PSD2 SCA Compliance and Exemptions
The Revised Payment Services Directive (PSD2) is legislation effective in the European Economic Area (EEA). PSD2 aims at driving market efficiency and integration, increasing consumer protection, creating competition, and improving security.
This page provides information on PSD2 SCA compliance and exemptions, to allow you to determine if they apply to you and provides guidance on when and how to use the exemptions.
For information on how to comply with PSD2 SCA and claim exemptions, where applicable, through the Mastercard Gateway, see integration guidelines for each of the integration models using the following links:
- Hosted Checkout Integration for PSD2 SCA
- Authentication API Integration for PSD2 SCA
- 3DS JavaScript API Integration for PSD2 SCA
Overview
PSD2 only applies to transactions where both the issuer and acquirer are located within European Economic Area (EEA) countries.
If your acquirer is located outside the EEA, then PSD2 does not apply to you.
If your acquirer is located in the EEA, then PSD2 applies to your transactions where the payer's card was issued in the EEA. If you accept payments from payers both inside and outside the EEA, you should treat all your transactions as if PSD2 applies.
To achieve better consumer protection, PSD2 mandates that payment service providers implement Strong Customer Authentication (SCA) for e-commerce transactions. For card payments, you must achieve SCA by performing 3-D Secure Authentication (3DS). However, 3DS adds an additional step to the checkout flow, asking your payer to provide additional details during the authentication challenge. This is inconvenient to payers and potentially results in higher drop-off rates as payers abandon the checkout process.
Therefore, the PSD2 mandate includes a set of exemptions where SCA is not required, potentially allowing your payer to bypass this additional step during the checkout flow. A PSD2 exemption can be applied by the issuer (issuer exemption) or you or your acquirer can request it (acquirer exemption). The issuer may or may not apply the requested acquirer exemption.
If the issuer applies an exemption, the chargeback liability shifts to the issuer. If the issuer grants an exemption that you or your acquirer have requested, chargeback liability stays with you. An example of an issuer exemption is the exemption for low value transactions. Examples of acquirer exemptions are low value transactions and where the payer has whitelisted you with the issuer. For more details about the available exemptions, see sections below.
You can request an exemption on either the authentication or the payment request. For more details on the viable options, see sections below.
Understanding PSD2 SCA compliance and exemptions
Before proceeding with a gateway integration for PSD2 SCA compliance, you may want to consider the following questions.
What is SCA?
Strong Customer Authentication (SCA) requires the payer to provide two out of the following three factors during the authentication process:
- Something only they know, for example, a password
- Something only they have, for example, a mobile phone
- Something they are, for example, their fingerprint or face ID
For example, the payer may be asked to provide a one-time token that the issuer has sent to their mobile phone (something the payer has), and a password (something the payer knows).
Does the PSD2 SCA mandate apply to all my transactions?
The PSD2 SCA mandate only applies to e-commerce transactions. The following transactions do not require SCA under PSD2:
- Card present, mail order, telephone order, voice response, and call centre transactions
- Transactions for anonymous cards, for example, prepaid cards and gift cards
- Transactions that are not initiated by the payer, for example, recurring and installment transactions do not require SCA under PSD2. Note that specific requirements apply to cardholder-initiated payments in a series of recurring payments. For more details, see below.
How can I comply with the PSD2 SCA mandate?
For card payments, you can achieve PSD2 SCA compliance by performing 3-D Secure Authentication (3DS) or by applying a PSD2 SCA exemption.
When deciding if you should request 3DS Authentication or request a PSD2 exemption, you may want to consider the following questions:
- Do I require chargeback protection? If 3DS authentication is a success and the issuer exemption is granted, the chargeback liability shifts to the issuer. If you request an acquirer exemption (and the issuer grants the exemption) chargeback liability stays with you.
- How likely is the payer to drop out during the checkout flow, if they are presented with the 3DS challenge? For a larger transaction amount the payer may consider this step important whereas on a transaction with a low amount they may decide that the effort to go through the 3DS challenge is too much of an ask.
- How likely is the issuer to grant the exemption or apply an issuer exemption? If the issuer does not grant the exemption that you have requested or does not apply an issuer exemption, you will need to perform 3DS to proceed with the payment. This adds latency to the checkout process, and you may have to pay fees for two transaction requests.
- What is my fraud rate? The issuer is less likely to grant the exemption if you have a high fraud rate. High fraud rates may affect your standing with the card scheme.
