SCA Exemptions

Overview

During 3D Secure authentication, a Strong Customer Authentication (SCA) or a frictionless authentication challenge can take place. When you are eligible to bypass 3D-Secure authentication, you can use SCA Exemptions.

    Eligibility

    If you want to be exempt from 3D Secure authentication, consult your acquirer. They can best advise which exemption, if any, suits your business needs.

    We recommend that you leave exemption handling to the card issuer and always submit a 3D Secure authentication request because, with an exemption:

    • Liability for chargebacks is automatically shifted to you (the merchant)
    • There is an increased chance that transactions will be refused when the card issuer disagrees with the exemption.

    Exemption Types

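    You can request to use the following SCA exemptions:

    • Low Value Transaction (LVT)
    • Transaction Risk Analysis (TRA)
    • Trusted Beneficiaries
    • Secure Corporate Payments
    • Delegated Authentication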

    Two other exemptions apply only to subsequent transactions. Learn more from the Credential on File section:

    • Merchant Initiated Transactions (MITs)
    • Recurring payments (refer to the Credential on File section).

    Note: The card schemes advise exemption amount values in EUR. You should convert other currencies using the exchange rate of the day. For example, 30 EUR converts to 25 GBP when the foreign exchange rate for 1 GBP is 1.2 EUR.

    Low Value Transaction (LVT)

    When the cardholder uses their LVT exemptions on other merchants’ sites, you are unable to accurately apply this exemption. Only the card issuer will know if the LVT exemption counters have been reached.

    Rules include:

    • The transaction value must be 30 EUR or less.
    • The exemption is permitted for a maximum of 5 consecutive LVTs or a maximum cumulative LVT amount of 100 EUR.
    • On the sixth LVT or when the cumulative LVT amount is over 100 EUR, then 3D-Secure authentication must be performed.

    Transaction Risk Analysis (TRA)

    When you and your acquirer have a low number of chargebacks over a given number of transactions, you may be eligible to bypass 3D-Secure authentication using the TRA exemption.

    TRA exemptions for specified amounts are permitted when your or your acquirer’s fraud rate falls within the thresholds. The level of TRA exemption your acquirer can provide depends first on your acquirer’s overall fraud rate, and then on yours.

    There are 3 levels of TRA exemption listed in the following table. The maximum exemption amount is 500 EUR for very low fraud levels.

    Three levels of TRA exemption

    Fraud Rate                   Exemption
    Under or equal to 13 bps     Up to 100 EUR
    Under or equal to 6 bps      Up to 250 EUR
    Under or equal to 1 bps      Up to 500 EUR

    Note: Generally, 1 bps = 1 chargeback out of 10,000 transactions.

    Trusted Beneficiaries

    You can use the Trusted Beneficiaries exemption if the cardholder has added you to a trusted beneficiaries list. Their card issuer can prompt the cardholder to add you to the list when they are logged into their bank account or during a challenge authentication flow.

    Secure Corporate Payments

    Secure corporate cards and virtual card numbers are exempt from 3D-Secure authentication. These payments are typically Business to Business payments (B2B) that have dedicated corporate processes and protocols in place.

    Note: This exemption does not apply to personal corporate cards.

    Delegated Authentication

    The Delegated Authentication exemption prevents 3D-Secure authentication taking place when you have already performed authentication.

    To qualify, you must be accredited with the card schemes to perform 3D-Secure authentication: the card schemes delegate the 3D-Secure authentication to you.

    Steps to use exemptions

    Step 1. Speak to your acquirer

    Consult with your acquirer to understand which one or more SCA exemptions you are permitted to use. Using an incorrect exemption will cause your transaction request to be declined.

    Step 2. Submit a transaction request with an SCA exemption

    To bypass 3D-Secure authentication for your Opayo Direct payment request, set the following:

    1. Apply3DSecure=2 (skip authentication).
    2. ThreeDSExemptionIndicator=nn. This is the exemption reason for skipping authentication, where nn is a value extracted from the following Table of Exemptions.
    3. Complete all mandatory fields, including the 3D-Secure authentication fields such as ThreeDSNotificationURL, BrowserJavascriptEnabled, BrowserAcceptHeader, etc.

    Providing the 3D-Secure authentication fields allows Opayo to handle soft declines automatically and on your behalf for scenarios where the card issuer disagrees with the SCA exemption reason. Refer to the Soft Declines section.
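
One way to check a request's exemption fields before submitting it, as an added example that is not Opayo code: it applies the indicator codes, the 30 EUR LVT ceiling and the TRA tiers given on this page. The function names and the `eur_per_unit` and `fraud_bps` inputs are assumptions of the example; the LVT counters are not checked because only the card issuer knows them.

```python
from decimal import Decimal

# Codes from the page's Table of Exemptions; 06 to 99 are reserved.
EXEMPTIONS = {"01": "LVT", "02": "TRA", "03": "Trusted beneficiaries",
              "04": "Secure corporate payment", "05": "Delegated authentication"}
LVT_MAX_EUR = Decimal("30")
# TRA tiers from the page, lowest fraud rate first: (max bps, max EUR).
TRA_TIERS = [(Decimal("1"), Decimal("500")), (Decimal("6"), Decimal("250")),
             (Decimal("13"), Decimal("100"))]
# 3D-Secure fields the page names; they let a soft decline be retried with 3DS.
THREEDS_FIELDS = ("ThreeDSNotificationURL", "BrowserJavascriptEnabled",
                  "BrowserAcceptHeader")

def tra_limit_eur(fraud_bps):
    """Largest TRA-exemptible amount in EUR for a fraud rate in bps (0 if none)."""
    for max_bps, limit in TRA_TIERS:
        if Decimal(str(fraud_bps)) <= max_bps:
            return limit
    return Decimal("0")

def check_exemption(fields, eur_per_unit, fraud_bps=None):
    """Return problems in a request's exemption fields (empty list = none).
    eur_per_unit (EUR per unit of Currency) and fraud_bps are assumed inputs."""
    if fields.get("Apply3DSecure") != "2":
        return []  # no exemption requested; normal 3DS authentication applies
    problems = []
    code = fields.get("ThreeDSExemptionIndicator", "")
    if code not in EXEMPTIONS:
        problems.append(f"indicator {code!r} is missing, malformed or reserved")
    amount_eur = Decimal(fields["Amount"]) * Decimal(str(eur_per_unit))
    if code == "01" and amount_eur > LVT_MAX_EUR:
        problems.append(f"LVT: {amount_eur} EUR is over {LVT_MAX_EUR} EUR")
    if code == "02":
        limit = Decimal("0") if fraud_bps is None else tra_limit_eur(fraud_bps)
        if amount_eur > limit:
            problems.append(f"TRA: {amount_eur} EUR is over the {limit} EUR tier")
    missing = [name for name in THREEDS_FIELDS if not fields.get(name)]
    if missing:
        problems.append("3DS fallback fields missing: " + ", ".join(missing))
    return problems

# Constructed sample, cut down from the example request on this page.
SAMPLE = {"Amount": "32.00", "Currency": "GBP", "Apply3DSecure": "2",
          "ThreeDSExemptionIndicator": "02", "BrowserJavascriptEnabled": "1",
          "ThreeDSNotificationURL": "https://vendor.com/threeDSnotify",
          "BrowserAcceptHeader": "text/html,application/xhtml+xml,application/xml"}

if __name__ == "__main__":
    print(check_exemption(SAMPLE, eur_per_unit="1.2", fraud_bps=13))
```
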

    Table of Exemptions

    The following values apply to the ThreeDSExemptionIndicator field.

    ThreeDSExemptionIndicator values

    Mandatory:          Conditional on Apply3DSecure=2
    Valid Characters:   Digits
    Max Length:         2
    Allowed Values:     01, 02, 03, 04, 05, 06 to 99

    Values and Descriptions:

    • 01 = Low Value Transaction (LVT)
    • 02 = TRA exemption
    • 03 = Trusted beneficiaries exemption
    • 04 = Secure corporate payment
    • 05 = Delegated authentication
    • 06 to 99 = Reserved for future use

    Examples

    Example SCA exemption request

    Amount=32.00
    ApplyAVSCV2=1
    BillingAddress1=23
    BillingAddress2=BillAddress+Line+2
    BillingCity=London
    BillingCountry=GB
    BillingFirstnames=John
    BillingPhone=+447700900077
    BillingPostcode=10
    BillingSurname=Doe
    BrowserAcceptHeader=text/html,application/xhtml+xml,application/xml
    BrowserColorDepth=24
    BrowserJavaEnabled=1
    BrowserJavascriptEnabled=1
    BrowserLanguage=en-GB
    BrowserScreenHeight=1080
    BrowserScreenWidth=1920
    BrowserTZ=%2B300
    BrowserUserAgent=Mozilla
    CV2=101
    CardHolder=John+Doe
    CardNumber=412xxxxxxx2xx71
    CardType=Visa
    ChallengeWindowSize=01
    ClientIPAddress=10.10.10.10
    Currency=GBP
    CustomerEMail=john.doe@opayo.com
    DeliveryAddress1=88
    DeliveryAddress2=DelAddress+Line+2
    DeliveryCity=London
    DeliveryCountry=GB
    DeliveryFirstnames=John
    DeliveryPhone=+447700900077
    DeliveryPostcode=EC1X1XX
    DeliverySurname=Doe
    Description=vendor-transaction-description
    ExpiryDate=1220
    ThreeDSNotificationURL=https://vendor.com/threeDSnotify
    TransType=01
    TxType=PAYMENT
    VPSProtocol=4.00
    Vendor=vendor-Name
    VendorTXCode=vendor-transaction-671294
    ThreeDSExemptionIndicator=02
    Apply3DSecure=2

    Example SCA exemption response

    Status=OK
    ExpiryDate=1220
    DeclineCode=00
    CV2Result=MATCHED
    PostCodeResult=MATCHED
    AddressResult=MATCHED
    AVSCV2=ALL MATCH
    TxAuthNo=9418
    VPSTxId={19995439-CEC2-B13F-3C48-649284529604}
    VPSProtocol=4.00
    3DSecureStatus=NOTCHECKED
    SecurityKey=VDD46HLS3A
    StatusDetail=0000 : The Authorisation was Successful. 
    BankAuthCode=059AD8