Last updated: March 16th 2023, @ 11:23:55 am
Merchants operating in the European Economic Area (EEA) are mandated to support Strong Customer Authentication (SCA) on ecommerce transactions to meet the Payment Services Directive 2/Regulatory Technical Standards (PSD2/RTS) regulations.
The new rules stipulate that Strong Customer Authentication (SCA) be performed on all transactions, with a limited set of exceptions.
How exemption to SCA works
Merchants may request an exemption prior to the authorization using 3D Secure. When requested, the same exemption must be provided in the authorization. Issuers may use SCA exemption indicators to help decide whether or not to approve an authorization request. Issuers may still decline, indicating that additional cardholder authentication is required.
Exemption reason descriptions:
- Secure Corporate Payment (SCP): Secure corporate or Business-to-Business (B2B) payments over dedicated payment processes and protocols are exempted from SCA.
- Transaction Risk Analysis (TRA): Transactions are eligible for SCA exemption if transaction fraud rates are below established thresholds defined by PSD2/RTS.
- Low Value Payment (LVP): Transactions are eligible for SCA exemption when the transaction amount is below the limit established by PSD2/RTS.
- Merchant Initiated Transaction (MIT): Transactions processed within the Merchant-Initiated Transaction (MIT) framework are exempt from SCA. The initial transaction must meet strong customer authentication requirements.
- Recurring Payment (RP): Transactions are eligible for SCA exemption. The initial transaction must meet strong customer authentication requirements.
- SCA Delegation (SD): Transactions are eligible for SCA exemptions when an Issuer has delegated authentication responsibility to a third-party wallet provider or to a merchant.
- Trusted Merchant (TM): Transactions are eligible for SCA exemption when a customer has added the merchant to a trusted list, where SCA is generally only required on the initial transaction.
Payflow currently supports SCA Exemptions for the following processors:
- American Express
- Chase Paymentech Salem
- FISERV North
How to send SCA exemption data
After you've integrated with a 3D Secure MPI, you can use SCA exemptions to exempt future transactions from additional 3D Secure calls by passing the required parameters outlined in this documentation. For example, a customer orders a product online, you validate the order with 3D Secure, and they then set up a monthly renewal that you bill using a merchant initiated (MIT) or recurring (RP) exemption.
SCAEXEMPTION should be used in conjunction with 3D Secure and Card on File (CoF).
Important: For American Express you must use CARDONFILE. If both parameters are not passed in your request the exemption will not be sent.
|Field||Description||Data type/max length||Processor support|
|Value to flag exemption status.|
Only one of the following values can be sent:
See descriptions above.
Merchant initiated (MIT) and recurring (RP) transactions must contain the original settlement date which is received from the initial Cardholder Initiated (CITI) transaction response. Format: MMDD
|alphanumeric, 4||FISERV North|
Visa Merchant Authentication ID assigned by Visa EU. If
|alphanumeric, 8||FISERV North|
VERBOSITY to HIGH to make sure you receive all the data returned in the response.
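A pre-flight check for the rules in this section, written as an added example and not PayPal's own code: it flags a request whose exemption would be dropped or is malformed before it is submitted. The function names, the `original_settlement_mmdd` argument (passed separately rather than under a Payflow field name) and the sample requests are assumptions made for illustration.

```python
from datetime import datetime

# Exemption codes and processors as listed on this page.
EXEMPTIONS = {"SCP", "TRA", "LVP", "MIT", "RP", "SD", "TM"}
PROCESSORS = {"American Express", "Chase Paymentech Salem", "FISERV North"}


def valid_mmdd(value):
    """True if value is a real calendar day in MMDD form (0229 allowed)."""
    if not (isinstance(value, str) and len(value) == 4
            and value.isascii() and value.isdigit()):
        return False
    try:
        datetime.strptime(value + "2024", "%m%d%Y")  # leap year so 0229 parses
        return True
    except ValueError:
        return False


def check_sca_request(params, processor, original_settlement_mmdd=None):
    """Return a list of problems; an empty list means the request passes."""
    problems = []
    exemption = params.get("SCAEXEMPTION")
    if exemption is None:
        return problems  # no exemption requested, nothing to check
    if processor not in PROCESSORS:
        problems.append(f"{processor}: not listed as supporting SCA exemptions")
    if exemption not in EXEMPTIONS:
        problems.append(f"SCAEXEMPTION={exemption!r}: send exactly one listed code")
    if processor == "American Express" and not params.get("CARDONFILE"):
        problems.append("American Express: CARDONFILE missing, exemption not sent")
    # Assumption: the settlement-date rule is checked only for FISERV North,
    # the processor the table lists for that field.
    if processor == "FISERV North" and exemption in {"MIT", "RP"}:
        if not valid_mmdd(original_settlement_mmdd):
            problems.append("MIT/RP: original settlement date must be MMDD")
    if str(params.get("VERBOSITY", "")).upper() != "HIGH":
        problems.append("VERBOSITY is not HIGH: response may omit returned data")
    return problems


# Constructed sample requests (illustrative values, not real transaction data).
SAMPLES = [
    ("American Express", {"SCAEXEMPTION": "MIT", "VERBOSITY": "HIGH"}, None),
    ("FISERV North", {"SCAEXEMPTION": "RP", "VERBOSITY": "HIGH"}, "0316"),
    ("FISERV North", {"SCAEXEMPTION": "MIT,RP"}, "1340"),
]
```

Running `check_sca_request` over a batch of stored renewal requests before submission shows which ones would go out without the intended exemption.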
- Visa, general information.
- MasterCard, general information.
- UK Financial, for basic information and rollout.