How can I prepare for PSD2 SCA exemptions and exclusions?

Information for business owners who are using our Acquiring platform rather than the Cashflows Gateway, and what to expect with 3-D Secure version 2.2.

All UK businesses that take online payments must apply Strong Customer Authentication (SCA) as a requirement of Payment Services Directive 2 (PSD2) unless transactions are correctly flagged as exempt or excluded.

Important: If a transaction is not authenticated and not correctly flagged as exempt or excluded, it may be declined.

Here’s a table that shows which details we need for an authenticated payment request according to the version of 3-D Secure (3DS).

Data                  Version 1.0   Version 2.x
XID                   Y             N
DSTransId             N             Y
CAVV                  Y             Y
ECi                   Y             Y
ThreeDSecureversion   Y             Y*

Important: If we don’t receive the ThreeDSecureversion, we assume version 1.0.

We recommend that all customers use 3DS version 2.2 as soon as possible as this uses all the new data to allow transactions to be correctly flagged. Additionally, 3DS version 1.0 is being switched off from October 2022.

If you’re using version 1.0 you need to be prepared for the changes that version 2.x brings. One of the features of 3DS version 2.2 is the option to flag payments as exempt or excluded from 3DS checks.

Exemptions can be requested for:

  • Low value payments (Mastercard and Visa) on our Acquiring platform only. (Low value payments are not yet supported on the Cashflows Gateway.)
  • Recurring payments (Mastercard and Visa).

Exclusions can be requested for:

  • Merchant Initiated transactions (MITs) (Mastercard only).

Your 3DS provider is responsible for testing. You need to confirm that your 3DS provider can provide these details for your developer to include in your payment requests to our APIs.

For information about using our test integration environments and test cards, see How can I test a payment request?

If you need advice or recommendations for a 3DS provider, you can email our implementations team: implementations@cashflows.com.

Soft declines

A soft decline is a temporary authorisation failure. Exemption flags only indicate a request for an exemption. The final decision to exempt a payment is made by the customer’s bank (Issuer). If the bank does not honour an exemption, the payment can be soft declined, and you will receive one of the following decline codes in your response:

 

Acquirer

Code: Dx49
Message: Additional customer authentication required
Description: 'x' can represent 0, 1 or 2. Applicable Acquirer response codes may be:

  • D049
  • D149
  • D249

The payment will need to undergo SCA before you can resubmit it to us for authorisation (together with the 3DS data). Therefore, you need to confirm that your 3DS provider is prepared to handle declines of this type.
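
The following Python is an added example, not Cashflows code. It checks a payment request against the field table above, applying the rule that a missing ThreeDSecureversion is treated as version 1.0, and recognises the Dx49 soft-decline codes. The dict-shaped request, the function names and the returned labels are assumptions; only the field names and decline codes come from this page.

```python
import re

# Fields marked "Y" in the table on this page, per 3DS version family.
REQUIRED_FIELDS = {
    "1.0": ["XID", "CAVV", "ECi", "ThreeDSecureversion"],
    "2.x": ["DSTransId", "CAVV", "ECi", "ThreeDSecureversion"],
}
# Soft-decline codes listed on this page: D049, D149, D249.
SOFT_DECLINE = re.compile(r"D[012]49")

# Constructed sample: 2.2 authentication data sent without the version field.
SAMPLE = {"DSTransId": "00000000-0000-0000-0000-000000000000",
          "CAVV": "CONSTRUCTED-CAVV", "ECi": "05"}


def _present(value):
    return value is not None and str(value).strip() != ""


def effective_version(request):
    """Version family the request is treated as; absent means 1.0."""
    version = request.get("ThreeDSecureversion")
    if not _present(version) or str(version).strip().startswith("1"):
        return "1.0"
    if str(version).strip().startswith("2"):
        return "2.x"
    raise ValueError(f"unrecognised ThreeDSecureversion: {version!r}")


def missing_3ds_fields(request):
    """Required 3DS fields that are absent or empty for that version."""
    required = REQUIRED_FIELDS[effective_version(request)]
    return [name for name in required if not _present(request.get(name))]


def is_soft_decline(code):
    return bool(SOFT_DECLINE.fullmatch(str(code).strip().upper()))


def next_step(response_code, retry_request=None):
    """What to do after a decline (returned labels are hypothetical)."""
    if not is_soft_decline(response_code):
        return "not_soft_decline"
    if retry_request is None:
        return "run_sca"  # authenticate the customer before resubmitting
    missing = missing_3ds_fields(retry_request)
    return "resubmit" if not missing else "fix_3ds_data:" + ",".join(missing)
```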