3D Secure 2.0 Exemptions
The 3D-Secure 2.0 process has been on every merchant’s mind lately as the deadline for compliance is fast approaching. While the general protocols regarding 3D Secure 2.0 are fairly straightforward there is some confusion regarding the exemptions which have been released along with the 3D-Secure mandate. There are three main categories for requesting an exemption to the Secure Customer Authentication (SCA) flow. The First is through the Transaction Risk Analysis, which is used by both Issuers and Merchants to apply for a frictionless flow. The second is a Trusted Beneficiaries which is created by the cardholder with their Issuer, and the last exemption which requires no initiation from any party is the Low-value exemption. While these exemptions seem appealing and many Merchant would like to make their customer experience as seamless as possible there are certain risks associated with each exemption which should be considered.
What is Transaction Risk Analysis (TRA)?
The TRA exemptions provide merchants with the ability to send certain transactions through for processing without having to subject them to secure customer authentication (SCA) step-up. The Transaction Risk Analysis exemptions work by providing a robust risk analysis on the transactions being applied for, if the Payment Service Providers (PSPs) meet the specific fraud threshold the exemption will be granted.
|Transaction Value Band||PSP Fraud Rate|
|100.00 – 250.00 Euro||6bps/0.06%|
|250 – 500.00 Euro||1bps/0.01%|
TRA exemptions are important for delivering a friction-free payment experience for low-risk transactions. TRA exemptions need to be applied for, this can be done by both the Issuer and the Acquirers as long as their fraud to sale rates meet the specific fraud threshold as outlined above. When it comes to TRA exempt transactions it is important to understand who is liable if the transactions turn out to be fraudulent, and based on VISA’s rules the party that applied for the TRA exemptions becomes liable for the transaction if the transaction is identified as fraud. This means that if the merchant applies for the TRA exemption on a transaction there is no liability shift and the merchant is held responsible for that specific transaction. Another thing to keep in mind is if a TRA exempted transaction results in fraud then not only will the liability be on that party that applied but the fraud will also affect their fraud count. Each party is responsible for determining its own fraud rates in accordance with the legal requirements of PSD2.
It is also important to know that just because a transaction meets the TRA requirements and the merchant applies for it does not mean the issuer is required to remove the SCA step-up. As long as the issuer is made aware of the TRA exemption request they can still apply an SCA step-up if they deem necessary. In all cases, the issuer makes the final decision whether to allow the payment through with an exemption flag, apply the SCA step-up, or even decline the transaction altogether. If the issuer decides they do not want to honour the acquirer’s request for an exemption and the SCA needs to be applied then the acquirer will need to resubmit the transaction for authentication. If the SCA is applied to a transaction then the liability shifts to the issuer and the acquirer is no longer responsible for any fraudulent transactions.
How does the Low-Value Exemption Work when the TRA is not applied?
Secure Customer Authentication is not required for transactions that are low in value as long as the transaction amount does not exceed 30 Euros and the cumulative amount of 100 Euro for recurring transactions. When it comes to the low-value exemption it’s important to understand what effect this exemption has on the merchants recurring structure. The SCA transaction which included the exemption can only allow for a maximum of 4 recurring transactions before the issuer applies SCA and the customer needs to re-authenticate. With this in mind, the issuer can still apply SCA at any time regardless of the number of transactions or the amount of each transaction if they feel required to. Unfortunately, acquirers typically do not have any visibility into the number of transactions or the cumulative amount of the transaction that qualifies for this exemption. As a merchant, this will be important to consider when attempting to apply for a low-value exemption with the issuer and they should be aware that SCA may be applied to any transaction where an exemption is requested.
Now that we have discussed the value-based exemptions which can be applied for with the new 3d Secure 2.0 mandate there is one last exemption to review. This is the Trusted Beneficiaries Exemption which can be applied by customers to their credit card for merchants they shop with frequently.
How does the Trusted Beneficiaries Exemption Work?
The Trusted Beneficiaries exemption is initiated by the customer and maintained by the issuers, the exemption was designed for cardholders who have specific merchants which they trust and shop with often in order to prevent the customer from always needing to complete a step-up transaction. When it comes to this exemption only the issuer can create and maintain the list of trusted beneficiaries on behalf of the customer. Even though the issuer maintains the list of trusted merchants, they can not add or remove merchants, the customer themselves can only do this. Issuers are not required to provide their customers with information regarding the capabilities however, there are benefits to both the customer and the merchants for supporting the flow of a smooth transaction. Even if the merchant has been added to the trusted beneficiaries list an Issuer can still choose to add the SCA step up if they determine that the transaction is at risk for fraud. While merchants can not apply for this exemption they can advise the customer of the benefits of using this exemption and provide the customer with details of how to enroll a merchant into the trusted beneficiaries program. With merchants and issuers working together in order to better the customer transaction flow and allow for seamless secure transactions.
Taking into consideration all the exemption types which can be applied, by the customer and the issuers what are the benefits of these exemptions. The benefit of applying for any of the exemptions is to create a seamless checkout flow for the customer while still maintaining a secure transaction and abiding by the Secure Custer Authentication guidelines. Each exemption has its pros and cons and some are easier to apply for than others, decisions regarding the exemption should be to benefit the customer, and can only be accepted by the issuer. As 3D Secure 2.0 continues to develop and grow as more and more merchants will begin to use them the exemptions will change as well it is thought that eventually, customers will be able to have trusted devices exempted from SCA but the mandate is not there yet. It’s important to continue to review the changes to 3DS 2.0 and the SCA mandate in order to stay compliant and up-to-date with the latest mandates in order to better reduce fraud and maintain customer security.