SCA Exemptions
Our last post looked at what you need to know to get ready for Strong Customer Authentication (SCA). However, some transactions fall out of the scope of SCA, while others can be granted exemptions.
By understanding what transactions fall out of scope and exercising exemptions when possible, merchants can optimize payment flows under SCA and ensure they’re delivering a frictionless payment experience.
Let’s first take a look at out-of-scope transactions under SCA.
Out of scope of SCA
Merchant-initiated transactions
Payments initiated by the merchant are classed as out of scope of SCA requirements. Therefore, no exemption is required. Merchant-initiated transactions are payments initiated by the merchant according to an agreement that the merchant has in place with the customer, allowing them to initiate payments on their behalf.
For a payment to be categorized as a merchant-initiated transaction, the merchant must:
- Be mandated by the customer to initiate the payment or a series of payments
- Be collecting payments for goods or services provided by the customer, and
- Initiate the payment without any specific action of the customer to trigger the initiation of the payment
In practice, this allows for more manageable regular payments to a merchant where the amount varies each time — such as utility bills, mobile bills, and retained professional services.
Note that the customer’s PSP (for example, the card issuer) will still need to authenticate the card, either when it's saved by the customer or upon the first payment.
Mail order/telephone order (MOTO)
This is also referred to as MOTO.
One leg out
These are transactions where the card issuer, the acquirer or both are outside the European Economic Area (EEA), for example when a card issued in Japan is used at the website of a German merchant.
Anonymous transactions
For example, prepaid gift cards issued without an identifiable cardholder name.
SCA Exemptions
There are several SCA exemptions outlined below. Such exemptions only apply to payment services providers and concern the transaction amount, risk of the payment, recurrence of the transaction and payment channel used to execute the payment.
Low-risk transactions
Transactions are considered low risk based on the average fraud level of the payment provider and bank processing the transaction. The payment provider’s fraud rates should not exceed the thresholds below:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
These thresholds are converted to local equivalent amounts where relevant.
Payments below €30
Transactions below €30 are considered ‘low-value’ and may be exempt from SCA.
However, SCA will be required if:
- A customer makes five or more payments above €30; or
- The sum of previous exemptions exceeds €100.
The customer’s bank will keep track of such occurrences and will decide whether authentication is necessary or not.
Fixed recurring payments
For recurring payments of the same amount each time, such as subscriptions, loan and mortgage repayments, and installments, SCA is only required for the first payment. However, if the amount changes, SCA will be required for each change.
Trusted beneficiaries
Customers have the option to add well-known merchants that they trust to a whitelist, which exempts future purchases from that merchant from authentication.
But two aspects make it hard to implement. First, the customer needs to be aware they can provide this permission, be comfortable doing so, and be bothered enough to follow through. Second, the PSP or bank needs to have a way of retaining these permissions and acting on them. It remains to be seen whether there will be enough demand from the former for the latter to prioritize it.
Telephone orders
Payments made with cards — where the card information was provided over the phone by the customer — are exempt from SCA.
Corporate payments
Where a corporate card has been used, the payment shall be exempt. Examples include booking travel arrangements and buying stationery.
Implementing exemptions
These exemptions are only as useful as your ability to exercise them. Doing that effectively relies on data to inform when an exemption is valid and automation to trigger the exemption.
And that means working with the right PSP. Those PSPs leading the charge understand that authentication is best done away from the rest of the payment process. Decoupling your authentication solution makes it easier and faster to deploy. And then there’s the benefit of focus. SCA and its exemptions are still at an early stage. We can expect more change to come. Best if your authentication solution is free to adapt when it needs to.