As online shopping continues to grow, so does the risk of online payment fraud. In response to this, the European Union introduced the Second Payment Services Directive (PSD2), which mandates strong customer authentication (SCA) for online transactions.
However, implementing Transaction Risk Analysis (TRA), an element of the PSD2 regulations that allows certain transactions to avoid SCA, can reduce friction and cart abandonment rates.
In this article, we’ll explain how TRA exemptions can help your business and how Checkout.com's authentication solution can help you comply with PSD2 while improving your customers' checkout experience.
Transaction Risk Analysis (TRA) is used to evaluate the risk scores and various account risk factors – such as location, time, and spending habits – ensuring that the payer has no unusual spending or behavioral patterns.
As outlined by the Regulatory Technical Standard (RTS) within the PSD2 regulations, any transaction whose data falls outside the established norm for these factors will trigger an alert system, requiring further authentication from the payer.
Under the PSD2 SCA, TRA exemptions can be implemented on either the acquiring or issuing side of the transaction.
TRA exemptions are a form of SCA (Strong Customer Authentication) exemption applied to low-risk transactions below a certain threshold. Under PSD2, these low-risk transactions don't have to be authenticated, allowing low-risk merchants to process transactions without additional verification methods, such as 3DS.
TRA exemptions are part of a dynamic friction strategy that ensures legitimate customers don’t face unnecessary obstacles while only applying additional friction to uncertain customers.
To qualify for a TRA exemption and be safely directed around the inconvenience of 3DS, you must meet certain thresholds regarding the transaction’s risk level and the payment environment. Visa Europe estimates that about 40-50% of e-commerce transactions by volume could be exempt from SCA if certain criteria are met.
In general, the responsibility for implementing potential TRA exemptions falls to both the payment acquirer and the payment issuer.
As a merchant, if one of your transactions is qualified as low risk, your acquiring payment service provider (PSP) may request a TRA exemption. In this process, the RTS looks at the overall transaction amount and the acquirer’s fraud rate to determine whether an exemption is valid.
Here’s a breakdown of what’s required for a TRA exemption:
If the acquirer’s fraud rate is higher than 0.13%, or if the transaction totals more than €500, SCA will be enforced. These are important figures to remember when building your SCA exemption strategies.
The overall fraud score is reported on a quarterly basis by the European Banking Authority. For TRA exemptions, they also require acquirers to use fraud prevention technology that can detect characteristics indicating a high fraud risk by conducting strategies, including:
To take advantage of the exemptions, your acquirer should monitor and provide you with the necessary information, including your overall fraud rate, PSP/Issuer fraud rate, and transaction amount.
You also need to work with your acquirer(s) to ensure that you’re eligible for the exemptions, and you need to find out whether your acquirer plans to use them. However, keep in mind that you or the acquirer (whoever takes up the request) is responsible for any fraud that results from the exemption.
Finally, it’s worth noting that the TRA exemption is only available for EMV 3DS, specifically Visa Secure v2.2 and Mastercard Identity Check v2.1 extension or v2.2.
If you don’t request an acquirer TRA, or any other exemption, the issuer can request it instead. The issuer will evaluate the transaction's risk and amount, then factor it into their card portfolio's overall fraud rate.
SCA isn’t required where an issuer successfully requests a TRA exemption, which means the cardholder can enjoy a smoother buying experience. It’s worth noting that the issuer must follow the same fraud rate to transaction amount ratio that the acquirer uses.
As of January 1st, 2021, merchants who cater to EU or EEA customers are required to comply with PSD2, and the role of exemptions has become critical. Online fraud is on the rise in Europe, with over 73% of fraud resulting from online transactions, and PSD2 aims to combat this trend by enhancing safety in the European payment market.
For merchants, one of the most significant aspects of PSD2 is the Strong Customer Authentication (SCA) requirement. Before this came into effect, issuers and acquiring banks could choose to use 3DS1, 3DS2, or no additional verification method. However, now that PSD2 is here, you're required to route all traffic through 3DS unless exemptions are granted.
Of course, the use of 3DS can increase friction, making it more difficult for consumers to complete the checkout process and leading to higher cart abandonment rates. But it’s important to note that cart abandonment isn’t always due to authentication difficulties – it can also happen when customers have more time to reconsider their purchases, and 3DS significantly increases that time.
If you want to reduce consumer friction and improve your website's checkout experience, you must integrate a pre-authorization fraud solution and an exemption engine into your payment optimization solutions. We also recommend that you request exemptions whenever possible.
With Checkout.com, TRAs have never been easier to implement. Our Fraud Detection Pro tool automatically directs transactions for you, depending on whether they’re viable for TRA exemption, which means you can simply create your own decision tree and let our software do the rest. It’s important for merchants to know that if there is a high fraud rate, the TRA is not possible, as it could affect how the PSP fraud rate is calculated.
With this unified approach, you can build a smooth customer journey, ensuring only high-risk transactions get extra verifications. Better yet, you can use our authentication solution either independently or as part of the Checkout.com platform.
With the standalone product, authentication and authorization can be managed separately, and authentication needs can be handled across multiple acquirers.
But you also have the option to use a hosted or non-hosted presentation. By choosing the non-hosted option, you have complete control over the authentication experience, including customization of the front end, device fingerprinting, and payment flow.
Our standalone authentication product also enables browser-based authentication on web and mobile, as well as native mobile authentication for iOS and Android through our mobile software development kit.