PSD2 SCA Compliance and Exemptions

This page provides information on PSD2 SCA compliance and exemptions, to allow you to determine if they apply to you, and provides guidance on when and how to use the exemptions.

For information on how to comply with PSD2 SCA and claim exemptions (where applicable) via the Mastercard Payment Gateway, see integration guidelines for each of the 3-D Secure (3DS) integration models using the links below:

Overview

The Revised Payment Services Directive (PSD2) is legislation effective in the European Economic Area (EEA). PSD2 aims at driving market efficiency and integration, increasing consumer protection, creating competition, and improving security.

To achieve better consumer protection, PSD2 mandates that payment service providers implement Strong Customer Authentication (SCA) for e-commerce transactions. For card payments, you can achieve SCA by performing 3-D Secure Authentication (3DS). However, 3DS adds an additional step to the checkout flow, asking your payer to provide additional details during the authentication challenge. This is inconvenient to payers and potentially results in higher drop-off rates as payers abandon the checkout process.

Therefore, the PSD2 mandate includes a set of exemptions where SCA is not required, potentially allowing your payer to bypass this additional step during the checkout flow. A PSD2 exemption can be applied by the issuer (issuer exemption) or you or your acquirer can request it (acquirer exemption). The issuer may or may not apply the requested acquirer exemption.

If the issuer applies an exemption, the chargeback liability shifts to the issuer. If the issuer grants an exemption that you or your acquirer have requested, chargeback liability stays with you. An example of an issuer exemption is the exemption for low value transactions. Examples of acquirer exemptions are low value transactions and where the payer has whitelisted you with the issuer. For more details about the available exemptions, see sections below. 

You can request an exemption on either the authentication or the payment request. For more details on the possible options, see sections below. 

Understanding PSD2 SCA Compliance and Exemptions

Before proceeding with a gateway integration for PSD2 SCA compliance, you may want to consider the following questions. 

What is SCA?

Strong Customer Authentication (SCA) requires the payer to provide two out of the following three factors during the authentication process:

  • Something only they know, for example, a password
  • Something only they have, for example, a mobile phone
  • Something they are, for example, their fingerprint or face ID

For example, the payer may be asked to provide a one-time token that the issuer has sent to their mobile phone (something the payer has), and a password (something the payer knows).

Does the PSD2 SCA mandate apply to me?

PSD2 only applies to transactions where both the issuer and acquirer are located within European Economic Area (EEA) countries. This includes Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

If your acquirer is located outside the EEA, then PSD2 does not apply to you. 

If your acquirer is located in the EEA, then PSD2 applies to your transactions where the payer's card was issued in the EEA. If you accept payments from payers both inside and outside the EEA, you should treat all your transactions as if PSD2 applies.

Does the PSD2 SCA mandate apply to all my transactions?

The PSD2 SCA mandate only applies to e-commerce transactions. The following transactions do not require SCA under PSD2:

  • Card present, mail order, telephone order, voice response, and call center transactions
  • Transactions for anonymous cards, for example prepaid cards and gift cards
  • Transactions that are not initiated by the payer, for example recurring and installment transactions do not require SCA under PSD2. Note that special requirements apply to cardholder-initiated payments in a series of recurring payments. For more details, see below.

How can I comply with the PSD2 SCA mandate?

For card payments, you can achieve PSD2 SCA compliance by performing 3-D Secure Authentication (3DS) or by applying a PSD2 SCA exemption.

When deciding if you should perform 3DS or request an exemption you may want to consider the following questions: 

  • Do I require chargeback protection? If you perform 3DS and if the issuer applies an exemption, the chargeback liability shifts to the issuer. If you request an acquirer exemption (and the issuer grants the exemption) chargeback liability stays with you.
  • How likely is the payer to drop out during the checkout flow, if they are presented with the 3DS challenge? For a larger transaction amount the payer may consider this step important whereas on a transaction with a low amount they may decide that the effort to go through the 3DS challenge is too much of an ask. 
  • How likely is the issuer to grant the exemption or apply an issuer exemption? If the issuer does not grant the exemption you have requested or does not apply an issuer exemption, you will need to perform 3DS to proceed with the payment. This adds latency to the checkout process, and you may have to pay fees for two transaction requests.   
  • What is my fraud rate? The issuer is less likely to grant the exemption if you have a high fraud rate. High fraud rates may affect your standing with the card scheme. 

What PSD2 SCA exemptions can I request?

