SCA Exemptions
What Are SCA Exemptions? Definition and How They Work
Definition
SCA exemptions are specific categories defined under PSD2 that allow qualifying electronic payment transactions to be processed without full two-factor Strong Customer Authentication, enabling lower-friction checkout experiences while maintaining regulatory compliance.
How it works
PSD2's SCA requirement applies to customer-initiated electronic payments within the EEA, but the regulation defines categories of transactions that are explicitly out of scope or eligible for exemption. Using exemptions correctly allows merchants to reduce authentication friction on low-risk transactions without violating SCA obligations.
The main SCA exemption categories are: low-value transactions under €30 (subject to cumulative limits of €100 in total or 5 consecutive transactions since the last time SCA was applied to the card); transaction risk analysis (TRA), where the acquirer or issuer has assessed the transaction risk in real time and its fraud rate falls below defined thresholds; recurring transactions with a fixed amount to the same merchant after an initial authenticated setup; and transactions where the cardholder has whitelisted the merchant as a trusted beneficiary. Transactions initiated by the merchant rather than the cardholder (merchant-initiated transactions, or MITs) are strictly out of scope of SCA rather than an exemption, but they are flagged in the same way and are usually grouped with the exemptions in practice.
Exemptions are requested either through the 3DS 2.x protocol (the requestor asks for no challenge and states the exemption it is relying on) or through an exemption indicator in the authorisation message, skipping 3DS entirely. The merchant or acquirer requests an exemption; the issuer decides whether to grant it. If the issuer declines the exemption and soft-declines the transaction, the merchant must retry the same transaction with full SCA authentication. This is the soft decline recovery flow.
Liability is the key trade-off: for transactions where the acquirer applies a TRA exemption and the issuer accepts it, fraud liability rests with the acquirer (and ultimately the merchant). Authenticated transactions shift liability to the issuer, and so do exemptions the issuer applies on its own account. Merchants using acquirer exemptions extensively in higher-value segments are accepting more fraud liability in exchange for lower friction.
Why it matters
TRA exemption eligibility depends on the acquirer's fraud rate: TRA exemptions are only available to acquirers whose rolling fraud rates for the transaction category are below the reference rates in the RTS annex. For remote card payments these bands are 0.13% for transactions up to €100, 0.06% for transactions up to €250, and 0.01% for transactions up to €500; no TRA exemption is available above €500. Merchants whose acquirer's fraud rate is above threshold cannot access TRA exemptions through that acquirer, regardless of their own fraud rates.
Low-value exemption limits are per-transaction and cumulative: the €30 low-value exemption is no longer available once the card has reached €100 cumulatively, or 5 consecutive transactions, without SCA. Issuers track this usage per card and will decline the exemption when either limit is reached, requiring full SCA; applying SCA resets both counters. Because the counters span every merchant the card is used at, a merchant cannot know exactly where a card stands and must be prepared for the decline.
The MIT flag only applies to transactions that qualify as merchant-initiated: a transaction is an MIT when the merchant initiates it on a stored credential without real-time cardholder involvement, subscription renewals and usage-based charges being the clearest examples, and the credential was stored with an authenticated transaction at setup. Incorrectly flagging customer-initiated transactions as MITs is a scheme rule violation.
Exemption strategy affects conversion and fraud loss simultaneously: the optimal exemption strategy applies exemptions to transactions where the probability of frictionless authentication would be high anyway (low risk) and routes higher-risk transactions through full SCA. Using exemptions broadly without risk tiering increases fraud losses from the liability shift without proportional conversion gain.
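The following is an added example, not PXP's code or any scheme's reference implementation, showing one way to encode the selection logic described above: type-based flags first, then risk tiering, then the low-value exemption with its per-card counters, and TRA as the fallback when the acquirer's fraud rate qualifies. The data classes, the risk-score scale and cut-off, and the in-memory counter store are assumptions; the €30/€100/5 limits and the TRA bands are the RTS values. A merchant can only estimate the issuer's per-card counters, so the issuer's decline remains the authoritative signal.

```python
"""Exemption selection for PSD2 SCA (illustrative example, not production code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Exemption(Enum):
    LOW_VALUE = "low_value"                      # RTS Art. 16
    TRA = "transaction_risk_analysis"            # RTS Art. 18
    RECURRING = "recurring"                      # RTS Art. 14, after an authenticated setup
    TRUSTED_BENEFICIARY = "trusted_beneficiary"  # RTS Art. 13
    MIT = "merchant_initiated"                   # out of scope of SCA, flagged like an exemption
    FULL_SCA = "full_sca"                        # no exemption: run 3DS with a challenge


# RTS Annex reference fraud-rate bands for remote card payments:
# (exemption threshold value in EUR, maximum acquirer fraud rate).
TRA_BANDS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]

LOW_VALUE_MAX = 30.0              # per transaction
LOW_VALUE_CUMULATIVE_MAX = 100.0  # since the last SCA on the card
LOW_VALUE_MAX_COUNT = 5           # consecutive transactions since the last SCA


@dataclass
class Transaction:
    amount_eur: float
    risk_score: float                 # assumed scale: 0.0 (safe) .. 1.0 (risky), merchant's own model
    merchant_initiated: bool = False
    recurring_fixed_amount: bool = False
    merchant_whitelisted: bool = False


@dataclass
class CardCounters:
    """Per-card usage since the last SCA (Art. 16). The issuer's counters are
    authoritative; a merchant only sees its own share, so this is an estimate."""
    cumulative_eur: float = 0.0
    consecutive_count: int = 0


def tra_limit_for(acquirer_fraud_rate: float) -> Optional[float]:
    """Highest TRA threshold the acquirer qualifies for, or None if its fraud
    rate is above the loosest band."""
    limit = None
    for etv, max_rate in TRA_BANDS:
        if acquirer_fraud_rate <= max_rate:
            limit = etv
    return limit


def choose_exemption(tx: Transaction, counters: CardCounters,
                     acquirer_fraud_rate: float, risk_cutoff: float = 0.2) -> Exemption:
    """Pick the exemption to request, or FULL_SCA. Transaction-type flags come
    first, then risk tiering, then the amount-based exemptions."""
    if tx.merchant_initiated:
        return Exemption.MIT
    if tx.recurring_fixed_amount:
        return Exemption.RECURRING
    if tx.merchant_whitelisted:
        return Exemption.TRUSTED_BENEFICIARY
    # Liability stays with the merchant on acquirer exemptions, so do not
    # request one for a transaction our own model already rates as risky.
    if tx.risk_score > risk_cutoff:
        return Exemption.FULL_SCA
    if (tx.amount_eur <= LOW_VALUE_MAX
            and counters.cumulative_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_MAX
            and counters.consecutive_count < LOW_VALUE_MAX_COUNT):
        return Exemption.LOW_VALUE
    limit = tra_limit_for(acquirer_fraud_rate)
    if limit is not None and tx.amount_eur <= limit:
        return Exemption.TRA
    return Exemption.FULL_SCA


def record_outcome(tx: Transaction, counters: CardCounters, decision: Exemption) -> None:
    """Update the Art. 16 counters: any payer-initiated transaction processed
    without SCA adds to them; applying SCA resets them. MITs are not initiated
    by the payer and do not count."""
    if decision == Exemption.FULL_SCA:
        counters.cumulative_eur = 0.0
        counters.consecutive_count = 0
    elif decision != Exemption.MIT:
        counters.cumulative_eur += tx.amount_eur
        counters.consecutive_count += 1


def simulate(amounts: List[float], acquirer_fraud_rate: float,
             risk_score: float = 0.05) -> List[Exemption]:
    """Run a series of customer-initiated payments on one card and return the
    decision for each, showing the counters filling up and resetting."""
    counters = CardCounters()
    decisions = []
    for amount in amounts:
        tx = Transaction(amount_eur=amount, risk_score=risk_score)
        decision = choose_exemption(tx, counters, acquirer_fraud_rate)
        record_outcome(tx, counters, decision)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: acquirer above every TRA band, so only low-value applies;
    # the sixth €10 payment hits the 5-transaction limit and forces SCA.
    for amount, decision in zip([10.0] * 7, simulate([10.0] * 7, acquirer_fraud_rate=0.005)):
        print(f"EUR {amount:>6.2f} -> {decision.value}")
```

Running the sample shows five low-value exemptions, a forced SCA on the sixth payment, and the exemption becoming available again on the seventh because the counters were reset. Swapping in an acquirer with a qualifying fraud rate makes the same sixth payment fall through to TRA instead.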
With PXP
PXP supports the full range of SCA exemption types in its 3DS integration, including low-value, TRA, recurring, and MIT flags. Exemption logic is configurable per merchant and per transaction segment. PXP's TRA exemption eligibility is maintained based on PXP's network-level fraud rates. Soft decline recovery flow is handled automatically.
Frequently asked questions
What is the difference between an SCA exemption and a frictionless 3DS outcome?
An SCA exemption means the cardholder is not authenticated at all: the merchant either flags the exemption directly in the authorisation message, with no 3DS request, or sends a 3DS request that asks for no challenge and names the exemption, which the issuer acknowledges without authenticating. A frictionless 3DS outcome means SCA authentication did happen, but the issuer completed it in the background, using the data in the 3DS request, without presenting a challenge. Both result in no visible friction for the cardholder, but frictionless 3DS provides authenticated status and issuer liability shift; acquirer exemptions do not.
Who decides whether an SCA exemption is granted?
The issuer makes the final decision. The merchant or acquirer requests an exemption through the authorisation or 3DS flow; the issuer evaluates whether it is willing to accept the exemption. If the issuer rejects the exemption request, it should return a soft decline code indicating authentication is required. The merchant must then retry the transaction with full SCA. Issuers are not obligated to accept exemption requests.
What happens when an issuer rejects an exemption request?
The issuer returns a soft decline with a response code indicating SCA is required (the schemes publish dedicated codes for this, such as Visa's 1A and Mastercard's 65; gateways often map them to their own status values). The merchant must retry the transaction, this time initiating a full 3DS authentication flow, and then resubmit the same order with the authentication result and without the exemption flag. The cardholder is presented with the authentication step (OTP, biometric, etc.) in between. This retry flow must be handled correctly in the merchant's payment system: a soft decline must not be treated as a final decline, must not be retried with the same exemption, and must not be confused with a hard decline, which should never be retried; merchants who do not implement soft-decline recovery will simply lose those transactions.
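The flow described in "How it works" and in this answer, as an added example that is not PXP's code or any gateway's API: a merchant-side function attempts the authorisation with an exemption, distinguishes a soft decline from a hard decline, runs the 3DS challenge once, and resubmits the same order with the authentication data. The issuer, the challenge round trip, the request and response shapes, and the assumption that Visa 1A and Mastercard 65 are the soft-decline codes your gateway surfaces are all constructed for the example.

```python
"""Soft-decline recovery for SCA exemptions (illustrative example, not production code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import uuid

# Scheme response codes meaning "authentication required" (assumed mapping:
# Visa 1A, Mastercard 65). Gateways often translate these, so check yours.
SOFT_DECLINE_CODES = {"1A", "65"}

CHALLENGE_LOG: List[str] = []  # records which cards were challenged (for inspection)


@dataclass
class AuthRequest:
    merchant_reference: str                     # same reference on the retry: one order, not two
    card_token: str
    amount_eur: float
    exemption: Optional[str] = None             # "tra", "low_value", ... or None
    three_ds: Optional[Dict[str, str]] = None   # authentication result: transStatus, eci, cavv


@dataclass
class AuthResponse:
    approved: bool
    response_code: str   # "00" approved, a soft-decline code, or a hard decline such as "05"
    liability: str       # who carries fraud liability on this authorisation


class SimulatedIssuer:
    """Constructed issuer policy: blocked cards are hard-declined; authenticated
    transactions are approved with liability on the issuer; an acquirer exemption
    is honoured only if accepted and under the issuer's own ceiling (liability
    stays with the merchant); anything else is soft-declined asking for SCA."""

    def __init__(self, accepted_exemptions=(), max_exempt_eur=0.0,
                 soft_decline_code="1A", blocked_cards=()):
        self.accepted_exemptions = set(accepted_exemptions)
        self.max_exempt_eur = max_exempt_eur
        self.soft_decline_code = soft_decline_code
        self.blocked_cards = set(blocked_cards)

    def authorise(self, req: AuthRequest) -> AuthResponse:
        if req.card_token in self.blocked_cards:
            return AuthResponse(False, "05", "n/a")
        if req.three_ds and req.three_ds.get("transStatus") == "Y":
            return AuthResponse(True, "00", "issuer")
        if req.exemption in self.accepted_exemptions and req.amount_eur <= self.max_exempt_eur:
            return AuthResponse(True, "00", "merchant")
        return AuthResponse(False, self.soft_decline_code, "n/a")


def simulated_challenge(card_token: str, amount_eur: float) -> Dict[str, str]:
    """Stand-in for the 3DS challenge round trip (3DS Server -> ACS -> cardholder).
    Constructed result: the cardholder passes, so transStatus is Y."""
    CHALLENGE_LOG.append(card_token)
    return {"transStatus": "Y", "eci": "05", "cavv": "constructed-cavv"}


def failing_challenge(card_token: str, amount_eur: float) -> Dict[str, str]:
    """Constructed result for a cardholder who fails or abandons the challenge."""
    CHALLENGE_LOG.append(card_token)
    return {"transStatus": "N"}


def pay_with_recovery(issuer: SimulatedIssuer, card_token: str, amount_eur: float,
                      exemption: Optional[str],
                      challenge: Callable[[str, float], Dict[str, str]] = simulated_challenge
                      ) -> Tuple[AuthResponse, str]:
    """Request the exemption; on a soft decline run full 3DS once and retry the
    same order with the authentication data and no exemption flag. Returns the
    final response and which path was taken."""
    reference = str(uuid.uuid4())
    first = issuer.authorise(AuthRequest(reference, card_token, amount_eur, exemption=exemption))
    if first.approved:
        return first, "exempt"
    if first.response_code not in SOFT_DECLINE_CODES:
        return first, "hard_decline"   # final: never retry a hard decline with SCA
    auth = challenge(card_token, amount_eur)
    if auth.get("transStatus") != "Y":
        # Do not authorise without a successful authentication; local status, not a scheme code.
        return AuthResponse(False, "NOT_AUTHENTICATED", "n/a"), "authentication_failed"
    second = issuer.authorise(AuthRequest(reference, card_token, amount_eur,
                                          exemption=None, three_ds=auth))
    return second, ("recovered" if second.approved else "declined_after_sca")


if __name__ == "__main__":
    strict = SimulatedIssuer()  # accepts no acquirer exemptions at all
    resp, path = pay_with_recovery(strict, "tok-demo", 80.0, "tra")
    print(path, resp.response_code, "liability:", resp.liability)
```

The retry keeps the original merchant reference and amount so the two authorisations are visibly one order, clears the exemption flag, and carries the authentication result; a single retry is enough, since a second soft decline after a successful authentication indicates an integration fault rather than something more authentication would fix.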
Can merchants apply SCA exemptions to all their transactions?
No. Each exemption type has specific eligibility criteria. Low-value exemptions are subject to cumulative per-card limits. TRA exemptions require the acquirer's fraud rates to be below EBA thresholds, and individual transactions must fall below risk score thresholds. MIT exemptions only apply to genuinely merchant-initiated charges. Applying exemptions outside their qualifying criteria is a scheme rule violation.