The European Payment Services Directive 2 Regulatory Technical Standard (PSD2 RTS) requires that all card-based transactions apply Strong Customer Authentication (SCA) starting January 1st, 2021.
These regulations add additional friction to the payment flow in the form of authentication of a cardholder. Transactions are allowed to request an exemption to reduce friction as much as possible at the cost of fraud protection. The use of exemptions will speed up the checkout process significantly but will require time to settle. For example, issuers will need to learn the interactions between cardholders and merchants to apply for exemptions by themselves or approve requested exemptions. Furthermore, the implementation of exemptions by the payment industry is still ongoing.
Aside from exemptions, the directive also defines several use cases that are out of scope for SCA which do not require any form of authentication. For example, a monthly subscription must be able to continue without the interaction of the cardholder. The only new requirement is that the initial transaction must use SCA.
Quote from Visa November 2018:
SCA exemptions are defined based on the level of risk, amount, recurrence and the payment channel used for the execution of the payment. These exemptions allow PSPs to achieve the right balance between convenience of the payment experience and fraud reduction. The SCA exemptions are available only to PSPs. The SCA exemptions are not available to merchants, unregulated payment gateways or other unregulated entities. The Issuer retains the ability to take the ultimate decision on the application of the exemption.
In this guide, we provide an overview of the currently available exemptions and show you how they can be requested using our PSP. Also, we list the most common use cases for exemptions and out of scope transactions to help you decide which are most suited for your business case.
CCV Pay supports all SCA exemptions but some require additional configuration of your account. Contact onlinepayments@ccv.eu in case you have any questions or when you are instructed to by the documentation.
If a transaction can benefit from an exemption or the risk of fraud is low, an exemption can be requested.
Actively monitoring for fraud and having mechanisms in place to prevent it, resulting in a low fraud rate, allows for the use of the Transaction Risk Analysis (TRA) exemption. The TRA informs the issuer of the card that the risk analysis is performed before requesting the authorisation. A merchant or acquirer can request this exemption; CCV Pay will not apply the exemption on your behalf. The merchant needs approval of the acquirer to apply the exemption. Without approval, the acquirer may discard the exemption before sending the request to the issuer or, worse, reject the authorisation request.
Transactions below 30 euros do not require SCA. However, every once in a while, the issuer must verify the identity of the cardholder using SCA. The PSD2 RTS defines the frequency of these checks. The issuer is the one to confirm whether or not a transaction is subject to SCA. Using the LVP exemption is a last resort if you want to try to get an exemption for a payment.
The Trusted Beneficiary exemption is applicable when a cardholder explicitly agrees to trust the merchant for future payments. Explicitly means that you must inform the cardholder what the intent of the request is and register the choice of the cardholder. Do not imply the choice of the cardholder, e.g. by using a hidden checkbox. By not clearly stating the request for trust, the risk of fraud or disputes can increase.
This exemption can also be applied by the issuer. The issuer can ask the cardholder during the authentication process to trust you. In the future, CCV Pay will add to the API whether the issuer asked the cardholder and what the cardholder chose.
Mastercard and Visa require additional setup before you can use this exemption. Also, there are additional costs per scheme. If you would like to benefit from this exemption, contact our customer support with your request.
A Secure Corporate Payment utilizes a corporate card. Identification of these cards is critical to apply for the exemption. These kinds of cards are common in the travel and hospitality sector.
Acquirers and issuers can identify these cards and apply for the exemption on your behalf. They will be held liable in case of fraud.
A recurring or instalment transaction is part of a sequence or chain initiated by the merchant. The initial transaction of the chain requires SCA to set up an agreement between the merchant and the cardholder. The merchant can use the agreement as a mandate for subsequent transactions.
Due to the similarities with a merchant initiated transaction, Visa and Mastercard define the same requirements for recurring/instalment.
The new regulation has implications on the liability in case of a fraudulent transaction. In general, the following applies:
SCA exemptions are, like all aspects of SCA, only applicable to card and Google Pay payments. Bancontact does not support 3-D Secure 2. Requesting an exemption for Bancontact will have no impact.
There are 4 standardized exemptions as defined in the PSD2 RTS. See authentication exemptions for a detailed explanation.
Request an exemption for a payment by adding details.authExemption to the request with one of the following values.
Name | Description |
---|---|
TRANSACTION_RISK_ANALYSIS | Choose to trigger the Risk analysis for each transaction or to disable the TRA from being applied. |
LOW_VALUE | Transactions with an amount lower than 30 EURO. Every 5 transactions authentication is required or if the total amount of 100 euro non authenticated transactions is exceeded. |
SECURE_CORPORATE | Business to Business. |
TRUSTED_BENEFICIARY | A cardholder can indicate that the merchant is trusted and that authentication is no longer required. |
Initiate a new transaction with the 3-D Secure 2 compliant data
```json
{
  "amount": 10.99,
  "currency": "eur",
  "method": "card",
  "returnUrl": "https://shop.merchant.com/return?order=123456",
  "merchantOrderReference": "123456",
  "description": "Order 123456",
  "language": "nld",
  "billingAddress": "Westvoortsedijk",
  "billingCity": "Arnhem",
  "billingState": "GE",
  "billingPostalCode": "6827 AT",
  "billingCountry": "NL",
  "billingHouseNumber": "55",
  "accountInfo": {
    "accountIdentifier": "7cec0016-0bf3-45c7-bc1a-7916750a39a2",
    "accountCreationDate": "20190101",
    "passwordChangeIndicator": "CHANGED_DURING_TRANSACTION",
    "email": "john.doe@ccvlab.eu",
    "workPhoneCountry": "31",
    "workPhoneNumber": "11193500",
    "authenticationMethod": "OWN_CREDENTIALS"
  },
  "merchantRiskIndicator": {
    "deliveryEmailAddress": "johny.doe@ccvlab.eu",
    "deliveryTimeframe": "SAME_DAY",
    "passwordChangeIndicator": "CHANGED_DURING_TRANSACTION",
    "shippingIndicator": "BILLING_ADDRESS"
  },
  "threeds2RequestInfo": {
    "challengeIndicator": "NO_PREFERENCE",
    "transactionType": "GOODS_AND_SERVICES_PURCHASE"
  },
  "details": {
    "authExemption": "TRANSACTION_RISK_ANALYSIS"
  }
}
```
CCV Pay responds with a generated transaction containing a unique payUrl
```json
{
  "method": "card",
  "reference": "C200603121922297CB87E190.2",
  "currency": "eur",
  "created": 1591179562332,
  "language": "nld",
  "billingAddress": "Westvoortsedijk",
  "billingCity": "Arnhem",
  "billingPostalCode": "6827 AT",
  "billingCountry": "NL",
  "amount": 10.99,
  "billingState": "GE",
  "merchantOrderReference": "123456",
  "billingHouseNumber": "55",
  "returnUrl": "https://shop.merchant.com/return?order=123456",
  "payUrl": "https://onlinepayments.ccv.eu/card/payment.html?reference=C200603121922297CB87E190.2",
  "lastUpdate": 1591179562332,
  "cancelUrl": "https://onlinepayments.ccv.eu/card/cancel/merchant?reference=C200603121922297CB87E190.2",
  "description": "Order 123456",
  "status": "pending",
  "type": "sale"
}
```
Redirect the customer to the payUrl
The customer submits card data
CCV Pay sends the authorisation including the requested exemption to the issuer
Multiple scenarios are possible
When using our vault to provide the cardholder's card data, you can also use the exemptions as described above. The only addition is that you provide the details.vaultAccessToken as a reference to the card on file.