Get the edge on PSD2 mandate with Worldpay’s Exemption Engine for Strong Customer Authentication (SCA)
What is SCA?
SCA is an authentication process that verifies the user’s identity by requiring at least two of the following three elements:
- Possession — something the user has, like a credit card or mobile device
- Knowledge — something the user knows, like a password or PIN
- Inherence — something the user is, like a fingerprint or iris scan
For card payments, this generally means that payments need to go through 3DS2 with a step-up challenge. 3DS2 is a new approach that puts shoppers at the center of the authentication process and aligns with the latest technologies that shoppers use. For the time being, however, 3DS1 plus a one-time-password will also generally be accepted as SCA.
SCA is designed to reduce payment fraud. But submitting every online payment to 3DS2 which could lead to a step-up challenge will increase friction that leads to shopper abandonment.
But there’s good news. Worldpay’s Exemption Engine for Strong Customer Authentication (SCA) helps reduce friction at checkout by minimising step-up challenge requests. Read on to learn more about how this solution works.
Worldpay’s Exemption Engine filters all transactions so that any out-of-scope payments won’t be subject to SCA. Out-of-scope payments are EEA transactions that don’t fall under the PSD2 mandate, such as MIT, MOTO, and “one leg out” (those where either the payer or the payee is based outside of the EEA.
Transactions which are in-scope of SCA can still enjoy a frictionless check-out through the use of exemptions. As an acquirer, Worldpay can request payments to be exempt from SCA.
Issuers are incentivised to respond positively as the fraud liability shifts away from them. Exemptions can be applied in both authorisation and authentication.
When the merchant requests an acquirer exemption in authorisation through the Exemption Engine, the payment bypasses the 3DS2 protocol. Instead of the issuer, the acquirer will make the Transaction Risk Analysis (TRA) risk assessment. An issuer will still make a risk assessment using their existing risk systems. If the issuer does not want to honour the acquirer exemption, they can soft decline the transaction which informs the merchant to step up the transaction using 3DS.
When the merchant requests an acquirer exemption in authentication, the payment is still sent through the 3DS2 protocol and the issuer will make a risk assessment based on the available authentication data. If they honour the exemption, the payment will be authenticated frictionless, without a step-up challenge.
Selecting the best exemption strategy
The rules around exemptions are complex. Not every payment will be eligible for an exemption, and most payments will only be eligible for one particular exemption. The success rate of applying an exemption in authorisation depends on how issuers plan to implement their exemption acceptance policies. And with no established standard, issuers differ in their behaviour.
At Worldpay, we believe our merchants should not have to design, build and maintain the logic needed to use exemptions effectively. Instead, they should only have to tell us they’d like to be exempt from SCA, and we’ll take care of it.
Our Exemption Engine has a predictive model that determines and applies the best exemption strategy, tailored to the issuer that will receive the exemption request. This model is kept up-to-date with every interaction Worldpay has with the issuers.
In 2018, Worldpay processed 600 million transactions within the EEA— a volume no other acquirer can match. This gives us all the data we need to create a predictive model that provides our customers the highest SCA exemption rates possible— with the bonus of reducing friction at checkout. You couldn’t ask for a better scenario.