3DS Authentication and SCA Exemptions

Read a condensed guide to SCA and understand when SCA applies and when it does not.

3DS

Issuer-performed risk and identity check, giving both liability shift and SCA compliance.

SCA Exemptions

Worldpay-performed risk checks and granting of TRA (Transaction Risk Analysis) exemptions, reducing 3DS checkout friction.

Enable SCA Exemptions in our Payments API


Ask for an SCA Exemption to be applied automatically as part of our Payments API


Coming Soon

Use our standalone SCA Exemptions API


Send a separate SCA Exemptions API request and receive an outcome containing a granted exemption. Apply this in the Card Payments API.


A condensed guide to SCA (Strong Customer Authentication)

SCA is an EU regulation under the second Payment Services Directive (PSD2). The aim is to add more layers of security to online payments and reduce fraud.

When SCA applies

SCA applies to countries in the EEA (European Economic Area) and is required for certain transaction types.

Scenario | Description
Customer Initiated Transaction (CIT) | Online card payment where the customer is present
Recurring order - setup of agreement (CIT) | Applies to the first Customer Initiated Transaction (CIT) in a Merchant Initiated Transaction (MIT) series, for example:
  • Initial payment is made, then a monthly charge (monthly subscription, e.g. Spotify)
  • No initial payment is made until the first monthly instalment (free trial subscription, e.g. Netflix). For this you can use an account verification to apply the 3DS authentication details, as there is no initial payment.

    The challenge.preference in the 3DS authentication request must be set to challengeMandated.
Add card to account | Strongly recommended when adding new cards to an online account (e.g. adding a card to an Amazon/eBay account without a payment). The challenge.preference in the 3DS authentication request must be set to challengeMandated.

When SCA does not apply

Scenario | Description
lowRisk/lowValue (see SCA Exemption) | Under certain conditions you can bypass the need for 3DS whilst still remaining SCA compliant:
  • lowValue - Order is under €30
  • lowRisk - Transactions through Worldpay (acquirer) are maintained below a set fraud threshold
  Note: Liability is shifted to the exemption provider (e.g. Worldpay) instead of the issuer for this case.

  You should only request exemptions for Customer Initiated Transactions (CIT) where no initial card storage is taking place. For example:
  • Guest card payment - a one-off payment
  • Subsequent payment using previously stored card details
MIT (Merchant Initiated Transactions) | Recurring payments where the customer is not present do not require SCA.

  The initial setup of the agreement, which is a CIT, is in scope (see the table above).
MOTO Payments | e.g. telephone, in-store
One Leg Out | If the issuing bank or acquirer (e.g. Worldpay) is outside the EEA (European Economic Area)
Corporate Payments | Virtual cards, used for things such as booking travel
Whitelist (trusted businesses) | Cardholder can whitelist a merchant to avoid future 3DS checks

Liability Shift

Liability shifts to the issuer if:

  • 3DS authentication is successful using either a frictionless flow (issuer only performs a risk check) or a challenge flow (additional identity check), and
  • the proof of a successful 3DS authentication is applied to the payment request (successfully authorized)
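
The two scenario tables and the liability rules above can be combined into one merchant-side routing decision. The following is an added example, not Worldpay code: the Txn fields, the sca_route function and its result keys are hypothetical, the order of the checks is an assumption, and the whitelist row is not modelled. Only challenge.preference, challengeMandated and the €30 limit come from this page.

```python
from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30  # page: lowValue applies when the order is under €30


@dataclass
class Txn:
    """Hypothetical merchant-side view of an order (not a Worldpay API object)."""
    customer_present: bool         # True = CIT, False = MIT
    amount_eur: float = 0.0
    channel: str = "ecom"          # "ecom" or "moto"
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    corporate_card: bool = False
    stores_card: bool = False      # add-card, or first CIT of an MIT series


def sca_route(t: Txn) -> dict:
    # Rows of "When SCA does not apply" (checking them first is an assumption).
    if t.channel == "moto":
        return {"route": "out_of_scope", "reason": "MOTO"}
    if not (t.issuer_in_eea and t.acquirer_in_eea):
        return {"route": "out_of_scope", "reason": "one leg out"}
    if t.corporate_card:
        return {"route": "out_of_scope", "reason": "corporate payment"}
    if not t.customer_present:
        return {"route": "out_of_scope", "reason": "MIT"}
    # CIT that stores the card: 3DS with a mandated challenge, and no
    # exemption request, even when the amount is under the lowValue limit.
    if t.stores_card:
        return {"route": "3ds", "challenge.preference": "challengeMandated",
                "liability_if_successful": "issuer"}
    # Guest payment or payment with an already stored card: an exemption may
    # be requested. Whether lowRisk is granted is the provider's decision.
    kind = "lowValue" if t.amount_eur < LOW_VALUE_LIMIT_EUR else "lowRisk"
    return {"route": "request_exemption", "candidate": kind,
            "liability_if_granted": "exemption provider",
            "if_not_granted": "3ds"}  # assumption: SCA still applies to the CIT
```

A free-trial signup with no initial payment goes through the stores_card branch, so it is routed to 3DS with a mandated challenge rather than being treated as a lowValue order.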