Maintenance Work Notice!
Due to updates, this documentation may not be available between 12:00 and 12:30 CET on 11/06/2025. Thank you for your understanding.
SCA will be required when:
As a rule of thumb, when cardholder authentication was performed through 3-D Secure, merchants are typically protected against e-commerce fraud-related disputes and liability shifts from the merchant / acquirer to the issuer. There are exceptions to merchant dispute protection though. In the context of 3-D Secure 2.0 merchants are regularly not protected if granted exemptions according to PSD2 RTS were actively requested by merchant / acquirer.
The following diagram depicts options and liabilities under PSD2 RTS requirements according to MasterCard.
Cardholders must be provided with detailed information about how their data is collected, used and processed. This can be ensured via a Privacy Notice including at a minimum the types of data being processed, the purposes of their processing, data uses, etc. Card organizations and Issuers will not use EMV 3-D Secure data for other purposes than fraud prevention and authentication. It excludes the usage of personal data for other purposes, such as sales, marketing and data mining (other than fraud prevention as purpose) activities.
There are some important exemptions to SCA according to the regulatory technical standards (RTS) that may apply in various conditions which are depicted in the following diagram.
An acquirer may be allowed to not apply SCA due to to low fraud rates and TRA. For these exemptions there are various processing options available as depicted in the diagram below.
As a standard, Pay-Jet Cockpit will submit (where supported) applicable exemptions through the EMV 3-D Secure authentication flow to the issuer to achieve best possible authorization approval rates.
EBA-Op-2018-04, Paragraph 47 - Clarification on PSP (Acquirer Fraud Rates)
To handle the amount of additional non-payment data and to maintain downward compatibility as much as possible Pay-Jet decided to version its Cockpit card interface via the additional data element MsgVer. The upgraded API is still based on key-value pairs but relies heavily on Base64 encoded JSON objects to aid readability and client-side scripting.
Merchants will still be able to use our classic interface for requests even with 3-D Secure 2.0 but there are some limitations:
For these reasons it is highly recommended to upgrade to version 2.
In case a transaction is missing SCA, issuers might respond with so-called soft declines. This means that the transaction authorization request is declined by the issuer, however, the same transaction can be initiated again. The main reason for soft declines emerging in the context of 3D Secure is that issuers are not accepting SCA exemptions requested by the merchant when such is sent directly to authorization or when the merchant requests payment without authentication being carried out beforehand. The best practice is to restart the payment including 3-D Secure.
With Automated Soft Decline Handling feature, configuration based, Pay-Jet Cockpit will react to the soft decline response by automatically restarting the payment forcing SCA. Pay-Jet Cockpit will then automatically create a new payment on behalf of the merchant and include 3-D Secure flow.
A cardholder might opt to add a merchant to a list of trusted beneficiaries maintained at the issuer to exempt this particular merchant from SCA with future payments. This will usually occur during a cardholder challenge but cardholder's might also be able to manage a list of trusted beneficiaries through their banking app for instance.
Merchants may benefit from a whitelist exemption if requested and if a cardholder challenge is not required otherwise.
Recurring transactions are a series of transactions processed following an agreement between a cardholder and a merchant where the cardholder purchases goods or services over a period of time and through a number of separate transactions with the same amount. The initial transaction must be authenticated (i.e. cardholder initiated transaction (CIT)). Subsequent recurring payments are out of scope of RTS SCA since they are regularly merchant initiated (i.e. without customer being in session).
Issuers may exempt transactions from SCA provided that the following conditions are met:
Please note that low-vale exemptions must be requested to be considered for a frictionless authentication flow.
Acquirers and issuers are allowed not to apply SCA provided the overall fraud rate is not higher than the reference fraud rate for the exemption threshold value (ETV) specified in the table below and where the risk-based assesment of each individual transaction can be considered as low risk.
ETV | Card-based payments |
---|---|
EUR 500 | 1 bps |
EUR 250 | 6 bps |
EUR 100 | 13 bps |
One-leg out transactions are such transactions where either the payer’s payment service provider or the payee’s payment service provider are located outside the European Union.
Payment service provider in the context of a card based transaction and in the spirit of the PSD2 are regularly acquirer and issuer.
Thus, neither the nationality of the cardholder nor the merchant's business location are relevant for the assessment whether a transaction is out of scope due to the 'one-leg out' rule.