Strong Customer Authentication (SCA) ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. It requires cardholder data from at least two of the following categories to be provided during the authentication process:
Something you know
Something only the customer knows:
Something you own
Something only the customer owns:
Something you are
Something only the customer is:
SCA is mandatory for all e-commerce transactions although there are a number of exclusions (out of scope transactions) and exemptions.
Even if a merchant flags a transaction as exempt, the issuer still has the final say and may require the transaction to be authenticated. This is called a challenge flow and requires additional cardholder data to be provided so that SCA can be performed.
3DS2 reduces the risk of fraud and makes payments more secure as businesses and their payment provider are submitting additional data in each transaction to the cardholder’s bank (the issuer). It also allows frictionless processing through use of exemptions although the issuer may still require SCA. Overall it enables a better customer experience regardless of payment device type / payment channel. Further information on the expected benefits include:-
Transactions where the Payment Service Provider (PSP) of either the payer (i.e. the issuer) or of the payee (i.e. the acquirer) are located outside of the EEA.
MOTO transactions are not considered to be electronic payments, and therefore are out of scope of the regulation.
A series of payments with a fixed or variable amounts that the merchants performs without direct involvement of the cardholder e.g. subscriptions.
e.g. anonymous prepaid card.
For some exclusions (out of scope transactions), acquirers and issuers may decide to apply SCA to the transaction, and the final decision is taken by the issuer.
Based on the risk, amount and payment channel, acquirers and issuing banks may apply certain SCA exemptions to balance payment experience convenience and fraud reduction.
For all exemptions, the issuer makes the final decision. Therefore, if the acquirer/ merchant requests an exemption, the final decision is taken by the issuer. Notably the entity (Acquirer / Issuer) that requests the SCA exemption bears the fraud liability risk. More detail on the exemptions is listed in the table below.
Please refer to the exemptions table below and the supporting materials which describe the changes required.
|Exemption||Description||What action is needed by merchant|
|Low value||Remote transactions up to and including 30 EUR may receive an SCA exemption, however this exemption is limited to a maximum of 5 consecutive transactions, or a cumulative limit of 100 EUR.||Merchants may need to make changes depending on e-Commerce product type and integration method (see your relevant implementation guide).
Only the issuer can determine when the transaction counter or cumulative limit is reached and (if yes) will request authentication.
|TRA||The TRA exemption allows for certain remote transactions to be exempted from SCA subject to a real-time risk check and depending on the transaction value and acquirer’s fraud rate. It is therefore also referred as the “low risk” exemption. TRA is key to delivering frictionless payment experiences for low-risk remote transactions. Issuers and Acquirers can both apply the TRA exemption if they meet certain requirements, including achieving fraud rates according to the thresholds below:
|This exemption relies heavily on the data provided for a transaction, so that the issuer / acquirer can assess the risk of a transaction properly. Therefore, it is highly recommended to provide all the information on a transaction as well as the cardholder. The information you as a merchant or your PSP has to provide depends on your integration method. This is explained in the relevant guide from EVO or your 3rd party gateway.
EVO is planning to offer this acquirer exemption type from April 2022.
|Recurring Transactions||Applicable when the customer makes a series of recurring payments for the same amount, to the same business. SCA is required for the customer’s first payment – subsequent charges however may be exempted from SCA.
Note: Visa does not consider recurring payments an exemption as they are part of their MIT network and thus in their opinion they are out of scope of SCA.
|The transactions must be flagged as a recurring transaction according to your PSP’s specifications in order to qualify for an exemption application. You also need to provide the trace ID of the first payment.|
|Mastercard: White Listing
Visa: Trusted Beneficiaries
|Cardholders may add a merchant to a list of whitelisted/trusted beneficiaries held by their Issuer. Subsequent payments to such merchants do not require SCA.||This is primarily an issuer exemption as the information needed is stored by the issuer. The flagging of the granted issuer exemption in the authorisation is managed by your PSP – no action needed.
|Secure corporate payments||Payments made through dedicated corporate processes and protocols (e.g. lodge cards, central travel accounts and virtual cards) which are initiated by business entities, not available to consumers and which already offer high levels of protection from fraud may be exempted from SCA, subject to the view of the relevant competent authorities.
Lodge Cards, Central Travel Accounts and Virtual Cards that are not associated with an individual cardholder and are used within a secure dedicated corporate payment process are examples that may fall into this category.
|This is primarily an issuer exemption as the needed information is stored by the issuer. The flagging of the granted issuer exemption in the authorization is managed by your PSP – no action needed.|
|Exclusion / Out of Scope||Description||Note: Merchants must ensure that transactions are coded, flagged or validated correctly for all out of scope payment scenarios to ensure correct treatment and processing|
|Anonymous prepaid cards||Due to their very nature, payments made through the use of anonymous payment instruments, such as anonymous prepaid (e.g. gift) cards, are not subject to the obligation of strong customer authentication.
