3DS exemptions
Last updated: January 25, 2023
To increase the likelihood of a frictionless transaction, you can request a 3D Secure (3DS) exemption for a transaction that must be PSD2 compliant, provided that the transaction meets the exemption's criteria.
If you want, you can submit exemptions directly in the authorization stage of the payment flow.
The exemptions available for you to use depend on which ones are supported by the Visa and Mastercard schemes, as well as on Checkout.com.
If the issuer does not support the exemption you've requested, Checkout.com will submit `"challenge_indicator": "no_challenge_requested"` by default.
Liability shift
If the customer's bank approves your exemption request, you do not benefit from liability shift if the transaction turns out to be fraudulent.
You will need to opt in to use exemptions. Transaction Risk Assessment (TRA) is only applicable to merchants with a low fraud rate. Contact your Customer Success Manager to enable this feature.
| Exemption | Description |
|---|---|
| | Applies both to payments which the merchant would like to ensure a frictionless authentication for, and transactions that are not subject to Strong Customer Authentication (SCA) compliance |
| | For payments where the amount does not exceed €30. SCA may still be requested by the issuer despite the payment satisfying the requirements for |
| | For payments that use secure corporate cards, which are exempt from 3DS authentication. |
| | For payments that satisfy the authentication amount criteria set by Checkout.com. |
| | For payments where the cardholder has already added the merchant as a trusted merchant. |
| | For payments where the merchant would like to prompt the cardholder to add them as a trusted merchant. |
If the issuer rejects the exemption, they will request a challenge, which the cardholder is required to complete.
```json
{
  "source": {
    "type": "card",
    "number": "4485040371536584",
    "expiry_month": 1,
    "expiry_year": 2030
  },
  "amount": 100,
  "currency": "USD",
  "authentication_type": "regular",
  "authentication_category": "payment",
  "challenge_indicator": "low_value",
  "reference": "ORD-5023-4E89",
  "transaction_type": "goods_service",
  "shipping_address": {
    "address_line1": "Checkout.com",
    "address_line2": "90 Tottenham Court Road",
    "city": "London",
    "state": "UK",
    "zip": "W1T 4TJ",
    "country": "GB"
  },
  "completion": {
    "type": "non_hosted",
    "callback_url": "https://example.com/sessions/callback"
  }
}
```
Data sharing, a form of authentication exemption supported by Visa and Mastercard, guarantees a frictionless authentication experience and improves approval rates for payments that are not subject to SCA.
Information
To learn more about which transactions are subject to SCA, read the SCA compliance guide.
This feature allows you to share data through the authentication flow without requesting a full authentication (for example, through a challenge). This provides the issuer with additional risk data to inform their decision-making.
For example, instead of going straight to authorization, you can request data sharing exemptions. This allows you to add the authentication data without friction.
The standard data share flow is only supported on 3D Secure (3DS) 2.2. Mastercard has its own exclusive data share product, Mastercard Identity Check Insights, which is tailored for this exemption and supported on both 3DS 2.1 & 2.2.
The response you receive to the standard data share flow is different to the response you receive when you use Mastercard Identity Check Insights. You must support both response types.
In your API request, set `challenge_indicator` to `data_share`.
If your `data_share` exemption request was not accepted due to being unsupported by the issuer, the response will be the same as for a normal authentication flow. You should therefore handle the response in the same way.
If the standard data share flow was used, and it was successful and approved, you will receive the following:
- `"status": "approved"`
- `"response_code": "I"`
- `"cryptogram": "{value}"`
- `"eci": "07"` (Visa) or `"06"` (Mastercard)
You can then continue to the payment flow for authorization.
If Mastercard Identity Check Insights was used, and it was successful and approved, you will receive the following:
- `"status": "approved"`
- `"response_code": "I"`
- `"cryptogram": "{value}"`
- `"eci": "04"`
You can then continue to the payment flow for authorization.
If `"status"` is `"declined"` or `"unavailable"`, the authentication is deemed failed or declined. You should therefore treat it the same way as a failed or declined authentication.
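Because you must support both response types, it helps to classify the response to a `data_share` request in one place before continuing to authorization. The following is an added example, not Checkout.com code: the field names and values come from this page, while the function name, the constant names, the `scheme` argument and the choice to raise on an unrecognised `"response_code": "I"` response are assumptions of the example.

```python
# Added example, not Checkout.com code. Names below are hypothetical.

# ECI listed on this page for an approved standard data share, per scheme.
STANDARD_DATA_SHARE_ECI = {"visa": "07", "mastercard": "06"}
# ECI listed on this page for approved Mastercard Identity Check Insights.
INSIGHTS_ECI = "04"


def classify_data_share_result(response: dict, scheme: str) -> str:
    """Classify the authentication response to a data_share request.

    `scheme` ("visa" or "mastercard") is assumed to be known to the caller.
    """
    status = response.get("status")
    if status in ("declined", "unavailable"):
        return "failed"  # treat like a failed or declined authentication

    # Assumption of this example: response_code "I" marks a data share result.
    if response.get("response_code") != "I":
        # Exemption not applied (e.g. unsupported by the issuer): the response
        # is that of a normal authentication flow, so use the normal handler.
        return "normal_flow"

    # The response claims to be a data share result, so it must match one of
    # the two documented shapes exactly before you continue to authorization.
    eci = response.get("eci")
    if status == "approved" and response.get("cryptogram"):
        if scheme == "mastercard" and eci == INSIGHTS_ECI:
            return "identity_check_insights"
        if eci == STANDARD_DATA_SHARE_ECI.get(scheme):
            return "standard_data_share"
    raise ValueError(f"unexpected data share response: status={status!r}, eci={eci!r}")


def approved(eci: str) -> dict:
    """Build a constructed sample response; the cryptogram is a placeholder."""
    return {"status": "approved", "response_code": "I",
            "cryptogram": "CONSTRUCTED-PLACEHOLDER", "eci": eci}


if __name__ == "__main__":
    print(classify_data_share_result(approved("07"), "visa"))
    print(classify_data_share_result(approved("04"), "mastercard"))
    print(classify_data_share_result({"status": "unavailable"}, "visa"))
```

Only the two data share outcomes carry on to authorization with the returned `cryptogram` and `eci`; `normal_flow` hands the response to your existing authentication handler unchanged.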