For an authentication or a payment, you can request one of the following exemptions:

Low Risk

Issuers are allowed to apply SCA exemptions for transactions that are considered "low risk" transactions and where the amount is below a defined threshold. Issuers can consider transactions as low risk based on the average fraud rate of either the card issuer, the acquirer, or both. Note that this fraud rate applies across all transactions for the card issuer/acquirer, not for you specifically.

When your acquirer's fraud rate is below the threshold, but the card issuer's is above the threshold, the issuer is expected to decline the exemption. The applicable thresholds are: 

  • Transaction amount <= 100 EUR* (or equivalent amount in the transaction currency) and average fraud rate <=0.13%* 
  • Transaction amount <= 250 EUR* (or equivalent amount in the transaction currency) and average fraud rate <= 0.06%*
  • Transaction amount <= 500 EUR* (or equivalent amount in the transaction currency) and average fraud rate <= 0.01%*

Talk to your payment service provider or acquirer to discuss if the low risk exemption is suitable for you.

If you request the low risk exemption and the issuer grants the exemption, the liability shifts to you. The exemption may be applied by the issuer, even if you or your acquirer did not request it (issuer exemption). In this case the chargeback liability shifts to the issuer. You can increase the chances of the exemption being applied by the issuer by providing additional payer information when initiating the authentication.

* The limit may be subject to change by PSD2.
Low Value

Where the transaction amount is up to 30 EUR* (or equivalent amount in the transaction currency) you can request a low value exemption. If the issuer grants the exemption, the liability shifts to you.

Issuers must track the use of this exemption for each card, including the number and the total value of all transactions since the payer was last authenticated. Where the number exceeds 5 and the total value exceeds 100 EUR* (or equivalent amount in the transaction currency) they must not apply the exemption and enforce SCA. 

As the thresholds do not only apply to payments that the payer makes with you, but any payments, you cannot rely on the exemption being granted. Also, because the issuer cannot perform the required checks when performing the authentication they may grant the exemption on the authentication but subsequently reject the payment. Because of the conditions applicable to this exemption, issuers may not support it altogether. For these reasons, it's recommended that where applicable, you consider requesting low risk exemption instead of the low value exemption. 
Whitelisting

If you allow your payer to create an account with you, so that they do not have to enter information like their card details, billing, or shipping address details every time they shop with you, then you may want to consider the whitelisting exemption. You can ask the issuer that during the authentication (when SCA is performed) they offer the payer the option to add you to a whitelist. In this case, the payer will be able to add you to the whitelist for this card that is maintained by the issuer.

As a result, the issuer will not require SCA on subsequent payments the payer makes with this card when making a purchase from your website. This applies regardless of the transaction amount or how often the payer shops with you.

The payer will be able to manage the whitelist for their card with the issuer (or a service provider that offers this service on behalf of the issuer). Whitelisting may not be supported by the issuer and so far adoption of whitelisting by issuers has been slow.  If you want to offer whitelisting, you will need to keep track of a payer having whitelisted you so that you can request the whitelisting exemption when submitting a payment for processing.

For cardholder-initiated payments with stored card details, if the payer has not whitelisted you, SCA is required for every individual payment triggered by the payer, even if you are using the payer's stored payment details.

Merchant-Initiated Payments (including Recurring Payments (Variable Amount))

If you have an agreement with your payer that allows you to periodically submit merchant-initiated payments (not covered under Recurring Payments (Fixed Amount) below) for the provision of goods or services, these payments are exempt from the PSD2 SCA requirements. This includes, for example, utility bill payments (e.g., electricity bills), pay TV and mobile phone subscriptions, car/bike sharing transactions, digital services subscriptions, insurance premium payments, installment payments and automatic account top-ups. It also includes Authorization updates, for example when you extend the Authorization validity or update the Authorization amount. For recurring payments with fixed amount, see Recurring Payments (Fixed Amount) exemption below.

You only need to perform SCA when you store the payment details on the initial cardholder-initiated payment in the series. For the subsequent merchant-initiated payments in the series you can request a merchant-initiated payment exemption. Note that this is not technically an exemption, but you are indicating that this is a merchant-initiated payment that falls outside the scope of PSD2 SCA. And just like for any other exemption, it is still the issuer that decides whether authentication is required. 

Where the issuer grants the merchant-initiated payment exemption, SCA is not required and the chargeback liability shifts to the issuer. If the issuer does not grant the exemption, you are required to submit a cardholder-initiated payment and perform SCA for this payment.

If the card details used for this agreement change, you must submit another cardholder-initiated payment and perform SCA for this payment.

