Leveraging Exemptions and SCA
With the introduction of the new SCA mandate, new measures have been taken to help improve customer security. While SCA was due to come into force on 14 September 2019, the deadline for ecommerce compliance in the UK was moved to 14 September 2021. The new deadline for ecommerce compliance in Europe is 31 December 2020.
When SCA fully comes into effect, customers will be authenticated by providing at least two forms of identification when completing an online transaction. For further information on this, take a look at our article on Authentication v Authorisation.
However, not every payment will require authentication from the customer. Merchants are provided with a number of exemptions to SCA that aim to improve the overall transaction experience whilst minimising friction and attrition. These exemptions include:
- Low value transactions
- Recurring transactions or subscriptions
- Secure corporate payment
- Trusted Risk Analysis (TRA)
Exemptions for Internet Businesses
To set up SCA exemptions, merchants will first need to contact their acquirer to be advised of suitable exemptions for their business model.
Once merchants have been advised, it will then be possible to request an exemption on a per-transaction basis when submitting a transaction request to Opayo.
However, if merchants choose to use an exemption, it is important to note that any chargeback liability for the transaction is passed back to them. Furthermore, card issuers may not always agree with exemptions. If this were to happen, issuers may return a “soft decline” and request that two-factor authentication is undertaken.
SCA exemptions can apply for:
- Trusted beneficiaries - Card issuers will allow a merchant’s customer to add them as a trusted beneficiary. This can either happen during two-factor authentication or when they log into their card account. Once the merchant has been added as a trusted beneficiary, it will be possible to apply for this exemption so that it applies every time the customer shops with them.
- Low value transactions - Any remote transactions up to €30 (or the equivalent in other currencies) and contactless transactions up to €50 (or the equivalent in other currencies) will not require SCA up to a maximum of five consecutive transactions or a cumulative limit of €100 (€150 for contactless). If the cardholder initiates more than five low value payments or if the total payment value exceeds €100 (€150 for contactless), SCA will be necessary. Please be aware that currently only Visa and Mastercard have released their requirements to support exemptions. Any monitoring of the consecutive transactions and cumulative limits will be the responsibility of the card issuer.
- Recurring transactions or subscriptions - After the initial set up, a membership or subscription fee consisting of repeat payments of the same amount to the same payee, i.e. direct debit, will be exempt from authentication. Since the customer will be off-session when the recurring transaction is performed, they will not be expected to undertake any authentication. However, two-factor authentication must be performed for the first transaction in a recurring series when the customer is in-session.
- Delegated authentication - Merchants can only use this exemption if they have participated in a delegated authentication programme with the card schemes, where the card scheme approves the delegation of the authentication process back to the merchant.
- Secure corporate payment - If a customer is using a corporate card that is a lodged corporate card (most typically used to book travel for all employees of a company), then this exemption can be applied. Please note that it cannot be used for personal corporate cards.
- Trusted Risk Analysis (TRA) - This exemption can be used if a merchant has a low chargeback rate (typically between 1 and 13 chargebacks per 10,000 transactions). This can vary depending on the transaction amount value up to and including £430 (€500). Merchants cannot use this exemption for transaction values over £430 (€500). Please be aware that overall fraud rates for card payments must not exceed the following thresholds:
  - 0.13% to exempt transactions below £90 (€100)
  - 0.06% to exempt transactions below £215 (€250)
  - 0.01% to exempt transactions below £430 (€500)
What will occur if an exemption fails?
We recommend paying close attention to the list of exemptions provided. If an exemption fails, it will be up to the customer’s bank to decide the validity of an exemption.
In the case of an exemption not being granted, the transaction will trigger a decline code. This can be rectified by the payment being resubmitted and authorised via SCA protocols.
If a merchant is impacted by SCA, Opayo would recommend preparing for a fallback in case of an exemption rejection where the customer needs to authenticate. Please be aware that this will particularly apply to merchants who charge customers when they are off-session and not actively in the checkout flow, where they need to return to the merchant website or application to authenticate.
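The sketch below is an added example, not Opayo's code or API: it applies the low value and TRA limits listed above on the merchant side, models the issuer's hidden counters, and shows the SCA fallback after a soft decline. All function and class names are hypothetical, amounts are in EUR, the limits are treated as inclusive, and the counters are assumed to reset whenever SCA is performed.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_MAX = Decimal("30")          # remote payment limit, EUR
LOW_VALUE_COUNT = 5                    # consecutive exempted payments
LOW_VALUE_CUMULATIVE = Decimal("100")  # cumulative exempted value, EUR
# (maximum fraud rate in %, maximum exemptible amount in EUR)
TRA_BANDS = [(Decimal("0.13"), Decimal("100")),
             (Decimal("0.06"), Decimal("250")),
             (Decimal("0.01"), Decimal("500"))]

def tra_ceiling(fraud_rate_pct):
    """Largest EUR amount TRA can cover at this fraud rate (0 if none)."""
    return max((amt for rate, amt in TRA_BANDS if fraud_rate_pct <= rate),
               default=Decimal("0"))

def choose_exemption(amount_eur, fraud_rate_pct):
    """Merchant side: exemption to request, or None to go straight to SCA."""
    if amount_eur <= LOW_VALUE_MAX:
        return "low_value"
    if amount_eur <= tra_ceiling(fraud_rate_pct):  # assumption: inclusive limit
        return "tra"
    return None

@dataclass
class IssuerCounters:
    """Constructed issuer-side state; the merchant never sees these counters."""
    count: int = 0
    total: Decimal = Decimal("0")

    def allow_low_value(self, amount_eur):
        if (self.count + 1 > LOW_VALUE_COUNT
                or self.total + amount_eur > LOW_VALUE_CUMULATIVE):
            return False  # issuer answers with a soft decline
        self.count, self.total = self.count + 1, self.total + amount_eur
        return True

    def reset(self):
        """Assumption: counters restart whenever SCA is performed."""
        self.count, self.total = 0, Decimal("0")

def submit(amount_eur, fraud_rate_pct, issuer):
    """Request the exemption; fall back to SCA on a soft decline."""
    exemption = choose_exemption(amount_eur, fraud_rate_pct)
    if exemption == "low_value" and not issuer.allow_low_value(amount_eur):
        issuer.reset()
        return "soft_decline_then_sca"
    if exemption is None:
        issuer.reset()
        return "sca"
    return "exempt:" + exemption
```

Because the issuer holds the counters, a merchant cannot predict which low value request will be soft declined, so the fallback path has to exist for every exempted payment.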
Introducing SCA exemptions can help merchants not only improve the overall payment experience for customers, but also lower the chances of cart abandonment and improve conversion rates.
Opayo is one of the UK’s most trusted payment service providers. We aim to help businesses expand while taking payments in a way that best suits your business. Whether you have a question about leveraging exemptions or would like to know how to become SCA compliant, our customer support team are available 24/7, 365 to ensure that we can advise you as quickly as possible. Contact us today online or call now on 0191 313 0299.