The European Union’s Second Payment Services Directive (PSD2) was implemented to strengthen the security of the EU’s payment market and ultimately provide a smooth payment environment for both merchants and customers.
The heightened security that this directive demands has arguably led some EU and UK businesses to see massive, potentially destabilizing dropoffs in payment acceptance rates. This is because the Strong Customer Authentication (SCA) that is baked into the PSD2 cake includes a 3-D Secure gateway, a moment of high customer friction.
In an internal review of proprietary data, Barclays Bank reports that its UK merchants were losing over $2.3 million a day to payments that were potentially valid but routed through nonsecure channels and thus declined, while some industries report overall payment drop-offs of up to 40% after SCA implementation.
Rather than restructuring around a new profit model, careful use of the SCA exemptions is the clearest path to recouping ROI. The most popular and easily managed of these is the TRA exemption.
What Is a Transaction Risk Analysis (TRA) Exemption?
A Transaction Risk Analysis (TRA) exemption is a guideline created to avoid routing traffic that poses a low risk through a high-friction security gateway like 3DS. It’s a way to implement a dynamic friction strategy, to ensure that the experience of legitimate customers isn’t weighed down by unnecessary friction. Instead, this will only happen to those customers we aren’t certain about.
For a transaction to qualify as TRA exempt, and thus to safely be routed around the inconvenience of 3DS, there are certain thresholds involving the risk level of the transaction and the payment environment that must be observed.
Broadly, the two halves of potential TRA exemption fall into the jurisdiction of the payment acquirer and the payment issuer.
What Is Required for a TRA Exemption for an Acquirer?
To qualify for a TRA exemption, the acquiring bank must maintain an acceptably low overall fraud rate and prove that it conducts real-time checks on transactions and users for signs of fraud. The maximum amount of money in a payment that can be TRA exempt also depends on the merchant’s overall fraud rate, while any transactions over €500 will always require an SCA check.
The overall fraud rate is reported quarterly, while the European Banking Authority describes the necessary fraud prevention technology as being able to detect characteristics that indicate high fraud risk. To do so, the software will implement approaches such as:
- Behavioral analysis that answers questions such as: Is this behavior normal? Has this user’s activity suddenly changed? Fraud solutions like SEON have in place velocity checks and customizable rulesets that can be adjusted to look for transactions above average thresholds and other indicators.
- Device and browser fingerprinting to check if the devices accessing the website are already known to the system, as well as whether the person is using suspicious setups.
- Pattern matching that checks whether the transaction fits any known pattern of fraud, for example too many transactions sharing similar email addresses and passwords.
- Checking the location data for signs of high-risk or sanctioned countries involved in the payment chain. Is the delivery address, acquirer country, or digital registration location on a blacklist? Is it otherwise unusual? What does IP address data enrichment reveal? Do the card registration details, IP and delivery address match up, or could the latter be a drop address used by a criminal?
Should your risk analysis software pick up on any particular warning signs among these signals, a TRA exemption should not be requested nor granted. Allowing such a customer to check out without SCA would leave the company open to fines while also risking an increase in fraud events and the overall fraud rate.
Fraud rates are considered and balanced against the size of an individual transaction to determine whether or not they qualify. If the payment service provider’s fraud rate does go up, more of its transactions will have to pass through high-friction security checkpoints, potentially impacting individual merchants’ and acquirers’ levels of customer churn.
Of course, the merchant and PSP will want to check individual users for signs of fraudulent behavior as well. If they don’t do so, the likelihood is high that fraudsters will be allowed through the TRA exemption gateway, affecting their bottom line. This can be achieved with a fraud prevention solution. It is advisable to use such software to conduct real-time lookups.
Fraud Rate to Transaction Amount Thresholds
| Issuer/Merchant Fraud Rate | Transaction Amount |
| --- | --- |
| If your fraud rate is less than 0.13%… | transactions between €0–€100 can be SCA exempt |
| If your fraud rate is less than 0.06%… | transactions between €0–€250 can be SCA exempt |
| If your fraud rate is less than 0.01%… | transactions between €0–€500 can be SCA exempt |
This table explains the transaction amount thresholds that are allowed based on the merchant’s current fraud rate. As it demonstrates, merchants and acquirers who maintain a low-fraud environment can invite more customers to a frictionless checkout experience – and thus reap the benefits.
Notably, transactions over €500 require SCA and 3DS regardless of risk analysis.
It is also important to note that a payment services provider’s fraud rate needs to be updated and refreshed every 90 days. When an acquirer requests a TRA exemption for a particular transaction, the liability for any crime or fraud that results from this exemption is the PSP’s.
What Is Required for a TRA Exemption for an Issuer?
On the other side of the coin, TRA exemptions can also be requested by the issuing bank without any particular requirements. Even if the merchant or payment services provider on the acquiring side has not requested a TRA exemption, the issuer can still request one.
This is only advisable for the issuer if they feel they can trust the PSP, because the issuing bank – which issues the cards and transfers the funds – assumes full liability for that transaction. If the issuer allows fraud to occur, it will still be held accountable for any fines or reprimand.
In these cases, issuer-side TRA exemptions will immediately trigger a frictionless shopping experience for the customer, with no SCA required or applied.
Why Are TRA Exemptions Important in PSD2?
TRA exemptions allow banks and neobanks to both be compliant with PSD2’s SCA and minimize friction to the lowest possible safe degree in order to deliver a better customer experience and minimize losses from customer churn.
PSD2 was nominally designed to encourage economic innovation and to strengthen the security of personal data and protections against crime and fraud. This might be a struggle for those companies trying to find the balance between staying afloat and staying compliant. In fact, fines for PSD2 noncompliance scale up all the way to €20 million.
While PSD2 was being drafted, SCA’s effects on both transaction approval and customer friction were measured, and lawmakers did not ignore the statistics. This is why TRA exemptions, among others, were created: to provide a low-friction path for PSPs to continue being a part of a healthy and safe digital economy.
Make no mistake – though SCA and 3DS may lead to lower returns, the writers of the mandates certainly define a healthy economy as a bustling one, hopefully leading to a better quality of life for all parties involved. This is why TRA exemptions exist, as well as other exemptions that allow merchants to keep friction low.
It is not yet known what changes PSD3 will bring into the fold.
What Other Exemptions Exist in PSD2?
Though TRA exemptions are certainly the widest tunnel through which to drive your ROI bus, SCA defines a number of additional exemptions that can help keep friction low and returns high, including low-value exemptions, whitelists and fixed-amount payments.
Specifically, other ways to exempt customers from SCA during transactions include:
- Low-value exemptions: These take place when the value of an individual sale is less than €30. However, if there are consecutive transactions that eventually total more than €100, SCA must be triggered.
- Whitelisting: Some card issuers will allow cardholders to whitelist merchants they trust – if they so choose. When shopping from them, the cardholder will not be asked to complete SCA again.
- Subscriptions and fixed-amount payments: Similarly, subscription payments and recurring fixed-amount payments can be added to an SCA exemption list with the card issuer, though only after the initial payment and SCA check are completed.
- Secure corporate payments: Verifiably secure corporate payments can be exempted from SCA, which includes industries like enterprise travel agencies and virtual card issuers.
- Delegated authentication: In this case, a company delegates its SCA responsibility to a responsible third party, often a fraud prevention consultancy or another authentication service.
Measuring exactly which transactions fall inside these rules can be complicated, so applying software to the transaction data is a crucial part of an efficient workflow.
Many fraud solutions offer such a service, as do exemption engines.
What Is an Exemption Engine?
Ultimately seeking to minimize UX friction, ecommerce companies can employ software called exemption engines to help automate which transactions qualify for TRA or other exemptions, and which ones need to be put through SCA.
Like many risk-based fraud solutions, exemption engines will analyze the profiles of users and their transactions for signs of malicious intent.
If the transaction falls within the acceptable threshold for exemption, the software must perform real-time checks on user behavior and potential risk signals.
From there:
- If the user’s overall risk score is low enough, they will be treated to a frictionless customer journey.
- If the user’s score is higher, they will be directed to the 3DS/SCA step.
Exemption software will categorically look to maximize the number of frictionless journeys because the intended outcome is cutting down on churn, minimizing cart abandonment, and saving on the costs associated with 3DS.
Some software also manages what type of 3DS will be applied to certain transactions, providing the lowest-friction option possible that is also compliant.
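The decision flow just described, combined with the fraud-rate-to-amount thresholds table and the low-value cumulative rule from the earlier sections, can be written out as a small routing function. The following is an added example, not SEON’s code or any real exemption engine; the €500 hard limit, the three TRA ceilings, the €30 low-value limit and the €100 cumulative cap are taken from this page, while the signal names, the numeric risk-score cut-off, and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Amount ceilings for a TRA exemption by the PSP's reference fraud rate, from the
# thresholds table on this page. Rates are fractions (0.13% == Decimal("0.0013"));
# a rate at or above 0.13% gets no TRA ceiling at all.
TRA_CEILINGS = (
    (Decimal("0.0001"), Decimal("500")),   # < 0.01%  -> up to EUR 500
    (Decimal("0.0006"), Decimal("250")),   # < 0.06%  -> up to EUR 250
    (Decimal("0.0013"), Decimal("100")),   # < 0.13%  -> up to EUR 100
)
SCA_HARD_LIMIT = Decimal("500")      # above this, SCA always applies regardless of risk
LOW_VALUE_LIMIT = Decimal("30")      # per-transaction limit for the low-value exemption
LOW_VALUE_RUN_CAP = Decimal("100")   # consecutive exempted total beyond which SCA is forced

# Assumed cut-off for a "low enough" risk score; the page gives no specific number.
RISK_SCORE_LIMIT = 20


@dataclass
class Transaction:
    amount: Decimal
    signals: dict = field(default_factory=dict)  # named risk signals; True = fired
    risk_score: int = 0                          # output of a (hypothetical) scoring model


@dataclass
class CardholderState:
    """Running total of low-value exemptions since the cardholder last completed SCA."""
    exempt_run_total: Decimal = Decimal("0")


def fraud_rate(fraud_value, total_value):
    """Reference fraud rate for a reporting period: fraudulent value / total value."""
    if total_value <= 0:
        raise ValueError("total_value must be positive")
    return Decimal(fraud_value) / Decimal(total_value)


def tra_ceiling(rate):
    """Highest amount eligible for a TRA exemption at this fraud rate, or None."""
    for max_rate, ceiling in TRA_CEILINGS:
        if rate < max_rate:
            return ceiling
    return None


def route(txn, rate, state):
    """Decide how one transaction is routed and update the cardholder's low-value run.

    Returns "TRA_EXEMPT", "LOW_VALUE_EXEMPT" or "SCA_REQUIRED".
    """
    fired = [name for name, hit in txn.signals.items() if hit]
    if fired or txn.risk_score > RISK_SCORE_LIMIT:
        # Any warning sign means no exemption is requested; SCA resets the run.
        state.exempt_run_total = Decimal("0")
        return "SCA_REQUIRED"
    if txn.amount > SCA_HARD_LIMIT:
        state.exempt_run_total = Decimal("0")
        return "SCA_REQUIRED"
    ceiling = tra_ceiling(rate)
    if ceiling is not None and txn.amount <= ceiling:
        return "TRA_EXEMPT"
    if (txn.amount < LOW_VALUE_LIMIT
            and state.exempt_run_total + txn.amount <= LOW_VALUE_RUN_CAP):
        state.exempt_run_total += txn.amount
        return "LOW_VALUE_EXEMPT"
    state.exempt_run_total = Decimal("0")
    return "SCA_REQUIRED"


if __name__ == "__main__":
    # Constructed sample: EUR 50 of confirmed fraud on EUR 100,000 volume -> 0.05%
    rate = fraud_rate(Decimal("50"), Decimal("100000"))
    print("TRA ceiling at", rate, "is", tra_ceiling(rate))
    state = CardholderState()
    samples = [
        Transaction(Decimal("180")),
        Transaction(Decimal("180"), signals={"ip_country_mismatch": True}),
        Transaction(Decimal("600")),
        Transaction(Decimal("25"), risk_score=35),
    ]
    for txn in samples:
        print(txn.amount, route(txn, rate, state))
```

The order of checks matters: risk signals and the €500 ceiling are evaluated before any exemption so that a flagged user is never routed around 3DS, and the low-value run counter is only reset when the transaction actually goes through SCA.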
How Can SEON Help With Transaction Risk Analysis (TRA) Exemptions?
SEON’s risk-based fraud analysis can be used to optimize TRA exemptions. The SEON platform can effectively be used as an exemption engine that does not just keep you safe but also minimizes friction as much as possible without risking your revenue and growth.
Firstly, it will allow you to keep your overall fraud rate low, thus qualifying for more potential exemptions in the first place.
The metrics detailed above can all be added to SEON’s custom rulesets, so transactions that fall within the limits of TRA exemption can be handled in a compliant manner.
As well as this, the SEON blanket is woven with the real-time data lookups that the law requires, and it can, of course, be used to cover the risk signals mandated by PSD2.
Automating this process helps companies secure their returns by cutting down on costs from actual 3DS checks, decreasing cart abandonment, and, naturally, reducing losses to fraud and fraudulent chargebacks.
Sources
- Barclaycard: Strong Customer Authentication leads to drop in online card fraud, but non-compliant businesses miss out on £2.07 million in sales every day
- Nethone: The Countdown: PSD2 SCA is coming your way