To make things easier for both businesses and cardholders, PSD2 exempts some types of payment from the requirements of Strong Customer Authentication (SCA). This means that, for applicable transactions, a customer won’t have to go through the extra authentication steps to confirm that they are who they say they are.

At this point, it’s worth noting that 3DS 2.0 exemptions are supported only in the 3DS 2 protocol, not in the 3DS 1 protocol.

Exemptions don’t need to put extra strain on your operations, either.

Acquirers, like Credorax, can request these exemptions when processing the payment, making the whole process effectively automatic and invisible for the merchant. The issuer will then receive the request, evaluate the risk of the transaction, and decide if the exemption should be granted, or if SCA is still needed.


3DS 2.0 exemptions mean less friction

The downside of building multiple authentication layers into your checkout process in order to be SCA-compliant is that the extra steps can cause friction and increase customer abandonment rates. By using exemptions to reduce the number of times you need to authenticate a cardholder, you can massively reduce friction at the checkout and limit customer drop-offs.


How to get it and who to get it from…

It’s important to understand the advantages and disadvantages of each source of exemptions. There are two main bodies that can apply them on your behalf: your acquirer and the cardholder’s issuer.

When an acquirer applies on your behalf, you will lose fraud liability protection, but you’ll have a much better chance of avoiding an SCA challenge.

Currently, the average challenge flow rate in the EEA is ~60% and the cardholder abandonment rate is ~10%.

On the other hand, if the issuer applies for an exemption on their customer’s behalf, you’ll see a frictionless flow and the liability for fraud risk will shift onto the issuer. This seems ideal, but it is completely dependent on the issuer applying the exemption – something which you can’t know in advance that they’ll do. And since issuers are currently prone to challenging exemptions at extremely high rates rather than granting them, it is not advisable to rely on issuers to do your exempting for you.

Leave your cookie cutter in the drawer

Before diving into exemption strategies in depth, it’s imperative to note that one size does not fit all. This is largely because each merchant’s appetite for risk and customer base are unique.

So, without further ado, here are all the different types of exemption available to ecommerce merchants.


1. Exclusions: when 3DS 2.0 exemptions may not apply at all

Although these aren’t exemptions per se, they are relevant here and important for you to understand. Certain types of transaction are considered ‘out of scope’, meaning that neither SCA nor an exemption will be required. Such out-of-scope transactions can be submitted directly for authorisation, but must be properly indicated so the issuer will know not to require SCA.


2. Low-risk transactions (TRA)

For a transaction to be considered low risk, it will need to meet multiple conditions. For example, it must be between €0 and €500, and the acquirer and issuer processing it must have low average fraud levels. To best meet these criteria, you should opt to work with an acquirer who has a real-time risk assessment tool to show that the transaction is low risk.

Credorax is constantly assessing new fraud trends, innovating its fraud solutions, and working to reduce fraud levels to give our merchants greater flexibility in applying for this exemption. We also provide a real-time risk tool, SmartGuard, to support this exemption.

The schemes recommend that TRA exemptions should generally be the first choice for qualifying standard transactions – prioritised over low-value exemptions.

We expect this to be one of the most useful exemptions for businesses and the one most widely supported by banks – EEA issuers are mandated to support risk-based authentication. Initial data from the schemes shows that around 50% of all exemptions are TRA.


3. Low-value transactions

This option means that a consumer can spend up to €30 without requiring additional authentication, for five consecutive transactions or a cumulative value limit of €100 since the last application of SCA. This can minimise friction at the checkout as, according to Visa, around 60% of transactions are below €30. That said, low-value exemptions should only be used when TRA cannot.

The reason we don’t advise relying on low-value exemptions is that the issuer cannot assess if the transaction qualifies at the time of the authentication. Rather, we recommend applying the low-value ‘direct to authorisation’ (without the 3DS mechanism) exemption. Submitting directly for authorisation can have the benefit of reducing friction, allowing you to retain control of the user experience.

We only recommend considering this approach if the transaction is low risk, you are comfortable accepting the fraud liability, and the cardholder can still be available for authentication if requested.

Early data from the schemes suggests that around 10% of all current exemptions are low value.

4. Merchant-initiated transactions (MIT)

This is for transactions where the cardholder plays no active role. The transaction is initiated by the merchant, using card details that have been saved by agreement with the consumer.

MIT transactions include variable subscriptions. There must be an agreement in place between the merchant and cardholder regarding how much should be charged, for what product or service, and when. However, the first transaction must go through SCA, even if the payment amount is zero. In practice, marking a payment as an MIT will be similar to requesting an exemption. For Credorax merchants, we can set a mechanism that automatically flags MIT transactions.
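
The rules in sections 2 to 4 can be combined into one decision routine. The sketch below is an added example, not Credorax code or any scheme's API: `CardState`, `choose_flow` and `simulate` are hypothetical names, the `low_risk` flag stands in for the output of a real-time risk tool, and applying both low-value counters together (five transactions and €100) is an assumption chosen as the stricter reading.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as stated on this page (amounts in EUR).
TRA_MAX = Decimal("500")
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_MAX_COUNT = 5

@dataclass
class CardState:
    """Hypothetical per-card counters since the last application of SCA."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")
    agreement_authenticated: bool = False  # first MIT-agreement payment passed SCA

def choose_flow(amount, state, low_risk=False, merchant_initiated=False):
    """Return 'MIT', 'TRA', 'LOW_VALUE' or 'SCA' for one payment."""
    amount = Decimal(str(amount))
    if merchant_initiated:
        # The first transaction must go through SCA, even if the amount is zero.
        return "MIT" if state.agreement_authenticated else "SCA"
    # TRA is prioritised over the low-value exemption when it qualifies.
    if low_risk and amount <= TRA_MAX:
        return "TRA"
    if (amount <= LOW_VALUE_MAX
            and state.exempt_count < LOW_VALUE_MAX_COUNT
            and state.exempt_total + amount <= LOW_VALUE_CUMULATIVE_MAX):
        return "LOW_VALUE"
    return "SCA"

def simulate(amounts, low_risk=False):
    """Run a sequence of cardholder-initiated payments on one card."""
    state = CardState()
    flows = []
    for amount in amounts:
        flow = choose_flow(amount, state, low_risk=low_risk)
        if flow == "SCA":  # counters restart after authentication
            state.exempt_count, state.exempt_total = 0, Decimal("0")
        elif flow == "LOW_VALUE":
            state.exempt_count += 1
            state.exempt_total += Decimal(str(amount))
        flows.append(flow)
    return flows
```

With five €25 payments, the fifth falls back to SCA because the cumulative total would pass €100 before the transaction count is reached.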


