PSD2: When Is Strong Customer Authentication Not Required?
Payment scenarios exempt from SCA requirements are generally determined by a transaction’s amount, recurrence, and the channel used to carry out the payment. Let’s take a more detailed look at each of these exemptions and their real-world applications.
The third chapter of the Regulatory Technical Standards (RTS) of Strong Customer Authentication (SCA) is dedicated to its exemptions — in other words, the cases in which the application of SCA is not required.
More specifically, articles 10-18 of the chapter lay out each type of exempted payment, while the final three articles (19-21) specify how each of these exemptions must be implemented and monitored by payment service providers. The purpose of these exemptions is to maintain a customer experience that’s as smooth as possible for specific payment scenarios.
Let’s first take a look at the articles that cover the nine scenarios in which payments may be exempt from SCA.
1. Payment Account Information
This article lays down the rules for how much information can be displayed in a payment account without SCA requirements being applied. In a nutshell, the user should be able to access:
a. The balance of the designated payment account
b. Transactions executed through the account during the last 90 days (to access account information older than 90 days, it’s imperative that SCA requirements are applied)
Importantly, this scenario is only exempt from SCA requirements when the user has been subject to SCA within the previous 90 days.
2. Contactless Payments at Point of Sale
When making in-store contactless transactions (think paying with your mobile phone at the grocery store), transactions of up to 50 EUR can be exempt from SCA requirements. However, this is only valid if the following conditions are met:
a. The individual transaction in question doesn’t exceed 50 EUR
b. The total amount of contactless transactions without SCA requirements applied doesn’t exceed 150 EUR or there are no more than five consecutive contactless transactions executed without SCA requirements in place
3. Unattended Terminals for Transport Fares and Parking Fees
This one’s straightforward: Payment service providers aren’t required to apply SCA requirements when a payer initiates a payment transaction at an unattended payment terminal to pay a transport fare or a parking fee.
4. Trusted Beneficiaries
Users are allowed to initiate payment transactions to payees that are included in a list of the user’s trusted contacts (beneficiaries) without SCA requirements being applied. However, SCA is required when the user is first creating the list of trusted beneficiaries as well as any time that they make changes to the list.
5. Recurring Transactions
Similar to the previous article, recurring payments can be made without SCA requirements in place under certain circumstances. After a user creates, amends, or initiates a recurring payment for the first time with SCA requirements applied, they can then initiate the subsequent payments for the given recurring payment without being subject to SCA requirements. This article is relevant for payment scenarios like paying a gym membership or monthly subscription to a publication or service.
6. Credit Transfers Between Accounts Held by the Same Natural or Legal Person
For various reasons, people often need to make transfers between their own accounts. This exemption makes it possible for payers to initiate a transfer when the payer and payee are the same person (in the natural or legal sense) and both of the payment accounts in question are held by the same account servicing payment service provider (in other words, the institution providing both payment accounts must be the same).
7. Low-Value Transactions
In the same vein as the regulation of contactless payments, it’s possible to make low-value remote transactions without applying SCA requirements, provided that the following conditions are met:
a. The transaction’s value doesn’t exceed 30 EUR
b. The total amount of previous remote transactions without SCA requirements applied doesn’t exceed 100 EUR or there are no more than five consecutive remote transactions executed without SCA requirements in place
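Scenarios 2 and 7 share one shape: a per-transaction ceiling plus a cumulative ceiling that is expressed either as an amount or as a count of consecutive exempted transactions. The following is an added example (not code from the post or from Wultra) of how an issuer might track that state per payment instrument. It implements the "or" between the amount and count limits literally as the post phrases it, counts the transaction under assessment towards both limits (a conservative choice; the RTS wording speaks of "previous" transactions), and assumes the counters are reset whenever SCA is actually applied, which the post does not spell out. The `InstrumentState`, `assess` and `record_sca` names are this example's own.

```python
"""Cumulative-limit checks for the contactless (scenario 2) and low-value
remote (scenario 7) SCA exemptions. Added example, not the post's code."""

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ExemptionLimits:
    name: str
    per_transaction: Decimal   # single-transaction ceiling, condition (a)
    cumulative_amount: Decimal  # amount exempted since last SCA, condition (b), first half
    max_consecutive: int        # exempted transactions since last SCA, condition (b), second half


# Figures as given in the post: 50/150/5 for contactless, 30/100/5 for remote.
CONTACTLESS = ExemptionLimits("contactless_pos", Decimal("50"), Decimal("150"), 5)
LOW_VALUE_REMOTE = ExemptionLimits("low_value_remote", Decimal("30"), Decimal("100"), 5)


@dataclass
class InstrumentState:
    """Running totals for one payment instrument since SCA was last applied (assumed reset rule)."""
    exempted_amount: Decimal = Decimal("0")
    exempted_count: int = 0


def may_exempt(limits: ExemptionLimits, state: InstrumentState, amount: Decimal) -> bool:
    """True if this transaction can skip SCA under `limits`.

    The transaction being assessed is counted towards both cumulative limits
    (conservative assumption). Per the post's wording, it is enough that
    *either* the amount limit *or* the count limit still has headroom.
    """
    if amount <= 0 or amount > limits.per_transaction:
        return False
    amount_ok = state.exempted_amount + amount <= limits.cumulative_amount
    count_ok = state.exempted_count + 1 <= limits.max_consecutive
    return amount_ok or count_ok


def assess(limits: ExemptionLimits, state: InstrumentState, amount: Decimal) -> str:
    """Decide one transaction and, if exempted, book it against the running totals.

    Returns "exempt" or "sca_required". On "sca_required" the state is left
    untouched; call record_sca() once the challenge has actually succeeded.
    """
    if may_exempt(limits, state, amount):
        state.exempted_amount += amount
        state.exempted_count += 1
        return "exempt"
    return "sca_required"


def record_sca(state: InstrumentState) -> None:
    """SCA was applied to the instrument: both cumulative counters start over."""
    state.exempted_amount = Decimal("0")
    state.exempted_count = 0


if __name__ == "__main__":
    # Constructed walk-through: five 30 EUR taps fit exactly into 150 EUR / 5 taps,
    # the sixth trips both limits, SCA is applied, and the counters restart.
    state = InstrumentState()
    for i in range(6):
        print(f"tap {i + 1}: {assess(CONTACTLESS, state, Decimal('30'))}")
    record_sca(state)
    print("after SCA:", assess(CONTACTLESS, state, Decimal("30")))
    # A single 51 EUR tap fails condition (a) regardless of history.
    print("51 EUR tap:", assess(CONTACTLESS, InstrumentState(), Decimal("51")))
```

Keeping the decision (`assess`) separate from the reset (`record_sca`) matters in practice: the counters must only restart after SCA has actually succeeded, not merely because it was requested, otherwise a run of failed challenges would quietly re-open the exemption budget.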
8. Secure Corporate Payment Processes and Protocols
For corporate users, there are dedicated payment processes and protocols in place that aren’t applicable to consumers that allow for the exemption of SCA requirements when secure corporate payments are being made.
In this payment scenario, payment service providers must be able to demonstrate that the transaction risk fits the requirements of the following article.
9. Transaction Risk Analysis
Payment service providers are exempt from applying SCA requirements when transactions are considered to be low risk. In order for a transaction to be considered low risk, it must meet the following conditions:
a. The fraud rate for the type of transaction in question (either ‘Remote electronic card-based payments’ or ‘Remote electronic credit transfers’) is equal to or below the respective reference fraud rate specified in the below table
b. The transaction’s amount doesn’t exceed the relevant exemption threshold value (ETV) specified in the below table
c. When performing a real-time analysis, payment service providers don’t identify abnormal spending, location, or behavioral pattern of the payer, high-risk location of the payee, unusual information about the payer's device or software access, malware infection in any session of the authentication procedure, or a known fraud scenario in the provision of payment services
What’s more, any time that payment service providers intend to request an exemption for low-risk transactions, they must take the following risk-based factors into account:
a. Previous spending patterns of the individual payment service user
b. Payment transaction history of each of the payment service provider's payment service users
c. The location of the payer and of the payee at the time of the payment transaction in cases where the access device or the software is provided by the payment service provider
d. The identification of abnormal payment patterns of the payment service user in relation to the user's payment transaction history
This article concludes by stating that payment service providers must combine these risk-based factors into a holistic risk scoring assessment for each individual transaction. This assessment ultimately determines whether a specific payment should be allowed without strong customer authentication.
How Are SCA Exemptions Carried Out and Monitored?
In each of the payment scenarios above, it’s the responsibility of payment service providers (i.e. the account servicing bank) to determine if the exemption should apply when processing a payment. In practice, the customer’s bank assesses the given transaction’s level of risk and makes a decision to either approve the exemption or require authentication for the transaction.
Before applying the exemption, payment service providers must ensure that they’ve calculated the overall fraud rate for each type of transaction (covering both payment transactions authenticated through Strong Customer Authentication and those executed under any of the aforementioned exemptions). Article 19 lays out the exact equation for calculating fraud rates, a practice that payment service providers must carry out on a quarterly basis.
In the case that a transaction fails to meet the requirements laid out in the Transaction Risk Analysis section (for example, the fraud rate exceeds the levels laid out in the table above), payment service providers must immediately stop making use of the exemption. If they intend to make use of the exemption once again, payment service providers must notify the competent authorities in a reasonable timeframe and provide evidence of the restoration of compliance of their monitored fraud rate before its use can be resumed.
Finally, payment service providers are also responsible for monitoring and reporting on certain data related to payment transactions on a quarterly basis. This data should include the total value of all payment transactions and the resulting fraud rate, average transaction value, and the number of payment transactions in which each of the exemptions was applied and their percentage in respect of the total number of payment transactions. Payment service providers are responsible for making the results of this data available to competent authorities upon their request.
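The Transaction Risk Analysis scenario and the monitoring duties just described hang together: the quarterly fraud rate decides which ETV band (if any) a provider may use, the real-time indicators from condition (c) decide each individual transaction, and the quarterly figures must be kept for the competent authority. Below is an added example (not code from the post or from Wultra) that wires those three pieces together. The reference table the post refers to did not survive in this extract, so `REFERENCE_RATES` is filled in from the RTS Annex as I understand it and is marked as an assumption to be verified against the Annex; the transaction records are constructed sample data, and all function names are this example's own.

```python
"""Quarterly fraud-rate monitoring for the TRA exemption. Added example, not the post's code."""

from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Optional

# ASSUMED reference table (ETV in EUR -> maximum fraud rate in percent), taken from
# the RTS Annex as I understand it because the post's table is not in this extract.
REFERENCE_RATES = {
    "remote_card": {
        Decimal("500"): Decimal("0.01"),
        Decimal("250"): Decimal("0.06"),
        Decimal("100"): Decimal("0.13"),
    },
    "remote_credit_transfer": {
        Decimal("500"): Decimal("0.005"),
        Decimal("250"): Decimal("0.01"),
        Decimal("100"): Decimal("0.015"),
    },
}

# Real-time indicators listed under condition (c); any one of them blocks the exemption.
RISK_INDICATORS = {
    "abnormal_spending", "abnormal_location", "abnormal_behaviour",
    "high_risk_payee_location", "unusual_device_or_software",
    "malware_in_session", "known_fraud_scenario",
}


@dataclass(frozen=True)
class Txn:
    kind: str          # "remote_card" or "remote_credit_transfer"
    amount: Decimal    # EUR
    fraudulent: bool   # later reported as unauthorised or fraudulent
    sca_applied: bool  # False means the transaction went through under an exemption


def fraud_rate_percent(txns: Iterable[Txn], kind: str) -> Decimal:
    """Article 19 style rate: value of fraudulent transactions of this kind divided by
    the value of all transactions of this kind, SCA-authenticated and exempted alike."""
    total = fraud = Decimal("0")
    for t in txns:
        if t.kind != kind:
            continue
        total += t.amount
        if t.fraudulent:
            fraud += t.amount
    return Decimal("0") if total == 0 else fraud / total * 100


def permitted_etv(rate_percent: Decimal, kind: str) -> Optional[Decimal]:
    """Highest ETV band whose reference rate the monitored rate stays at or below.
    None means even the lowest band is breached and the exemption must stop."""
    eligible = [etv for etv, ref in REFERENCE_RATES[kind].items() if rate_percent <= ref]
    return max(eligible) if eligible else None


def tra_exempt(amount: Decimal, etv: Optional[Decimal], flags: set) -> bool:
    """Conditions (b) and (c): amount within the permitted ETV and no live risk indicator."""
    unknown = flags - RISK_INDICATORS
    if unknown:
        raise ValueError(f"unknown risk indicator(s): {sorted(unknown)}")
    return etv is not None and amount <= etv and not flags


def quarterly_report(txns: Iterable[Txn], kind: str) -> dict:
    """The per-quarter figures the post says must be available to competent authorities."""
    rows = [t for t in txns if t.kind == kind]
    count = len(rows)
    total_value = sum((t.amount for t in rows), Decimal("0"))
    exempted = sum(1 for t in rows if not t.sca_applied)
    return {
        "transactions": count,
        "total_value": total_value,
        "fraud_rate_percent": fraud_rate_percent(rows, kind),
        "average_value": total_value / count if count else Decimal("0"),
        "exempted": exempted,
        "exempted_share_percent": Decimal(exempted) / count * 100 if count else Decimal("0"),
    }


# Constructed sample quarter (not real data): 10,000 EUR of card payments with 5 EUR
# of fraud (0.05 %), and 26,000 EUR of credit transfers with no fraud.
SAMPLE_QUARTER = [
    Txn("remote_card", Decimal("4000"), False, True),
    Txn("remote_card", Decimal("3000"), False, False),
    Txn("remote_card", Decimal("2995"), False, False),
    Txn("remote_card", Decimal("5"), True, False),
    Txn("remote_credit_transfer", Decimal("20000"), False, True),
    Txn("remote_credit_transfer", Decimal("6000"), False, False),
]

if __name__ == "__main__":
    for kind in REFERENCE_RATES:
        report = quarterly_report(SAMPLE_QUARTER, kind)
        print(kind, report, "permitted ETV:", permitted_etv(report["fraud_rate_percent"], kind))
    etv = permitted_etv(fraud_rate_percent(SAMPLE_QUARTER, "remote_card"), "remote_card")
    print("200 EUR, clean session:", tra_exempt(Decimal("200"), etv, set()))
    print("200 EUR, malware seen:", tra_exempt(Decimal("200"), etv, {"malware_in_session"}))
```

Two points worth noting from the design: the denominator in `fraud_rate_percent` deliberately includes SCA-authenticated transactions, as the post says the overall rate must, and `tra_exempt` rejects unknown indicator names rather than ignoring them, so a typo in the risk engine's output fails closed instead of silently waving a transaction through.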
Here’s Why SCA Compliance Remains Paramount
Once you’ve taken the time to read and digest each of the exemptions from Strong Customer Authentication, it’s wise to think about how these exemptions relate to the larger concept and purpose of SCA itself.
While it’s important to understand the cases in which payments are exempt from Strong Customer Authentication, we’d like to emphasize the fact that these scenarios represent a small fraction of transactions handled by payment service providers. Because of this, it’s wise for payment service providers to work with solutions that are SCA compliant in order to prioritize both security and customer experience.
We’ve reached the penultimate post of our SCA series. Our final entry will explore the details of SCA registration and enrollment.