Strong Customer Authentication – The 8 exemptions you should pay attention to

Under the new regulations, certain types of transactions will be exempted from Strong Customer Authentication (SCA) policies. These types of transactions are low-risk payments, usually defined by the cardholder’s bank. As SCA would force the inclusion of an authentication step, these exemptions can be very useful for creating a better friction-free customer experience wherever applicable.

These exemptions are detailed in the FCA’s Payment Services and Electronic Money Approach document. We’ve outlined some of the most relevant exemptions below.

1. Low-risk transactions

These apply when the payment provider’s or bank’s overall fraud rates for card payments do not exceed 0.13% for transactions up to €100, 0.06% for transactions up to €250, or 0.01% for transactions up to €500.

2. Payments below €30

Transactions below €30 will be considered low value. Therefore, they may be exempted from SCA. However, there is a condition – if the exemption has been used five times since the last successful authentication or if the sum of the previously-exempted payments is over €100, then SCA may be applied.
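The counter logic behind this exemption, as an added Python example that is not part of the original article: `LowValueTracker` and `replay` are hypothetical names, the amounts are constructed, and the limits follow the article's wording, where the €100 check applies to the sum of previously exempted payments.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the article for low-value payments.
LOW_VALUE_LIMIT = Decimal("30")     # payment must be below this amount (EUR)
MAX_EXEMPT_USES = 5                 # exemptions allowed since the last SCA
MAX_EXEMPT_TOTAL = Decimal("100")   # cumulative exempted amount (EUR)


@dataclass
class LowValueTracker:
    """Per-card counters (hypothetical name); reset on each successful SCA."""
    exempt_uses: int = 0
    exempt_total: Decimal = Decimal("0")

    def needs_sca(self, amount: Decimal) -> bool:
        if amount >= LOW_VALUE_LIMIT:
            return True                       # not a low-value payment
        if self.exempt_uses >= MAX_EXEMPT_USES:
            return True                       # exemption already used five times
        if self.exempt_total > MAX_EXEMPT_TOTAL:
            return True                       # previously exempted sum is over 100
        return False

    def authorise(self, amount: Decimal, sca_passed: bool = False) -> str:
        """Return 'exempt', 'authenticated' or 'challenge' and update counters."""
        if sca_passed:
            # A successful authentication restarts both counters.
            self.exempt_uses = 0
            self.exempt_total = Decimal("0")
            return "authenticated"
        if self.needs_sca(amount):
            return "challenge"
        self.exempt_uses += 1
        self.exempt_total += amount
        return "exempt"


def replay(amounts):
    """Run constructed amounts through a fresh tracker, completing SCA on demand."""
    tracker, outcomes = LowValueTracker(), []
    for raw in amounts:
        amount = Decimal(raw)
        result = tracker.authorise(amount)
        if result == "challenge":
            result = tracker.authorise(amount, sca_passed=True)
        outcomes.append(result)
    return outcomes
```

Amounts are held as `Decimal` so that the comparisons against the €30 and €100 limits are exact rather than subject to floating-point rounding.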

3. Fixed-amount subscriptions

If the customer is making a series of recurring payments to the same business for the same value, SCA will only be required for the first payment.

4. Merchant-initiated transactions

Similar to the previous exemption, this applies especially when the amount is variable. If the customer has saved the card that they’re making the payment with, these payments would qualify as merchant-initiated transactions and would be exempted from SCA. In this case, the card need only be authenticated when it’s being saved or during the first payment.

5. Trusted beneficiaries

Customers can declare specific businesses that they trust as a “trusted beneficiary”, which would allow for an exemption.

6. Phone sales

Using a phone to collect card details may also fall outside the scope of SCA, as it might be considered a MOTO (Mail Order and Telephone Order) transaction. This would depend on the decision of the cardholder’s bank.

7. Corporate payments

B2B payments made with a corporate card or one that uses a virtual card number may be exempted from SCA.

8. Inter-regional transactions

If the issuer or the acquirer of the card is not based in Europe, the transaction will not require SCA.

There are a few other exempted transactions that are worth paying attention to, such as:

  • Accessing account information (such as balance, or prior transactions made in the past 90 days)
  • Transactions made at unattended terminals for transportation and parking fees
  • Credit transfers between accounts held by the same person
  • Contactless payments made at point of sale where the individual transaction amount is less than €50. In this case, the customer must also have initiated five or fewer transactions, or the customer’s total payments must not have exceeded €150, since the last time SCA was applied.

At Penser, we specialize in consulting in FinTech, payments and open banking. We are helping our clients navigate the new PSD2 regulation and supporting them through their transformation journeys. To learn more, check out our digital transformation service page.

Not sure what SCA is? Check out our introduction to Strong Customer Authentication!