Getting SCA exemptions right starts with a high-quality fraud management solution


Ecommerce, which has already been turned upside down by the COVID-19 pandemic, faces even more upheaval as new payment regulations are being enforced across much of Europe and will soon be required in the UK.

The regulation is ushering in a time of robust two-factor authentication, exemptions, step-ups, transaction legs that are either in or out — and a more secure ecommerce shopping experience for consumers. Opinion polls and anecdotal evidence indicate that for many, SCA, which stands for Strong Customer Authentication, might as well mean Something Causing Anxiety. Merchants and consumers know something is changing, but exactly what, for whom and when, well, that’s a little unclear.

We can help UK merchants and brands to embrace payment SCA by Sept. 14, the date on which the regulation will be fully enforced.

Some background: SCA is required under the sweeping digital payment regulation known as PSD2. The regulation is meant to better secure online checkout by requiring that shoppers be authenticated by two of three methods: something the user knows (such as a one-time passcode), something the user has (such as a mobile device) and something the user is (such as a fingerprint, facial recognition, typing behavior).

What you need to know
  • Ready or not, SCA is coming. Despite years of talk and off-and-on worry, the UK’s time to manage strong customer authentication arrives on Sept. 14.
  • Retailers’ and brands’ key to maintaining a first-class customer experience is to understand and wisely deploy the regulation’s exemptions and exclusions.
  • The SCA era is no time to let down your fraud guard. It turns out, low fraud rates are the foundation for building a seamless checkout experience for customers under the new requirements.

Retailers who want to get SCA right need to conduct the required two-factor identification without adding inconvenience to the checkout process. That starts with understanding the exemptions and exclusions contained in the requirement and how those elements apply to your business. Deploying exemptions wisely will allow a significant percentage of transactions to be exempted from the regulation — under the right conditions.

Exemptions come with certain requirements

Maybe you’ve guessed that establishing those conditions has become more important than ever. It’s also important to remember that exemptions and exclusions benefit merchants and their customers, but control over whether they are available to a merchant is largely in the hands of a merchant’s payment service provider or a cardholder’s issuing bank.

In general, exemptions — and their close cousins, exclusions — are available when an order meets certain conditions:

  • The order is low risk and low value.
  • The merchant and its bank have maintained a low fraud rate and the transaction meets certain value limits.
  • The transaction is considered “out of scope.” The list for these exclusions includes phone or email orders, prepaid card transactions and transactions in which the acquiring bank or the issuing bank is outside the European Economic Area — or “one leg out” transactions.

One other exemption — the “Trusted Beneficiary” exemption — is available, but a consumer’s bank must agree to allow it in order for it to be applied. It can be applied when a consumer expressly tells the bank that issued their credit card that they don’t want extra scrutiny applied when they are buying from specific merchants. Again, the issuing bank can refuse to allow the exemption.

Another wrinkle: In the case of a merchant-initiated transaction, a subscription for instance, SCA needs to be performed only once to authenticate the buyer.

For a specific list of exemptions and exclusions, turn to Visa’s guide, which provides a comprehensive summary.

Exemptions do come with strings attached

One thing that is evident from scouring the Visa list is that while exemptions are helpful, they are also limited. Consider low-value transactions for instance. It’s great that transactions below €30 can bypass SCA. But what if you sell jewelry, luxury watches, electronics, high fashion, home goods, sporting goods, groceries, auto parts or sell in any of the nearly limitless verticals that offer products or groups of products upon which consumers typically spend more than €30?

Oh, and there is a catch: Even low-value transactions need to undergo SCA periodically — every five transactions under €30 must undergo SCA, as must an order once the cumulative value of low-value transactions reaches €100.

Or consider the “allow-listing” available under the Trusted Beneficiary exemption. First off, a consumer needs to be aware there is such a thing. A merchant might add a notice at checkout suggesting, “If you like shopping with us, ask your issuing bank to allow-list our store.” All of which leaves a consumer saying, “Ask my what to do what now?”

And even if consumer consciousness-raising is a success, think about the bank that issued the consumer’s credit card. If the bank accepts a consumer’s request to “allow-list” a particular merchant, the bank takes on liability for any fraudulent orders. So in one stroke, the bank allows the order to bypass increased scrutiny and agrees to be on the hook for orders that are not legitimate. That’s not a lot of incentive, to put it mildly.

None of which is to say that exemptions should be ignored. Exemptions are a powerful way to provide a seamless experience for customers. When an exemption is approved, the customer doesn’t have to worry about the transaction being stepped up by requiring two of the three SCA authentication methods. And so, retailers want to be in a position to take advantage of exemptions.

One more thing: It quickly becomes obvious that merchants who want to build an exemption and exclusion strategy need to make sure they have a top-notch ecommerce fraud management solution in place. Take the most obvious case: In order to take full advantage of the low-risk transaction exemption, a merchant needs to keep its fraud rate below an exceedingly low .01%. That clears the way for purchases under €500. Exemptions for purchases under €250 and under €100 are also available for merchants with fraud rates of .06% and .13% respectively.
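The low-value counters and the fraud-rate bands described above can be expressed as a single eligibility check. The sketch below is an added example, not Signifyd's or any payment provider's code: the names `CardCounters`, `tra_ceiling` and `decide` are hypothetical, and the boundary handling (strictly "under" each amount, strictly "below" each fraud rate, five exempt payments before the next one is challenged) is an assumption drawn from the article's wording.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as quoted in the article (EUR amounts, fraud rates in percent).
LOW_VALUE_LIMIT = Decimal("30")
LOW_VALUE_RUN = 5                      # low-value payments allowed between challenges
LOW_VALUE_CUMULATIVE = Decimal("100")
TRA_BANDS = [                          # (fraud rate below, amount under)
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]

@dataclass
class CardCounters:
    """Hypothetical per-card state, reset each time SCA is performed."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

def tra_ceiling(fraud_rate_pct: Decimal) -> Decimal:
    """Largest amount band the fraud rate qualifies for, or 0 if none."""
    for rate, ceiling in TRA_BANDS:
        if fraud_rate_pct < rate:
            return ceiling
    return Decimal("0")

def decide(amount, fraud_rate_pct, counters: CardCounters) -> str:
    """Return 'low_value', 'low_risk' or 'sca', updating the counters."""
    amount, fraud_rate_pct = Decimal(amount), Decimal(fraud_rate_pct)
    if amount <= 0:
        raise ValueError("amount must be positive")
    # Low-value exemption: small payment, run and running total not exhausted.
    if (amount < LOW_VALUE_LIMIT
            and counters.exempt_count < LOW_VALUE_RUN
            and counters.exempt_total + amount < LOW_VALUE_CUMULATIVE):
        counters.exempt_count += 1
        counters.exempt_total += amount
        return "low_value"
    # Low-risk exemption: depends only on fraud rate and amount.
    if amount < tra_ceiling(fraud_rate_pct):
        return "low_risk"
    # No exemption applies: challenge, then start a fresh low-value run.
    counters.exempt_count = 0
    counters.exempt_total = Decimal("0")
    return "sca"
```

The result is only what a merchant could request; as noted earlier, the payment service provider or issuing bank decides whether the exemption is granted.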

A winning SCA strategy requires powerful fraud protection

It’s important, then, to include a powerful enterprise fraud protection solution in your overall SCA strategy. A low fraud rate is necessary to secure exemptions and exemptions are necessary to produce a top-flight customer experience.

Signifyd’s Commerce Protection Platform provides a modern machine-learning Ecommerce Fraud Solution that sifts fraudulent from legitimate orders in an instant while seamlessly scaling. And it offers a 100% financial guarantee for any approved order that turns out to be fraudulent. Furthermore, the platform’s payment optimization component considers a transaction’s characteristics and its SCA requirements before smartly routing it to the most efficient payment pathway.

Yes, doing away with SCA is one of the best things about exemptions, but it is also one of the worst things about exemptions. Sure, an exemption eliminates the potential friction added to the buying journey by two-factor authentication, but an exemption also sidelines the extra protection that step-ups provide an online seller.

A constantly learning automated fraud solution with a financial guarantee provides the protection needed to ensure good orders are shipped and fraudulent orders are declined.

Merchants and brands will want to be able to confidently pursue an aggressive exemption strategy without worrying about new vulnerabilities that fraud rings will look to exploit. Consider the irony of working so hard to maintain a low fraud rate in order to take advantage of exemptions, only to have those exemptions ultimately lead to a higher fraud rate.

In the end, as with so much in commerce, it’s best to take a holistic view when you’re considering how SCA and its exemptions fit into your entire risk management plan.

Want to learn more about the role of fraud protection in the world of SCA? Let’s talk.

Shagun Varshney

Shagun is a Signifyd senior product manager with vast experience developing strategy and deploying solutions that provide seamless strong customer authentication (SCA).