Exemption Engine (EE)

The Exemption Engine maximises a frictionless checkout by using transactional data to predict issuer behaviour. Request real-time risk analysis of transactions to exempt as many as possible from SCA.

Prerequisite: You must be set up to use the EE with Worldpay. For more information, please contact your Relationship Manager. Additionally, please note the EE can currently only be used with a Direct Integration.

Exemption Request

You can request an exemption for the following three paymentMethodMask values:

  • CARD-SSL
  • VISA-SSL
  • ECMC-SSL

Exemption types

You must submit an additional element of <exemption> with attributes type and placement (both required). You must include placement="AUTHORISATION" or placement="AUTHENTICATION". Failure to include this attribute results in an XML validation error with the following message: Attribute placement is required and must be specified for element type exemption.

Attribute: type
Possible values:
  • LV - Low value exemption (less than 30 EUR).
  • LR - Low risk exemption.
  • OP - Optimised exemption (highest probability of issuer acceptance determined by the EE).

Attribute: placement
Possible values:
  • AUTHORISATION - Applies exemption in authorisation flow.
  • AUTHENTICATION - Applies exemption in authentication flow.
  • OPTIMISED - Applies the exemption placement that has the highest probability of issuer acceptance as determined by the EE.

An OPTIMISED placement allows the Exemption Engine to decide the optimal placement of the exemption, either in the AUTHORISATION or AUTHENTICATION flow, based on the highest probability of issuer acceptance. An OP exemption type results in an LV or an LR exemption, after the EE performs the Transaction Risk Analysis.

When you request AUTHORISATION as the placement, the exemption is applied in the authorisation flow. When the issuer accepts the exemption, the payment proceeds without any form of authentication, which exempts the shopper from a step-up challenge.

Include placement="AUTHORISATION" if you want your exemption placed in authorisation. Include placement="AUTHENTICATION" if you want your exemption placed in authentication. We refer to an authentication with exemption as a frictionless authentication because the shopper is exempt from a step-up challenge. For the authentication flow with exemption, you must be subscribed to our 3DS Flex Product; please refer to the 3DS Flex Brochure.

The following request example uses <exemption type="LV" placement="AUTHORISATION">:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://dtd.worldpay.com/paymentService_v1.dtd" >
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <submit>
        <order orderCode='YOUR_ORDER_CODE'>
            <description>test order</description>
            <amount value="100" currencyCode="EUR" exponent="2"/>
            <orderContent>
                <![CDATA[]]>
            </orderContent>
            <paymentDetails>
                <CARD-SSL>
                    <cardNumber>4444********1111</cardNumber>
                    <expiryDate>
                        <date month="06" year="2020"/>
                    </expiryDate>
                    <cardHolderName>EE.HONOURED_ISSUER_HONOURED.AUTHORISED</cardHolderName>
                    <cvc>666</cvc>
                    <cardAddress>
                        <address>
                            <firstName>Mr Bert</firstName>
                            <address1>Worldpay</address1>
                            <address2>270-289 The Science Park</address2>
                            <address3>Milton Road</address3>
                            <postalCode>CB4 0WE</postalCode>
                            <city>Cambridge</city>
                            <countryCode>GB</countryCode>
                        </address>
                    </cardAddress>
                </CARD-SSL>
                <session shopperIPAddress="127.0.0.1" id="ssn194781884"/>
            </paymentDetails>
            <shopper>
                <shopperEmailAddress>sp@worldpay.com</shopperEmailAddress>
                <browser>
                    <acceptHeader>text/html</acceptHeader>
                    <userAgentHeader>Mozilla/5.0 ...</userAgentHeader>
                </browser>
            </shopper>
            <!-- Exemption -->
            <exemption type="LV" placement="AUTHORISATION"/>
        </order>
    </submit>
</paymentService>

The following request example uses <exemption type="LR" placement="AUTHENTICATION">:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://dtd.worldpay.com/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <submit>
        <order orderCode="YOUR_ORDER_CODE">
            <description>test order</description>
            <amount value="100" currencyCode="EUR" exponent="2"/>
            <orderContent>
                <![CDATA[]]>
            </orderContent>
            <paymentDetails>
                <CARD-SSL>
                    <cardNumber>4000********1000</cardNumber>
                    <expiryDate>
                        <date month="06" year="2023"/>
                    </expiryDate>
                    <cardHolderName>AUTHORISED</cardHolderName>
                    <cvc>666</cvc>
                    <cardAddress>
                        <address>
                            <firstName>A</firstName>
                            <address1>Worldpay</address1>
                            <address2>270-289 The Science Park</address2>
                            <address3>Milton Road</address3>
                            <postalCode>CB4 0WE</postalCode>
                            <city>Cambridge</city>
                            <countryCode>GB</countryCode>
                        </address>
                    </cardAddress>
                </CARD-SSL>
                <session shopperIPAddress="127.0.0.1" id="ssn873087168"/>
            </paymentDetails>
            <shopper>
                <shopperEmailAddress>sp@worldpay.com</shopperEmailAddress>
                <browser>
                    <acceptHeader>text/html</acceptHeader>
                    <userAgentHeader>Mozilla/5.0 ...</userAgentHeader>
                </browser>
            </shopper>
            <shippingAddress>
                <address>
                    <firstName>A</firstName>
                    <lastName>Customer</lastName>
                    <address1>1 A Place</address1>
                    <address2>A Town</address2>
                    <address3>Maybe</address3>
                    <postalCode>CB1 0EE</postalCode>
                    <city>Somewhere</city>
                    <countryCode>GB</countryCode>
                    <telephoneNumber>00000000000</telephoneNumber>
                </address>
            </shippingAddress>
            <echoData>141825580765685</echoData>
            <additional3DSData dfReferenceId="ABCDEFG" challengeWindowSize="250x400" challengePreference="challengeRequested"/>
            <exemption type="LR" placement="AUTHENTICATION"/>
        </order>
    </submit>
</paymentService>

Exemption Response

The response message contains information about the exemption result, type of exemption (if applied), and outcome. The table below explains the various fields and attributes associated with the exemption response message.

Keep in mind that an issuer may reject an exemption request. If the issuer rejects an exemption applied in the authentication, the rejection results in a challenge request from the issuer. Please refer to our 3DS Flex guide for additional information.

If the issuer rejects an exemption applied in the authorisation, the rejection results in a soft decline. In this case, you must re-submit the payment with an authentication request in order to be authorised by the issuer. We advise you to authenticate without an exemption request in this scenario.

Responses for AUTHENTICATION placement:

Response Message - HONOURED

The issuer honoured the exemption and authorised the payment.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN"
                                "http://secure.worldpay.com/dtd/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <reply>
        <orderStatus orderCode='YOUR_ORDER_CODE'>
            <payment>
                <paymentMethod>VISA_CREDIT-SSL</paymentMethod>
                <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                <lastEvent>AUTHORISED</lastEvent>
                <balance accountType="IN_PROCESS_AUTHORISED">
                    <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                </balance>
                <cardNumber>4444********1111</cardNumber>
            </payment>
            <!-- Exemption -->
            <exemptionResponse result="HONOURED" reason="ISSUER_HONOURED">
                <exemption type="LV" placement="AUTHENTICATION"/>
            </exemptionResponse>
        </orderStatus>
    </reply>
</paymentService>

Identifying soft declines

Worldpay returns a <lastEvent> value of REFUSED. Additionally, we send an <ISO8583ReturnCode> element with attributes code="65" and description="AUTHENTICATION REQUESTED".

Note: You must have extended response codes enabled to identify soft declines.

Field: lastEvent
Attribute: N/A
Description: This field reflects the status of the payment as either AUTHORISED or REFUSED.

Field: exemptionResponse
Attribute: result
Description: One of the following values:
  • HONOURED
  • REJECTED
  • OUT_OF_SCOPE

Field: exemptionResponse
Attribute: reason
Description: One of the following values, grouped by the value of the result attribute:

HONOURED
  • ISSUER_HONOURED

OUT_OF_SCOPE
  • MIT
  • MOTO
  • CONTACTLESS
  • OLO

REJECTED
  • ISSUER_REJECTED
  • HIGH_RISK
  • INVALID
  • UNSUPPORTED_SCHEME
  • NOT_SUBSCRIBED
  • UNSUPPORTED_ACQUIRER
  • UNAVAILABLE
  • FRAUDSIGHT_OVERRIDE

Response Message - HONOURED

The following example shows a message with <exemptionResponse> result of HONOURED and a reason of ISSUER_HONOURED. In this case, the EE honoured the request and the issuer authorised the payment.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN"
                                "http://secure.worldpay.com/dtd/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <reply>
        <orderStatus orderCode='YOUR_ORDER_CODE'>
            <payment>
                <paymentMethod>VISA_CREDIT-SSL</paymentMethod>
                <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                <lastEvent>AUTHORISED</lastEvent>
                <balance accountType="IN_PROCESS_AUTHORISED">
                    <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                </balance>
                <cardNumber>4444********1111</cardNumber>
            </payment>
            <!-- Exemption -->
            <exemptionResponse result="HONOURED" reason="ISSUER_HONOURED">
                <exemption type="LV" placement="AUTHORISATION"/>
            </exemptionResponse>
        </orderStatus>
    </reply>
</paymentService>

Response Message - OUT_OF_SCOPE

The following example shows a message with <exemptionResponse> result of OUT_OF_SCOPE and a reason of OLO. The EE determines the OUT_OF_SCOPE condition (result/reason), but the issuer can still return values of AUTHORISED or REFUSED for <lastEvent>.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN"
                                "http://secure.worldpay.com/dtd/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <reply>
        <orderStatus orderCode='YOUR_ORDER_CODE'>
            <payment>
                <paymentMethod>VISA_CREDIT-SSL</paymentMethod>
                <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                <lastEvent>AUTHORISED</lastEvent>
                <balance accountType="IN_PROCESS_AUTHORISED">
                    <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                </balance>
                <cardNumber>4444********1111</cardNumber>
            </payment>
            <!-- Exemption -->
            <exemptionResponse result="OUT_OF_SCOPE" reason="OLO"/>
        </orderStatus>
    </reply>
</paymentService>

Response Message - REJECTED

The following example shows a message with <exemptionResponse> result of REJECTED and a reason of HIGH_RISK. The EE determines the REJECTED condition (result/reason), but the issuer can still return values of AUTHORISED or REFUSED for <lastEvent>.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://secure.worldpay.com/dtd/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <reply>
        <orderStatus orderCode='YOUR_ORDER_CODE'>
            <payment>
                <paymentMethod>VISA_CREDIT-SSL</paymentMethod>
                <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                <lastEvent>REFUSED</lastEvent>
                <ISO8583ReturnCode code="65" description="Authentication requested"/>
            </payment>
            <!-- Exemption -->
            <exemptionResponse result="REJECTED" reason="HIGH_RISK"/>
        </orderStatus>
    </reply>
</paymentService>

Response Message - REJECTED + ISSUER_REJECTED

It is also possible that the EE honoured the exemption request, but the issuer rejected the transaction.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://secure.worldpay.com/dtd/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <reply>
        <orderStatus orderCode='YOUR_ORDER_CODE'>
            <payment>
                <paymentMethod>VISA_CREDIT-SSL</paymentMethod>
                <amount value="100" currencyCode="EUR" exponent="2" debitCreditIndicator="credit"/>
                <lastEvent>REFUSED</lastEvent>
                <ISO8583ReturnCode code="65" description="Authentication requested"/>
            </payment>
            <!-- Exemption -->
            <exemptionResponse result="REJECTED" reason="ISSUER_REJECTED">
                <exemption type="LV" placement="AUTHORISATION"/>
            </exemptionResponse>
        </orderStatus>
    </reply>
</paymentService>
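
The response rules above (exemption result and reason, soft decline via REFUSED plus return code 65, and the advice to re-submit with authentication and no exemption) combined into one reply handler. This Python is an added example, not Worldpay code: the next_action labels are this example's own, and the sample replies are constructed by cutting down the reply examples on this page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

KNOWN_RESULTS = {"HONOURED", "REJECTED", "OUT_OF_SCOPE"}  # from the response table
SOFT_DECLINE_CODE = "65"  # <ISO8583ReturnCode>: AUTHENTICATION REQUESTED


@dataclass
class ExemptionOutcome:
    last_event: str
    result: Optional[str]     # None when the reply has no <exemptionResponse>
    reason: Optional[str]
    placement: Optional[str]  # present only when an exemption was applied
    soft_decline: bool
    next_action: str          # labels are this example's own, not Worldpay values


def classify_reply(xml_bytes: bytes) -> ExemptionOutcome:
    # ElementTree does not retrieve the external DTD named in the DOCTYPE.
    root = ET.fromstring(xml_bytes)
    status = root.find("./reply/orderStatus")
    payment = status.find("payment") if status is not None else None
    last_event = payment.findtext("lastEvent") if payment is not None else None
    if last_event is None:
        raise ValueError("reply has no orderStatus/payment/lastEvent")

    result = reason = placement = None
    resp = status.find("exemptionResponse")
    if resp is not None:
        result, reason = resp.get("result"), resp.get("reason")
        if result not in KNOWN_RESULTS:
            raise ValueError(f"unexpected exemption result: {result!r}")
        applied = resp.find("exemption")
        placement = applied.get("placement") if applied is not None else None

    # Soft decline: REFUSED plus return code 65 (needs extended response codes).
    iso = payment.find("ISO8583ReturnCode")
    soft = (last_event == "REFUSED" and iso is not None
            and iso.get("code") == SOFT_DECLINE_CODE)

    if last_event == "AUTHORISED":
        action = "COMPLETE"
    elif soft:
        # Re-submit with an authentication request and no exemption request.
        action = "RESUBMIT_WITH_AUTHENTICATION"
    elif last_event == "REFUSED":
        action = "DECLINED"
    else:
        action = "REVIEW"
    return ExemptionOutcome(last_event, result, reason, placement, soft, action)


def sample_reply(body: str) -> bytes:
    # Constructed input: the page's reply examples with unrelated fields removed.
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay '
            'PaymentService v1//EN" "http://secure.worldpay.com/dtd/paymentService_v1.dtd">'
            '<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE"><reply>'
            f"<orderStatus orderCode='YOUR_ORDER_CODE'>{body}</orderStatus>"
            "</reply></paymentService>").encode()


SOFT_DECLINED_REPLY = sample_reply(
    '<payment><lastEvent>REFUSED</lastEvent>'
    '<ISO8583ReturnCode code="65" description="Authentication requested"/></payment>'
    '<exemptionResponse result="REJECTED" reason="ISSUER_REJECTED">'
    '<exemption type="LV" placement="AUTHORISATION"/></exemptionResponse>')
OUT_OF_SCOPE_REPLY = sample_reply(
    '<payment><lastEvent>AUTHORISED</lastEvent></payment>'
    '<exemptionResponse result="OUT_OF_SCOPE" reason="OLO"/>')

if __name__ == "__main__":
    for reply in (SOFT_DECLINED_REPLY, OUT_OF_SCOPE_REPLY):
        print(classify_reply(reply))
```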

Testing Exemption Engine

The following two sections provide information about testing the Exemption Engine in various scenarios.

When you use OP in our secure test environment, we decide the exemption type or placement based on the amount, as defined in the table below:

Amount | Exemption Type | Placement
<=15 | LV | AUTHORISATION
>15 <= 30 | LV | AUTHENTICATION
>30 <= 100 | LR | AUTHORISATION
>100 | LR | AUTHENTICATION

Authorisation Flow

Submit the values from the magic value column in the <cardHolderName> field to test the EE in the authorisation flow and receive known responses. The system returns the response data shown in the last column.

Subscribed to EE

Low Risk

Magic Value | Overview | Response Data
EE.HONOURED_ISSUER_HONOURED.AUTHORISED | The gateway honoured the exemption and the issuer AUTHORISED the payment. Exemption: Any; Risk: Low; Path: Happy | lastEvent = AUTHORISED; result = HONOURED; reason = ISSUER_HONOURED
EE.REJECTED_ISSUER_REJECTED.SOFT_DECLINED | The gateway honoured the exemption, but the issuer REFUSED (soft declined) the payment. Exemption: Any; Risk: Low; Path: Unhappy | lastEvent = REFUSED; result = REJECTED; reason = ISSUER_REJECTED

High Risk

Magic Value | Overview | Response Data
EE.REJECTED_HIGH_RISK.AUTHORISED | The gateway rejected the exemption for high risk, but the issuer AUTHORISED the payment. Exemption: Any; Risk: High; Path: Happy | lastEvent = AUTHORISED; result = REJECTED; reason = HIGH_RISK
EE.REJECTED_HIGH_RISK.SOFT_DECLINED | The gateway rejected the exemption for high risk and the issuer REFUSED (soft declined) the payment. Exemption: Any; Risk: High; Path: Unhappy | lastEvent = REFUSED; result = REJECTED; reason = HIGH_RISK

Out-of-Scope Payment Types

Magic Value | Overview | Response Data
EE.OUT_OF_SCOPE_MIT.AUTHORISED | The gateway excludes the exemption, because it was identified as MIT, but the issuer AUTHORISED the payment. Exemption: Any; Payment Type: MIT; Path: Happy | lastEvent = AUTHORISED; result = OUT_OF_SCOPE; reason = MIT
EE.OUT_OF_SCOPE_RECURRING.AUTHORISED | The gateway excludes the exemption, because it was identified as RECURRING, but the issuer AUTHORISED the payment. Exemption: Any; Payment Type: RECURRING; Path: Happy | lastEvent = AUTHORISED; result = OUT_OF_SCOPE; reason = RECURRING
EE.OUT_OF_SCOPE_OLO.SOFT_DECLINED | The gateway excludes the exemption, because it was identified as One-Leg-Out and the issuer REFUSED (soft declined) the payment. Exemption: Any; Payment Type: Any; Path: Unhappy | lastEvent = REFUSED; result = OUT_OF_SCOPE; reason = OLO

Incorrect Exemption Request

Magic Value | Overview | Response Data
EE.REJECTED_INVALID.AUTHORISED | The gateway rejected the exemption, because it was an invalid exemption, but the issuer AUTHORISED the payment. Exemption: LV; Path: Happy | lastEvent = AUTHORISED; result = REJECTED; reason = INVALID
EE.REJECTED_INVALID.SOFT_DECLINED | The gateway rejected the exemption, because it was an invalid exemption and the issuer REFUSED (soft declined) the payment. Exemption: Any; Path: Unhappy | lastEvent = REFUSED; result = REJECTED; reason = INVALID

Not Subscribed to the Exemption Engine

Magic Value | Overview | Response Data
EE.REJECTED_NOT_SUBSCRIBED.AUTHORISED | The gateway rejected the exemption, because you are not subscribed to the EE, but the issuer AUTHORISED the payment. Exemption: Any; Path: Happy | lastEvent = AUTHORISED; result = REJECTED; reason = NOT_SUBSCRIBED
EE.REJECTED_NOT_SUBSCRIBED.SOFT_DECLINED | The gateway rejected the exemption, because you are not subscribed to the EE, and the issuer REFUSED (soft declined) the payment. Exemption: Any; Path: Unhappy | lastEvent = REFUSED; result = REJECTED; reason = NOT_SUBSCRIBED

Unsupported Scheme

Magic Value | Overview | Response Data
EE.REJECTED_UNSUPPORTED_SCHEME.AUTHORISED | The gateway rejected the exemption, because of unsupported scheme, but the issuer AUTHORISED the payment. Exemption: Any; Path: Happy | lastEvent = AUTHORISED; result = REJECTED; reason = UNSUPPORTED_SCHEME
EE.REJECTED_UNSUPPORTED_SCHEME.SOFT_DECLINED | The gateway rejected the exemption, because of unsupported scheme and the issuer REFUSED (soft declined) the payment. Exemption: Any; Path: Unhappy | lastEvent = REFUSED; result = REJECTED; reason = UNSUPPORTED_SCHEME

Authentication Flow

Submit the values from the magic value column in the <cardHolderName> field to test the EE in the authentication flow and receive known responses. The system returns the response data shown in the last column.

Subscribed to EE and Risk Management

Prerequisite: You must submit 3DS data to solicit these responses.

Successful Frictionless Authentication

Magic Value | Overview | Response Data
EE_3DS.HONOURED_ISSUER_HONOURED.AUTHORISED | The gateway honoured the exemption and the issuer AUTHORISED the payment. Cardholder authenticated | lastEvent = AUTHORISED; result = HONOURED; reason = ISSUER_HONOURED

3DS2 Frictionless Authentication Unavailable

Magic Value | Overview | Response Data
EE_3DS_SCA.REJECTED_HIGH_RISK.AUTHORISED | The gateway rejected the exemption, a step-up challenge was requested and the issuer AUTHORISED the payment. Challenge required | lastEvent = AUTHORISED; result = REJECTED; reason = HIGH_RISK
EE_3DS_SCA.REJECTED_ISSUER_REJECTED.AUTHORISED | The gateway honoured the exemption but the issuer rejected the exemption. A step-up challenge was requested and the issuer AUTHORISED the payment. Challenge required | lastEvent = AUTHORISED; result = REJECTED; reason = ISSUER_REJECTED
EE_3DS_SCA.REJECTED_INVALID.AUTHORISED | The gateway rejected the exemption because it was an invalid exemption. A step-up challenge was requested and the issuer AUTHORISED the payment. Challenge required | lastEvent = AUTHORISED; result = REJECTED; reason = INVALID

ThreatMetrix Integration

ThreatMetrix collects and sends device fingerprint data and geo-location data that relates to a shopper’s payment. You use JavaScript to send all this data to ThreatMetrix. The Device Session ID (generated by you) accompanies the device fingerprint and geo-location data sent to ThreatMetrix.

Device Session ID example:

The Device Session ID is used in the element <deviceSession> and its child element <sessionId>.

The Device Session ID is in the UUID format 8-4-4-4-12:

...
    <deviceSession>
        <sessionId>55f9c219-4e98-4130-972e-8c8b2f3c2125</sessionId>
    </deviceSession>
...

Submit this within your payment request XML. ThreatMetrix gets the Device Session ID when the data is sent. Worldpay gets the Device Session ID when the payment request is made. Worldpay uses this Device Session ID to retrieve the shopper device data in subsequent calls from ThreatMetrix.

The data that Worldpay retrieves is visible in the FraudSight UI. Ask your Worldpay Relationship Manager or Support colleague for access.

Full Payment Request example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://dtd.worldpay.com/paymentService_v1.dtd" >
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
    <submit>
        <order orderCode='YOUR_ORDER_CODE'>
            <description>test order</description>
            <amount value="100" currencyCode="EUR" exponent="2"/>
            <orderContent>
                <![CDATA[]]>
            </orderContent>
            <paymentDetails>
                <CARD-SSL>
                    <cardNumber>4444********1111</cardNumber>
                    <expiryDate>
                        <date month="06" year="2020"/>
                    </expiryDate>
                    <cardHolderName>EE.HONOURED_ISSUER_HONOURED.AUTHORISED</cardHolderName>
                    <cvc>666</cvc>
                    <cardAddress>
                        <address>
                            <firstName>A</firstName>
                            <address1>Worldpay</address1>
                            <address2>270-289 The Science Park</address2>
                            <address3>Milton Road</address3>
                            <postalCode>CB4 0WE</postalCode>
                            <city>Cambridge</city>
                            <countryCode>GB</countryCode>
                        </address>
                    </cardAddress>
                </CARD-SSL>
                <session shopperIPAddress="127.0.0.1" id="ssn194781884"/>
            </paymentDetails>
            <shopper>
                <shopperEmailAddress>a.shopper@worldpay.com</shopperEmailAddress>
                <browser>
                    <acceptHeader>text/html</acceptHeader>
                    <userAgentHeader>Mozilla/5.0 ...</userAgentHeader>
                </browser>
            </shopper>
            <!-- Exemption -->
            <exemption type="LV" placement="AUTHORISATION"/>
            <deviceSession>
                <sessionId>55f9c219-4e98-4130-972e-8c8b2f3c2125</sessionId>
            </deviceSession>
        </order>
    </submit>
</paymentService>
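
A pre-submission check for the request rules in the Exemption types and ThreatMetrix Integration sections: required placement, documented type and placement values, the LV limit of less than 30 EUR, and the 8-4-4-4-12 Device Session ID format. This Python is an added example, not Worldpay code; lint_order, the sample order and the assumption that the payment method is the non-session child of <paymentDetails> are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from decimal import Decimal

SUPPORTED_METHODS = {"CARD-SSL", "VISA-SSL", "ECMC-SSL"}
EXEMPTION_TYPES = {"LV", "LR", "OP"}
PLACEMENTS = {"AUTHORISATION", "AUTHENTICATION", "OPTIMISED"}
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def lint_order(xml_bytes: bytes) -> list:
    """Return the problems found in an order that requests an exemption."""
    order = ET.fromstring(xml_bytes).find("./submit/order")
    if order is None:
        return ["no <submit>/<order> element"]
    exemption = order.find("exemption")
    if exemption is None:
        return ["no <exemption> element"]

    problems = []
    ex_type, placement = exemption.get("type"), exemption.get("placement")
    if ex_type not in EXEMPTION_TYPES:
        problems.append(f"exemption type {ex_type!r} is not LV, LR or OP")
    if placement is None:
        problems.append("attribute placement is required on <exemption>")
    elif placement not in PLACEMENTS:
        problems.append(f"placement {placement!r} is not a documented value")

    # Assumption: the payment method is the non-<session> child of <paymentDetails>.
    details = order.find("paymentDetails")
    methods = [c.tag for c in details if c.tag != "session"] if details is not None else []
    if not any(m in SUPPORTED_METHODS for m in methods):
        problems.append(f"payment method {methods} does not support exemptions")

    amount = order.find("amount")
    if ex_type == "LV" and amount is not None and amount.get("currencyCode") == "EUR":
        # value is in minor units; exponent is the number of decimal places.
        value = Decimal(amount.get("value", "0")).scaleb(-int(amount.get("exponent", "0")))
        if value >= 30:
            problems.append(f"LV requested for {value} EUR (must be less than 30 EUR)")

    session_id = order.findtext("deviceSession/sessionId")
    if session_id is not None and not UUID_RE.fullmatch(session_id.strip()):
        problems.append("deviceSession sessionId is not in 8-4-4-4-12 UUID format")
    return problems


def sample_order(exemption: str, amount: str, session_id: str) -> bytes:
    # Constructed input, cut down from the full payment request example above.
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE"><submit>
<order orderCode="YOUR_ORDER_CODE">
  <amount value="{amount}" currencyCode="EUR" exponent="2"/>
  <paymentDetails><CARD-SSL/><session shopperIPAddress="127.0.0.1" id="s1"/></paymentDetails>
  {exemption}
  <deviceSession><sessionId>{session_id}</sessionId></deviceSession>
</order></submit></paymentService>""".encode()


if __name__ == "__main__":
    bad = sample_order('<exemption type="LV"/>', "4500", "not-a-uuid")
    for problem in lint_order(bad):
        print(problem)
```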

Reports

Reports are generated in the Merchant Admin Interface (MAI). Use these reports to review the performance of the Exemption Engine and refine your experience with us.

See the MAI guide for