SCA Exemptions

Last updated: March 16th 2023, @ 11:23:55 am


Merchants operating in the European Economic Area (EEA) are mandated to support Strong Customer Authentication (SCA) on ecommerce transactions to meet the Payment Services Directive 2/Regulatory Technical Standards (PSD2/RTS) regulations.

The new rules stipulate that Strong Customer Authentication (SCA) be performed on all transactions, with a limited set of exceptions.

How exemption to SCA works

Merchants may request an exemption prior to the authorization using 3D Secure. When requested, the same exemption must be provided in the authorization. Issuers may use SCA exemption indicators to help decide whether or not to approve an authorization request. Issuers may still decline, indicating that additional cardholder authentication is required.

Exemption reason descriptions:

  • Secure Corporate Payment (SCP): Secure corporate or Business-to-Business (B2B) payments over dedicated payment processes and protocols are exempted from SCA.
  • Transaction Risk Analysis (TRA): Transactions are eligible for SCA exemption if transaction fraud rates are below established thresholds defined by PSD2/RTS.
  • Low Value Payment (LVP): Transactions are eligible for SCA exemption when the transaction amount is below the limit established by PSD2/RTS.
  • Merchant Initiated Transaction (MIT): Transactions processed within the Merchant-Initiated Transaction (MIT) framework are exempt from SCA. The initial transaction must meet strong customer authentication requirements.
  • Recurring Payment (RP): Transactions are eligible for SCA exemption. The initial transaction must meet strong customer authentication requirements.
  • SCA Delegation (SD): Transactions are eligible for SCA exemptions when an Issuer has delegated authentication responsibility to a third-party wallet provider or to a merchant.
  • Trusted Merchant (TM): Transactions are eligible for SCA exemption when a customer has added the merchant to a trusted list, where SCA is generally only required on the initial transaction.

Supported processors

Payflow currently supports SCA Exemptions for the following processors:

  • American Express
  • Braintree
  • Chase Paymentech Salem
  • FISERV North
  • PayPal

How to send SCA exemption data

After you've integrated with a 3D Secure MPI, you can use SCA exemptions to exempt future transactions from having to do additional 3D Secure calls by passing the required parameters outlined in this documentation. For example, a customer orders a product online, where you validate with 3D Secure, and then sets up a monthly renewal, where you bill them using a merchant initiated (MIT) or recurring (RP) exemption.

Note: SCAEXEMPTION should be used in conjunction with 3D Secure and Card on File (CoF).

Important: For American Express you must use SCAEXEMPTION with CARDONFILE. If both parameters are not passed in your request the exemption will not be sent.

Payflow fields

| Field | Description | Data type/max length | Processor support |
|---|---|---|---|
| SCAEXEMPTION | Value to flag exemption status. Only one of the following values can be sent: TM, SCP, TRA, LVP, MIT, RP, SD. See descriptions above. | alphanumeric, 3 | All |
| CITDATE | MasterCard only. Merchant initiated (MIT) and recurring (RP) transactions must contain the original settlement date which is received from the initial Cardholder Initiated (CITI) transaction response. Format: MMDD | alphanumeric, 4 | FISERV North |
| VMAID | Visa only. Visa Merchant Authentication ID assigned by Visa EU. If SCAEXEMPTION value is either TM or SD then VMAID is required. | alphanumeric, 8 | FISERV North |

Sample request

Note: Set VERBOSITY to HIGH to make sure you receive all the data returned in the response.

VENDOR=MerchantUserID&PARTNER=PayPal&USER=UserIDIfAvailOrSameAsVendor&PWD=Pwd4Payflow&TRXTYPE=S&TENDER=C&ACCT=4500XXXXXXXX0061&EXPDATE=1225&AMT=111.27&CAVV[28]=AAABBhBxKAAAAAAAAAAAAAAAAAA=&BILLTOSTREET=12115 LACKLAND&BILLTOZIP=63146&ECI=5&SCAEXEMPTION=SD&VMAID=12345678&THREEDSVERSION=2.0&VERBOSITY=HIGH
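The field rules above can be checked on the merchant side before a request is sent, so that an exemption is not silently dropped or declined for a missing companion field. The following Python sketch is an added example, not Payflow's own code; the function names and the card_brand argument are assumptions, and the request fragment is constructed from the sample above.

```python
import re

# Exemption codes from the SCAEXEMPTION field description on this page.
EXEMPTIONS = {"TM", "SCP", "TRA", "LVP", "MIT", "RP", "SD"}
MMDD = r"(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])"


def check_sca_fields(params, card_brand):
    """Return rule violations for one request (empty list = OK).

    card_brand ("visa", "mastercard", "amex") is a hypothetical argument:
    the caller is assumed to know the brand of the card being charged.
    """
    errors = []
    exemption = params.get("SCAEXEMPTION")
    if exemption is None:
        return errors  # no exemption requested, nothing to check
    if exemption not in EXEMPTIONS:
        errors.append("SCAEXEMPTION is not a supported value")
    # Visa: VMAID (alphanumeric, max 8) is required with TM or SD.
    if card_brand == "visa" and exemption in {"TM", "SD"}:
        if not re.fullmatch(r"[A-Za-z0-9]{1,8}", params.get("VMAID", "")):
            errors.append("VMAID is required for TM and SD")
    # MasterCard: MIT and RP carry the original settlement date as MMDD.
    if card_brand == "mastercard" and exemption in {"MIT", "RP"}:
        if not re.fullmatch(MMDD, params.get("CITDATE", "")):
            errors.append("CITDATE (MMDD) is required for MIT and RP")
    # American Express: without CARDONFILE the exemption is not sent.
    if card_brand == "amex" and not params.get("CARDONFILE"):
        errors.append("CARDONFILE must accompany SCAEXEMPTION")
    return errors


def to_payflow_string(params):
    """Serialise name-value pairs, length-tagging values that contain
    '&' or '=' (as CAVV[28] is tagged in the sample request)."""
    pairs = []
    for name, value in params.items():
        value = str(value)
        tag = f"[{len(value)}]" if "&" in value or "=" in value else ""
        pairs.append(f"{name}{tag}={value}")
    return "&".join(pairs)


# Constructed request fragment modelled on the page's sample (Visa, SD).
SAMPLE = {"TRXTYPE": "S", "TENDER": "C", "ECI": 5, "SCAEXEMPTION": "SD",
          "VMAID": "12345678", "THREEDSVERSION": "2.0", "VERBOSITY": "HIGH"}

if __name__ == "__main__":
    print(check_sca_fields(SAMPLE, "visa") or to_payflow_string(SAMPLE))
```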

Additional information