3DS (Three-Domain Secure) is an authentication protocol for online card payments developed by major card networks. The protocol enables cardholders to authenticate transactions online, while also gathering data about the payment which the merchant can then provide to the issuing bank (that is, the cardholder’s bank). This data helps issuing banks determine whether or not to authorise a payment.
The second version, 3DS2, is also specifically designed to meet the regulatory technical standards (RTS) of the European Union's revised Payment Services Directive (PSD2). PSD2 aims to create a more open and competitive payments landscape while also ensuring security and combating fraud for both businesses and individuals.
PSD2 introduces strong customer authentication (SCA) for online payments, which requires cardholders to authenticate using two independent factors drawn from three categories:
- a knowledge element - something only they know, like a password
- a possession element - something only they have, like their phone
- an inherence element - something only they are, like their fingerprint
The regulatory technical standards of PSD2 apply to all customer-initiated online payments where both payment service providers are in the European Economic Area (EEA). These in-scope transactions meet two criteria:
- The customer initiates the transaction, meaning that they are online at the moment of payment. In contrast to these on-session payments, off-session transactions initiated by the merchant are out of scope; this includes some recurring payment models, such as subscriptions and rentals. Note that the cardholder's initial setup of such a recurring arrangement is itself a customer-initiated transaction and is subject to SCA.
- The issuing bank and the acquiring bank are both in the EEA. If either actor is outside the EEA (a "one-leg" payment), the payment is out of scope.
The regulatory technical standards of PSD2 allow transactions to be exempted from SCA. An acquirer requests an exemption in the 3DS2 authentication request, citing the transaction data that 3DS2 carries. The issuer then either accepts the exemption and lets the transaction proceed frictionlessly, or rejects it and challenges the cardholder to complete SCA.
Principles of exemption
Exemptions to SCA are based on four basic principles.
- Not automatic: they must be requested and justified with sufficient information
- Only for acquirer and issuer: merchants cannot request an exemption themselves; they ask their acquirer to do so
- At most one exemption may be requested per transaction
- The issuer makes the final decision to apply or refuse the exemption
Types of exempted transaction
The regulatory technical standards of PSD2 identify types of transactions which may be exempted from SCA.
Cardholders can declare to their issuing bank that they trust a merchant (the "trusted beneficiary" exemption), an option usually offered to payers during authentication. Subsequent transactions with that merchant are then exempted.
Anonymous cards, such as anonymous prepaid cards, give the issuer no visibility of the cardholder's identity, so there is no identified payer to authenticate. These transactions are exempted.
Transactions not exceeding €30 may be exempted from SCA until one of the following limits, counted since the last time SCA was applied on the card, is reached:
- A maximum of five consecutive transactions may be exempted
- A maximum of €100 in cumulated transactions may be exempted
The issuer tracks these counters per card. They have no timeframe, reset whenever SCA is applied, and transactions with any payment service provider (PSP) count towards the limits.
Transactions may be exempted from SCA on the basis of a transaction risk analysis (TRA) performed by the payment service provider, provided the PSP's fraud rate, calculated on a rolling quarterly basis, is low enough. The TRA takes into account information about the transaction, such as delivery address, IP address and basket details. The regulatory technical standards define reference fraud rates; a PSP whose rate is at or below a reference rate may exempt transactions up to the corresponding amount:
- up to €100: fraud rate of 0.13% or below
- up to €250: fraud rate of 0.06% or below
- up to €500: fraud rate of 0.01% or below
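To make the low-value counters and the TRA thresholds above concrete, here is an issuer-side exemption evaluator written for this page as an illustration; it is not code from any card scheme, PSP or 3DS vendor. The counter semantics follow this page's wording (the current transaction is included, and hitting either limit ends the exempt run), the rule that any transaction without SCA extends the run regardless of which exemption it used, and the "one exemption per transaction" principle. All names (`CardCounters`, `evaluate`, `record`, `simulate_low_value`) and the decision structure are assumptions for the example.

```python
"""Issuer-side SCA exemption evaluator (illustration written for this page;
not code from any card scheme or PSP). Values are taken from the PSD2 RTS as
described in the text; the function and class names are assumptions."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import List, Optional


class Exemption(Enum):
    NONE = "none"
    LOW_VALUE = "low_value"
    TRA = "tra"


LOW_VALUE_MAX_AMOUNT = Decimal("30")
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")
# (reference fraud rate as a fraction, maximum exemptible amount); 0.0013 == 0.13 %
TRA_THRESHOLDS = (
    (Decimal("0.0013"), Decimal("100")),
    (Decimal("0.0006"), Decimal("250")),
    (Decimal("0.0001"), Decimal("500")),
)


@dataclass
class CardCounters:
    """Per-card state the issuer keeps since the last SCA, across all PSPs."""
    consecutive: int = 0
    cumulative: Decimal = Decimal("0")


@dataclass(frozen=True)
class Decision:
    frictionless: bool
    exemption: Exemption
    reason: str


def tra_limit(fraud_rate: Decimal) -> Decimal:
    """Largest amount a PSP with this rolling fraud rate may exempt under TRA (0 if none)."""
    limit = Decimal("0")
    for reference_rate, amount in TRA_THRESHOLDS:
        if fraud_rate <= reference_rate:  # "at or below" the reference rate
            limit = max(limit, amount)
    return limit


def low_value_applies(amount: Decimal, counters: CardCounters) -> bool:
    """Amount within 30 EUR and, counting this transaction, neither limit exceeded."""
    if amount > LOW_VALUE_MAX_AMOUNT:
        return False
    if counters.consecutive + 1 > LOW_VALUE_MAX_COUNT:
        return False
    if counters.cumulative + amount > LOW_VALUE_MAX_CUMULATIVE:
        return False
    return True


def evaluate(amount: Decimal, requested: Exemption, counters: CardCounters,
             psp_fraud_rate: Optional[Decimal] = None) -> Decision:
    """Issuer decision on the single exemption requested for a transaction.
    A held exemption yields a frictionless flow; anything else is a challenge."""
    if requested is Exemption.LOW_VALUE:
        if low_value_applies(amount, counters):
            return Decision(True, requested, "low-value counters within limits")
        return Decision(False, Exemption.NONE, "low-value limit reached, SCA required")
    if requested is Exemption.TRA:
        if psp_fraud_rate is None:
            return Decision(False, Exemption.NONE, "no fraud rate supplied for TRA")
        limit = tra_limit(psp_fraud_rate)
        if amount <= limit:
            return Decision(True, requested, f"amount within TRA limit of {limit} EUR")
        return Decision(False, Exemption.NONE, f"amount above TRA limit of {limit} EUR")
    return Decision(False, Exemption.NONE, "no exemption requested, SCA required")


def record(counters: CardCounters, amount: Decimal, sca_applied: bool) -> CardCounters:
    """Update the card's counters after the transaction. SCA resets both counters;
    any transaction completed without SCA (whatever exemption it used) extends the run."""
    if sca_applied:
        return CardCounters()
    return CardCounters(counters.consecutive + 1, counters.cumulative + amount)


def simulate_low_value(amounts: List[Decimal]) -> List[bool]:
    """Run a sequence of low-value exemption requests on one card and return,
    per transaction, whether it went frictionless. A challenge applies SCA and resets."""
    counters = CardCounters()
    outcomes = []
    for amount in amounts:
        decision = evaluate(amount, Exemption.LOW_VALUE, counters)
        outcomes.append(decision.frictionless)
        counters = record(counters, amount, sca_applied=not decision.frictionless)
    return outcomes


if __name__ == "__main__":
    # Constructed sample: six 25 EUR purchases; the fifth breaches the 100 EUR cumulative limit.
    print(simulate_low_value([Decimal("25")] * 6))
    print(evaluate(Decimal("200"), Exemption.TRA, CardCounters(), Decimal("0.0005")))
```

The counters live with the issuer, not the acquirer: the acquirer only sees its own merchants' traffic, so it cannot know how many exempted transactions the card has made elsewhere since the last SCA. That is why the issuer keeps the final decision even when a low-value exemption is correctly requested.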
Summary of acquirer exemptions