What PSD2 SCA exemptions can I request?
For an authentication or a payment, you can request one of the following exemptions:
Exemption | Description | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Low-Risk | Issuers are allowed to apply SCA exemptions for transactions that are considered "low risk" transactions and where the amount is below a defined threshold. Issuers can consider transactions as minimal risk based on the average fraud rate of either the card issuer, the acquirer or both. Note that this fraud rate applies across all transactions for the card issuer/acquirer, not for you specifically. When your acquirer's fraud rate is below the threshold, but the card issuer's is above the threshold, the issuer is expected to decline the exemption. The applicable thresholds are:
If you request the low-risk exemption and the issuer grans the exemption, the liability shifts to you. The exemption may be applied by the issuer, even if you or your acquirer did not request it (issuer exemption). In this case the chargeback liability shifts to the issuer. You can increase the chances of the exemption being applied by the issuer by providing additional payer information when initiating the authentication. * The limit may be subject to change by PSD2. |
||||||||||||
Low Value | Where the transaction amount is up to 30 EUR* (or equivalent amount in the transaction currency) you can request a low value exemption. If the issuer grants the exemption, the liability shifts to you. Issuers must track the use of this exemption for each card, including the number and the total value of all transactions since the payer was last authenticated. Where the number exceeds five and the total value exceeds 100 EUR* (or equivalent amount in the transaction currency) they must not apply the exemption and enforce SCA. As the thresholds do not only apply to payments that the payer makes with you, but any payments, you cannot rely on the exemption being granted. Also, because the issuer cannot perform the required checks when performing the authentication, they may grant the exemption on the authentication but subsequently reject the payment. Because of the conditions applicable to this exemption, issuers may not support it altogether. For these reasons, it is recommended that where applicable, you consider requesting low-risk exemption instead of the low value exemption. |
||||||||||||
Whitelisting | If you allow your payer to create an account with you, so that they do not have to enter information like their card details, billing, or shipping address details every time they shop with you, then you may want to consider the whitelisting exemption. You can ask the issuer that during the authentication (when SCA is performed) they offer the payer the option to add you to a whitelist. In this case, the payer will be able to add you to the whitelist for this card that is maintained by the issuer. As a result, the issuer will not require SCA on subsequent payments the payer makes with this card when making a purchase from your website. This applies regardless of the transaction amount or how often the payer shops with you. The payer will be able to manage the whitelist for their card with the issuer (or a service provider that offers this service on behalf of the issuer). Whitelisting may not be supported by the issuer and so far, adoption of whitelisting by issuers has been slow. If you want to offer whitelisting, you will need to keep track of a payer having whitelisted you so that you can request the whitelisting exemption when submitting a payment for processing. For cardholder-initiated payments with stored card details, if the payer has not whitelisted you, SCA is required for every individual payment triggered by the payer, even if you are using the payer's stored payment details |
||||||||||||
Merchant-Initiated Payments including Recurring Payments (Variable Amount) |
If you have an agreement with your payer that allows you to periodically submit merchant-initiated payments (not covered under Recurring Payments (Fixed Amount) below) for the provision of goods or services, these payments are exempt from the PSD2 SCA requirements. This includes, for example, utility bill payments (e.g., electricity bills), pay TV and mobile phone subscriptions, car/bike sharing transactions, digital services subscriptions, insurance premium payments, installment payments and automatic account top-ups. It also includes Authorization updates, for example when you extend the Authorization validity or update the Authorization amount. For recurring payments with fixed amount, see Recurring Payments (Fixed Amount) exemption below. You only need to perform SCA when you store the payment details on the initial cardholder-initiated payment in the series. For the subsequent merchant-initiated payments in the series, you must request a merchant-initiated payment exemption. Note that this is not technically an exemption, but you are indicating that this is a merchant-initiated payment that falls outside the scope of PSD2 SCA. And just like for any other exemption, it is still the issuer that decides whether authentication is required. Where the issuer grants the merchant-initiated payment exemption, SCA is not required, and the chargeback liability shifts to the issuer. If the issuer does not grant the exemption, you are required to submit a cardholder-initiated payment and perform SCA for this payment. If the card details used for this agreement change, you must submit another cardholder-initiated payment and perform SCA for this payment. It is a prerequisite that you correctly identify the payment as a merchant-initiated payment. For more details, see merchant-initiated transactions.
