The revised Payment Services Directive, commonly known as PSD2, is a European Union regulatory framework that sets common rules for payment service providers in the European Economic Area (EEA). Its aims are to promote innovation, competition and security in the payments industry. PSD2 itself has applied since 13 January 2018; its Strong Customer Authentication requirements, set out in the Regulatory Technical Standards (RTS) on SCA, applied from 14 September 2019.
One of the key elements of PSD2 is the Strong Customer Authentication (SCA) mandate for eligible electronic payments in the EEA. SCA is focused on enhancing the security of electronic payments: it requires additional authentication for certain online transactions in order to reduce the risk of fraud. SCA mandates the use of at least two of three authentication factors: something only the customer knows (knowledge, such as a password or PIN), something only the customer possesses (possession, such as a phone or hardware token) and something the customer is (inherence, such as a fingerprint or face biometric).
These factors must be independent, so that the compromise of one factor does not undermine the reliability of the others.
To comply with Strong Customer Authentication (SCA), cardholders must complete an authentication step. This adds friction at checkout, produces an inconsistent experience across devices and causes some customers to abandon the purchase. EMV 3-D Secure 2 (3DS 2.0) mitigates these problems to varying degrees, but it does not eliminate them. With 3DS 2.0 the issuer assesses the risk of each transaction and routes the cardholder into one of two flows -
1. Challenge flow - the cardholder must authenticate with an OTP, password, biometric or similar challenge. The issuer uses this flow when it considers the transaction risky.
2. Frictionless flow - the issuer authenticates the transaction on the basis of the data it has received and approves it without challenging the cardholder. This is also called silent authentication.
Merchants want as little friction as possible for their cardholders, but they also want the liability shift for fraud that comes with authenticated transactions. These objectives pull in opposite directions, so issuers, card networks and PSPs keep introducing programs that try to balance them; the networks' programs rely on different frameworks and technologies and carry different UX and liability implications. One such provision is the set of exemptions under PSD2, which this article explains for merchants.
The exemptions rest on the assumption that merchants know their customers and are the first touchpoint with them, so they can assess the risk of a transaction and, for a subset of transactions, ask that the challenge be stepped down to a frictionless checkout. Exemptions are generally requested by the acquirer on behalf of the merchant, so merchants should agree an exemption strategy with their acquirer. Two caveats apply to every acquirer exemption: the issuer remains free to refuse the request and demand a challenge, and a transaction exempted at the merchant's request is not authenticated, so fraud liability stays with the merchant rather than shifting to the issuer.
Under PSD2 the acquirer may apply at most ONE of these exemptions to a given transaction -
1. Low Value Transactions - This exemption applies when -
(a) the transaction amount does not exceed 30 €, and
(b) the issuer's counters permit it: either the number of consecutive remote transactions for that cardholder since the last Strong Customer Authentication (SCA) does not exceed five, or the cumulative value of those transactions since the last SCA does not exceed 100 €. The issuer chooses which of the two counters it applies.
The drawback of this exemption is that merchants have no visibility into these issuer-side counters: neither how many transactions the cardholder has made since the last SCA nor their total value. A low-value exemption request can therefore be refused by the issuer, which then requires a challenge.
2. Transaction Risk Analysis (TRA) - This exemption should only be used by acquirers that have the capability to perform real-time risk assessment. An acquirer may request it only while its overall fraud rate for remote card payments is at or below the reference rate for the relevant amount tier set in the RTS on SCA: 0.13% for transactions up to 100 €, 0.06% for transactions up to 250 € and 0.01% for transactions up to 500 €.
The exemption cannot be applied to amounts above 500 €. The acquirer must monitor its fraud rate continuously and report fraud-related chargebacks to its national competent authority; if the rate rises above the reference rate for a tier, the exemption can no longer be used for that tier.
3. Recurring transactions - The acquirer can request this exemption for a series of recurring payments by the same cardholder to the same payee for the same amount. The first transaction of the series must be authenticated with SCA; the subsequent ones can be exempted.
Alongside these merchant/acquirer exemptions, PSD2 also provides issuer exemptions, such as Trusted Beneficiaries (the cardholder whitelists a merchant with their issuer) and Secure Corporate Payments (payments made through dedicated corporate payment processes or protocols). Some transaction categories fall outside the SCA mandate altogether:
1. Anonymous prepaid cards, where there is no identified customer to authenticate
2. MOTO - Mail Order / Telephone Order payments, because they are not initiated electronically by the payer
3. One-leg transactions - transactions where either the issuer or the acquirer is located outside the EEA, Monaco or the UK. Scope follows the location of the payment service providers, not that of the cardholder, so an EEA-issued card used from abroad with an EEA acquirer is still in scope.
4. MITs - Merchant initiated transactions, where the merchant charges a stored card on an agreed date under an agreement the customer gave earlier. The amount can be fixed or variable. The first payment of the series, the Customer Initiated Transaction (CIT) that stores the card and establishes the agreement, must be an SCA transaction; the later MITs are out of scope because the cardholder is not present to authenticate.
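The rules above (one acquirer exemption per transaction, the low-value and TRA thresholds, the recurring and MIT conditions, and the out-of-scope categories) can be written down as a single triage routine. The following is an added worked example, not code from the original article or from any card scheme or acquirer: the `Transaction` dataclass and its field names are this example's own assumptions, the sample payments are constructed, and the preference order among exemptions is a design choice, not a rule from the RTS. It also models the issuer-side low-value counters separately, to make concrete the point that the merchant cannot see them.

```python
"""Triage of a remote card payment against the PSD2 SCA exemptions and
out-of-scope categories. Added example; Transaction fields are assumed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

# Low-value exemption limits (RTS on SCA, Art. 16).
LOW_VALUE_MAX = Decimal("30")              # per-transaction cap, EUR
LOW_VALUE_MAX_COUNT = 5                    # previous exempted txns since last SCA
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")  # cumulative EUR since last SCA

# TRA reference fraud rates (percent of value) per amount tier for remote
# card payments (RTS on SCA, Art. 18); TRA is unavailable above 500 EUR.
TRA_TIERS = (
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
)


@dataclass(frozen=True)
class Transaction:
    """What the merchant/acquirer knows about one payment (assumed field names)."""
    amount_eur: Decimal
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    moto: bool = False                  # mail order / telephone order
    anonymous_prepaid: bool = False
    merchant_initiated: bool = False    # MIT charged from a stored credential
    recurring_fixed_amount: bool = False
    first_of_series_had_sca: bool = False
    acquirer_fraud_rate_pct: Optional[Decimal] = None  # None: acquirer does no TRA


def out_of_scope_reason(txn: Transaction) -> Optional[str]:
    """Why SCA does not apply to this payment at all, or None if it is in scope."""
    if txn.anonymous_prepaid:
        return "anonymous prepaid card"
    if txn.moto:
        return "MOTO payment, not initiated electronically by the payer"
    if not (txn.issuer_in_eea and txn.acquirer_in_eea):
        # Scope follows the PSPs' location, not the cardholder's.
        return "one-leg transaction: issuer or acquirer outside the EEA"
    if txn.merchant_initiated and txn.first_of_series_had_sca:
        return "merchant-initiated transaction under an authenticated CIT agreement"
    return None


def tra_threshold_pct(amount: Decimal) -> Optional[Decimal]:
    """Reference fraud rate the acquirer must not exceed to use TRA at this amount."""
    for cap, rate in TRA_TIERS:
        if amount <= cap:
            return rate
    return None  # above 500 EUR: TRA unavailable


def choose_exemption(txn: Transaction) -> Tuple[str, str]:
    """Request at most one exemption, or fall back to SCA.

    Preference order is this example's choice: recurring first, then TRA
    (acquirer-backed, counters the acquirer knows), then low value (issuer
    counters the merchant cannot see, so the issuer may still challenge).
    """
    reason = out_of_scope_reason(txn)
    if reason:
        return "out_of_scope", reason
    if txn.merchant_initiated:
        return "sca_required", "MIT series must start with an authenticated CIT"
    if txn.recurring_fixed_amount:
        if txn.first_of_series_had_sca:
            return "recurring", "same payee and amount; first payment was authenticated"
        return "sca_required", "first payment of a recurring series needs SCA"
    threshold = tra_threshold_pct(txn.amount_eur)
    rate = txn.acquirer_fraud_rate_pct
    if threshold is not None and rate is not None and rate <= threshold:
        return "tra", f"acquirer fraud rate {rate}% within {threshold}% tier"
    if txn.amount_eur <= LOW_VALUE_MAX:
        return "low_value", "amount <= 30 EUR; issuer counters unknown, may still be challenged"
    return "sca_required", "no exemption applies; expect a 3DS challenge"


def issuer_low_value_allowed(amount: Decimal, previous_since_sca: List[Decimal],
                             mode: str = "count") -> bool:
    """Issuer-side check the merchant never sees: counters since the last SCA.

    The issuer applies either the count-based or the value-based counter.
    """
    if amount > LOW_VALUE_MAX:
        return False
    if mode == "count":
        return len(previous_since_sca) <= LOW_VALUE_MAX_COUNT
    return sum(previous_since_sca, Decimal("0")) <= LOW_VALUE_MAX_CUMULATIVE


if __name__ == "__main__":
    # Constructed sample payments, not real data.
    samples = [
        Transaction(Decimal("25.00")),
        Transaction(Decimal("25.00"), acquirer_fraud_rate_pct=Decimal("0.10")),
        Transaction(Decimal("300.00"), acquirer_fraud_rate_pct=Decimal("0.02")),
        Transaction(Decimal("40.00"), issuer_in_eea=False),
        Transaction(Decimal("9.99"), recurring_fixed_amount=True, first_of_series_had_sca=True),
    ]
    for txn in samples:
        print(f"{str(txn.amount_eur):>8} EUR -> {choose_exemption(txn)}")
    # Same 20 EUR payment: a count counter after five exempted payments still
    # allows it, a value counter with 110 EUR already spent does not.
    print(issuer_low_value_allowed(Decimal("20"), [Decimal("20")] * 5))
    print(issuer_low_value_allowed(Decimal("20"), [Decimal("60"), Decimal("50")], mode="value"))
```

The two `issuer_low_value_allowed` calls at the end illustrate the drawback of the low-value exemption: the same 20 € payment is accepted or refused depending on a counter the merchant never sees, so a merchant should treat `low_value` as a request that may still come back as a challenge rather than as a guaranteed frictionless flow.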
Strong Customer Authentication improves the security of electronic transactions by requiring two independent authentication factors. When SCA is properly implemented, the completed challenge is also evidence that the legitimate account holder authorised the transaction, which makes it harder for customers to dispute a transaction as unauthorised (so-called friendly fraud) and is what underpins the liability shift to the issuer.
A streamlined payment experience improves conversion, while the liability shift provides fraud protection; exemptions trade the second for the first. Most acquirers will analyse their data and apply these exemptions where appropriate, but merchants should still understand them, since every exemption requested on their behalf keeps fraud liability on their side, and should recalibrate their fraud strategy together with their acquirer.