TRA Exemptions in PSD2 to Reduce Friction and Boost Your ROI

The Second Payment Services Directive (PSD2) introduced mandatory Strong Customer Authentication (SCA) across the EU’s payment market — and with it, a friction problem. Routing transactions through a 3-D Secure (3DS) gateway keeps payments secure, but it also disrupts legitimate customers. Some industries reported payment dropoffs of up to 40% after SCA implementation.

TRA exemptions exist to solve that. They let merchants and payment service providers route low-risk transactions around 3DS entirely, keeping the checkout experience clean without compromising compliance.

What Is a Transaction Risk Analysis (TRA) Exemption? 

A Transaction Risk Analysis (TRA) exemption is a guideline that lets low-risk traffic bypass a high-friction security gateway like 3DS. It's a way to implement a dynamic friction strategy, so that the experience of legitimate customers isn't weighed down by unnecessary friction. The extra authentication step is reserved for the customers we aren't certain about.

For a transaction to qualify as TRA exempt, and thus to safely be routed around the inconvenience of 3DS, there are certain thresholds involving the risk level of the transaction and the payment environment that must be observed.

Broadly, TRA exemptions come in two halves: those that fall under the payment acquirer and those that fall under the payment issuer.

TRA-compliant risk decisions aren’t binary rule checks — they require contextual understanding of user behaviour, payee legitimacy and transactional anomalies at the exact moment a payment is initiated.

Nauman Abuzar, Director of AML & Risk Solutions

How Can An Acquirer Qualify for a TRA Exemption?

To qualify for a TRA exemption, the acquiring bank must maintain an acceptably low overall fraud rate and prove that it conducts real-time checks on transactions and users for signs of fraud. The maximum amount of money in a payment that can be TRA-exempt also depends on the merchant’s overall fraud rate, while any transactions over €500 will always require an SCA check.

The overall fraud score is reported quarterly. The European Banking Authority describes the necessary fraud prevention technology as capable of detecting characteristics indicative of high fraud risk, the kind of real-time signal processing PSPs must now operationalise at scale.

To do so, the software will implement approaches such as:

  • Behavioral analysis that flags sudden changes in user activity, transactions above average thresholds and other anomalies through velocity checks and customizable rulesets.
  • Device fingerprinting that identifies whether the device accessing the platform is already known to the system or is running a suspicious configuration.
  • Pattern matching that detects repeated use of similar email addresses, passwords or transaction details indicative of coordinated fraud.
  • Location checks that use IP fraud scores to verify whether the IP address, delivery address and card registration details align and to flag high-risk or sanctioned countries in the payment chain.

Should your fraud management tool identify any particular warning signs among these signals, a TRA exemption should neither be requested nor granted. Allowing such a customer to check out without SCA would expose the company to fines while also increasing fraud events and the overall fraud rate.

Fraud rates are considered and balanced against the size of each transaction to determine whether they qualify. If the payment service provider’s fraud rate increases, more of its transactions will have to pass through high-friction security checkpoints, potentially affecting individual merchants’ and acquirers’ customer churn rates.

Of course, the merchant and PSP will want to check individual users for signs of fraudulent behavior as well. If they don’t do so, the likelihood is high that fraudsters will be allowed through the TRA exemption gateway, which will affect their bottom line. This can be achieved with a fraud prevention solution. It is advisable to use such software to conduct real-time lookups.

Fraud Rate to Transaction Amount Thresholds

| Issuer/Merchant Fraud Rate | Transaction Amount |
|---|---|
| If your fraud rate is less than 0.13%… | transactions between €0–€100 can be SCA exempt |
| If your fraud rate is less than 0.06%… | transactions between €0–€250 can be SCA exempt |
| If your fraud rate is less than 0.01%… | transactions between €0–€500 can be SCA exempt |

This table explains the transaction amount thresholds that are allowed based on the merchant’s current fraud rate. As it demonstrates, merchants and acquirers who maintain a low-fraud environment can invite more customers to a frictionless checkout experience – and thus reap the benefits.

Notably, transactions over €500 require SCA and 3DS regardless of risk analysis. 

It is also important to note that a payment services provider’s fraud rate needs to be updated and refreshed every 90 days. When an acquirer requests a TRA exemption for a particular transaction, the liability for any crime or fraud that results from this exemption is the PSP’s.

What Is Required for a TRA Exemption for an Issuer?

Issuers can request a TRA exemption independently, even if the acquiring side has not. There are no mandatory requirements to meet, but the issuer assumes full liability for any fraud that results from the exemption, regardless of whether the PSP is at fault.

When an issuer grants the exemption, the transaction bypasses SCA entirely, giving the cardholder a frictionless checkout experience.

Why Are TRA Exemptions Important in PSD2?

PSD2’s SCA requirement was designed to reduce fraud, but it introduced a direct tradeoff with conversion. Routing every transaction through 3DS protects the payment chain; it also adds friction that leads legitimate customers to abandon checkout. TRA exemptions address that tension, giving PSPs a compliant path to frictionless checkout for transactions that don’t warrant the additional step.

The stakes for getting compliance wrong are real. Fines for PSD2 noncompliance have reached €20 million, underscoring that exemptions aren’t just a conversion tool but part of a sound compliance strategy.

What comes next is still open. PSD3 is in progress, and its treatment of SCA exemptions and TRA thresholds will likely reshape how PSPs approach this balance.

What Other Exemptions Exist in PSD2?

TRA exemptions cover the most ground, but SCA defines several additional exemptions worth knowing:

  • Low-value exemptions apply to individual transactions of less than €30. Once a cardholder’s cumulative exempt transactions reach €100, or after five consecutive exempt transactions, SCA is required.
  • Whitelisting allows cardholders to designate trusted merchants with their card issuer. Subsequent transactions with those merchants bypass SCA automatically.
  • Subscriptions and fixed-amount recurring payments can be exempted after the initial transaction, provided the transaction completes a full SCA check before the exemption applies.
  • Secure corporate payments made through dedicated business payment processes, such as those used by enterprise travel agencies or virtual card issuers, can qualify for exemption.
  • Delegated authentication allows a merchant or third party to handle SCA on behalf of the issuer, provided they meet the required security standards.

Determining which transactions qualify across these categories in real time is where exemption engines add practical value, automating the routing logic so the right transactions get the frictionless path without manual intervention.
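
The routing logic described above, as an added example that is not SEON's code or part of the original article: it applies this page's fraud-rate table and low-value counters to one payment at a time. The names CardCounters, route and the risk-flag strings are hypothetical, and it assumes that any risk flag forces SCA, that TRA is tried before the low-value exemption, and that a completed SCA restarts the counters.

```python
from dataclasses import dataclass
from decimal import Decimal

# From the page's table: the fraud rate (%) must be BELOW the first value
# for payments up to the second value (EUR) to be TRA exempt.
TRA_TIERS = [(Decimal("0.01"), Decimal("500")),
             (Decimal("0.06"), Decimal("250")),
             (Decimal("0.13"), Decimal("100"))]
LOW_VALUE_LIMIT = Decimal("30")    # a single payment must be under EUR 30
CUMULATIVE_LIMIT = Decimal("100")  # exempt total since the last SCA
CONSECUTIVE_LIMIT = 5              # exempt payments in a row since the last SCA


@dataclass
class CardCounters:
    """Low-value exemption counters for one card (hypothetical structure)."""
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0


def tra_ceiling(fraud_rate_pct: Decimal) -> Decimal:
    """Largest amount TRA can cover at this fraud rate (0 means none)."""
    for rate_limit, ceiling in TRA_TIERS:  # strictest tier first
        if fraud_rate_pct < rate_limit:
            return ceiling
    return Decimal("0")


def _sca(card, reason):
    # Assumption: the SCA challenge succeeds, which restarts the counters.
    card.exempt_total, card.exempt_count = Decimal("0"), 0
    return "SCA", reason


def route(amount, fraud_rate_pct, risk_flags, card):
    """Return (path, reason); path is 'EXEMPT' or 'SCA'."""
    amount = Decimal(str(amount))
    if amount <= 0:
        raise ValueError("amount must be positive")
    if risk_flags:  # any warning sign: do not request an exemption
        return _sca(card, "risk signals: " + ", ".join(sorted(risk_flags)))
    if amount <= tra_ceiling(Decimal(str(fraud_rate_pct))):
        return "EXEMPT", "TRA"  # does not consume the low-value counters
    if (amount < LOW_VALUE_LIMIT
            and card.exempt_count < CONSECUTIVE_LIMIT
            and card.exempt_total + amount <= CUMULATIVE_LIMIT):
        card.exempt_total += amount
        card.exempt_count += 1
        return "EXEMPT", "low-value"
    return _sca(card, "no exemption applies")
```

Amounts are handled as Decimal so that boundary cases such as €250.00 versus €250.01 are compared exactly.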


How Can SEON Help With Transaction Risk Analysis (TRA) Exemptions?

SEON’s fraud prevention platform functions as an exemption engine, running real-time risk checks required by PSD2 while keeping your overall fraud rate low enough to qualify for TRA exemptions in the first place.

Device intelligence, behavioral analysis and IP fraud scoring feed directly into customizable rulesets, so low-risk transactions are automatically routed around 3DS, and high-risk ones aren’t. The result is fewer unnecessary authentication steps, less cart abandonment and a fraud rate that stays within exemption thresholds.

Every signal SEON surfaces maps to the risk indicators mandated by the European Banking Authority, meaning compliance and conversion optimization run on the same logic, not in opposition to each other.
