Strong Customer Authentication (SCA) exemptions

Strong Customer Authentication (SCA) applies to customer-initiated electronic payments, online and contactless, in the UK and the European Economic Area (EEA). By default, card payments and bank transfers must use SCA unless an exemption applies or the transaction is out of scope (for example, merchant-initiated payments such as direct debits). For online card payments, SCA is required when both the merchant (through its acquirer) and the cardholder's bank (the issuer) are located in the EEA; the UK applies the same rule to UK acquirers and issuers.

Exemptions to Strong Customer Authentication in 3D-Secure

Not every payment falls under SCA's multi-factor authentication. Some transactions qualify for regulatory exemptions, while others, such as merchant-initiated transactions, are out of scope entirely. If you request an exemption and the cardholder's bank (the issuer) accepts it, the transaction is not authenticated, so liability for fraudulent chargebacks stays with the merchant rather than shifting to the issuer as it would after a successful 3D-Secure challenge.

The most relevant exemptions for businesses that accept online payments are:

Low-risk transactions

This is one of the most useful exemptions for merchants and one of the most widely supported by issuers. The payment provider (acquirer) performs transaction risk analysis (TRA) on each payment to decide whether to request this exemption. Eligibility depends not only on the individual transaction but on the provider's overall fraud rate for card payments: PSD2 only allows the exemption while that rate stays below a reference threshold that gets stricter as the transaction amount rises, up to a hard limit of €500.

Low-value transactions

Transactions of €30 (£25 in the UK) or less are eligible for this exemption, subject to further limits. The issuer must request SCA once the low-value exemption has been used five times since the cardholder's last successful authentication, or once the cumulative total of exempted payments since then exceeds €100 (£85). These counters are kept by the issuer across every merchant the cardholder pays, so you cannot see them; the issuer decides when to step up to authentication, and a successful authentication resets them.

Because the thresholds are so strict, this exemption won’t apply to many transactions. That said, we do support our users requesting it.
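As an added illustration (not Evervault code), the following Python models the issuer-side counters described above so you can see exactly which payment in a run triggers the step-up. Amounts are in minor units (cents or pence); the per-payment ceilings, the five-use limit and the cumulative limits are the ones stated in this section, and the reset on a successful authentication follows from the counters being measured since the cardholder's last successful authentication.

```python
from dataclasses import dataclass

# Limits quoted in this section, in minor units: (single-payment ceiling,
# cumulative ceiling of exempted payments, number of uses before step-up).
LIMITS = {
    "EUR": (3000, 10000, 5),   # EUR 30 / EUR 100 / 5 uses
    "GBP": (2500, 8500, 5),    # GBP 25 / GBP 85 / 5 uses
}


@dataclass
class LowValueCounter:
    """Per-card state an issuer keeps for the low-value exemption."""
    currency: str
    uses: int = 0    # exempted payments since the last successful SCA
    total: int = 0   # sum of those payments, in minor units

    def authenticated(self) -> None:
        """A successful SCA (challenge passed) resets both counters."""
        self.uses = 0
        self.total = 0

    def decide(self, amount: int) -> str:
        """Return 'exempt' if the low-value exemption can be applied to a
        payment of `amount`, or 'step-up' if the issuer must request SCA.

        The limits are checked against the payments already exempted, as the
        rule is phrased, so the sixth use, or the first payment after the
        running total has passed the ceiling, is the one that gets challenged.
        """
        single, cumulative, max_uses = LIMITS[self.currency]
        if amount > single:
            return "step-up"      # over the per-payment ceiling: not eligible at all
        if self.uses >= max_uses or self.total > cumulative:
            return "step-up"      # counters exhausted: SCA required, which resets them
        self.uses += 1
        self.total += amount
        return "exempt"


def simulate(currency: str, amounts: list[int]) -> list[str]:
    """Run a sequence of payments on a fresh card and return the decisions.

    A 'step-up' is assumed to end in a successful authentication, which
    resets the counters before the next payment.
    """
    card = LowValueCounter(currency)
    decisions = []
    for amount in amounts:
        decision = card.decide(amount)
        if decision == "step-up":
            card.authenticated()
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed samples: six EUR 20 payments hit the five-use limit; five
    # EUR 29 payments hit the EUR 100 cumulative limit one payment earlier.
    print(simulate("EUR", [2000] * 6))
    print(simulate("EUR", [2900] * 5))
```

The second sample is the case merchants tend to miss: the cumulative ceiling can force a challenge before the fifth use, and because the counters include payments to other merchants, a cardholder who has just bought elsewhere may be stepped up on their first payment with you.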

Recurring transactions

This exemption applies to recurring payments of the same amount to the same merchant. The customer must complete SCA for the first payment; subsequent charges can then be exempt. It’s particularly helpful for subscriptions and is widely supported by European issuers.

Merchant-initiated transactions

Payments made with a stored card while the customer is not present in the checkout may qualify as merchant-initiated transactions (MITs). MITs are technically out of scope for SCA, but in practice flagging a payment as an MIT works much like requesting an exemption, and the issuer still decides whether to require authentication.

To use MITs, you must:

  • authenticate the card either when it’s first saved or on the first payment, and
  • obtain the customer’s agreement (a mandate) to charge the card later.

This is essential for models with delayed charges, variable-amount subscriptions, or add-ons. It’s supported by most European issuers when the transaction is assessed as low risk.

Phone and mail order transactions

Card details taken over the phone or by post are out of scope for SCA and don't require authentication. These payments are known as Mail Order/Telephone Order (MOTO). As with the exemptions, you must flag the transaction as MOTO, and the issuer ultimately decides whether to approve or decline it.

This is a key scenario for businesses that accept phone payments and is broadly supported by issuers.

Corporate payments

This exemption applies to payments made with lodged cards (for example, a corporate card kept on file by an online travel agent for employee travel) and to corporate payments using virtual card numbers, which are also common in travel.

Because the scope is so narrow, it has limited use outside the travel sector. Only the issuer (the cardholder's bank) can apply this exemption; merchants and payment providers can't reliably determine whether a card fits these categories.

How to request SCA exemptions using Evervault's 3D-Secure solution

By using Evervault's 3D-Secure solution, you can request the above SCA exemptions in the ways outlined in the following sections.

Low-value and low-risk transactions

When creating a customer-initiated 3D-Secure session with Evervault, you can request the low-value or low-risk exemption by setting the challenge.preference field to no-challenge-requested and the challenge.reason field to low-value or low-risk in the request. As outlined above, there is no guarantee that the exemption will be applied: the issuer may still require SCA.

Recurring, MOTO, and merchant-initiated transactions

As outlined above, the customer must complete SCA for the first payment in a series of recurring or subscription payments. When creating that session, set the payment.type field to recurring or installment in the request and fill out the remaining required fields by following our documentation on creating a recurring or installment payment.

Any subsequent transaction in the series may be marked as merchant-initiated by setting the initiator.type field to merchant and the initiator.reason field to the appropriate reason as outlined in our documentation. You will also need to set the initiator.initialSession field to the Evervault 3D-Secure session ID of the first payment, the one in which the customer completed SCA.

Corporate payments

Requesting the secure corporate payment (SCP) exemption differs from the other exemptions because of the environment the transaction takes place in. The system is often automated and there is no cardholder available to complete SCA, so Evervault handles this case differently.

For other customer-initiated transactions, after creating a session you would typically mount the Evervault 3D-Secure modal in your frontend. Because there is often no cardholder present in this case, an authentication attempt is instead performed when the session is created (similar to MITs) if the following conditions are met:

  • The initiator.type field is set to customer
  • The challenge.preference field is set to no-challenge-requested and the challenge.reason field is set to secure-corporate-payment

The issuer will apply the exemption if it participates in it and the transaction fits this category. If the exemption is applied, which the ECI value returned in the response indicates, you will not need to mount the modal.
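To tie the three request shapes above together (low-value and low-risk, recurring and merchant-initiated, and secure corporate payments), here is an added Python helper that is not part of Evervault's SDK or documentation. It assembles the exemption-related fields for a session request and rejects combinations this page rules out, such as a low-value request above the ceiling or a merchant-initiated request without the initial session ID. Only the field names and values quoted on this page are used; the rest of the request body, the set of accepted initiator.reason values and the HTTP call itself are left to your existing Evervault integration, and the helper merges its output into whatever body you already build.

```python
from copy import deepcopy

# Low-value ceilings stated on this page, in minor units (cents / pence).
LOW_VALUE_CEILING = {"EUR": 3000, "GBP": 2500}

NO_CHALLENGE = "no-challenge-requested"


class ExemptionError(ValueError):
    """Raised when the requested exemption cannot be expressed as described on this page."""


def exemption_fields(kind, *, amount=None, currency=None,
                     initiator_reason=None, initial_session=None):
    """Return the session-request fields that request `kind`.

    kind is one of: 'low-value', 'low-risk', 'recurring', 'installment',
    'merchant-initiated', 'secure-corporate-payment'.
    """
    if kind == "low-value":
        if currency not in LOW_VALUE_CEILING or amount is None:
            raise ExemptionError("low-value needs an amount in EUR or GBP")
        if amount > LOW_VALUE_CEILING[currency]:
            raise ExemptionError(
                f"{amount} {currency} is above the low-value ceiling; request low-risk instead")
        return {"challenge": {"preference": NO_CHALLENGE, "reason": "low-value"}}

    if kind == "low-risk":
        # The acquirer's TRA decides eligibility; the request only asks.
        return {"challenge": {"preference": NO_CHALLENGE, "reason": "low-risk"}}

    if kind in ("recurring", "installment"):
        # First payment of the series: the customer completes SCA, so no
        # challenge preference is set; only the payment type is declared.
        return {"payment": {"type": kind}}

    if kind == "merchant-initiated":
        # Later payments in a series: must point back at the session in which
        # the cardholder authenticated and carry a reason from the Evervault docs.
        if not initial_session:
            raise ExemptionError(
                "merchant-initiated needs the session ID of the authenticated first payment")
        if not initiator_reason:
            raise ExemptionError(
                "merchant-initiated needs an initiator.reason value from the Evervault docs")
        return {"initiator": {"type": "merchant", "reason": initiator_reason,
                              "initialSession": initial_session}}

    if kind == "secure-corporate-payment":
        # Customer-initiated, but flagged so the authentication attempt runs at
        # session creation and no modal is needed if the issuer applies it.
        return {"initiator": {"type": "customer"},
                "challenge": {"preference": NO_CHALLENGE,
                              "reason": "secure-corporate-payment"}}

    raise ExemptionError(f"unknown exemption kind: {kind!r}")


def with_exemption(body, **kwargs):
    """Return a copy of `body` (your normal session request) with the exemption
    fields merged in one level deep, so existing keys in the same section are kept."""
    merged = deepcopy(body)
    for section, fields in exemption_fields(**kwargs).items():
        merged.setdefault(section, {}).update(fields)
    return merged


if __name__ == "__main__":
    # Constructed placeholder body; the real schema (card, merchant, acquirer,
    # amounts) is in the Evervault docs and is not assumed here.
    base = {"payment": {"amount": 2500, "currency": "EUR"}}
    print(with_exemption(base, kind="low-value", amount=2500, currency="EUR"))
    print(with_exemption(base, kind="installment"))
    print(with_exemption(base, kind="merchant-initiated",
                         initiator_reason="<reason from docs>",
                         initial_session="<session ID of the first payment>"))
```

Keeping the ceiling check on the client side does not change what the issuer will do, but it stops you from sending a low-value request that cannot be granted when a low-risk request might have been; similarly, refusing to build a merchant-initiated request without initiator.initialSession catches the most common reason such payments end up being challenged.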