What Are SCA Exemptions?

SCA exemptions allow certain payments to skip the extra verification steps, making the checkout process quicker (aka frictionless transactions). Under PSD2, some payments meet specific conditions that let them bypass SCA while still keeping transactions secure. However, it's important to note that while merchants or their payment providers (acquirers) can request these exemptions, it’s ultimately up to the customer’s bank (issuer) to decide whether to grant them. If the issuer applies an exemption, the chargeback liability shifts to them. Conversely, if a merchant or acquirer requests the exemption and it is granted, the liability generally stays with the merchant.

Types of SCA Exemptions

The table below provides a breakdown of the main types of SCA exemptions, including their criteria, details, and examples:

| Exemption Type | Criteria | Details | Example |
| --- | --- | --- | --- |
| Low-Value Transactions | Payments under €30. | Transactions below €30 can often skip SCA. However, if a customer makes five payments in a row without SCA, or if the total amount exceeds €100, SCA is required for the next payment. If the issuer applies the exemption, the liability shifts to them. If the acquirer requests it and it is granted, the liability stays with the merchant. | If a customer buys a digital product for €15, they can skip SCA. But if they keep making small purchases that add up to over €100, they’ll need to verify their identity. |
| Fixed Amount Subscription Payments | Recurring transactions of the same amount to the same merchant. | For subscriptions with a fixed monthly fee (like a streaming service), SCA is only needed for the first payment. Future payments of the same amount don’t require SCA unless the payment amount or recipient changes. | A customer subscribing to a magazine for €10 per month goes through SCA for the first payment. After that, the monthly payments continue without additional verification. |
| Whitelisted Beneficiaries | Merchants added to the customer's trusted list (whitelist) with their bank. | Customers can add trusted merchants to a whitelist managed by their bank, allowing future transactions to bypass SCA. However, whitelisting adoption has been slow, and not all banks support it. Merchants need to track if customers have whitelisted them and request this exemption when processing payments. | A frequent shopper can whitelist their favorite online store. Future purchases from this store will skip SCA, making checkout faster. |
| Transaction Risk Analysis (TRA) | Low-risk transactions based on the acquirer’s fraud levels. | If the payment provider maintains a low fraud rate, certain transactions can be exempt from SCA. Fraud rate thresholds include: ≤ 0.13% for transactions up to €100; ≤ 0.06% for up to €250; ≤ 0.01% for up to €500. If the acquirer's fraud rate is too high, the issuer is expected to decline the exemption. | A retail site using a payment provider with a low fraud rate can process a €75 purchase without requiring SCA. |
| Secure Corporate Payments | Payments made through secure corporate payment processes. | Payments using secure corporate systems, like virtual corporate cards, can skip SCA. This mostly applies to B2B payments. | A company booking flights through a corporate travel account can process payments without triggering SCA, as long as they use an established, secure system. |

Out of Scope of SCA Payments

Some payments don’t require SCA at all. These include:

  • Merchant-Initiated Transactions (MITs): Payments started by the merchant, such as subscriptions with varying amounts. Note that merchants must correctly identify these payments as MITs to fall outside the scope of SCA.
  • Mail Order and Telephone Orders (MOTO): Payments made by mail or phone.
  • Anonymous Prepaid Cards: Transactions using anonymous prepaid cards.
  • One-Leg Transactions: Payments where either the customer’s bank or the merchant’s provider is outside the EEA or UK.

SCA Exemption Strategies

Effectively using SCA exemptions can significantly improve the checkout experience for your customers and boost conversion rates. Here’s how to make the most of these exemptions with practical strategies tailored to different business scenarios:

1. Dynamic Exemption Management

Managing exemptions dynamically helps streamline payments. Work with a payment provider that assesses each transaction in real-time to determine if an exemption applies. This way, authentication is only requested when absolutely necessary.

  • What You Can Do:
    Use risk-based tools from your payment provider to automatically decide when to apply an exemption based on customer behavior and transaction history. For example, regular customers making low-risk purchases can benefit from a smoother, faster checkout process.

2. Make the Most of Low-Value Exemptions

Low-value transactions (under €30) are a straightforward way to speed up small purchases. However, they come with limits: once the total of consecutive transactions without SCA exceeds €100, or five consecutive payments have been exempted, authentication will be required.

  • What You Can Do:
    Monitor small transactions to ensure they don’t exceed the exemption limits. For businesses selling low-cost items, encourage customers to purchase items individually rather than bundling them, allowing more transactions to qualify for the low-value exemption. Keep in mind that since issuers track these payments, you cannot rely on the exemption being granted every time.

3. Encourage Customers to Whitelist Your Business

Customers can add your business to their bank’s "trusted list" or whitelist, allowing future transactions to bypass SCA. While not all banks offer this feature, it can be a game-changer for frequent customers.

  • What You Can Do:
    Inform customers about the option to add your business to their bank’s whitelist. Providing a simple guide or step-by-step instructions in-app or via email can help customers complete this process and enjoy faster checkout.

4. Offer Fixed-Amount Subscriptions

For businesses with recurring payments, fixed subscriptions can reduce the impact of SCA. With SCA required only for the first payment, subsequent payments of the same amount to the same merchant are exempt.

  • What You Can Do:
    Set up subscriptions with consistent billing amounts. Secure the first payment with SCA and ensure that future payments meet the exemption criteria. Communicate to customers that once the initial payment is verified, future payments will be seamless.

5. Leverage Transaction Risk Analysis (TRA)

TRA allows low-risk transactions to be exempt from SCA, but it depends on the payment provider’s fraud rate.

  • What You Can Do:
    Choose a payment provider with a strong fraud detection system and a low fraud rate. Providers that fall below certain thresholds (e.g., a fraud rate under 0.13% for transactions up to €100) can apply TRA to exempt payments. If the acquirer’s fraud rate is higher than the issuer's threshold, the issuer may decline the exemption.
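
The low-value limits (strategy 2) and the TRA fraud-rate bands (strategy 5) can be combined into one per-transaction decision, as strategy 1 describes. The sketch below is an added example, not CatalystPay's code; `CardState`, `choose_exemption`, `record_outcome` and `simulate` are hypothetical names, the counters follow the article's wording (they are checked before the payment), and the sample runs are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as stated in the article (EUR; fraud rates in percent).
LOW_VALUE_LIMIT = Decimal("30")        # exemption applies below this amount
LOW_VALUE_MAX_COUNT = 5                # consecutive payments without SCA
LOW_VALUE_MAX_TOTAL = Decimal("100")   # cumulative amount without SCA
TRA_BANDS = [(Decimal("100"), Decimal("0.13")), (Decimal("250"), Decimal("0.06")),
             (Decimal("500"), Decimal("0.01"))]   # (max amount, max fraud rate %)

@dataclass
class CardState:
    """Hypothetical merchant-side counters per card, reset when SCA is performed."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

def tra_eligible(amount, fraud_rate_pct):
    """True if the acquirer's fraud rate fits the band that covers this amount."""
    for ceiling, max_rate in TRA_BANDS:
        if amount <= ceiling:
            return fraud_rate_pct <= max_rate
    return False  # above EUR 500 the article lists no TRA band

def choose_exemption(amount, state, fraud_rate_pct):
    """Return the exemption to request ('low_value' or 'tra'), else 'sca'."""
    amount = Decimal(str(amount))
    within_counters = (state.exempt_count < LOW_VALUE_MAX_COUNT
                       and state.exempt_total <= LOW_VALUE_MAX_TOTAL)
    if amount < LOW_VALUE_LIMIT and within_counters:
        return "low_value"
    if tra_eligible(amount, Decimal(str(fraud_rate_pct))):
        return "tra"
    return "sca"

def record_outcome(state, amount, sca_performed):
    """Update counters from what actually happened; the issuer has the final say."""
    if sca_performed:
        state.exempt_count, state.exempt_total = 0, Decimal("0")
    else:
        state.exempt_count += 1
        state.exempt_total += Decimal(str(amount))

def simulate(amounts, fraud_rate_pct):
    """Constructed run: assumes the issuer grants every exemption requested."""
    state, decisions = CardState(), []
    for amount in amounts:
        decisions.append(choose_exemption(amount, state, fraud_rate_pct))
        record_outcome(state, amount, sca_performed=(decisions[-1] == "sca"))
    return decisions
```

Because the issuer tracks its own counters and can still require SCA, call `record_outcome` with what the issuer actually did rather than with what was requested.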

6. Collaborate Closely with Your Payment Provider

Your payment provider plays a crucial role in implementing and managing SCA exemptions. Providers like CatalystPay offer advanced tools to dynamically apply exemptions and ensure your business stays compliant.

  • What You Can Do:
    Regularly review your exemption strategies with your provider to stay updated on any changes in PSD2 regulations and how they may affect your exemption requests. Work together to refine your payment process, utilizing insights from data analysis to improve exemption success rates and provide a smoother checkout experience for your customers.

Conclusion

SCA exemptions are a key tool for reducing friction during the checkout process while maintaining security. However, effectively using these exemptions requires an understanding of how they work and the ability to navigate the nuances of PSD2 regulations. By implementing thoughtful strategies—like dynamic exemption management, encouraging whitelisting, and collaborating closely with your payment provider—you can simplify payments for your customers and increase conversion rates.

CatalystPay is here to support you in navigating the complexities of SCA requirements and exemptions. Our solutions are designed to help you make the most of these exemptions, ensuring compliance while offering a seamless payment experience. Contact us today to learn how we can help your business optimize its payment process.
