Strong Customer Authentication

What is SCA?

Strong Customer Authentication (SCA) is a PSD2 regulatory requirement that aims to make online payments more secure. It requires card issuers to use two-factor authentication to verify electronic transactions. For card payments, the challenge part of a 3-D Secure authentication is a compliant way to complete SCA and verify electronic card transactions.

SCA is limited to the EEA and the UK.

What are SCA exemptions?

SCA exemptions are specific situations where businesses are not required to use two-factor authentication to verify online transactions. For card payments, acquirers can apply for an SCA exemption, but the responsibility to accept an exemption lies with the issuers.

Though acquirers apply for an exemption, the merchant or their payment service provider can request the acquirer to consider an exemption on their behalf. Speak to your payment provider or acquirer to determine whether SCA exemptions are being applied to your payments or not.

Types of SCA exemptions that BR-DGE supports:

There is a range of SCA exemptions available. BR-DGE currently supports the following:

TRA (Transaction Risk Analysis)

TRA can be carried out on a payment to determine the likelihood of it being fraudulent. It will produce a risk score, taking into account various factors, including but not limited to location, time and spending habits.

If the score crosses a certain threshold, PSD2 regulation dictates that SCA must be used to authenticate that the cardholder is making the payment.

If the score is below a certain threshold, it is possible for a payment to bypass SCA authentication.

It is the responsibility of either the acquirer or the issuer to apply the TRA exemption to a payment. In the event the acquirer applies TRA, the issuer’s decision to accept it comes down to the acquirer’s fraud rates. Here is a breakdown of the fraud rates required for a payment to be exempted from SCA. Speak to your acquirer to find out more about their TRA strategy.

Transaction Amount    Acquirer Fraud Rate
€0 - €100             Up to 0.13%
€0 - €250             Up to 0.06%
€0 - €500             Up to 0.01%
+ €500                SCA is typically required

In the event the issuer applies their own TRA exemption, the same fraud rules apply.

If you carry out your own TRA and request that the exemption be applied to a payment, this can help the acquirer’s TRA exemption decision-making process, assuming your acquirers trust your fraud screening processes.

Should you wish to apply the TRA SCA exemption, you can do so using BR-DGE’s REST API POST /payments endpoint.

{
    "amount": 1000,
    "currencyCode": "GBP",
    "customerOrderCode": "TRA_EXEMPTION_ORDER_CODE",
    "orderDescription": "Taxi fare",
    "paymentInstrument": {
        "type": "card",
        "nameOnCard": "John Doe",
        "pan": "4000000000001000",
        "expiryDate": "03-30"
    },
    "scaExemption":"TRA"
}

Low-value transactions

Transactions below €30 are considered ‘low-value’ and may be exempt from SCA. However, SCA will be required if:

  • A customer makes five or more payments above €30;
    or
  • The sum of previous exemptions exceeds €100.

The card issuer (customer’s bank) will keep track of such occurrences and will decide whether authentication is necessary or not.

Should you wish to apply the low-value SCA exemption, you can do so using BR-DGE’s REST API POST /payments endpoint.

{
    "amount": 1000,
    "currencyCode": "GBP",
    "customerOrderCode": "TRA_EXEMPTION_ORDER_CODE",
    "orderDescription": "Taxi fare",
    "paymentInstrument": {
        "type": "card",
        "nameOnCard": "John Doe",
        "pan": "4000000000001000",
        "expiryDate": "03-30"
    },
    "scaExemption":"LOW_VALUE"
}

SCA Exemption Payment and 3-D Secure

SCA exemptions can be applied with or without 3-D Secure, if the payment processor allows. This can be useful should you want to optimise your checkout experience for your consumer by removing 3-D Secure completely from your checkout process.

A successful 3-D Secure payment moves liability to the issuers. Without 3-D Secure authentication, liability for a payment remains with the merchant.

SCA Exemption with 3-D Secure:

{
    "amount": 1000,
    "currencyCode": "GBP",
    "customerOrderCode": "1234",
    "orderDescription": "Taxi fare",
    "paymentInstrument": {
        "type": "card",
        "nameOnCard": "John Doe",
        "pan": "4000000000001000",
        "expiryDate": "03-30"
    },
    "scaExemption":"LOW_VALUE",
    "threeDSecureRequired":true
}

In this example, the merchant is providing an exemption from the challenge flow. This can be useful should you want to remove a 3-D Secure challenge from your checkout process whilst moving liability to the card issuer.

The ultimate decision on whether to honour the SCA exemption lies with the card issuer. Should they accept the SCA exemption, only frictionless 3-D Secure authentication will be carried out.

SCA Exemption without 3-D Secure:

{
    "amount": 1000,
    "currencyCode": "GBP",
    "customerOrderCode": "1234",
    "orderDescription": "Taxi fare",
    "paymentInstrument": {
        "type": "card",
        "nameOnCard": "John Doe",
        "pan": "4000000000001000",
        "expiryDate": "03-30"
    },
    "scaExemption":"LOW_VALUE",
    "threeDSecureRequired":false
}

In this example, the merchant is providing an exemption from SCA and requesting to bypass 3-D Secure entirely. This can be useful if you are comfortable taking liability for a payment and want to streamline your checkout process by removing 3-D Secure authentication from it entirely.

SCA exemptions are currently only available in the BR-DGE POST /payments API. Check our PSP integrations to see which PSPs use BR-DGE’s SCA exemption feature with 3-D Secure and without.
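
The selection rules above combined into one merchant-side pre-check, as an added example (not BR-DGE's code): it picks the scaExemption value to request from the TRA fraud-rate bands and the low-value limit, and keeps threeDSecureRequired true unless the merchant has explicitly accepted liability. The function names, the amount already converted to EUR and the acquirer fraud rate input are assumptions of this example; the issuer still makes the final decision.

```python
from decimal import Decimal

# TRA bands from the table above: (maximum amount in EUR, maximum acquirer fraud rate in %).
TRA_BANDS = [
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
]
LOW_VALUE_LIMIT_EUR = Decimal("30")  # "below €30" is treated as a strict limit


def tra_eligible(amount_eur, acquirer_fraud_rate_pct):
    """True when the acquirer's fraud rate fits the band covering this amount."""
    for max_amount, max_rate in TRA_BANDS:
        if amount_eur <= max_amount:
            return acquirer_fraud_rate_pct <= max_rate
    return False  # above €500: SCA is typically required


def choose_exemption(amount_eur, acquirer_fraud_rate_pct):
    """Return "LOW_VALUE", "TRA", or None when no exemption should be requested.

    The issuer's counters for low-value payments are not visible to the
    merchant, so a LOW_VALUE request can still be declined by the issuer.
    """
    if amount_eur < LOW_VALUE_LIMIT_EUR:
        return "LOW_VALUE"
    if tra_eligible(amount_eur, acquirer_fraud_rate_pct):
        return "TRA"
    return None


def build_payment_body(base_body, exemption, accept_liability=False):
    """Copy a POST /payments body and add the exemption fields shown on this page.

    3-D Secure is dropped only when an exemption is requested AND the merchant
    has explicitly accepted liability; otherwise it stays required.
    """
    body = dict(base_body)
    if exemption is not None:
        body["scaExemption"] = exemption
    body["threeDSecureRequired"] = exemption is None or not accept_liability
    return body
```
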

Benefits of SCA exemptions

  • Reduced friction for customers

  • Increased conversion rates

  • Improved customer satisfaction

Risks of SCA exemptions

  • Increased risk of fraud

  • Potential for chargebacks

Best practices for using SCA exemptions

  • Use exemptions only when appropriate

  • Monitor transactions for fraud

  • Implement additional security measures to mitigate the risk of fraud