Strong Customer Authentication (SCA) - 3DS & Exemptions

SCA is an EU regulation under the second Payment Services Directive (PSD2). It aims to add more layers of security to online payments and reduce fraud.

Learn when SCA applies and when it does not

Two products help you achieve compliance:

3DS

The issuer performs a risk and identity check, giving both liability shift and SCA compliance.

SCA Exemptions

Worldpay performs a risk check, removing the checkout friction caused by 3DS challenges.

Enable SCA Exemptions in our Payments API

Ask for an SCA Exemption to be applied automatically as part of our Payments API


Coming Soon

Use our standalone SCA Exemptions API

Send a dedicated SCA Exemptions API request and receive an outcome containing a granted exemption. Apply this in the Access card payments API.

Liability Shift

Liability for fraudulent transactions passes to the issuer when 3DS is applied. A successful frictionless/challenge outcome is only an indication of liability shift. The shift itself happens when the 3DS data is applied in the payment request.


When SCA applies

SCA applies to countries in the EEA (European Economic Area) and is required for certain transaction types.

Scenario | Description
Customer Initiated Transaction (CIT) | e.g. online card payment
Recurring order | Applies to the first Customer Initiated Transaction (CIT) in a Merchant Initiated Transaction (MIT) series, for example:
  • Initial payment is made then a monthly charge (online delivery of household supplies e.g. milk/bread)
  • No initial payment is made until the first monthly instalment (Free trial subscription e.g. Spotify/Netflix). For this an account verification can be used to apply the 3DS authentication details as there is no initial payment.
  The challenge.preference in the 3DS authentication request must be set to challengeMandated.
Add card to account | Strong recommendation to use when adding new cards to an online account (e.g. add a card to Amazon/eBay account). The challenge.preference in the 3DS authentication request must be set to challengeMandated.

When SCA does not apply

Scenario | Description
SCA Exemption | Under certain conditions you can bypass the need for 3DS whilst still remaining SCA compliant
  • Low Value - Order is under €30
  • Low Risk - Transactions through Worldpay (acquirer) are maintained below a set Fraud threshold
  Liability is shifted to the Exemption provider (e.g. Worldpay) instead of the issuer for this case.
Recurring payments (after initial CIT, see table above) | Recurring payments where the customer is not present do not require SCA
MOTO Payments | e.g. Telephone, In-store
One Leg Out | If the issuing bank or acquirer is outside the EEA (European Economic Area)
Corporate Payments | Virtual cards, used for things such as booking travel.
Whitelist (trusted Businesses) | Cardholder can whitelist a merchant to avoid future 3DS checks
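
The two tables above, combined into a single pre-flight check. This is an added example, not Worldpay code: the Txn type, its field names and the route/reason labels are hypothetical, and only challenge.preference = challengeMandated comes from this page. The order in which the rules are checked is an assumption.

```python
from dataclasses import dataclass

# Added example, not Worldpay code. Txn and its field names are hypothetical;
# only challenge.preference = challengeMandated is taken from the page.
EEA = frozenset(("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
                 "PL PT RO SK SI ES SE IS LI NO").split())  # EU-27 + IS, LI, NO

@dataclass
class Txn:
    kind: str              # cit | recurring_first | recurring_subsequent | add_card | moto
    amount_minor: int      # EUR minor units (cents)
    issuer_country: str    # ISO 3166-1 alpha-2
    acquirer_country: str
    corporate_card: bool = False
    whitelisted: bool = False   # cardholder has whitelisted this merchant

def sca_decision(t: Txn) -> dict:
    """Map a transaction onto the scenarios in the two tables."""
    if t.issuer_country not in EEA or t.acquirer_country not in EEA:
        return {"route": "out_of_scope", "reason": "one_leg_out"}
    if t.kind == "moto":
        return {"route": "out_of_scope", "reason": "moto"}
    if t.kind == "recurring_subsequent":
        return {"route": "out_of_scope", "reason": "recurring_after_initial_cit"}
    if t.corporate_card:
        return {"route": "out_of_scope", "reason": "corporate_payment"}
    # Assumption: the mandated-challenge scenarios are checked before the
    # whitelist and low-value rules, so a small first instalment or a
    # zero-amount account verification is never downgraded to an exemption.
    if t.kind in ("recurring_first", "add_card"):
        return {"route": "3ds", "reason": t.kind,
                "challenge": {"preference": "challengeMandated"}}
    if t.whitelisted:
        return {"route": "out_of_scope", "reason": "whitelist"}
    if t.amount_minor < 3000:   # Low Value: order under EUR 30
        return {"route": "exemption", "reason": "low_value"}
    # Low Risk depends on the acquirer's fraud threshold, which cannot be
    # evaluated locally, so it is not modelled and the rest goes to 3DS.
    return {"route": "3ds", "reason": "cit"}
```

The "add_card" case is a strong recommendation on this page rather than a requirement; the example treats it as mandatory.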