The Issuer is the only one able to identify this type of card. The Acquirer will not be able to identify from the primary account number that the product is an anonymous product.
|Managed by card issuer – no action needed.|
|Mail Order/Telephone Order – MOTO
|Payments transacted by email or telephone are not considered to be electronic payments, and are deemed out of scope for SCA.
|Ensure your MOTO transactions are correctly coded for all cardholder purchase / payment scenarios.|
|“One-leg” transaction||SCA regulations apply only to transactions made entirely within the EEA. If issuer or acquirer is domiciled outside the EEA (“One-leg out”), no SCA mandates apply. The nationality of the cardholder nor the merchant’s business location are relevant for the assessment as to whether a transaction is out of scope due to the “one-leg” rule. EVO Risk policy and systems can influence if SCA should be applied in such instances.||Managed by your PSP – no action needed. Issuers and acquirers may still require SCA to be applied to one-leg transactions. EVO’s current policy will require SCA for one-leg transactions.
|Merchant initiated transactions – MIT
|SCA is required for the customer’s first payment where the cardholder agrees to the terms and conditions of later subsequent charges. These subsequent charges however are excluded from SCA, provided that the cardholder is not present in the check-out flow (sometimes referred to as off-session) at the time when the charge occurs. This category also includes subsequent recurring payments.||The transactions must be flagged as a Recurring or MIT according to your PSPs specifications/ MIT framework in order to be approved by the Issuer’s as not requiring SCA. You also need to provide the ID of the first (Cardholder initiated & SCA authenticated) payment|
An SCA exemption means that the merchant / acquirer requests an exemption (aiming to achieve a frictionless transaction without SCA) and the issuer then decides whether SCA is required. If yes, the issuer will trigger the authentication (challenge request) flow to authenticate the cardholder. An exclusion (“out of scope” transaction) does not require SCA / authentication obligation, provided it is flagged correctly.
No. Mail order and telephone order (MOTO) / Virtual Terminal (VT) transactions are out of scope for SCA, as they are not considered to be electronic payments. Merchants should continue to process these as they do today.
When SCA is applied to a transaction, merchants/acquirers avail of protection in the event that a fraud-related dispute occurs. When SCA is not applied and the transaction results in a fraud related dispute, the merchant/acquirer is liable for the fraudulent transaction.
Please note: 3DS protects against fraud related disputes. It does not protect against all chargeback disputes i.e. non-fraud related disputes such as goods / service not being as described or non-delivery related disputes.
The following diagram shows the merchant and issuer options and merchant-issuer liability for each option:
BOIPA will support all acquirer exemptions subject to relevant risk policies and assessments e.g. for the local market, specific business types, individual merchant risk as applicable. BOIPA will be implementing a TRA exemption in 2022 and will advise you when this becomes available.
No, it applies to the acquirer and issuer – depending on who wants to request the exemption. BOIPA is planning to use the TRA exemption and will confirm when this becomes available.
Note: You may need to enlist the support of your web developer to make these changes.
You may need to make changes to your EVO gateway integration in order to provide the data that is required for 3DS2. To help you with this we are providing you with a list of business scenarios or “use cases.” For each use case we have defined the fields that are required to be sent for authentication. The changes required will vary depending on your integration type and the business scenarios that you support.
For the majority of merchants, the number of mandatory and recommended changes for standard payments are minimal. Details of the use cases and changes can be found below:-
• If you host your own payment page / form (Direct API) please click here.
• If you have an EVO Hosted Payment Page please click here.
All available data should be provided wherever possible to ensure an optimal cardholder and merchant experience and reduce transaction friction (challenge rate). The more information you include, the greater the chance that the issuer will not challenge the cardholder with SCA, as it leads to a more informed decision making process.
Whilst the benefit of SCA will be to reduce online card payment fraud levels, it is expected that the changes may also affect conversion rates of people using their card online. If you do not implement the changes needed to support 3DS2 you will see an increase in declined transactions by card issuers.
As with any new technology, it may take time for cardholders to become familiar with the process and SCA may lead to an increased number of abandoned transactions in the short term whilst the number of transactions requiring authentication is expected to decline. Over time 3DS2 is expected to increase consumer confidence in buying on-line reduce fraud and reduce abandonment rates due to enhanced data flows.
If you are in any doubt, please contact our support team by emailing ecommerce@BOIPA.com immediately.
You can read more on SCA and its features on Visa and MasterCard’s websites
Send our support team an email below.