Introduction to SCA Exemptions

🚧

Early access mode

SCA Exemptions is in early access. If you are interested in gaining access then please contact us via our support page

Our SCA Exemptions API provides the ability to assess whether an exemption can be applied to a ecommerce transaction before completing checkout. The following exemptions are covered by the API:

• Low value (Article 16) - LOV
• Recurring transaction (Article 14) - REC
• Merchant initiated transactions - MIT
• Transaction Risk Analysis (Article 18) - TRA
• One leg out (issuer/acquirer outside EEA) - EEA

📘

Features

The following features are available today:

• Evaluate transaction for SCA exemption
• Provide data for SCA exemption engine - this is used to data following a successful payment to help train the model for future exemption checks

Background on Strong Customer Authentication (SCA)

On October 8th 2015, the European Parliament adopted the European Commission (EC) proposal of the revised Directive on Payment Services (PSD2). PSD2 had to be transposed into national legislature by European (EU) member states no later than January 13th 2018.

The key PSD2 regulatory requirements for debit or credit card processing are as follows:

Introduce Strong Customer Authentication (SCA). SCA is mandated for electronic payment transactions and requires authentication by two or more factors.

The factors are:

• Knowledge (something only the user knows, i.e. a password)
• Possession (something only the user possesses, i.e. a token or mobile phone)
• Inherence (something the user is, i.e. biometrics)

The European Banking Authority (EBA) defined the regulatory technical standards (RTS) for SCA in January 2017.

The RTS allow several exemptions from SCA. In ecommerce business (remote electronic payments) SCA is mostly performed by EMVCO 3DS v2.X architecture. When an exemption is applied to a payment transaction by the acquirer payment service provider then mostly 3DS processing is skipped and the transaction is directly sent to authorisation switches.

The following exemptions are applicable for remote electronic payments:

• Low value (Article 16)
• Recurring transaction (Article 14)
• Merchant initiated transactions
• Transaction Risk Analysis (Article 18)
• One leg out (issuer/acquirer outside EEA)

In order to apply Article 18 exemptions the acquirer payment service provider is in need of a related risk tool that offers a transaction risk analysis of the payment and performs multiple fraud checks. To allow an Article 18 exemption, the acquirer's fraud rate must be taken into consideration.

Functionalities the API provides

This API offers merchants and PSP of configured acquirers access to the Fiserv SCA exemption solution, not only for TRA exemption but also for the other possible exemptions such as low value and MIT.

In general the PSP can send SCA exemption requests to the API and will receive not only the evaluation if an exemption to SCA can be applied, but also additional information such as:

• Risk Score
• Exemption that was applied (TRA, LOV, REC, MIT, EEA)
• Short explanation why exemption can be applied / not applied

With that information the merchant/PSP can go for 3DS processing or directly into authorisation process.

This API currently provides:

1. SCA exemption scoring for acquiring ecommerce payment transactions on debit and credit cards.
2. Information on which exemption was applied as part of the response message to be used for the authorisation and 3DS process.
3. For payments where no SCA exemption check is required, the API consumer can send a message containing all payment data that will help to train the model for future exemption checks.