Strong Customer Authentication (SCA) is obligatory unless a transaction falls within certain types that are exempt from the security protocols. These cases are divided into exceptions and exemptions.
Exceptions to the application of SCA are provided for:
1. One-leg transactions. These are payments in any currency for which the acquirer or the issuer is based outside the EEA.
2. Mail Order/Telephone Order (MOTO). All transactions made without the presence of the cardholder, also known as card-not-present transactions.
3. Merchant Initiated Transactions (MIT). These are transactions for which the payment order is initiated by the merchant in the absence of the buyer, and which are covered by a prior authorization.
4. Card on file. Payments in which authentication is previously carried out through a third party.
The cases in which it is possible to request an exemption from SCA are:
1. Low-value transactions. Transactions of modest value, below 30 euros, provided that the exempted amounts summed together since the last SCA do not exceed 100 euros, or that no more than five consecutive single transactions have been exempted since the last time SCA was carried out.
2. Low-risk transactions (Risk-Based Analysis, RBA). Transactions considered low-risk, for an amount between €30 and €500, for which exemption is possible if the card issuer or acquirer managing the transaction has a fraud rate equal to or lower than the reference rates established by the regulation.
3. Recurring payments. For subscriptions or recurring payments with a fixed amount and beneficiary, SCA is required only for the first transaction and again whenever the amount changes.
4. Whitelisting or trusted beneficiaries. Customers can decide, according to the methods and availability established by the issuer, to add a company to their list of "Trusted Beneficiaries". SCA is then applied only to the first payment made after the company is added to the list.
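As an added example (not code from the original article or from Axerve), the routine below shows how an issuer-side decision could apply the low-value, TRA and recurring-payment exemptions described above, including the counter reset that every SCA causes. The CardState model and the reference fraud rate passed in by the caller are assumptions: the article gives the amount thresholds but not the numeric reference rates.

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT = 30.0       # single transaction must be below 30 euros
LOW_VALUE_CUM_LIMIT = 100.0  # exempted amounts summed since the last SCA
LOW_VALUE_MAX_COUNT = 5      # consecutive exempted transactions since the last SCA
TRA_MAX_AMOUNT = 500.0       # TRA exemption covers amounts from 30 up to 500 euros

@dataclass
class CardState:
    """Issuer-side counters for one card (a constructed model, not a real schema)."""
    exempt_sum: float = 0.0   # low-value amounts exempted since the last SCA
    exempt_count: int = 0     # low-value transactions exempted since the last SCA
    mandates: dict = field(default_factory=dict)  # merchant -> fixed recurring amount

def _apply_sca(state, reason):
    """Performing SCA resets both low-value counters."""
    state.exempt_sum = 0.0
    state.exempt_count = 0
    return True, reason

def sca_decision(amount, merchant, state, psp_fraud_rate, reference_rate, recurring=False):
    """Return (needs_sca, reason) for one transaction and update the card's counters.

    psp_fraud_rate and reference_rate are fractions (0.0006 == 0.06%); the reference
    rate is whatever the regulation sets for the band and is supplied by the caller.
    """
    if recurring:
        # Fixed amount and beneficiary: SCA on the first payment and on amount changes.
        known = state.mandates.get(merchant)
        state.mandates[merchant] = amount
        if known is None:
            return _apply_sca(state, "recurring: first payment")
        if known != amount:
            return _apply_sca(state, "recurring: amount changed")
        return False, "recurring: unchanged mandate"
    if amount < LOW_VALUE_LIMIT:
        # Either the cumulative-amount limit or the consecutive-count limit keeps
        # the exemption available; SCA is required once both are exhausted.
        if (state.exempt_sum + amount <= LOW_VALUE_CUM_LIMIT
                or state.exempt_count < LOW_VALUE_MAX_COUNT):
            state.exempt_sum += amount
            state.exempt_count += 1
            return False, "low-value exemption"
        return _apply_sca(state, "low-value limits exhausted")
    if amount <= TRA_MAX_AMOUNT and psp_fraud_rate <= reference_rate:
        # TRA: the PSP's fraud rate must not exceed the regulatory reference rate.
        return False, "TRA exemption"
    return _apply_sca(state, "no exemption applies")
```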
A useful tool for assessing the degree of risk of a transaction is Transaction Risk Analysis (TRA), which takes into consideration a series of parameters including:
the amount of the transaction;
the customer's habits (location, behavior, etc.);
possible fraud scenarios;
any lists of information known to be fraudulent (such as IBANs declared as fraudulent);
the possible compromise of the customer's device.
You can learn more about PSD2, SCA, the 3DS protocols and TRA in Axerve's whitepaper "Strong Customer Authentication in 2021".