Introduction

Ease of use and better security are two of the most essential characteristics for an online payment transaction. Keeping this in mind, SCA i.e, the Strong Customer Authentication, which came into force from January 2021 in the EU and was enforced in the UK by March 2022, provides a principle mechanism that works on ‘establishment of trust’. It incentivises the merchants to improve the transaction rate and volume related to their customers, which would decrease the number of requisite authentication steps in the said process.

Officially, the PSD2 exempts certain payments from the requirements of the SCA. Various acquirers can then request these exemptions when they are processing a certain payment which effectively further automates the entire process. To put it briefly, by using the provision of 3DS 2.0 exemptions, merchants can reduce the number of times they are required to authenticate a cardholder, which essentially reduces friction at the checkout and immensely lowers the customer-drop rate.

How can I apply for these exemptions?

There are primarily two ways of applying for exemptions under the 3DS 2.0 –

1. Application by the Acquirer: In this case, it is important to note that one loses their fraud liability protection. This means that the merchant will have no protective cover in case of a fraudulent purchase made through a customer’s card. Although, in the application for exemptions by an acquirer, one can seemingly reduce friction caused due to adherence to SCA rules, it places the entire liability on the merchant.

2. Application by the Cardholder’s Issuer: In this case, the payment flow certainly becomes largely frictionless along with the liability of the risk shifting to the issuer itself. Although, this seems like a rather favourable scenario, it shifts the control entirely to the issuer. Since, they have the responsibility of both granting the exemption and adhering to the following requirements, one can’t be sure of the application. It is not advisable to completely rely on them for the same.
Apart from the general exemptions that depend on the volume and value of transactions being conducted by a merchant or being performed on a personal level by the consumer, it is important to discuss the applicability of trusted beneficiaries. The Trusted Beneficiaries Exemption essentially is initiated by the customer himself, but maintained by the issuer. It is designed keeping in mind the principle of ‘establishment of trust’ as the cardholders can list specific merchants that they regularly interact and shop with to prevent the need for a complete 3DS set-up transaction. Although a merchant added to the list of trusted beneficiaries can be put under the scrutiny of an added SCA step by the issuer, it largely allows for a smoother transaction. The issuer however, as stated, retains the decision of terming it as a risky transaction and applying the SCA regulation.

Defining the Scope of exemptions

It is essential to note that the SCA rules in general, apply only to transactions when both the cardholder’s issuing bank and the merchant’s acquirer are located in the European Economic Area. If either of these involved parties does not fulfil this requirement, then the regulations do not apply. Given the detailed nature of this provision, it is probable for the issuers to not have the requisite filtering mechanism, which could lead to declines. Since the SCA does not apply to these transactions, these transactions are out of the scope for the applicability of the exemptions as well.
In cases of Merchant Initiated Transactions (MITs), where the merchants have a certain type of transaction being performed on a regular basis with their customers, the standard recurring exemption does not apply. However, it does provide for a separate type of opportunity to avoid multiple authentication requests.
Also, even low-risk and low-value transactions are excluded from the scope of exemptions. These shall include the TRA (transaction risk analysis) transactions where the value of a transaction should be between €0 and €500, and the acquirer and issuer processing it must have low average fraud levels. This is a widely supported provision to avoid friction at the checkout, although not being an exemption per se. For the low-value transactions, a customer can spend up to €30 without requiring additional authentication, for five consecutive transactions. It also applies for a cumulative expenditure value of €100 since the last application of SCA. Although not as widely used, it makes for an important exempt provision.

Assessing the pros and cons of 3DS exemption

The primary advantage of availing transactions is the reduction in friction at the checkout time which makes the interface much easier to use for the customer. Better user-experience essentially guarantees customer retention and better opportunities for the parties managing the backend of online payments i.e., the acquirers, issuers and even payment platforms.
However, it is not all sunshine and rainbows when it comes to the 3DS 2.0 exemptions you can claim. The authentication processes are kept in place to reduce the number of illegitimate transactions and however cumbersome it may seem on the face; it is to protect the end-user. The disadvantages of applying for exemptions is that one is completely liable for the fraud-related chargebacks on exempted transactions. It cannot be shifted to the user itself. The onus of responsibility increases on the parties managing the transactions, as the European Payments Council has elucidated –
“The payer can claim full reimbursement from their PSP in case of an [unauthorised] payment if there was no SCA measure in place and if the payer did not act fraudulently.”
Therefore, although the exemptions provide for a generally useful way to improve customer likeability and retention, merchants should be duly aware of the risks and the responsibility that comes along with it.