A quick reminder: enforcement of SCA is mandated by the ECB as of 31 December 2020. The exception is the UK, where SCA will be enforced on 14 September 2021.

Enforcement will not happen by the ECB itself but by the national authorities. The PSD2 mandate is for the banks, not for merchants. However, if a merchant does not support SCA, issuing banks will start to refuse their transactions. To avoid this, both Visa and Mastercard require merchants to support EMV 3DS 2.1 or above.

Merchants and their payment service providers need to support transactions where SCA is not applicable (out-of-scope/excluded of PSD2), not desired (exempted from SCA to avoid shopping cart abandonment), or not possible (when the cardholder is not interacting with the merchant’s platform).

Transactions excluded from the PSD2 mandate are:

Unless the merchant requests so, issuing banks will not apply strong authentication for the above transactions.

Both the acquirer and the issuer can initialize an exemption to the SCA mandate.

The following are exemptions applied by the issuer:

In the above cases, the merchant is best off by initializing a 3DS authentication. If an issuer exemption applies, the cardholder will not notice that 3DS authentication was initialized. Fraud liability lies with the issuer if the merchant has initialized 3DS authentication.

The following exemptions can be requested by the merchant:

Fraud liability lies with the merchant in these cases. It is up to the issuer to decide whether to accept these exemptions or not. The issuer may also soft decline a transaction by indicating this in the authorization response. In that case, the merchant should retry the transaction, but with SCA authentication. Ideally, the payment service provider will retry this automatically for the merchant.

In the case of transaction series where the subsequent transaction is not triggered by the cardholder (for example subscriptions, bill payments or additional charges) the SCA mandate applies only to the first transaction of the series. One-click purchases – where the card is stored on file for later usage triggered by the cardholder – are included in the PSD2 SCA mandate.

Fraud liability of a subsequent transaction depends on the status of the first transaction of the series. Therefore it is important to indicate that a transaction is the first of a series during the authentication. For subsequent transactions, the authentication value of the first transaction can be reused to get the liability shift from merchant to issuer.

The SCA authentication is not a standalone process, but also impacts authorization and clearing messages, and needs to be supported by your acquirer.