|
||||||||||||
Recurring Payments (Fixed Amount) | If you have an agreement with the payer for recurring payments, that is, a subscription with a fixed amount, you only need to perform SCA when you store the payment details or submit the initial cardholder-initiated payment in the series. For the subsequent merchant-initiated payments in the series, you must request a recurring payment exemption. If the issuer grants the recurring payment exemption, SCA is not required, and the chargeback liability shifts to the issuer. If the amount or the card details used for the recurring payment agreement change, you must submit another customer-initiated payment and perform SCA for this payment. For recurring payments with a fixed amount, claim the recurring exemption than a merchant-initiated payment exemption (described above) because issuer approval rates for recurring payment exemptions are likely to be higher than for merchant-initiated transactions. It is a prerequisite that you correctly identify the payment as a merchant-initiated payment. For more details, see merchant-initiated transactions.
|
||||||||||||
SCA Delegation | Where you have already authenticated the payer using a mechanism that is PSD2 SCA compliant, you may be able to claim an SCA delegation exemption. To be able to do this, the schemes require you to provide evidence of the payer authentication. However, the schemes are still finalizing their solutions for verifying the provided authentication data to achieve exemption from the SCA mandate. Therefore, the SCA delegation exemption functionality is not yet supported in the gateway. |
||||||||||||
Secure Corporate Payments | If you are a Business to Business (B2B) merchant, all or some of your payments may be exempt from the PSD2 SCA mandate. The Secure Corporate Payments exemption covers payments made through a dedicated corporate payments process or protocol initiated by businesses that is not available for consumers. These include payments made through central travel accounts, lodged corporate/commercial cards, virtual cards, and secure corporate cards. However, the exemption does not automatically include all B2B payments. Corporate cards that are not processed using the additional security methods, such as traditional employee corporate purchase cards, require SCA under the PSD2 mandate. The Secure Corporate Payment is an issuer exemption, meaning that the issuer decides if it can be applied. If you have a way of recognizing that the exemption applies to a transaction, you can simply submit the payment and the issuer will apply the exemption. Where a secure corporate channel was used, indicate this by requesting the Secure Corporate Payment exemption on the authentication or payment request. This is critical for physical corporate cards since in this case the issuer cannot identify a Secure Corporate Payment transaction solely based on the card number. If you wish to make use of this exemption, your need to contact your payment service provider or acquirer. They must ensure your payments meet the fraud mitigation threshold required for transactions that are not exempt from SCA and regularly report to the national regulator to be able to offer this exemption. |
||||||||||||
Authentication Outage | Authentication outage is a PSD2 exemption, which can be submitted when the authentication is not possible due to a technical outage. The"May Submit PSD2 exemptions for Authentication outage" is a new privilege which is required for merchants to submit the Authentication outage exemption.
This exemption can not be submitted for the Recurring or Merchant-Initiated transactions. The following table lists the various error codes and their results. When the response for Authenticate Payer has
order.status "AUTHENTICATION_UNAVAILABLE", you can submit the Authentication outage exemption in the subsequent Authorize or Pay request.
Special handling is applied if your acquirer or the scheme does not support exemptions.
|
Can I claim more than one PSD2 SCA exemption?
No, you can only claim a single exemption on either an authentication or payment request.
What is the difference between an acquirer and an issuer PSD2 SCA exemption?
An acquirer exemption is an exemption that either you or your acquirer have requested. However, it is ultimately up to the issuer to decide whether an exemption can be applied. If the issuer grants the acquirer exemption, the payment does not require SCA. The payer will experience a frictionless flow.
Where the issuer declines the acquirer exemption, they may still apply an issuer exemption. In this case, the payment does not require SCA. The payer will experience a frictionless flow. If the issuer declines the acquirer exemption and does not apply an issuer exemption, the payment requires SCA. The payer will be presented with a challenge flow.
An issuer exemption can be applied by the issuer, even if you or your acquirer have not requested it. This only applies to the low value, low-risk, whitelisting and Secure Corporate Payments exemptions.
Does the liability shift to the issuer when a PSD2 SCA exemption is applied?
Where SCA is performed, the chargeback liability shifts to the issuer.
When you claim an acquirer exemption and the issuer grants the exemption, SCA is not performed, and the liability stays with you. When the issuer applies an SCA exemption (issuer exemption), SCA is not performed but the liability shifts to the issuer.
How do I claim a PSD2 SCA exemption?
You can either claim an exemption when performing the authentication or bypass the authentication and claim an exemption when submitting the payment for processing. Listed below are the viable options available to you.
Exemptions in an Authentication Request
- You can request an exemption when submitting an authentication request to the issuer.
If the issuer grants the exemption, your payer will experience a frictionless flow for 3DS, meaning they do not have to go through any additional steps related to payer authentication. The authentication response will contain details indicating that the exemption was granted. The authentication details must be submitted to the issuer on the payment request.
If the issuer does not grant the requested exemption and does not apply an issuer exemption, your payer will be presented with the challenge flow.
- If you are not claiming an exemption on the authentication, the issuer may still apply an exemption. In this case, the payer will experience a frictionless flow for 3DS. The authentication response will indicate that the authentication was successful.
If the issuer does not apply an exemption, the payer will be presented with the challenge flow.
Exemptions in a Payment Request
- You can submit a payment request with the authentication details for either a successful, attempted authentication, or a granted exemption. This indicates to the issuer that you are PSD2 SCA compliant.
- You can submit a payment request without the authentication details and instead request an exemption. This means you proceed directly to the payment without attempting to authenticate the payer. However, if the PSD2 SCA requirement applies to the transaction, the issuer will reject the payment unless either you request an exemption and the issuer grants the exemption, or the issuer applies an issuer exemption.
If you claim an exemption and the issuer grants the exemption, the transaction will be processed without SCA. If the issuer does not grant the requested exemption and does not apply an issuer exemption, the transaction will be rejected by the issuer. The response code will indicate that payer authentication is required. You can perform the payer authentication and resubmit the request.
Should I request a PSD2 SCA exemption when performing the authentication or when submitting the payment?
If you request an exemption on the authentication request to the issuer, you maximize the chance of SCA being performed straight away, where is required. And, when an exemption is applied by the issuer, the payer does not have to go through an additional step during the checkout process.
However, for some exemptions, where the issuer grants the exemption during the authentication process, the payment may subsequently be rejected because SCA is required. This applies, for example, to the low value exemption, where the necessary checks can only be performed by the issuer when the payment is made.
If you request the exemption on the payment request, where the exemption is granted by the issuer or where the issuer applies an issuer exemption, the payment will proceed without an authentication step. However, if the issuer determines that SCA is required, the payment is rejected (with a response code indicating that SCA is required). You must then perform the authentication and resubmit the payment with the authentication details. This adds latency to the checkout process for the payer, and fees may apply for the authentication and two payment requests.
What happens if the issuer is not ready for 3DS2?
If the issuer is not ready for 3DS2, the card scheme may respond on behalf of the issuer — this is called stand-in processing or attempts processing. The scheme will not grant any acquirer exemptions but may apply an issuer exemption and return authentication details accordingly. If the scheme does not apply an issuer exemption, it will not authenticate the payer. The scheme will return authentication details that indicate authentication was attempted.
What happens if the issuer does not support PSD2 SCA exemptions?
If the issuer does not support a PSD2 SCA exemption, for example, if the issuer is ready for 3DS2, but not ready for one or more PSD2 SCA exemptions, the issuer will never grant this type of exemption when you or your acquirer request it (acquirer exemption) and will never apply this exemption (issuer exemption).
Note that this may apply to all or some of the exemptions. If the issuer does not support any SCA exemptions, SCA will be enforced on all transactions for cards for this issuer, meaning the payer will always be presented with the challenge flow.
What happens if I request a PSD2 SCA exemption and the issuer cannot be contacted (connectivity issue)?
If the issuer cannot be contacted, the scheme may respond on behalf of the issuer. The scheme will not grant any acquirer exemptions or apply any issuer exemptions.
The scheme will return authentication details that you must submit to the issuer on the payment request. The issuer will either apply an issuer exemption and process the payment or reject the payment because SCA is required. If the payment is successful, the liability shifts to the issuer because of the issuer's inability to be contacted during the authentication process.
What does PSD2 SCA mean for device payments?
Device payments, such as Apple Pay and Google Pay, require the payer to authenticate using their phone (something they have) and either a password (something they know) or fingerprint or face ID (something they are). Therefore, they already comply with the PSD2 SCA mandate.
What does PSD2 SCA mean for browser payments?
Browser payments, such as PayPal and common European payment methods like iDEAL or Multibanco, mostly already comply with the PSD2 SCA mandate, or have made changes to their checkout flow to be compliant.