Payment frauds: Strong Customer Authentication and Acquirer Exemptions
Akash Kamble
Published on: Jan 09 2024

The revised Payment Services Directive, commonly known as PSD2, is a regulatory framework of the European Union that sets common rules for payment service providers in the European Economic Area (EEA). Its aim is to promote innovation, competition and security in the payments industry. The PSD2 guidelines came into force on September 14, 2019.

One of the key elements of PSD2 is the Strong Customer Authentication (SCA) mandate for eligible electronic payments in the EEA. SCA is focused on enhancing the security of electronic payments: it requires additional authentication for certain online transactions to reduce the risk of fraud.

SCA mandates the use of at least two out of three authentication factors:

  • Knowledge: Something only the user knows (e.g., passwords or PINs).
  • Possession: Something only the user possesses (e.g., a mobile device or smart card).
  • Inherence: Something the user is (e.g., biometrics like fingerprints or facial recognition).

These factors must be independent, so that if one factor is compromised, the reliability of the others remains intact.

With great Security comes great Friction

To comply with SCA requirements, cardholders need to go through an authentication step. This can cause friction during checkout, an inconsistent user experience across devices and some user drop-off. Even though the 3DS 2.0 protocol addresses these problems to varying extents, the end goals are still some way off. With 3DS 2.0, the issuer analyzes the risk of each transaction and offers one of two flows to the user -

1. Challenge flow - The user must authenticate themselves with an OTP, password, biometric challenge, etc. This happens when the issuer deems the transaction risky.

2. Frictionless flow - The user does not go through any challenge and the issuer approves the transaction directly. This is also called silent authentication.

Merchants expect zero or minimal friction for their cardholders, but at the same time they expect the liability shift for fraud protection. To strike a balance between these conflicting objectives, issuers, networks and PSPs keep coming up with new solutions. The networks run multiple programs that use different frameworks and technologies and have different UX and liability implications. One such provision is Exemptions under PSD2, which we break down in this article.

Exemptions Simplified

The major assumption behind providing exemptions under PSD2 is that merchants know their customers and have the first touchpoint with them. Hence, to some extent, merchants can analyze the risk of a transaction and help step down the challenge to offer a frictionless checkout for some transactions. Merchants need to contact their acquirers and agree on an exemptions strategy, as these exemptions are generally requested by the acquirers on behalf of their merchants.

  • The acquirers can make use of the exemptions and directly request authorization (without authentication).
  • The acquirers can request exemption during the 3DS authentication.
  • The acquirers can simply not request any exemption and rely on the issuer's 3DS decision.

Under PSD2, the acquirers can make use of any ONE of these exemptions per transaction -

  • Low Value Transactions: This exemption is successfully applied when -
    (a) the transaction amount is less than 30 €, and
    (b) the issuer allows it, which it can do if the number of consecutive transactions for that cardholder since the last SCA is less than 5, or the cumulative value of all transactions since the last SCA is less than 100 €.
    The major drawback of this exemption is that the merchant has no visibility into the number of the cardholder's transactions since the last SCA or their amounts.
  • Transaction Risk Analysis (TRA): This exemption should be used only if the acquirer has the capability to perform the risk assessment. If the acquirer's fraud rate is below a certain threshold, the acquirer can request this exemption. The fraud-rate thresholds are:
    0.13% for amounts between 0 € and 100 €
    0.06% for amounts between 100 € and 250 €
    0.01% for amounts between 250 € and 500 €
    The exemption cannot be applied for amounts greater than 500 €. The acquirer needs to monitor its fraud rate continuously and report all fraud-related chargebacks to the National Competent Authority.
  • Recurring transactions: The acquirer can request this exemption for recurring payments of the same amount for the same cardholder. However, the first transaction of the series has to be authenticated with SCA.

Besides the merchant/acquirer exemptions under PSD2, there are also quite a few issuer exemptions, such as Trusted Beneficiaries (the cardholder whitelisting a merchant) and Secure Corporate Payments. Some transaction categories that are out of scope of the SCA mandate are:

  • Anonymous Prepaid cards
  • MOTO - Mail Order/Telephone Order payments, as these are not electronic card payments
  • One-leg transactions - Transactions where the acquirer, the issuer or the cardholder is outside the EEA, Monaco or the UK.
  • MITs - Merchant Initiated Transactions, where the payment is taken from a saved card on an agreed date with the customer's prior consent. The payment can be of a fixed or variable value. The first payment of the series, also called the CIT (Customer Initiated Transaction), has to be an SCA transaction.

Liability implications

| Merchant/Acquirer Action | Issuer Action | Cardholder Experience | Liability Implications |
| --- | --- | --- | --- |
| *Initiates a no-3DS transaction, or merchant not enabled for 3DS | Applies non-3DS flow | Frictionless - cardholder not authenticated via 3DS | Merchant |
| Initiates a 3DS transaction | Applies 3DS flow | Either a challenge flow or a frictionless flow under 3DS | Issuer |
| Initiates a 3DS transaction | *Cardholder/issuer not 3DS enabled | Frictionless - cardholder not authenticated via 3DS | Issuer |
| Initiates a 3DS transaction with acquirer exemption | Issuer accepts the exemption | Frictionless - cardholder not authenticated via 3DS | Merchant |
| Initiates a 3DS transaction with acquirer exemption | Issuer rejects the exemption and applies 3DS flow | Either a challenge flow or a frictionless flow under 3DS | Issuer |
| Initiates a 3DS transaction | Issuer uses issuer exemptions | Frictionless - cardholder not authenticated via 3DS | Issuer |

*Initiating a no-3DS transaction, or a merchant/issuer not being enabled for 3DS, is non-compliant under PSD2 and not possible in the EEA + UK region; the issuer will decline the transaction in that case. This case is only possible in the USA and other non-2FA markets.
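The exemption rules above and the liability table can be expressed as a small decision model. This is an added example written for this article, not code from any PSP, network or acquirer; the data model, function names and the split of counters between acquirer and issuer are assumptions, while the thresholds are the ones quoted in the text.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds as quoted in the article (amounts in EUR, rates as fractions).
LOW_VALUE_LIMIT = 30.0            # per-transaction ceiling for the low-value exemption
LOW_VALUE_MAX_TXNS = 5            # consecutive transactions since the last SCA
LOW_VALUE_MAX_CUMULATIVE = 100.0  # cumulative value since the last SCA
# TRA bands: (upper amount, maximum acquirer fraud rate); nothing above 500 EUR.
TRA_BANDS = ((100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001))


@dataclass
class Transaction:
    """Hypothetical view of a transaction as the acquirer sees it."""
    amount_eur: float
    recurring_fixed_amount: bool = False   # same cardholder, same amount each time
    series_started_with_sca: bool = False  # first transaction of the series had SCA


def tra_max_fraud_rate(amount_eur: float) -> Optional[float]:
    """Fraud-rate ceiling for the TRA band the amount falls in; None above 500 EUR."""
    for upper, rate in TRA_BANDS:
        if amount_eur <= upper:
            return rate
    return None


def acquirer_exemption(txn: Transaction, acquirer_fraud_rate: float) -> Optional[str]:
    """Choose the single exemption the acquirer may request, using only data it can see.

    The acquirer cannot see the issuer's since-last-SCA counters, which is exactly
    the drawback of the low-value exemption described in the article."""
    if txn.recurring_fixed_amount and txn.series_started_with_sca:
        return "recurring"
    if txn.amount_eur < LOW_VALUE_LIMIT:
        return "low_value"
    ceiling = tra_max_fraud_rate(txn.amount_eur)
    if ceiling is not None and acquirer_fraud_rate < ceiling:
        return "tra"
    return None  # no exemption available: send the transaction through 3DS


def issuer_decision(exemption: Optional[str], txns_since_sca: int,
                    value_since_sca: float) -> Tuple[str, str]:
    """Return (flow, liable party) per the liability table; the issuer holds the counters."""
    if exemption is None:
        return ("3ds", "issuer")
    if exemption == "low_value":
        within = (txns_since_sca < LOW_VALUE_MAX_TXNS
                  or value_since_sca < LOW_VALUE_MAX_CUMULATIVE)
        if not within:
            return ("3ds", "issuer")  # exemption rejected, issuer applies 3DS
    return ("frictionless_exempt", "merchant")  # exemption accepted, merchant keeps liability
```

Because the issuer's counters are invisible to the merchant, an acquirer that always requests the low-value exemption should expect a share of rejections that silently fall back to 3DS.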

Conclusion

Streamlining the payment experience improves user convenience, while strategically leveraging the liability shift provides essential fraud protection. Although most acquirers will analyze the data and apply these exemptions as appropriate, it is also important for merchants to understand them and recalibrate their fraud strategy together with their acquirers.
