
SCA exemptions are a merchant’s best friend, but they don’t come without complications

By Shagun Varshney, Product Manager at Signifyd

When it comes to online commerce, much of Europe is living in a new payment regulation era of two-factor authentication, exemptions, step-ups and a more secure ecommerce shopping experience for consumers, and on 4th March 2022 the UK will follow.

Strong Customer Authentication (SCA) is required under the digital payment regulation known as PSD2 to better secure online checkouts. It requires that shoppers be authenticated by two of three methods:

● Something the user knows (such as a one-time passcode)

● Something the user has (such as a mobile device)

● Something the user is (such as a fingerprint, facial recognition or typing behaviour).

The key to getting SCA right is to conduct the required two-factor identification without disturbing the checkout process. And that starts with understanding exemptions and exclusions contained in the requirement and how those elements best apply to your particular business.

In general, exemptions and exclusions are available when an order meets certain conditions:

● The order is low risk and low value.

● The merchant and its bank have maintained a low fraud rate and the transaction meets certain value limits.

● The transaction is considered “out of scope.” The list of these exclusions includes phone or email orders, prepaid card transactions and transactions where the acquiring bank or the issuing bank is outside the European Economic Area.

One other exemption is available, but a consumer’s bank must agree to allow it in order for it to be applied. It’s called the “Trusted Beneficiary” exemption. It can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption.

Similar to exemptions, “out of scope” transactions can also be processed without SCA. In some instances SCA simply does not apply. Think phone or email orders, prepaid card transactions and transactions when the acquiring bank or the issuing bank are outside the European Economic Area. In the case of a merchant-initiated transaction, a subscription for instance, SCA needs to be performed only once to authenticate the buyer.

Exemptions are a powerful way to provide a seamless experience for customers. When an exemption is approved, the customer doesn’t have to worry about the transaction being stepped up by requiring two of the three SCA authentication methods. And so, retailers want to be in a position to take advantage of exemptions.

In order to take full advantage of the low-risk transaction exemption, a merchant needs to keep its fraud rate below an exceedingly low 0.01%. That clears the way for purchases under €500. Exemptions for purchases under €250 and under €100 are also available for merchants with fraud rates of 0.06% and 0.13% respectively.
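As an added illustration (not code from the article or from Signifyd), the following Python function classifies a transaction using only the conditions described above: the out-of-scope cases, the merchant-initiated rule, the trusted-beneficiary exemption and the three low-risk fraud-rate tiers. The field names and the choice to express the fraud rate as a percentage are assumptions, and the result is only ever an exemption request, since the issuer can still decline it and step the shopper up.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Low-risk tiers quoted in the article: a fraud rate strictly below the
# percentage unlocks exemption requests for purchases under the EUR amount.
TRA_TIERS_PCT = ((0.01, 500.0), (0.06, 250.0), (0.13, 100.0))


@dataclass
class Transaction:  # field names are assumptions for this example
    amount_eur: float
    channel: str                          # "ecommerce" or "moto" (mail/telephone order)
    prepaid_card: bool = False
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    merchant_initiated: bool = False      # e.g. a recurring subscription charge
    authenticated_at_setup: bool = False  # SCA performed once when the mandate was created
    trusted_beneficiary: bool = False     # shopper whitelisted this merchant with their issuer


def tra_limit_eur(fraud_rate_pct: float) -> Optional[float]:
    """Largest purchase the low-risk exemption can cover at this fraud rate, else None."""
    for threshold_pct, limit in TRA_TIERS_PCT:
        if fraud_rate_pct < threshold_pct:
            return limit
    return None


def assess(tx: Transaction, fraud_rate_pct: float) -> Tuple[str, str]:
    """Classify as 'out_of_scope', 'exemption_request' or 'sca_required'.
    An exemption is only requested; the issuer may still decline and step up."""
    if tx.channel == "moto":
        return "out_of_scope", "mail or telephone order"
    if tx.prepaid_card:
        return "out_of_scope", "prepaid card"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return "out_of_scope", "issuer or acquirer outside the EEA"
    if tx.merchant_initiated:
        if tx.authenticated_at_setup:
            return "out_of_scope", "merchant-initiated; buyer authenticated at setup"
        return "sca_required", "merchant-initiated but no authentication on file"
    if tx.trusted_beneficiary:
        return "exemption_request", "trusted beneficiary (issuer must have agreed)"
    limit = tra_limit_eur(fraud_rate_pct)
    if limit is not None and tx.amount_eur < limit:
        return "exemption_request", f"low risk: {fraud_rate_pct}% rate covers under EUR {limit:.0f}"
    return "sca_required", "no exemption applies; expect a step-up"
```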

It’s important, then, to include a powerful fraud protection solution in your overall SCA strategy. A low fraud rate is vital to securing exemptions, and exemptions are vital to producing a top-flight customer experience.

Merchants and brands need to have confidence in their exemptions strategy without worrying about new vulnerabilities that fraud rings will look to exploit. Consider the irony of working hard to maintain a low fraud rate in order to take advantage of exemptions, only to have those exemptions ultimately lead to a higher fraud rate.

As with many things in commerce, it’s best to take a holistic view when you’re considering how SCA and its exemptions fit into your entire risk management plan.