What are PSD2 SCA exemptions and exclusions?

For developers: Find out how to use flags to request that a payment is exempt or excluded from Payment Services Directive 2 (PSD2) Strong Customer Authentication (SCA).

3-D Secure version 2.x (2.1 onwards) enables you to flag payments as exempt or excluded (because they are out of scope) from having Payment Services Directive 2 (PSD2) Strong Customer Authentication (SCA) applied.

These flags only indicate a request for an exemption or exclusion. The final decision is made by the customer’s bank (Issuer). Even if a transaction has been flagged as exempt or excluded, the bank may determine that, due to its own risk rules, SCA is required.

We currently support requests for:

  • Exemptions:
    • Low value payments (Mastercard and Visa) on our Acquiring platform only. (Low value payments are not yet supported on the Cashflows Gateway.)
    • Recurring payments (Mastercard and Visa).
  • Exclusions (out of scope payments):
    • Merchant Initiated transactions (MITs) (Mastercard only).

Important: Although repeat payments initiated by Merchants (MITs / Continuous Authorisation Payments) are exempt/excluded, the first transaction in a series of recurring/repeat payments must have 3DS checks applied.

If you’re a developer working for a merchant, or one of our partners, you are responsible for:

Important: If a transaction does not require SCA, either because it is exempt or excluded, it must be correctly flagged. Otherwise, it may be declined.
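A pre-submission check for the flagging rules above, added here as an illustration and not Cashflows code. The flag, scheme and platform names are hypothetical labels rather than API field values, and the check assumes that only low value payments are restricted by platform.

```python
from dataclasses import dataclass
from typing import List, Optional

# Support matrix from the list above: flag -> (card schemes, platforms).
# All strings are hypothetical labels, not real API values.
# Assumption: only the low value exemption is limited to the Acquiring platform.
SUPPORTED = {
    "low_value": ({"mastercard", "visa"}, {"acquiring"}),
    "recurring": ({"mastercard", "visa"}, {"acquiring", "gateway"}),
    "mit":       ({"mastercard"},         {"acquiring", "gateway"}),
}


@dataclass
class Payment:
    scheme: str                    # "visa" or "mastercard"
    platform: str                  # "acquiring" or "gateway"
    requested_flag: Optional[str]  # None = no request, 3DS/SCA applies as normal
    first_in_series: bool = False  # first payment of a recurring/repeat series


def check_sca_flag(p: Payment) -> List[str]:
    """Return the reasons the requested flag is invalid (empty list = OK)."""
    if p.requested_flag is None:
        return []
    if p.requested_flag not in SUPPORTED:
        return [f"unknown flag {p.requested_flag!r}"]

    problems = []
    schemes, platforms = SUPPORTED[p.requested_flag]
    if p.scheme.lower() not in schemes:
        problems.append(f"{p.requested_flag} is not supported for {p.scheme}")
    if p.platform.lower() not in platforms:
        problems.append(f"{p.requested_flag} is not supported on {p.platform}")
    # The first transaction in a series must have 3DS checks applied,
    # so it must not carry an exemption or exclusion request.
    if p.first_in_series:
        problems.append("first payment in a series must have 3DS checks applied")
    return problems


if __name__ == "__main__":
    # Constructed sample payments
    for pay in (
        Payment("visa", "acquiring", "low_value"),
        Payment("visa", "gateway", "mit"),
        Payment("mastercard", "acquiring", "recurring", first_in_series=True),
    ):
        print(pay, "->", check_sca_flag(pay) or "OK")
```

Passing this check only means the request is one the page lists as supported; the Issuer can still require SCA.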

For more information, visit: