SCA Exemptions Under PSD2: A Practical Guide for Payment Teams

Published: June 3, 2026

TL;DR

SCA under PSD2 lets merchants skip the 3DS challenge via four exemptions: low-value transactions under €30, Transaction Risk Analysis, trusted beneficiary, and secure corporate payments. Issuers can still override and demand authentication. Key tradeoff: exemptions boost conversion but kill liability shift, meaning fraud chargebacks land on you, not the issuer. Model the conversion gain against expected fraud loss before applying them aggressively.

SCA Exemptions Explained: How to Reduce Checkout Friction Without Breaking Compliance

SCA is mandatory under PSD2 for customer-initiated online card payments in the EEA and UK. But PSD2 also defines four exemption categories where the challenge step can be skipped without breaking compliance. Those exemptions are a direct conversion rate lever. Most teams either overuse them (absorbing fraud liability they have not modelled) or underuse them (adding friction they do not need).

This article covers each exemption type, how it interacts with 3DS, and what liability each one carries.

How exemptions work technically

An exemption does not mean the transaction skips authentication entirely. It means the merchant or acquirer requests that the challenge step be bypassed for a qualifying transaction. The request is signalled through the 3DS protocol using the challenge indicator field. The issuer's ACS then decides whether to honour the exemption or to override it and require a challenge anyway.

This last point is operationally important: the issuer always has the final say. A merchant can request an exemption; the issuer can decline it, triggering a soft decline that requires the merchant to resubmit with SCA. If your exemption strategy is generating high soft decline rates from certain issuers, this is feedback that should inform how aggressively you apply exemptions on that card population.

The four SCA exemptions

1. Low-value transaction exemption

Transactions below €30 (or local equivalent) may be exempt from SCA. However, velocity controls apply: the exemption is reset if five consecutive low-value payments have been exempted on the same card, or if the cumulative value of consecutive low-value exempt transactions exceeds €100. At either trigger, SCA must be applied before the cycle resets.

In practice, this exemption is most useful for subscription services, digital goods, and low-ticket e-commerce. It requires your system to track exemption velocity per card, a non-trivial implementation requirement if you are managing this outside your PSP's built-in tooling.
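
A per-card velocity tracker for the low-value rule, as an added example (not code from the original article or from any PSP). It assumes counters are keyed by a hypothetical PSP card token, that the payment being evaluated counts toward the €100 total, and that any non-exempt payment completes SCA successfully.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")   # exemption applies below this amount (EUR)
MAX_CONSECUTIVE = 5               # exempted payments allowed since last SCA
MAX_CUMULATIVE = Decimal("100")   # exempted value allowed since last SCA (EUR)

@dataclass
class CardState:
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")

class LowValueTracker:
    """Per-card low-value exemption counters since the last completed SCA."""

    def __init__(self):
        # Keyed by card token (hypothetical PSP token), never the raw PAN.
        self._cards = {}

    def may_request_exemption(self, card_token, amount):
        state = self._cards.get(card_token, CardState())
        # Not low-value, or five payments already exempted: SCA is needed.
        if amount >= LOW_VALUE_LIMIT or state.exempt_count >= MAX_CONSECUTIVE:
            return False
        # Assumption: the candidate payment counts toward the EUR 100 total.
        return state.exempt_total + amount <= MAX_CUMULATIVE

    def record_exempted(self, card_token, amount):
        # Call only after the issuer has accepted the exemption.
        state = self._cards.setdefault(card_token, CardState())
        state.exempt_count += 1
        state.exempt_total += amount

    def record_sca_completed(self, card_token):
        self._cards[card_token] = CardState()  # successful SCA resets the cycle

def simulate(amounts, card_token="tok_demo"):
    """Replay constructed amounts for one card: 'exempt' or 'sca' per payment."""
    tracker = LowValueTracker()
    decisions = []
    for amount in amounts:
        if tracker.may_request_exemption(card_token, amount):
            tracker.record_exempted(card_token, amount)
            decisions.append("exempt")
        else:
            tracker.record_sca_completed(card_token)
            decisions.append("sca")
    return decisions
```

These counters only see your own traffic on the card, so the issuer can still decline an exemption that passes this check.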

2. Transaction Risk Analysis (TRA) exemption

The TRA exemption is the most commercially valuable and the most technically demanding. It allows transactions to be exempt from SCA if the acquiring bank's fraud rate on that transaction tier is below defined thresholds:

  • Sub-€100 transactions: Acquirer fraud rate must be below 0.13%.
  • Sub-€250 transactions: Acquirer fraud rate must be below 0.06%.
  • Sub-€500 transactions: Acquirer fraud rate must be below 0.01%.

The fraud rate thresholds apply to the acquirer, not the merchant individually. In practice, this means the TRA exemption is available to merchants through their acquirer, and the acquirer manages the fraud rate qualification and monitoring. If the acquirer's rate breaches the threshold, TRA exemptions above that tier are suspended until the rate recovers.

TRA is also available to issuers, who may unilaterally decide to grant a frictionless flow even when the merchant has not requested an exemption.

3. Trusted beneficiary exemption

After a cardholder completes a successful SCA-authenticated transaction with a merchant, the merchant can request to be added to the cardholder's trusted beneficiary list. If the cardholder confirms, subsequent transactions with that merchant are exempt from SCA challenges, effectively a pre-approved relationship.

The trusted beneficiary exemption is underused in most markets but is particularly powerful for high-frequency merchants where repeat purchase friction is a meaningful business metric. Implementation requires issuer support for the whitelist functionality, which varies across the card population.

4. Secure corporate payment exemption

Payments made using dedicated corporate cards through secure corporate processes and protocols may be exempt. This applies where a card is not assigned to a specific individual and authentication of a named cardholder is therefore impractical. Coverage is narrower than it might appear: the corporate card must be operating within a defined secure payment environment, not simply any B2B card transaction.

Out-of-scope transactions: different from exemptions

A category of transactions sits outside SCA scope entirely. These are not exemptions applied to in-scope transactions, but rather transactions that PSD2 never covered:

  • Merchant-initiated transactions (MITs): Subsequent charges in a recurring series, installment payments, and other merchant-initiated debits, provided the initial mandate was set up with SCA. The initial setup transaction must be SCA-authenticated.
  • MOTO payments: Mail-order and telephone-order transactions are currently out of scope, though this is under review in the PSD3 proposals.
  • One-leg-out transactions: Where either the acquirer or issuer is outside the EEA/UK, SCA does not apply (though good practice suggests applying it regardless for fraud protection).

The liability tradeoff: what you give up when you apply an exemption

This is the single most important aspect of exemption strategy for payment and finance teams. When an exemption is applied to a transaction, whether low-value, TRA, or trusted beneficiary, and the issuer accepts it, the liability for any resulting fraud chargeback remains with the merchant or acquirer. There is no liability shift.

The liability shift mechanism is specifically tied to full SCA authentication. A transaction processed with an exemption is not authenticated; it has bypassed authentication. If a fraudulent chargeback follows, you absorb the loss.

This creates a direct tradeoff that should be modelled quantitatively: the conversion rate gain from applying an exemption (fewer abandoned checkouts) versus the expected fraud loss rate on exempt transactions (which will be higher than on fully authenticated ones, since the extra verification layer has been removed).
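
One way to put numbers on that tradeoff, as an added example (not a model from the original article). Every figure in SAMPLE is constructed, and the model assumes that a soft-declined exemption falls back to the normal challenge flow, that exempted checkouts convert without abandonment, and that a fraud chargeback costs the goods plus a fixed fee.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    order_value: float        # average order value, EUR
    margin: float             # gross margin as a fraction of order value
    challenge_abandon: float  # share of checkouts lost at the 3DS challenge
    soft_decline: float       # share of exemption requests the issuer overrides
    exempt_fraud: float       # fraud chargeback rate on exempted transactions
    chargeback_fee: float     # fixed cost per chargeback, EUR

def ev_challenge(s):
    """Expected margin per attempt with full SCA (fraud liability shifted)."""
    return (1 - s.challenge_abandon) * s.order_value * s.margin

def ev_exempt(s):
    """Expected margin per attempt when an exemption is requested."""
    good = (1 - s.exempt_fraud) * s.order_value * s.margin
    # On fraud the sale is reversed: cost of goods and the fee are lost.
    fraud = s.exempt_fraud * (s.order_value * (1 - s.margin) + s.chargeback_fee)
    # Issuer override (soft decline) sends the attempt down the challenge path.
    return (1 - s.soft_decline) * (good - fraud) + s.soft_decline * ev_challenge(s)

def break_even_fraud_rate(s):
    """Exempt fraud rate at which both paths yield the same expected margin."""
    return (s.challenge_abandon * s.order_value * s.margin
            / (s.order_value + s.chargeback_fee))

def recommend(s):
    return "exempt" if ev_exempt(s) > ev_challenge(s) else "challenge"

# Constructed figures for illustration only.
SAMPLE = Scenario(order_value=80.0, margin=0.30, challenge_abandon=0.10,
                  soft_decline=0.05, exempt_fraud=0.01, chargeback_fee=15.0)
```

Under these assumptions the break-even fraud rate does not depend on the soft decline rate, because soft-declined attempts earn the same as challenged ones on both sides of the comparison.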

Rule of thumb: TRA exemptions make sense at scale where your acquirer qualifies and your average order value is below the relevant threshold. Low-value exemptions are generally safe in low-fraud product categories. Trusted beneficiary exemptions are a long-term loyalty play, not a quick conversion fix.