Exemptions: What are they and what can they do for you

June 2, 2020

Exemptions: What are they and what can they do for you

Exemptions are a hot topic when it comes to PSD2 SCA. They can be useful because issuers and merchants can use exemptions to mitigate friction and not present SCA to the cardholder when applicable. There can be a lot of benefits, but there is also a lot of complexity surrounding them. You need to know the facts, and that is where we can help. 

PSD2, as most of you know, is the European Banking Authority’s (EBA) 2nd Payment Service Directive, designed to drive payment innovation and data security. PSD2 has a requirement for Strong Customer Authentication (SCA). SCA is required on each digital transaction which means a cardholder must be challenged (a step-up occur) with their issuer.  Exemptions, when specific criteria are met, can reduce the need for SCA if used correctly and the risk of fraud is minimal.

The first step is to know if you are eligible. If your acquirer supports exemptions, and if the card issuers, whose consumers buy on your digital sites, are participating, you may qualify for some exemptions.

Let’s highlight a couple:

Low-Value Exemptions:

  • Low-value exemptions are classified as remote digital transactions under €30. 
  • Each transaction per PAN must be below €30.
  • There is a stipulation to this exemption:
    • If the cumulative total of up to five transactions exceeds €100, SCA must be applied.
    • After the fifth transaction, or when the cumulative total goes over €100, SCA must be applied.

For example, if the first low-value transaction is subject to SCA, and the next four transactions are also low value (meaning each is less than €30 and all five don’t total €100 combined), then bingo - those transactions are exempt from SCA.

One thing to note - the acquirer/merchant is liable for any fraud from the exempted transactions since they are requesting the exemption. So that’s something to keep in mind. In addition, this exemption is only available with EMV® 3-D Secure: Visa Secure: v2.2 and Mastercard Identity Check: v2.1 extension.

Whitelisting (WL) / Trusted Beneficiaries (TB):

  • Whitelisting, also known as trusted beneficiaries, aims to deliver enhanced security, improve fraud performance, and minimize the possibility of transaction declines.
  • When participating, an issuer can offer their cardholders an enrollment process that allows them to add their trusted merchants to the issuer’s whitelist to not present SCA when buying from that merchant in the future. SCA is required on the initial enrollment and PAN for a merchant to be whitelisted.
  • For subsequent transactions, if a merchant qualifies for the programs and chooses to send the trusted beneficiaries exemption flag, SCA is likely to not be performed on the transaction.

Just like low-value exemptions, whitelisting is only available when using EMV 3DS: Visa Secure v2.2 and Mastercard Identity Check v2.1 extension. This is a nice way for a consumer to express trust for their favorite merchants and not worry about a challenge when they make their next purchase. It reduces friction and adds to the seamless experience merchants are looking for – and hopefully more sales down the road.

Low-value exemptions and whitelisting are just two of the exemptions available for merchants and issuers to take advantage of. Our goal is to give you every opportunity to succeed in these ever-changing times. If you want to learn more about the two exemptions we discussed, or about others available, let’s talk. Reach out any time, we are here to help.

Related news + trends

industry news

The latest version of EMV® 3-D Secure – a deeper dive

EMV 3DS can help manage PSD2 SCA’s exemptions. See if they’ll work for you.

read more
our stories

2020 What is happening and what is to come at Cardinal

At Cardinal, our 2020 resolution is all about building our existing capabilities and expanding our reach in the latest protocols. See what we've got planned for 2020.

read more
case study

Clothing and Footwear Benchmark

Learn how authentication affects Card-not-Present authorization rates and key statistics on fraud in the clothing and footwear industry.

read more

Is your shopping cart ready for PSD2 SCA?

Authentication is core to payment processing in Europe, so if your digital transactions are not authenticated, you will be expected to implement a solution before your business is impacted.

read more