When it comes to who is affected by SCA, it is important to be aware of what payments are exempt from additional validation.

These are generally classed as ‘low risk’ payments and certain providers will be able to process these without having to look for additional validation – leaving it to the discretion of the bank to decide whether SCA authentication is required.

Types of transactions that are exempt include:

Corporate Transactions

These are generally made with a pre-approved or ‘lodged’ card. These are most commonly used for travel expenses for a range of users and, resultingly, will not require validation.

Low Risk Transactions

Arguably the most common exemption, this is defined as a transaction that falls below a bank or carrier’s thresholds for fraud. This does create a situation where a payment provider’s rate is beneath the required threshold, but it is above the cardholder’s bank – resulting in a cancelled payment.

‘Merchant Initiated’ Transactions

Used for businesses that traffic in ‘delayed payments’, these are outside of the remit of SCA as the card is authenticated when the first payment is made. Once a mandate is provided by the cardholder, the merchant can continue to charge subscriptions or pre-agreed billing.

Small Payments

Any payment or transaction below 30€ will generally be exempt from SCA. This will be limited if the card is used a number of times since the last on-record authentication or if the payment total within the previous window totals more than 100€.

Standing Subscriptions

Ongoing subscription payments will bypass SCA provided that the first payment is fully authenticated and that the subscription payments do not increase or change. If subscriptions do change, the customer will be required to validate the change or provide consent.

Telephone Sales

Some providers will allow for the creation of trusted entities or – as with platforms such as PayPal – designate a small payment to a ‘trusted’ individual. Once added to the system, the user will be placed on a list of trusted bodies and not run into issues when making future payments.

How Can 10Duke Help?

SCA compliance is a necessity for any modern business that is transacting online.

Regardless of who you choose to use to accept online payments, if you’re using the 10Duke Identity Provider as your customer identity management solution, it can help to ensure you comply with your obligations under SCA.

10Duke Identity Provider works no matter who your provider is, Stripe, Adyen, Braintree, or PayPal.

Supporting a variety of incremental authentication triggers that can help to confirm a users decision to initiate an online payment or further protect access to sensitive data or features within an application, the 10Duke Identity Provider allows you to tailor those aspects of your customer journey that require enhanced authentication, such as that mandated by PSD2.

If you want to take the pain out of your SCA compliance, read about 10Duke Enterprise. Additionally, If you want to get in touch and discuss a light-touch bespoke solution for your business, please do not hesitate to contact us and let us know how we can help.