Exemptions are a hot topic when it comes to PSD2 SCA. They can be useful because issuers and merchants can use exemptions to mitigate friction and not present SCA to the cardholder when applicable. There can be a lot of benefits, but there is also a lot of complexity surrounding them. You need to know the facts, and that is where we can help.
PSD2, as most of you know, is the European Banking Authority’s (EBA) 2nd Payment Service Directive, designed to drive payment innovation and data security. PSD2 has a requirement for Strong Customer Authentication (SCA). SCA is required on each digital transaction which means a cardholder must be challenged (a step-up occur) with their issuer. Exemptions, when specific criteria are met, can reduce the need for SCA if used correctly and the risk of fraud is minimal.
The first step is to know if you are eligible. If your acquirer supports exemptions, and if the card issuers, whose consumers buy on your digital sites, are participating, you may qualify for some exemptions.
Let’s highlight a couple:
- Low-value exemptions are classified as remote digital transactions under €30.
- Each transaction per PAN must be below €30.
- There is a stipulation to this exemption:
- If the cumulative total of up to five transactions exceeds €100, SCA must be applied.
- After the fifth transaction, or when the cumulative total goes over €100, SCA must be applied.
For example, if the first low-value transaction is subject to SCA, and the next four transactions are also low value (meaning each is less than €30 and all five don’t total €100 combined), then bingo – those transactions are exempt from SCA.
One thing to note – the acquirer/merchant is liable for any fraud from the exempted transactions since they are requesting the exemption. So that’s something to keep in mind. In addition, this exemption is only available with EMV® 3-D Secure: Visa Secure: v2.2 and Mastercard Identity Check: v2.1 extension.
Whitelisting (WL) / Trusted Beneficiaries (TB):
- Whitelisting, also known as trusted beneficiaries, aims to deliver enhanced security, improve fraud performance, and minimize the possibility of transaction declines.
- When participating, an issuer can offer their cardholders an enrollment process that allows them to add their trusted merchants to the issuer’s whitelist to not present SCA when buying from that merchant in the future. SCA is required on the initial enrollment and PAN for a merchant to be whitelisted.
- For subsequent transactions, if a merchant qualifies for the programs and chooses to send the trusted beneficiaries exemption flag, SCA is likely to not be performed on the transaction.
Just like low-value exemptions, whitelisting is only available when using EMV 3DS: Visa Secure v2.2 and Mastercard Identity Check v2.1 extension. This is a nice way for a consumer to express trust for their favorite merchants and not worry about a challenge when they make their next purchase. It reduces friction and adds to the seamless experience merchants are looking for – and hopefully more sales down the road.
Low-value exemptions and whitelisting are just two of the exemptions available for merchants and issuers to take advantage of. Our goal is to give you every opportunity to succeed in these ever-changing times. If you want to learn more about the two exemptions we discussed, or about others available, let’s talk. Reach out any time, we are here to help.