The SCA exemptions only apply to payment service providers. They relate to payment transaction amount, risk of the payment, recurrence of the payment transaction and the payment channel used for the execution of the payment. They include:
Are Merchant-initiated transactions exempt?
Merchant-initiated transactions are classed as out of scope of the SCA requirements, so they do not need to be 'exempted'. Get more information on this here.
Fixed recurring transactions and subscriptions
When using a payer-initiated payment method, such as standing orders, only the first payment of a fixed subscription will require SCA. As long as the amount paid stays the same, further transactions will not require SCA.
However, should the amount change, which many usage-based subscriptions do, SCA will be required again for each and every change.
Contactless payments that meet either of the following conditions will be exempt from the application of SCA:
- Individual contactless payments below €50; or
- Five or more payments below €50
Where cumulative payments totalling €150 have been made since the last application of SCA, SCA will be required once more.
The exemption is specific to each card used, so for joint accounts, the exemption applies for each card associated with the account.
Transactions below €30
Similar to contactless payments (but with a lower value), payments below €30 will also be exempt from strong customer authentication.
However, SCA will be required if an end customer makes:
- Five or more payments below €30; or
- If a combination of multiple low value payments totals more than €100
These thresholds are not merchant specific, i.e. those five transactions that add up to €100 or more could be payments to different companies.
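The counter logic behind the contactless and low-value exemptions above, as an added example (not code from the original page): it assumes the issuer keeps per-card counters that are reset by each application of SCA, applies the five-payment limit the same way to both exemptions, and reads the contactless cap as reached at €150 and the low-value cap as exceeded above €100.

```python
from __future__ import annotations
from dataclasses import dataclass

# Thresholds as stated on the page, held in euro cents to avoid float rounding.
@dataclass(frozen=True)
class Rule:
    single_limit: int    # a payment at or above this is never a low-value payment
    cumulative_cap: int  # cumulative low-value spend permitted since the last SCA
    max_count: int       # number of low-value payments that forces SCA again
    cap_inclusive: bool  # True: SCA once the cap is reached; False: once exceeded

CONTACTLESS = Rule(5000, 15000, 5, cap_inclusive=True)   # "totalling EUR 150"
LOW_VALUE = Rule(3000, 10000, 5, cap_inclusive=False)    # "more than EUR 100"

@dataclass
class CardState:
    """Counters kept per card; on a joint account each card has its own."""
    count: int = 0
    cumulative: int = 0

class ExemptionTracker:
    def __init__(self, rule: Rule) -> None:
        self.rule = rule
        self.cards: dict[str, CardState] = {}

    def requires_sca(self, card_id: str, amount_cents: int) -> bool:
        """Decide for one payment; True means the issuer must challenge."""
        state = self.cards.setdefault(card_id, CardState())
        r = self.rule
        if amount_cents >= r.single_limit:
            # Not low-value, so SCA applies; the challenge resets the
            # counters for this card (assumption: "since the last SCA").
            self.cards[card_id] = CardState()
            return True
        state.count += 1
        state.cumulative += amount_cents
        hit_count = state.count >= r.max_count
        hit_cap = (state.cumulative >= r.cumulative_cap if r.cap_inclusive
                   else state.cumulative > r.cumulative_cap)
        if hit_count or hit_cap:
            self.cards[card_id] = CardState()
            return True
        return False

def simulate(rule: Rule, payments: list[tuple[str, int]]) -> list[bool]:
    """Run a constructed sequence of (card_id, amount_cents) payments."""
    tracker = ExemptionTracker(rule)
    return [tracker.requires_sca(card, amount) for card, amount in payments]

if __name__ == "__main__":
    # Constructed sample: five EUR 20 card-not-present payments on one card.
    print(simulate(LOW_VALUE, [("card-A", 2000)] * 5))  # fifth one needs SCA
```

Because the thresholds are not merchant specific, the tracker keys its state on the card alone and ignores which payee each payment went to.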
Trusted beneficiaries (whitelisting)
Customers will have the option to assign well-known businesses to a list of ‘Trusted Beneficiaries’.
This list will be updated and maintained by the ASPSP (Account Servicing Payment Service Provider), who also has the authority to remove trusted beneficiaries. A merchant’s PSP may build mechanisms to ‘suggest’ trusted beneficiaries to the ASPSP on behalf of the end customer.
For example, Mastercard hints that as a customer goes through an online checkout flow, at the point of payment setup, there may be a checkbox that requests that the end customer adds the merchant to their ASPSP’s trusted beneficiary list. This request will be passed to the ASPSP, who will then require the end customer to go through SCA in order to approve the trusted beneficiary listing. The end customer will also be able to manage their list of trusted beneficiaries direct with their ASPSP.
Note that ASPSPs do not necessarily need to provide the trusted beneficiary list themselves - they can outsource this, and companies such as Visa are developing products as a result.
If a business is on an end customer’s ‘whitelist’ then SCA will not be required, regardless of the amount, frequency or variation of any purchases.
While an appealing way of potentially navigating SCA, uptake of the process by banks has so far been irregular, and there are still many questions as to exactly how it will work in practice. It is suspected that whitelisting won’t become a viable tactic until well after September 2019.
It’s important to note, though, that in addition to whenever a trusted beneficiary is added to an exemption list, SCA must be applied if changes are made to a trusted beneficiary or if removal of a listing is requested by a merchant’s PSP.
3D Secure 2 (version 2.2) will provide whitelisting as an available option to merchants.
Payments made directly between two corporate companies will be exempt from SCA, but only if the payment method used is a dedicated B2B method, e.g. an access-controlled corporate travel management or corporate purchasing system.
According to UK Finance: “SCA is not required for payments initiated in respect of legal persons using dedicated payment processes or protocols that are limited to end customers who are not consumers (e.g. host to host, some SWIFT services and some corporate card products).”
The RTS also expands on exactly what will or will not fall under this exemption:
- It expects “the use of proprietary automated host-to-host (machine-to-machine) restricted networks, lodged or virtual corporate cards, such as those used within access-controlled corporate travel management or corporate purchasing system, would potentially be within the scope of this exemption”.
- The use of physical corporate cards issued to employees for business expenditure in circumstances where a secure dedicated payment process and protocol is not used (e.g. where online purchases are made via a public website) would not fall within the scope of this exemption.
Low risk transaction exemptions
Assuming SCA would normally apply to a transaction, payment providers will have the authority to evaluate transactions and choose not to apply SCA protocols to those deemed as a ‘low risk’ of fraud.
Payment service providers will be subject to strict thresholds to be granted the ability to evaluate risk rates of transactions in real-time. The payment provider’s fraud rates (as a whole - not just for a specific merchant) must be lower than the following thresholds for the specific payment type being used and value of transaction being processed:
|Exemption threshold value (i.e. value of payment being processed)|Card based payments*|Credit transfers*|
|---|---|---|
*Fraud Rate must be no greater than these amounts, for the exemption to be applied
Both the payee’s PSP and the end customer’s PSP (e.g. a card issuer) may apply this exemption (based upon their own overall fraud rates for that payment type). However, the ASPSP may decide whether or not to accept the application of that exemption. So, for example, a card acquirer (the merchant’s PSP) may apply the exemption, but the card issuer may overrule that exemption.
In practice, we expect the merchant’s PSP’s request to stand, as liability for any resulting fraudulent payment will rest with the PSP that applied the exemption.
Unattended transport and parking terminals
Payments for transport fares or parking fees at an unattended terminal do not require SCA.
Payment account information
Where an end customer uses a TPP providing account information services to access their payment account data, SCA must be applied where that customer is:
- Accessing the balance of a payment account for the first time; and
- Accessing more sensitive information, such as details of all transactions processed on an account for the first time
However, SCA does not then need to be applied:
- Where the account balance is accessed again; or
- Where the historical transaction data is accessed within 90 days of the last application of SCA
For transfers made between, for example, a current account and a savings account, where both accounts are held at the same bank by the same person, SCA does not need to be applied.