SCA Exemptions

Overview

During 3D Secure authentication, a Strong Customer Authentication (SCA) or a frictionless authentication challenge can take place. When you are eligible to bypass 3D-Secure authentication, you can use SCA Exemptions.

    Eligibility

    When you want to be exempt from 3D Secure authentication, consult your acquirer. They can best advise which exemption, if any, suits your business needs.

    We recommend that you leave exemption handling to the card issuer and always submit a 3D Secure authentication request because, with an exemption:

    • Liability for chargebacks is automatically shifted to you (the merchant)
    • There is an increased chance that transactions will be refused when the card issuer disagrees with the exemption.

    Soft Declines

    When you provide an SCA exemption reason and the card issuer disagrees with it, they can return a 'soft decline' response (bankResponseCode:65 or bankResponseCode:1A). In this case, Opayo will automatically:

    • Submit a 3D Secure authentication and a new authorisation request on your behalf.
    • If the card issuer responds with a 'soft decline' message again, then this will be returned to you in the response to your transaction request.
    • You must then submit a new transaction request with 3D Secure authentication and request the cardholder performs SCA.

    For this reason the SCA exemption fields are within the strongCustomerAuthentication object as you must provide 3D Secure authentication data in your transaction request with an SCA exemption.

    Learn more about 3D Secure Authentication.

    Exemption Types

    You can request to use the following SCA exemptions:

    Two other exemptions apply only to subsequent transactions. Learn more from the Credential on File section:

    • Merchant Initiated Transactions (MITs)
    • Recurring payments (refer to the Credential on File section).

    Low value Transactions (LVT)

    When the cardholder uses their LVT exemptions on other merchants’ sites, you are unable to accurately apply this exemption. Only the card issuer will know if the LVT exemption counters have been reached. Rules include:

    • The transaction value must be 30 EUR or less.
    • The exemption is permitted for a maximum of 5 consecutive LVTs or a maximum cumulative LVT amount of 100 EUR.
    • On the sixth LVT or when the cumulative LVT amount is over 100 EUR, then 3D-Secure authentication must be performed.

    Trusted Risk Analysis (TRA)

    TRA exemptions for specified amounts are permitted when your or your acquirer’s fraud rate falls within thresholds. The level of TRA exemption your acquirer can provide will first depend on your acquirer’s overall fraud rate, and then yours.

    There are 3 levels of TRA exemption listed in the following table. The maximum exemption amount is 500 EUR for very low fraud levels.

    Three levels of TRA exemption

    Fraud Rate                  Exemption
    Under or equal to 13 bps    Up to 100 EUR
    Under or equal to 6 bps     Up to 250 EUR
    Under or equal to 1 bps     Up to 500 EUR

    Note: Generally, 1 bps = 1 chargeback out of 10,000 transactions.

    Trusted Beneficiary

    You can use the Trusted Beneficiaries exemption if the cardholder adds you to a trusted beneficiaries list. They can do this when prompted by their card issuer when they log into their bank account or during a challenge authentication flow.

    Secure Corporate payment

    Secure corporate cards and virtual card numbers are exempt from 3D-Secure authentication. These payments are typically Business to Business payments (B2B) that have dedicated corporate processes and protocols in place.

    Note: This exemption does not apply to personal corporate cards.

    Delegated Authentication

    The Delegated Authentication exemption prevents 3D-Secure authentication taking place when you have already performed authentication.

    To qualify, you must be accredited with the card schemes to perform 3D-Secure authentication: the card schemes delegate the 3D-Secure authentication to you and you can perform 3D Secure authentication independently of them.

    Steps to use exemptions

    Step 1. Speak to your acquirer

    Consult with your acquirer to understand which one or more SCA exemptions you are permitted to use. Using an incorrect exemption will cause your transaction request to be declined.

    Step 2. Submit a transaction request with an SCA exemption

    Within the transaction request provide the following key fields:

    1. apply3DSecure:Disable to advise you want to bypass 3D Secure.
    2. Provide the threeDSExemptionIndicator field and value found within the strongCustomerAuthentication object, to advise the reason for bypassing 3D Secure.

    Example SCA exemption request for the TRA exemption

        "purchaseInstalData":"002",
        "threeDSRequestorAuthenticationInfo":{
          "threeDSReqAuthData":"data",
          "threeDSReqAuthMethod":"LoginWithThreeDSRequestorCredentials",
          "threeDSReqAuthTimestamp":"201810011445"
        },
        "threeDSRequestorPriorAuthenticationInfo":{
          "threeDSReqPriorAuthData":"data",
          "threeDSReqPriorAuthMethod":"FrictionlessAuthentication",
          "threeDSReqPriorAuthTimestamp":"201901011645",
          "threeDSReqPriorRef":"2cd842f5-da5d-40b7-8ae6-6ce61cc7b580"
        },
        "acctInfo":{
          "chAccAgeInd":"MoreThanSixtyDays",
          "chAccChange":"20180925",
          "chAccChangeInd":"MoreThanSixtyDays",
          "chAccDate":"20180925",
          "chAccPwChange":"20180925",
          "chAccPwChangeInd":"MoreThanSixtyDays",
          "nbPurchaseAccount":"5",
          "provisionAttemptsDay":"123",
          "txnActivityDay":"2",
          "txnActivityYear":"123",
          "paymentAccAge":"20180925",
          "paymentAccInd":"MoreThanSixtyDays",
          "shipAddressUsage":"20190409",
          "shipAddressUsageInd":"MoreThanSixtyDays",
          "shipNameIndicator":"FullMatch",
          "suspiciousAccActivity":"NotSuspicious"
        },
        "merchantRiskIndicator":{
          "deliveryEmailAddress":"valid@email.com",
          "deliveryTimeframe":"OvernightShipping",
          "giftCardAmount":"123456789012345",
          "giftCardCount":"1",
          "giftCardCurr":"GBP",
          "preOrderDate":"20180925",
          "preOrderPurchaseInd":"MerchandiseAvailable",
          "reorderItemsInd":"Reordered",
          "shipIndicator":"CardholderBillingAddress",
          "threeDSExemptionIndicator":"TransactionRiskAnalysis"
        }
      }
    }

    Example Responses

    Example response where authorisation is successful

    {
      "transactionId":"DB79BA2D-05DA-5B85-D188-1293D16BBAC7",
      "transactionType":"Payment",
      "status":"Ok",
      "statusCode":0,
      "statusDetail":"The Authorisation was Successful.",
      "retrievalReference":9493946,
      "bankResponseCode":0,
      "bankAuthorisationCode":999777,
      "avsCvsCheck":{
        "status":"AllMatched",
        "address":"Matched",
        "postalCode":"Matched",
        "securityCode":"Matched"
      },
      "paymentMethod":{
        "card":{
          "merchantSessionKey":"90BDF208-3C19-40AC-858B-3F4054DCD1C0",
          "cardIdentifier":"cardTokenUUID",
          "reusable":false
        }
      },
      "amount":41000,
      "currency":"GBP"
    }
    

    Example response where authorisation has been 'soft declined'

    When you provide an SCA exemption reason and the card issuer disagrees with it, they can return a 'soft decline' response (bankResponseCode:65 or bankResponseCode:1A). In this case, Opayo will automatically:

    • Submit a 3D Secure authentication and a new authorisation request on your behalf.
    • If the card issuer responds with a 'soft decline' message again, then this will be returned to you in the response to your transaction request (similar to the following example).
    • You must then submit a new transaction request with 3D Secure authentication and request that the cardholder performs SCA by including apply3DSecure:Force and removing the threeDSExemptionIndicator field.

    Note: The value for the bankResponseCode can also be 1A, and it's possible some acquirers may return another value here.

    {
      "transactionId":"DB79BA2D-05DA-5B85-D188-1293D16BBAC7",
      "transactionType":"Payment",
      "status":"NotAuthed",
      "statusCode":2022,
      "statusDetail":"The Authorisation was Declined by the bank. SCA required.",
      "retrievalReference":9493946,
      "bankResponseCode":65,
      "avsCvsCheck":{
        "status":"NotChecked",
        "address":"NotChecked",
        "postalCode":"NotChecked",
        "securityCode":"NotChecked"
      },
      "paymentMethod":{
        "card":{
          "merchantSessionKey":"90BDF208-3C19-40AC-858B-3F4054DCD1C0",
          "cardIdentifier":"cardTokenUUID",
          "reusable":false
        }
      },
      "amount":41000,
      "currency":"GBP"
    }
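
The soft-decline handling described above, as an added example in Python that is not part of Opayo's documentation: it recognises bankResponseCode 65 (numeric, as in the response above) or 1A (necessarily a string) and builds the follow-up request with apply3DSecure set to Force and threeDSExemptionIndicator removed. The function names, the sample dictionaries and the rule of not retrying a request that already forced 3D Secure are assumptions of this example.

```python
import copy

# Soft-decline codes named on this page; extend if your acquirer uses others.
SOFT_DECLINE_CODES = {"65", "1A"}

def is_soft_decline(response, codes=SOFT_DECLINE_CODES):
    """True when bankResponseCode is a soft-decline code."""
    code = response.get("bankResponseCode")
    # The code can arrive as a number (65) or a string ("1A"): compare as text.
    return code is not None and str(code).strip().upper() in codes

def _strip_key(node, key):
    """Remove `key` at any depth of a nested dict/list, in place."""
    if isinstance(node, dict):
        node.pop(key, None)
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return
    for child in children:
        _strip_key(child, key)

def build_sca_retry(request):
    """Copy of `request` that forces 3D Secure and claims no exemption."""
    retry = copy.deepcopy(request)
    retry["apply3DSecure"] = "Force"
    _strip_key(retry.get("strongCustomerAuthentication"), "threeDSExemptionIndicator")
    return retry

def next_action(request, response):
    """Return (action, new_request); action is done, retry_with_sca or declined."""
    if response.get("status") == "Ok":
        return "done", None
    # Assumption: a request that already forced SCA is not retried again.
    if is_soft_decline(response) and request.get("apply3DSecure") != "Force":
        return "retry_with_sca", build_sca_retry(request)
    return "declined", None

# Constructed sample data, trimmed to the fields this logic reads.
SAMPLE_REQUEST = {
    "apply3DSecure": "Disable",
    "strongCustomerAuthentication": {
        "merchantRiskIndicator": {
            "shipIndicator": "CardholderBillingAddress",
            "threeDSExemptionIndicator": "TransactionRiskAnalysis",
        },
    },
}
SAMPLE_SOFT_DECLINE = {"status": "NotAuthed", "bankResponseCode": 65}
```

The retry is built from a deep copy, so the original request stays available for logging or reconciliation against the declined transactionId.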