Overview
During 3D Secure authentication, a Strong Customer Authentication (SCA) or a frictionless authentication challenge can take place. When you are eligible to bypass 3D-Secure authentication, you can use SCA Exemptions.
Eligibility
If you want to be exempt from 3D Secure authentication, consult your acquirer. They can best advise which exemption, if any, suits your business needs.
We recommend that you leave exemption handling to the card issuer and always submit a 3D Secure authentication request because, with an exemption:
- Liability for chargebacks is automatically shifted to you (the merchant)
- There is an increased chance that transactions will be refused when the card issuer disagrees with the exemption.
Exemption Types
You can request to use the following SCA exemptions:
- Low value Transactions (LVT)
- Transaction Risk Analysis (TRA)
- Trusted Beneficiary
- Secure Corporate payment
- Delegated Authentication
Two other exemptions apply only to subsequent transactions. Learn more from the Credential on File section:
- Merchant Initiated Transactions (MITs)
- Recurring payments (refer to the Credential on File section).
With an exemption:
- Liability for chargebacks is automatically shifted to you (the merchant)
- There is an increased chance that transactions will be refused when the card issuer disagrees with the exemption.
Low Value Transaction (LVT)
When the cardholder uses their LVT exemptions on other merchants’ sites, you are unable to accurately apply this exemption. Only the card issuer will know if the LVT exemption counters have been reached.
Rules include:
- The transaction value must be 30 EUR or less.
- The exemption is permitted for a maximum of 5 consecutive LVTs or a maximum cumulative LVT amount of 100 EUR.
- On the sixth LVT or when the cumulative LVT amount is over 100 EUR, then 3D-Secure authentication must be performed.
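The counting rules above, as an added example (not Opayo's code) that models the issuer-side counters and replays a constructed sequence of payments made with one card at several merchants. It shows why your own transaction history cannot tell you whether the exemption still applies. The class and function names are hypothetical, and resetting both counters after an authentication is an assumption.

```python
from decimal import Decimal

LVT_MAX_AMOUNT = Decimal("30")       # per-transaction limit (EUR)
LVT_MAX_COUNT = 5                    # consecutive exempt transactions
LVT_MAX_CUMULATIVE = Decimal("100")  # cumulative exempt amount (EUR)


class IssuerLvtCounter:
    """Issuer-side view of one card's LVT counters (hypothetical model)."""

    def __init__(self):
        self.count = 0
        self.total = Decimal("0")

    def decide(self, amount_eur):
        """Return 'EXEMPT' or 'SCA_REQUIRED' and update the counters."""
        amount = Decimal(str(amount_eur))
        within_limits = (
            amount <= LVT_MAX_AMOUNT
            and self.count + 1 <= LVT_MAX_COUNT
            and self.total + amount <= LVT_MAX_CUMULATIVE
        )
        if within_limits:
            self.count += 1
            self.total += amount
            return "EXEMPT"
        # Assumption: the authentication that follows resets both counters.
        self.count = 0
        self.total = Decimal("0")
        return "SCA_REQUIRED"


def replay(transactions):
    """Replay (merchant, amount) pairs against a single card's counters."""
    counter = IssuerLvtCounter()
    return [(merchant, counter.decide(amount)) for merchant, amount in transactions]


# Constructed sample: the issuer counts every payment, "you" see only yours.
SAMPLE = [
    ("shop-a", "25.00"), ("shop-b", "30.00"), ("you", "20.00"),
    ("shop-a", "20.00"), ("you", "10.00"), ("shop-b", "5.00"),
]
ISSUER_VIEW = replay(SAMPLE)
MERCHANT_VIEW = replay([t for t in SAMPLE if t[0] == "you"])
```

In the issuer's view your second payment of 10 EUR pushes the cumulative amount to 105 EUR and needs authentication, while a replay of only your own two payments marks both as exempt.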
Transaction Risk Analysis (TRA)
When you and your acquirer have a low number of chargebacks over a given number of transactions, you may be eligible to bypass 3D-Secure authentication using the TRA exemption.
TRA exemptions for specified amounts are permitted when your or your acquirer’s fraud rate falls within the thresholds. The level of TRA exemption your acquirer can provide depends first on your acquirer’s overall fraud rate, and then on yours.
There are 3 levels of TRA exemption listed in the following table. The maximum exemption amount is 500 EUR for very low fraud levels.
Fraud Rate | Exemption |
---|---|
Under or equal to 13 bps | Up to 100 EUR |
Under or equal to 6 bps | Up to 250 EUR |
Under or equal to 1 bps | Up to 500 EUR |
Trusted Beneficiaries
You can use the Trusted Beneficiaries exemption if the cardholder has added you to a trusted beneficiaries list. Their card issuer can prompt the cardholder to add you to the list when they are logged into their bank account or during a challenge authentication flow.
Secure Corporate Payments
Secure corporate cards and virtual card numbers are exempt from 3D-Secure authentication. These payments are typically Business to Business payments (B2B) that have dedicated corporate processes and protocols in place.
Delegated Authentication
The Delegated Authentication exemption prevents 3D-Secure authentication taking place when you have already performed authentication.
To qualify, you must be accredited with the card schemes to perform 3D-Secure authentication: the card schemes delegate the 3D-Secure authentication to you.
Steps to use exemptions
Step 1. Speak to your acquirer
Consult with your acquirer to understand which one or more SCA exemptions you are permitted to use. Using an incorrect exemption will cause your transaction request to be declined.
Step 2. Submit a transaction request with an SCA exemption
To bypass 3D-Secure authentication for your Opayo Direct payment request, set the following:
- Apply3DSecure=2 (skip authentication).
- ThreeDSExemptionIndicator=nn. This is the exemption reason for skipping authentication, where nn is a value extracted from the following Table of Exemptions.
- Complete all mandatory fields, including 3D-Secure authentication fields such as ThreeDSNotificationURL, BrowserJavascriptEnabled, BrowserAcceptHeader, etc.
Providing the 3D-Secure authentication fields allows Opayo to handle soft declines automatically and on your behalf for scenarios where the card issuer disagrees with the SCA exemption reason. Refer to the Soft Declines section.
Table of Exemptions
The following values apply to the ThreeDSExemptionIndicator field:
Mandatory | Values and Descriptions | Valid Characters | Max Length | Allowed Values |
---|---|---|---|---|
Conditional on Apply3DSecure=2 | | Digits | 2 | |
Examples
Example SCA exemption request
Amount=32.00
ApplyAVSCV2=1
BillingAddress1=23
BillingAddress2=BillAddress+Line+2
BillingCity=London
BillingCountry=GB
BillingFirstnames=John
BillingPhone=+447700900077
BillingPostcode=10
BillingSurname=Doe
BrowserAcceptHeader=text/html,application/xhtml+xml,application/xml
BrowserColorDepth=24
BrowserJavaEnabled=1
BrowserJavascriptEnabled=1
BrowserLanguage=en-GB
BrowserScreenHeight=1080
BrowserScreenWidth=1920
BrowserTZ=%2B300
BrowserUserAgent=Mozilla
CV2=101
CardHolder=John+Doe
CardNumber=412xxxxxxx2xx71
CardType=Visa
ChallengeWindowSize=01
ClientIPAddress=10.10.10.10
Currency=GBP
CustomerEMail=john.doe@opayo.com
DeliveryAddress1=88
DeliveryAddress2=DelAddress+Line+2
DeliveryCity=London
DeliveryCountry=GB
DeliveryFirstnames=John
DeliveryPhone=+447700900077
DeliveryPostcode=EC1X1XX
DeliverySurname=Doe
Description=vendor-transaction-description
ExpiryDate=1220
ThreeDSNotificationURL=https://vendor.com/threeDSnotify
TransType=01
TxType=PAYMENT
VPSProtocol=4.00
Vendor=vendor-Name
VendorTXCode=vendor-transaction-671294
ThreeDSExemptionIndicator=02
Apply3DSecure=2
Example SCA exemption response
Status=OK
ExpiryDate=1220
DeclineCode=00
CV2Result=MATCHED
PostCodeResult=MATCHED
AddressResult=MATCHED
AVSCV2=ALL MATCH
TxAuthNo=9418
VPSTxId={19995439-CEC2-B13F-3C48-649284529604}
VPSProtocol=4.00
3DSecureStatus=NOTCHECKED
SecurityKey=VDD46HLS3A
StatusDetail=0000 : The Authorisation was Successful.
BankAuthCode=059AD8
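One way to assemble the Step 2 request and read the response, as an added example that is not Opayo's code. It rejects an exemption indicator that breaks the Table of Exemptions constraints, refuses to build a request that lacks the 3D-Secure fields needed for soft-decline handling, and form-encodes values so a leading "+" in a phone number is not decoded as a space. The function names, the trimmed field set, and the one-pair-per-line response layout are assumptions.

```python
import re
from urllib.parse import urlencode

# 3D-Secure fields this page names; its list ends in "etc.", so not exhaustive.
THREEDS_FIELDS = ("ThreeDSNotificationURL", "BrowserJavascriptEnabled",
                  "BrowserAcceptHeader")


def build_exemption_request(fields, exemption_indicator):
    """Return a form-encoded Direct request body that asks to skip 3DS."""
    # Table of Exemptions: digits only, maximum length 2.
    if not re.fullmatch(r"[0-9]{1,2}", exemption_indicator):
        raise ValueError("ThreeDSExemptionIndicator must be 1-2 digits")
    # Without these, a soft decline cannot be retried with authentication.
    missing = [n for n in THREEDS_FIELDS if fields.get(n) in (None, "")]
    if missing:
        raise ValueError("missing 3D-Secure fields: " + ", ".join(missing))
    body = dict(fields)
    body["Apply3DSecure"] = "2"  # skip authentication
    body["ThreeDSExemptionIndicator"] = exemption_indicator
    # urlencode() escapes "+" as %2B, so "+44..." is not read back as a space.
    return urlencode(body)


def exemption_outcome(response_text):
    """Parse a name=value response (assumed layout: one pair per line)."""
    pairs = dict(line.split("=", 1) for line in response_text.splitlines()
                 if "=" in line)
    # Authorised without a 3D-Secure check, as in this page's sample response.
    accepted = (pairs.get("Status") == "OK"
                and pairs.get("3DSecureStatus") == "NOTCHECKED")
    return accepted, pairs.get("StatusDetail", "")


# Constructed sample input, trimmed from the example request on this page.
SAMPLE_FIELDS = {
    "VPSProtocol": "4.00", "TxType": "PAYMENT", "Vendor": "vendor-Name",
    "VendorTXCode": "vendor-transaction-671294", "Amount": "32.00",
    "Currency": "GBP", "BillingPhone": "+447700900077",
    "ThreeDSNotificationURL": "https://vendor.com/threeDSnotify",
    "BrowserJavascriptEnabled": "1",
    "BrowserAcceptHeader": "text/html,application/xhtml+xml,application/xml",
}
SAMPLE_RESPONSE = ("Status=OK\r\n3DSecureStatus=NOTCHECKED\r\n"
                   "StatusDetail=0000 : The Authorisation was Successful.\r\n")
```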