One key type of transaction that is out of scope of SCA, particularly for subscription businesses and those with recurring revenue, is the merchant-initiated transaction:
A merchant-initiated transaction is a payment that is taken on an agreed-upon date with the payer’s consent, and, as the name suggests, is initiated by the merchant collecting the payment.
If a transaction is merchant-initiated, both fixed and variable payments will be exempt from SCA.
Unlike most transactions initiated by end customers, the payment flows of merchant-initiated transactions are frequently not instant. The end customer’s details are collected at one point in time and submitted to the end customer’s bank at another point in time. As such, the communication between the end customer, bank and payment provider does not happen in real time. In SCA parlance, this is known as an asynchronous transaction. It would be impractical, and in some cases impossible, for SCA to be applied to these transactions.
However, note that for most merchant-initiated transactions, such as recurring card transactions, SCA will still need to be applied to the first payment if that is done with the involvement of the payer’s PSP (e.g. a card issuer).
Electronic ‘paperless’ Direct Debit mandates
One type of merchant-initiated transaction is the electronic ‘paperless’ Direct Debit. In order to collect Direct Debits, a ‘mandate’ must be provided by the end customer from whom payments will be collected, to the merchant/PSP collecting those payments.
There has been a great deal of confusion as to whether SCA is required at the point of setup of the mandate by the payer - specifically, whether the action of setting up the mandate is an “action through a remote channel which may imply a risk of payment fraud or other abuses”.
On 7 June 2019, the EBA confirmed via its Q&A tool that Strong Customer Authentication (‘SCA’) is not required for the setup of electronic ‘paperless’ Direct Debit mandates provided in favour of merchant payees, so long as the end customer’s PSP (e.g. their bank) is not directly involved in that setup.
Specifically, the EBA confirmed:
“Mandates given by the payer to the payee set up without the direct involvement of the payer’s PSP are not subject to SCA.”