SCA is not required for:
- Businesses that are not located in a PSD2 country (the EEA, Monaco, and the UK).
- Businesses that are located in a PSD2 country, but don't have customers in any of the PSD2 countries.
- If a business is located in a PSD2 country and has customers both within and outside the PSD2 countries, then SCA only applies to payments made for customers within a PSD2 country.
- Zero-value authorizations for card validation.
Zero-value authorizations to set up merchant-initiated transactions, for example subscriptions, do require SCA.
- Point-of-sale payments made with a secure payment terminal. SCA applies to online payments, that is, payments where the shopper is not present in person. As such, point-of-sale payments do not fall under the scope of SCA.
- Out-of-scope transactions
Out-of-scope transactions are transactions not covered by the PSD2 mandate. The issuing bank will not apply any strong authentication and guarantees that shoppers will not be presented with an authentication challenge, unless you specifically ask for 3D Secure in your payment request.
Out-of-scope transactions include:
- Interregional transactions: Payments where the card was issued outside of Europe or where the country you are acquiring from is outside of Europe. Some European issuing banks are expected to require SCA anyway even if a payment is acquired outside of Europe.
- Merchant-Initiated Transactions (MIT) and Direct Debits: A payment or a series of payments with fixed or variable amounts that the merchant performs without direct involvement of the shopper. Examples are subscriptions, automatic account top-ups, and installments. The initial transaction should have gone through SCA and the shopper should have agreed to the terms and conditions of the succeeding MITs. To ensure that your transaction is accurately classified as MIT, see SCA requirements based on business models for more information on MIT implementation. Authorisation adjustments are also considered MIT.
- Mail Order and Telephone Orders (MOTO): MOTO transactions are not considered to be electronic payments, so these are out of the scope of the regulation.
- Anonymous cards: This type of cards can only be identified by the issuing bank. For example, anonymous prepaid cards.