Business model | Initial payment: recurringProcessingModel | Initial payment: shopperInteraction | Later payment(s): recurringProcessingModel | Later payment(s): shopperInteraction |
---|---|---|---|---|
One-off payments. SCA can be required depending on regulations and scheme rules. | CardOnFile | Ecommerce | CardOnFile | ContAuth |
Subscriptions. SCA is required for the initial payment. | Subscription | Ecommerce | Subscription | ContAuth |
Automatic top-ups and other non-fixed schedule contracts. SCA is required for the initial payment. | UnscheduledCardOnFile | Ecommerce | UnscheduledCardOnFile | ContAuth |
SCA is also required for subscriptions and non-fixed schedule contracts when the initial payment takes place at the point of sale. Cardholder authentication is done through the card and the PIN.
SCA exemptions
For transactions within the scope of PSD2, you or Adyen can request an SCA exemption if the transaction meets any of the criteria in the following list. The issuer decides if the exemption is granted or not. For some types of transaction, the issuer can grant an exemption without you or Adyen requesting it.
By default, Adyen sends a request for the most suitable exemption type on your behalf. If Adyen has requested an exemption for a transaction, you receive an additionalData.scaExemptionRequested field in the payment response, containing the type of exemption.
If you want to manage exemption requests on your own, see Managing PSD2 compliance.
You can request exemptions for the following types of transactions:
- Low Value: Transactions under EUR 30 do not require SCA but the issuing bank will keep track of certain counters such as the number of transactions or the sum of transaction amounts. If the shopper's transactions for one card exceed the counter, for example, after five consecutive transactions or if the sum exceeds EUR 100, the issuing bank will require SCA.
- Low Risk / Transaction Risk Analysis (TRA): Issuing banks can consider transactions as low risk based on the average fraud levels of the card issuer, or of the acquirer processing the transaction, or of both. TRA has two kinds of implementation:
  - TRA exemption request from you or your acquirer: You can request a TRA exemption from the issuer if your fraud levels are below fraud thresholds. If the exemption is granted, the chargeback liability stays with you.
  - TRA exemption from the issuer: The card issuer can apply the TRA exemption even if you or your acquirer did not request it. Send additional information in your payment request to maximize the probability of getting the exemption. The chargeback liability shifts to the issuer.
- Allowlisted Merchants or Trusted Beneficiaries: After a strongly authenticated payment session, shoppers can add the merchant to an allowlist for the issuer. In 3D Secure 2, shoppers will be able to select a checkbox to add the merchant to an allowlist. The issuing bank will not require SCA on the next payments for the same merchant. However, note that this exemption depends on whether the issuer supports allowlisting.
- Secure corporate payments: These are payments made through dedicated corporate processes initiated by businesses and not available for consumers. Examples are payments made through central travel accounts, lodged cards, virtual cards, and secure corporate cards, such as those used in a corporate travel management system.
Recurring transactions were previously included in the exemptions list. We have removed them because, by default, Adyen includes the recurring or MIT indicators, making these out-of-scope transactions.
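To see when the Low Value exemption stops applying, the following added example (not Adyen code or an issuer's implementation) models the per-card counters described in the Low Value item, using the thresholds the page gives as examples. The class and function names, the rule that both counters apply at once, and the reset of the counters after SCA are assumptions of this sketch.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds taken from the page's Low Value description.
LOW_VALUE_LIMIT = Decimal("30")   # exemption applies to amounts under EUR 30
MAX_CONSECUTIVE = 5               # "after five consecutive transactions"
MAX_CUMULATIVE = Decimal("100")   # "if the sum exceeds EUR 100"


@dataclass
class LowValueCounter:
    """Hypothetical per-card counters kept since the last SCA."""
    count: int = 0
    total: Decimal = Decimal("0")

    def decide(self, amount: Decimal) -> tuple[str, str]:
        """Return (decision, reason) for one payment and update the counters."""
        if amount >= LOW_VALUE_LIMIT:
            reason = "amount_not_under_limit"
        elif self.count >= MAX_CONSECUTIVE:
            reason = "consecutive_count_exceeded"
        elif self.total + amount > MAX_CUMULATIVE:
            reason = "cumulative_sum_exceeded"
        else:
            # Exemption applies: the payment counts towards both counters.
            self.count += 1
            self.total += amount
            return ("exempt", "low_value")
        # Assumption: a completed SCA resets both counters.
        self.count = 0
        self.total = Decimal("0")
        return ("sca_required", reason)


def simulate(amounts: list[str]) -> list[tuple[str, str]]:
    """Run a constructed sequence of EUR amounts for one card."""
    counter = LowValueCounter()
    return [counter.decide(Decimal(a)) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: six EUR 10 payments, then four EUR 28 payments.
    sample = ["10"] * 6 + ["28"] * 4
    for amount, (decision, reason) in zip(sample, simulate(sample)):
        print(f"EUR {amount}: {decision} ({reason})")
```

In the constructed sample, the sixth EUR 10 payment triggers SCA on the count, and the fourth EUR 28 payment after the reset triggers SCA on the cumulative sum.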
Schemes and available exemptions
Scheme | lowValue | transactionRiskAnalysis | secureCorporate |
---|---|---|---|
American Express | |||
Cartes Bancaires | |||
CUP | |||
Mastercard | |||
Visa |
For technical implementation, see SCA requirements based on business models. If you have further questions on exemptions and out-of-scope transactions, contact the Support Team.