PSD2: The European Payments Revolution? Part 2c: A Guide to SCA Exemptions
Strong Customer Authentication (SCA) is a mandate introduced as part of PSD2 to reduce fraud and make card transactions safer for consumers.
In our previous blog post, we discussed some of the issues retailers were facing in relation to SCA and how that is fuelling some of the high rates of transaction failure we are seeing across Europe.
We continue our review of PSD2 in this blog with an overview of transactions that can be exempt from two-factor authentication as part of SCA.
Why are exemptions important?
As discussed in our first blog post on SCA, SCA introduces friction to payments. This is particularly problematic for retailers operating online, where relatively small amounts of friction can lead to consumer cart or transaction abandonment, resulting in huge losses in potential sales. As such, ecommerce retailers spend a lot of time and effort crafting smooth checkout experiences to avoid customer cart abandonment. Given the friction it introduces, SCA regulation would naturally result in a loss in potential sales for ecommerce retailers. Fortunately, the regulation provides for transactions that are either exempt from SCA or out of scope, allowing certain transactions to avoid the added friction of two-factor authentication.
As part of the PSD2 regulation, the European Commission tasked the European Banking Authority (EBA) with preparing Regulatory Technical Standards (RTS) on security aspects of payments (see Article 98 of Directive (EU) 2015/2366; Commission Delegated Regulation (EU) 2018/389). These were published in March 2018 and provided details on instances where SCA would not be required on certain transactions. The following table provides details of the various instances where an exemption to the SCA mandate is allowed.
While these exemptions are an important step in trying to find the right balance between managing fraud and minimising transaction failure, merchants are still facing issues (as discussed in our last blog post).
Strong Customer Authentication was expected to introduce further friction to payments. As a result, the EBA produced Regulatory Technical Standards that included guidance on transactions that would be exempt from SCA. While the inclusion of exemptions in the regulation is welcomed, retailers are still experiencing a number of issues in relation to the usage of certain exemptions (as discussed during our previous blog post). Furthermore, even with the inclusion of these exemptions in the regulation, the proportion of transactions requiring SCA across Europe is still extremely high, leading to high levels of transaction failure.
In our next blog post, we will focus on the ban on surcharging introduced as part of the Second Payment Services Directive (PSD2).