It is a prerequisite that you correctly identify the payment as a merchant-initiated payment. For more details, see merchant-initiated transactions.

Recurring Payments (Fixed Amount)

If you have an agreement with the payer for recurring payments, i.e., a subscription with a fixed amount, you only need to perform SCA when you store the payment details or submit the initial cardholder-initiated payment in the series. For the subsequent merchant-initiated payments in the series you can request a recurring payment exemption. If the issuer grants the recurring payment exemption, SCA is not required and the chargeback liability shifts to the issuer.

If the amount or the card details used for the recurring payment agreement change, you must submit another cardholder-initiated payment and perform SCA for this payment. For recurring payments with a fixed amount, claim the recurring exemption rather than a merchant-initiated payment exemption (described above), because issuer approval rates for recurring payment exemptions are likely to be higher than for merchant-initiated transactions.

It is a prerequisite that you correctly identify the payment as a merchant-initiated payment. For more details, see merchant-initiated transactions.

SCA Delegation

Where you have already authenticated the payer using a mechanism that is PSD2 SCA compliant, you may be able to claim an SCA delegation exemption. To be able to do this, the schemes require you to provide evidence of the payer authentication.

However, the schemes are still finalizing their solutions for verifying the provided authentication data to achieve exemption from the SCA mandate. Therefore, the SCA delegation exemption functionality is not yet supported in the gateway.
Secure Corporate Payments

If you are a Business to Business (B2B) merchant, all or some of your payments may be exempt from the PSD2 SCA mandate. The Secure Corporate Payments exemption covers payments made through a dedicated corporate payments process or protocol initiated by businesses that is not available for consumers. These include payments made through central travel accounts, lodged corporate/commercial cards, virtual cards, and secure corporate cards. However, the exemption does not automatically include all B2B payments. Corporate cards that are not processed using the additional security methods, such as traditional employee corporate purchase cards, require SCA under the PSD2 mandate.

The Secure Corporate Payment is an issuer exemption, meaning that the issuer decides if it can be applied. If you have a way of recognizing that the exemption applies to a transaction, you can simply submit the payment and the issuer will apply the exemption. 

Where a secure corporate channel was used, indicate this by requesting the Secure Corporate Payment exemption on the authentication or payment request. This is critical for physical corporate cards, since in this case the issuer cannot identify a Secure Corporate Payment transaction solely based on the card number. If you wish to make use of this exemption, you need to contact your payment service provider or acquirer. They must ensure your payments meet the fraud mitigation threshold required for transactions that are not exempt from SCA and regularly report to the national regulator to be able to offer this exemption.

Can I claim more than one PSD2 SCA exemption?

No, you can only claim a single exemption on either an authentication or payment request.

What is the difference between an acquirer and an issuer PSD2 SCA exemption?

An acquirer exemption is an exemption that either you or your acquirer have requested. However, it is ultimately up to the issuer to decide whether an exemption can be applied. If the issuer grants the acquirer exemption, the payment does not require SCA. The payer will experience a frictionless flow. 

Where the issuer declines the acquirer exemption, they may still apply an issuer exemption. In this case, the payment does not require SCA. The payer will experience a frictionless flow. If the issuer declines the acquirer exemption and does not apply an issuer exemption, the payment requires SCA. The payer will be presented with a challenge flow. 

An issuer exemption can be applied by the issuer, even if you or your acquirer have not requested it. This only applies to the low value, low risk, whitelisting and Secure Corporate Payments exemptions. 

Does the liability shift to the issuer when a PSD2 SCA exemption is applied?

Where SCA is performed, the chargeback liability shifts to the issuer.

When you claim an acquirer exemption and the issuer grants the exemption, SCA is not performed and the liability stays with you. When the issuer applies an SCA exemption (issuer exemption), SCA is not performed but the liability shifts to the issuer. 

How do I claim a PSD2 SCA exemption?

You can either claim an exemption when performing the authentication or bypass the authentication and claim an exemption when submitting the payment for processing. Listed below are the possible options available to you.

Exemptions in an Authentication Request

  • You can request an exemption when submitting an authentication request to the issuer.

    If the issuer grants the exemption, your payer will experience a frictionless flow for 3DS, meaning they do not have to go through any additional steps related to payer authentication. The authentication response will contain details indicating that the exemption was granted. The authentication details must be submitted to the issuer on the payment request.

    If the issuer does not grant the requested exemption and does not apply an issuer exemption, your payer will be presented with the challenge flow.

