In his recent blog post, Mark Nelsen (Visa’s Senior Vice President for Open Banking) writes eloquently about the need to balance security and convenience for online shoppers—a message we’ve long been promoting at Cybersource.
Mark’s blog dovetails rather neatly with what I was planning to write about following my previous blog on the new strong customer authentication (SCA) requirements of PSD2. In that blog I made the case for a robust fraud detection program in the new regulatory environment. One subject I touched on was that of SCA exemptions, and it’s this topic I want to look at in more detail now.
Why exempt at all?
In the quest to deliver a better customer experience—more secure and more seamless—it’s important to be able to avoid burdening customers with additional authentication steps when the risk of fraud is known to be low. This is why PSD2 includes exemptions, and it’s good for everyone if these are intelligently applied.
The final decision over whether to initiate an exemption rests with issuers and acquirers. But of course, you’ll have your own opinions on which transactions you’d like to see exempted—or not exempted, if you want to retain the advantage of liability shift. Here are our suggestions on how to navigate the SCA exemptions, to ensure that you can keep fraud rates in check and your customer experience frictionless.
1. Understand the key SCA exemptions
The summary below will help you understand how the three most broadly applicable SCA exemptions work (there are a few other, less common, reasons to exempt):
| Exemption allowed if | Exemption applied by |
|---|---|
Transaction value is less than €30. But the issuer must overrule this exemption once a card:
or
|
Acquirer (PISP) at own behest or on behalf of the merchant or Issuer (ASPSP) |
| The beneficiary has been whitelisted by the paying customer through their card issuing bank. | Issuer (ASPSP) at own behest or at merchant request |
| After carrying out transaction risk analysis (TRA), the acquirer or issuer—meeting the relevant fraud thresholds—decides that the transaction doesn't need to be challenged. TRA may be applied to transactions up to €500. | Issuer (ASPSP) at own behest or at merchant request |
2. Take control of exemption application
If you read Mark Nelsen’s blog, you’ll realize that Visa is launching a new suite of solutions to support PSD2’s SCA requirements that meet consumer demand for safety and control of their money. These include tools for banks and merchants to identify low-risk transactions and initiate appropriate exemptions. As a Visa company, Cybersource is working closely with Visa to become an early adopter of these services for our merchant customers.
We’re developing a turnkey PSD2 solution with your needs in mind. You’ve told us you want to be able to influence SCA and exemption decisions—and that you’d love it if fraud management, payment authentication and payment authorization processes were smoothly integrated so that you can:
- Deliver the best fraud protection to your customers
- Smartly identify transactions that are at low risk of fraud
- Quickly identify any SCA exemptions applying to any given transaction
- Quickly identify any SCA exemptions applying to any given transaction
- Ask your acquirer to apply a relevant exemption or specifically ask for an exemption not to be applied
- Provide relevant information to acquirers and issuers in support of your exemption requests
- Apply intelligence to the authentication and authorization processes, to ensure an optimum three-way balance of fraud prevention, seamless customer experience and cost control of regulatory compliance
Our solution will address all of these. If you want to know more about our plans, or have questions about Visa or Cybersource services relating to PSD2, SCA or exemptions, please get in touch with us.