Strong Customer Authentication (SCA) was introduced to improve the security of online transactions and reduce fraud.
When a transaction takes place, if both the customer’s bank and the merchant’s payment service provider are located in the European Economic Area (EEA) or the UK, SCA must be applied. Payment providers or banks that fail to apply SCA can face fines and even have their licenses revoked.
However, some transactions that take place in the EEA and UK are either exempt from SCA or fall outside its scope. That means you can give your customers a more frictionless payment experience without falling foul of your requirements.
In this article, we explain SCA exemptions and out of scope transactions and how Checkout.com can help your business improve approval rates while fighting fraud.
SCA Exemptions
There are several SCA exemptions, outlined below. Such exemptions only apply to payment service providers and concern the transaction amount, the risk of the payment, the recurrence of the transaction and the payment channel used to execute the payment.
Low-risk transactions
Transactions are considered at low risk of fraud based on the average fraud level of the payment provider and bank processing the transaction. The payment provider’s fraud rates should not exceed the thresholds below:
- 0.13% to exempt transactions below €100
- 0.06% to exempt transactions below €250
- 0.01% to exempt transactions below €500
These thresholds are converted to local equivalent amounts where relevant.
The low-risk exemption is a useful one for businesses; take advantage of it by using your payment provider’s risk-assessment tools to check whether a transaction falls below the thresholds.
Of course, fraud rates can differ between providers. So, for example, if the payment provider’s fraud rate falls below the threshold but the cardholder’s bank surpasses it, it’s likely that the bank would still require authentication.
Payments below €30
Transactions below €30 are considered ‘low-value’ and may be exempt from SCA.
However, SCA will be required if:
- A customer makes five or more payments above €30; or
- The sum of previous exemptions exceeds €100.
The customer’s bank will keep track of such occurrences and will decide whether authentication is necessary or not.
Contactless payments in the UK
Contactless payments in the UK are exempt from SCA if they are either:
- A single payment of less than £100 in value
- Cumulative payments of less than £300 in value
This exemption is specific to individual cards. If multiple cards are used for a joint account, for example, each card can make separate contactless payments up to the thresholds without requiring SCA.
Fixed recurring payments
For recurring payments of the same amount each time, such as subscriptions, loan and mortgage repayments, and installments, SCA is only required for the first payment. However, if the amount changes, SCA will be required for each change.
Trusted beneficiaries
Customers have the option to add merchants they know and trust to a whitelist, which exempts future purchases from those merchants from authentication.
But two aspects make this hard to implement. First, the customer needs to be aware they can grant this permission, be comfortable doing so, and be motivated enough to follow through. Secondly, the PSP or bank needs a way of retaining these permissions and acting on them. It remains to be seen whether there will be enough demand from the former for the latter to prioritize it.
Telephone orders
Payments made with cards — where the card information was provided over the phone by the customer — are exempt from SCA.
Credit Transfers
As with low-risk card payments, credit transfers that fall below certain fraud-rate thresholds are also exempt from SCA.
Those thresholds are:
- 0.015% to exempt transactions below €100
- 0.01% to exempt transactions below €250
- 0.005% to exempt transactions below €500
Corporate payments
Where a corporate card has been used, the payment is exempt. Examples include booking travel arrangements and buying stationery.
Out of scope of SCA Payments
Not all transactions are subject to SCA, and thus, strong authentication is not necessary for them.
Merchant-initiated transactions
Payments initiated by the merchant are classed as out of scope of SCA requirements. Therefore, no exemption is required. Merchant-initiated transactions are payments initiated by the merchant according to an agreement that the merchant has in place with the customer, allowing them to initiate payments on their behalf.
For a payment to be categorized as a merchant-initiated transaction, the merchant must:
- Be mandated by the customer to initiate the payment or a series of payments
- Be collecting payments for goods or services provided to the customer, and
- Initiate the payment without any specific action of the customer to trigger the initiation of the payment
In practice, this allows for more manageable regular payments to a merchant where the amount varies each time — such as utility bills, mobile bills, and retained professional services.
Note that the customer’s PSP (for example, the card issuer) will still need to authenticate the card, either when it's saved by the customer or upon the first payment.
Mail order/telephone order (MOTO)
Mail order and telephone order (MOTO) payments, where a customer’s card details are collected by mail or over the phone, are out of scope of SCA because they are not classed as electronic payments. You should ensure that any such payment is properly flagged as MOTO to improve the chances that it is successfully authorized by the cardholder’s bank.
One leg out
A transaction is one leg out when either the card issuer, the acquirer, or both are outside the European Economic Area (EEA), for example when a card issued in Japan is used at the website of a German merchant.
Anonymous transactions
Any transaction where an anonymous payment method is used, such as a prepaid gift card, is out of scope of SCA, because there are no identifiable cardholder details that could be used for authentication.
What happens if an exemption fails?
Even if a transaction is technically exempt from SCA, the cardholder's bank can still decide not to accept the exemption.
If you attempt an exemption and the bank returns a decline code indicating that the payment failed due to missing authentication, you’ll have to reattempt the payment with your customer but this time utilizing SCA.
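The following Python is an added illustration, not Checkout.com code, of how a merchant-side router might combine the pieces described in this article: the out-of-scope cases, the low-value limit, the low-risk (TRA) tiers for cards and credit transfers, and the soft-decline retry with SCA. The `Payment` fields, the stub issuer and the outcome strings are assumptions constructed for the example; fraud rates are percentages and amounts are in euro.

```python
from dataclasses import dataclass

# TRA tiers from the article as (max fraud rate %, max amount €); the lowest
# rate unlocks the largest amount, so check from the strictest tier down.
CARD_TRA_TIERS = [(0.01, 500), (0.06, 250), (0.13, 100)]
CREDIT_TRANSFER_TRA_TIERS = [(0.005, 500), (0.01, 250), (0.015, 100)]
LOW_VALUE_LIMIT = 30  # euro

@dataclass
class Payment:  # constructed model of the data the router needs
    amount: float
    instrument: str = "card"       # or "credit_transfer"
    psp_fraud_rate: float = 0.0    # PSP's reference fraud rate, in %
    merchant_initiated: bool = False
    moto: bool = False
    anonymous: bool = False
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True

def tiers_for(p):
    return CARD_TRA_TIERS if p.instrument == "card" else CREDIT_TRANSFER_TRA_TIERS

def tra_max_amount(fraud_rate, tiers):
    """Largest amount the low-risk (TRA) exemption covers at this rate; 0 if none."""
    for max_rate, max_amount in tiers:
        if fraud_rate <= max_rate:
            return max_amount
    return 0

def classify(p):
    """Return 'out_of_scope', an exemption name, or 'sca_required'."""
    if (p.merchant_initiated or p.moto or p.anonymous
            or not (p.issuer_in_eea and p.acquirer_in_eea)):
        return "out_of_scope"
    if p.amount < LOW_VALUE_LIMIT:
        return "low_value"  # issuer still tracks the count/cumulative limits
    if p.amount < tra_max_amount(p.psp_fraud_rate, tiers_for(p)):
        return "low_risk"
    return "sca_required"

def make_stub_issuer(issuer_fraud_rate):
    """Constructed issuer: honours a low-risk exemption only if its own fraud
    rate also meets the tier, otherwise it soft-declines (the caveat above)."""
    def issuer(p, sca, exemption=None):
        if sca:
            return "approved_with_sca"
        if exemption == "low_risk" and p.amount >= tra_max_amount(issuer_fraud_rate, tiers_for(p)):
            return "soft_decline_sca_required"
        return "approved_frictionless"
    return issuer

def authorize(p, issuer):
    """Frictionless first; on a soft decline for missing authentication, retry with SCA."""
    decision = classify(p)
    if decision == "sca_required":
        return issuer(p, sca=True)
    outcome = issuer(p, sca=False, exemption=decision)
    return issuer(p, sca=True) if outcome == "soft_decline_sca_required" else outcome
```

Note that the stub issuer deliberately disagrees with the PSP when its own fraud rate is worse, so the same €80 card payment is approved frictionlessly against one issuer and stepped up to SCA against another.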
Implementing exemptions
These exemptions are only as useful as your ability to exercise them. Doing that effectively relies on data to inform when an exemption is valid and automation to trigger the exemption.
And that means working with the right PSP. Those PSPs leading the charge understand that authentication is best done away from the rest of the payment process. Decoupling your authentication solution makes it easier and faster to deploy. And then there’s the benefit of focus.
SCA is as much an opportunity as it is a challenge for merchants. Check out our article on what you can do to make SCA work for you.
How Checkout.com can help businesses with Strong Customer Authentication
As your payments partner, Checkout.com can help you fight fraud while keeping your approval rates high.
With exemptions via authentication, you can request an SCA exemption before a transaction goes through 3DS, meaning more transactions are approved through frictionless authentication. The result? Fewer soft declines, improved authorization rates, and a better authentication experience for your customers.
Find out more about how Checkout.com’s flexible authentication solution can help your business.