  • If you are not claiming an exemption on the authentication, the issuer may still apply an exemption. In this case, the payer will experience a frictionless flow for 3DS. The authentication response will indicate that the authentication was successful.
    If the issuer does not apply an exemption, the payer will be presented with the challenge flow.

Exemptions in a Payment Request

  • You can submit a payment request with the authentication details for either a successful, attempted authentication, or a granted exemption. This indicates to the issuer that you are PSD2 SCA compliant.
  • You can submit a payment request without the authentication details and instead request an exemption. This means you proceed directly to the payment without attempting to authenticate the payer. However, if the PSD2 SCA requirement applies to the transaction, the issuer will reject the payment unless either you request an exemption and the issuer grants the exemption, or the issuer applies an issuer exemption.
    If you claim an exemption and the issuer grants the exemption, the transaction will be processed without SCA. If the issuer does not grant the requested exemption and does not apply an issuer exemption, the transaction will be rejected by the issuer. The response code will indicate that payer authentication is required. You can perform the payer authentication and resubmit the request.

Should I request a PSD2 SCA exemption when performing the authentication or when submitting the payment?

If you request an exemption on the authentication request to the issuer, you maximize the chance of SCA being performed straight away, where it's required. And, when an exemption is applied by the issuer, the payer does not have to go through an additional step during the checkout process. 

However, for some exemptions, where the issuer grants the exemption during the authentication process, the payment may subsequently be rejected because SCA is required. This applies, for example, to the low value exemption, where  the necessary checks can only be performed by the issuer when the payment is made.  

If you request the exemption on the payment request, where the exemption is granted by the issuer or where  the issuer applies an issuer exemption, the payment will proceed without an authentication step. However, if the issuer determines that SCA is required, the payment is rejected (with a response code indicating that SCA is required). You must then perform the authentication and resubmit the payment with the authentication details.  This adds latency to the checkout process for the payer, and fees may apply for the authentication and two payment requests. 

Can I request a PSD2 SCA exemption when performing payer authentication using 3DS1?

The schemes only support PSD2 SCA exemptions for 3DS2 payer authentication.

What happens if the issuer is not ready for 3DS2?

If the issuer is not ready for 3DS2, the card scheme may respond on behalf of the issuer — this is called stand-in processing or attempts processing. The scheme will not grant any acquirer exemptions but may apply an issuer exemption and return authentication details accordingly. If the scheme does not apply an issuer exemption, it will not authenticate the payer. The scheme will return authentication details that indicate authentication was attempted.

Regardless of whether the scheme applied an issuer exemption, if you submit those authentication details on the payment request, the issuer can either apply an issuer exemption or reject the payment because SCA is required but has not been performed. Therefore, the schemes recommend that if you receive an attempts response for a 3DS2 authentication, you should not proceed with the payment but attempt to authenticate the payer using 3DS1. 

Note that the gateway does not currently automatically detect an attempts response and perform 3DS1.

What happens if the issuer does not support PSD2 SCA exemptions?

If the issuer does not support a PSD2 SCA exemption, e.g., if the issuer is ready for 3DS2, but not ready for one or more PSD2 SCA exemptions, the issuer will never grant this type of exemption when you or your acquirer request it (acquirer exemption) and will never apply this exemption (issuer exemption). 

Note that this may apply to all or some of the exemptions. If the issuer does not support any SCA exemptions, SCA will be enforced on all transactions for cards for this issuer, meaning the payer will always be presented with the challenge flow.

What happens if I request a PSD2 SCA exemption and the issuer cannot be contacted (connectivity issue)?

If the issuer cannot be contacted, the scheme may respond on behalf of the issuer. The scheme will not grant any acquirer exemptions or apply any issuer exemptions. 

The scheme will return authentication details that you must submit to the issuer on the payment request. The issuer will either apply an issuer exemption and process the payment or reject the payment because SCA is required. If the payment is successful, the liability shifts to the issuer because of the issuer’s inability to be contacted during the authentication process.

What does PSD2 SCA mean for device payments?

Device payments, such as Apple Pay and Google Pay, require the payer to authenticate using their phone (something they have) and either a password (something they know) or fingerprint or face ID (something they are). Therefore, they already comply with the PSD2 SCA mandate.

What does PSD2 SCA mean for browser payments?

Browser payments, such as PayPal and common European payment methods like iDEAL or Multibanco, mostly already comply with the PSD2 SCA mandate, or have made changes to their checkout flow to be compliant.