Out of SCA scope transactions
SCA rules apply to online transactions initiated by the consumer, so transactions that are not online or not initiated by the consumer fall outside the scope of SCA. Out-of-scope transactions include:
- Phone sales (MOTO): Transactions where customers call the merchant and give their card details via phone. Here, the merchant representative initiates the transaction.
- Anonymous transactions: Transactions made with payment cards that are not directly linked to the individual consumer, for example transactions made with prepaid cards and gift cards.
- One-Leg-Out transactions: Cross border transactions where either the card issuer or your acquirer is located outside the European Economic Area (EEA).
- Merchant initiated transactions (MIT): Transactions where the customer plays no active role. Instead, the transaction is initiated by the merchant using saved card details, based on an agreement made between the consumer and the merchant. The most common MITs include:
  - Recurring Payment: A transaction in a series of transactions using saved card details for a fixed amount, processed at regular time intervals, where the consumer has provided consent for the merchant to initiate one or more future transactions. For example, a TV streaming subscription with the same monthly bill.
  - Unscheduled card-on-file (UCOF): A transaction using saved card details for a fixed or variable amount and/or processed at regular or variable time intervals, where the consumer has provided consent for the merchant to initiate one or more future transactions. For example, a mobile phone subscription where the bill changes depending on the minutes used, or an automatic top-up agreement for a railcard when the stored value drops below a certain amount.
  - Delayed charge: A transaction performed to process a supplemental account charge after the original services have been rendered and the respective payment has been processed. For example, when a hotel charges minibar expenses to the consumer after they have already paid the original bill and checked out of the hotel.
  - No-show: A transaction occurring when the merchant and consumer have an agreement for a purchase, but the consumer does not meet the terms of the agreement. For example, when the consumer has booked a hotel room but does not show up and does not cancel the reservation according to the hotel's cancellation policy. The hotel may then perform a no-show transaction to charge the consumer a penalty for a guaranteed reservation.
Note that the initial transaction of an MIT series, i.e. when the consumer registers their card and creates a mandate for ongoing payments, is in scope of SCA and must go through SCA. Also be aware that MITs will be scrutinised for misuse, and only merchants whose business requires them to flag transactions as MIT are entitled to use the flag.
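The scope rules above can be written down as a small decision routine. The following Python is an added example, not code from the original page or from any payment provider: the `Transaction` fields, the `sca_scope` function and the EEA country set are assumptions constructed for illustration. The one judgement call it makes is the conservative reading of the misuse note above: an MIT flag that does not refer to a mandate created through an SCA-authenticated transaction is treated as in scope rather than trusted.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed set of EEA country codes (EU member states plus IS, LI, NO).
# Assumption for this example; verify against the current official list.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


@dataclass
class Transaction:
    channel: str                      # "ecommerce" or "moto" (phone sale)
    card_kind: str                    # "personal" or "anonymous" (prepaid / gift card)
    issuer_country: str               # ISO 3166-1 alpha-2 of the card issuer
    acquirer_country: str             # ISO 3166-1 alpha-2 of the merchant's acquirer
    initiator: str                    # "consumer" or "merchant"
    mandate_id: Optional[str] = None  # set when the merchant flags the transaction as MIT


def sca_scope(txn: Transaction, sca_mandates: Set[str]) -> Tuple[bool, str]:
    """Return (in_scope, reason).

    in_scope=True means SCA must be performed or an exemption requested.
    sca_mandates holds ids of mandates whose initial transaction went through SCA.
    """
    if txn.channel == "moto":
        return False, "out of scope: MOTO, merchant representative initiates"
    if txn.card_kind == "anonymous":
        return False, "out of scope: anonymous prepaid or gift card"
    if txn.issuer_country not in EEA or txn.acquirer_country not in EEA:
        return False, "out of scope: one-leg-out (issuer or acquirer outside EEA)"
    if txn.initiator == "merchant":
        if txn.mandate_id in sca_mandates:
            return False, "out of scope: MIT under an SCA-authenticated mandate"
        # MIT flag without an authenticated mandate is the misuse case the text
        # warns about; treat it as an ordinary consumer-initiated transaction.
        return True, "in scope: MIT flag without an SCA-authenticated mandate"
    # The mandate-creating first transaction lands here: it is consumer-initiated.
    return True, "in scope: consumer-initiated online transaction"


def register_mandate(mandate_id: str, sca_mandates: Set[str], sca_succeeded: bool) -> None:
    """Record a mandate only once its initial transaction has passed SCA."""
    if sca_succeeded:
        sca_mandates.add(mandate_id)
```

Usage: the first subscription payment is evaluated with `initiator="consumer"`, and only after its SCA succeeds is `register_mandate` called; subsequent payments flagged with that `mandate_id` and `initiator="merchant"` then come back as out of scope.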
SCA exemptions
Whilst PSD2 sets rules on when SCA is required, it also defines cases where exemptions can be applied to transactions that fall within the scope of SCA. The most common exemptions include:
- Low value transactions: Transactions under 30 EUR. However, note that card issuers keep track of certain counters; SCA must be applied again after 100 EUR of cumulative spending or on every 5 low-value transactions.
- Low risk transactions: Transactions where the card issuer or your acquirer carries out a real-time Transaction Risk Analysis (TRA) and assesses the transaction to have a low risk of fraud.
- Delegated authentication (DA): Merchants can be granted the role of SCA authenticator on behalf of the card issuer. This is mainly used by merchants with in-app payments. Note that DA is not an actual exemption, but a transfer of the authentication responsibility to the merchant; technically SCA still happens on every single transaction.
Note that the card issuers hold the ultimate responsibility for SCA and thus decide if the exemption is granted or not. Even if a transaction qualifies for an exemption, the consumer might still have to go through SCA if the card issuer requires it.
If you request an exemption, ensure you have implemented soft decline handling so that the consumer is redirected to 3-D Secure (or equivalent) authentication if the card issuer soft declines your transaction. Also note that you may need permission from your acquirer before using certain exemptions.
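To show how the low-value counters and the soft-decline round trip fit together, here is an added example that is not code from the page or from any issuer or acquirer. It models a toy issuer that tracks the cumulative-amount and transaction-count counters per card using the 30 EUR, 100 EUR and 5-transaction figures from the text, and a merchant routine that requests the low-value exemption when the amount qualifies and steps up to 3-D Secure when the issuer soft declines. The `Issuer`, `CardCounters` and `merchant_pay` names, the response strings and the `authenticate` callback are assumptions; a real issuer's counting rules and response codes differ.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Thresholds as stated in the text above (amounts in EUR); issuer specifics vary.
LOW_VALUE_LIMIT = 30
CUMULATIVE_LIMIT = 100
COUNT_LIMIT = 5


@dataclass
class CardCounters:
    cumulative_since_sca: float = 0.0   # EUR spent under the exemption since last SCA
    count_since_sca: int = 0            # exempted transactions since last SCA


class Issuer:
    """Toy issuer: grants or refuses a requested low-value exemption per card."""

    def __init__(self) -> None:
        self.counters: Dict[str, CardCounters] = {}

    def authorize(self, card: str, amount: float,
                  exemption: Optional[str], sca_done: bool) -> str:
        c = self.counters.setdefault(card, CardCounters())
        if sca_done:
            # SCA was performed for this transaction: approve and reset counters.
            c.cumulative_since_sca = 0.0
            c.count_since_sca = 0
            return "approved"
        if exemption == "low_value" and self._low_value_ok(c, amount):
            c.cumulative_since_sca += amount
            c.count_since_sca += 1
            return "approved"
        # No exemption requested, or exemption refused: the issuer holds the
        # final say and soft declines, asking the merchant to perform SCA.
        return "soft_decline"

    @staticmethod
    def _low_value_ok(c: CardCounters, amount: float) -> bool:
        return (amount < LOW_VALUE_LIMIT
                and c.count_since_sca < COUNT_LIMIT
                and c.cumulative_since_sca + amount <= CUMULATIVE_LIMIT)


def merchant_pay(issuer: Issuer, card: str, amount: float,
                 authenticate: Callable[[str], bool]) -> List[str]:
    """Merchant flow: request the exemption when eligible, fall back to 3DS on soft decline.

    `authenticate` stands in for the 3-D Secure (or equivalent) challenge and
    returns True when the consumer authenticated successfully.
    """
    steps: List[str] = []
    exemption = "low_value" if amount < LOW_VALUE_LIMIT else None
    result = issuer.authorize(card, amount, exemption, sca_done=False)
    steps.append(f"auth(exemption={exemption}) -> {result}")
    if result == "soft_decline":
        # Soft decline handling: redirect the consumer to authentication, then resubmit.
        if not authenticate(card):
            steps.append("3DS failed -> abandon")
            return steps
        steps.append("3DS ok")
        result = issuer.authorize(card, amount, None, sca_done=True)
        steps.append(f"auth(sca_done) -> {result}")
    return steps
```

Running five 20 EUR payments on one card exhausts the 5-transaction counter (and reaches the 100 EUR cumulative limit at the same time); the sixth is soft declined, goes through the simulated 3DS step, and resets the counters on approval. Amounts of 30 EUR or more never request the exemption and always step up.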