3D Secure Authentication and Exemptions: A Guide for Online Card Payments

This practical guide covers 3D Secure authentication and Strong Customer Authentication exemptions for online card payments. It details how card issuers and payment service providers handle transaction risk analysis, recurring payments, and low-value transactions. The analysis explains the processes that protect payment security and help merchants optimise their customer checkout flows.

Card-not-present transactions carry distinct security challenges that online merchants must address to maintain consumer trust. Effective payment authentication serves as a primary defence against digital fraud, preventing unauthorised transactions before they occur. Strict security checks can also introduce friction at checkout, causing buyers to abandon purchases. Achieving a correct balance between security and a smooth checkout flow is a major operational goal for modern businesses operating in the digital economy.

What is 3D Secure authentication and how does it work?

3D Secure authentication is a payment verification protocol that confirms a cardholder’s identity during online card transactions. It builds a secure communication link between the merchant, acquirer, card scheme, and issuer to verify legitimate usage.

The security protocol serves as a standard method for card payment authentication under the Second Payment Services Directive (PSD2). The regulation dictates that online card payments within Europe must use Strong Customer Authentication. The updated 3D Secure 2 protocol complies with these rules by supporting data-rich communication.

During a transaction, the merchant initiates verification. The payment service provider routes the merchant data to the card scheme, which directs it to the card issuer. The issuer evaluates the risk. If the transaction matches safe spending patterns, it proceeds via a frictionless flow with no customer input. If the risk is high, the issuer demands a challenge flow, prompting the customer to provide two-factor credentials.

Participant    Role in 3D Secure authentication
-----------    --------------------------------
Cardholder     Initiates the online card payment and provides the necessary credentials.
Merchant       Submits transaction details to request customer verification.
Issuer         Validates identity credentials and authorises the transaction.
Acquirer       Collects payment data and processes verified card transactions.
Card scheme    Routes authentication data between the acquirer and issuer.

Q&A: Does every online card payment require a 3D Secure challenge?

No. Payment service providers perform transaction risk analysis to route low-risk transactions through a frictionless flow. This process bypasses the manual authentication step completely.

Which SCA exemptions can apply to online card payments?

SCA exemptions are regulatory exclusions that allow payment service providers to bypass two-factor authentication for specific transactions. These rules help merchants speed up checkout processes while keeping fraud levels low.

Exemptions under PSD2 let businesses bypass strict verification under controlled scenarios. Low-value transactions below €30 are exempt, provided the cumulative spend does not exceed €100 or five consecutive payments. Transaction risk analysis (TRA) exemptions let providers skip authentication when their overall card fraud rates remain below strict regulatory thresholds.

Other exclusions include trusted beneficiary listings, recurring subscriptions, and merchant-initiated transactions for variable bills. Secure corporate payments using dedicated corporate systems also bypass these checks.

While a merchant or acquirer can submit an exemption request, only the card issuer holds the authority to grant an exemption approval. If the issuer rejects the request, the merchant must handle a step-up challenge.

  1. Low-value payments: Transactions under €30 or £25 with low cumulative totals.
  2. Transaction risk analysis: Exclusions based on low provider fraud rates.
  3. Recurring subscriptions: Standard scheduled payments after the first validation.
  4. Trusted beneficiaries: Merchants whitelisted by the specific cardholder.
  5. Secure corporate protocols: Commercial payments executed via secure business channels.
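The low-value exemption limits stated above (payments below €30, cumulative spend of €100, five consecutive payments since the last SCA) can be tracked issuer-side as two counters per card. The example below is added here and is not code from the guide or from Wallester; the `CardCounters` record and function names are hypothetical, and both limits are treated as binding, which is the conservative reading of the guide's wording.

```python
from dataclasses import dataclass
from decimal import Decimal

# Low-value exemption limits as stated in the guide (EUR).
LOW_VALUE_LIMIT = Decimal("30")     # guide: "below €30", so €30.00 itself is not exempt here
CUMULATIVE_LIMIT = Decimal("100")   # cumulative spend since the last SCA
CONSECUTIVE_LIMIT = 5               # consecutive exempted payments since the last SCA


@dataclass
class CardCounters:
    """Issuer-side state kept per card since the cardholder last completed SCA.
    Hypothetical structure for this example, not a scheme-defined record."""
    cumulative_amount: Decimal = Decimal("0")
    consecutive_count: int = 0

    def reset_after_sca(self) -> None:
        # Both counters restart once a challenge flow has been completed.
        self.cumulative_amount = Decimal("0")
        self.consecutive_count = 0


def issuer_low_value_decision(counters: CardCounters, amount: Decimal) -> tuple:
    """Decide whether a merchant's low-value exemption request can go frictionless.

    The issuer, not the merchant, makes this call. Returns (decision, reason);
    counters advance only when the exemption is actually applied.
    """
    if amount >= LOW_VALUE_LIMIT:
        return "CHALLENGE", "amount is not below the low-value limit"
    if counters.cumulative_amount + amount > CUMULATIVE_LIMIT:
        return "CHALLENGE", "cumulative spend since last SCA would exceed the limit"
    if counters.consecutive_count + 1 > CONSECUTIVE_LIMIT:
        return "CHALLENGE", "consecutive exempted payments would exceed the limit"
    counters.cumulative_amount += amount
    counters.consecutive_count += 1
    return "FRICTIONLESS", "low-value exemption applied"


def run_sequence(amounts):
    """Replay a constructed series of exemption requests for one card.
    Assumes every demanded challenge is completed, which re-applies SCA."""
    counters = CardCounters()
    decisions = []
    for a in amounts:
        decision, _ = issuer_low_value_decision(counters, Decimal(a))
        if decision == "CHALLENGE":
            counters.reset_after_sca()
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: four €25 payments reach the €100 cap exactly, the fifth tips over.
    print(run_sequence(["25", "25", "25", "25", "10", "29.99"]))
```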

According to the EBA-ECB payment fraud report, the application of Strong Customer Authentication has successfully held the overall fraud rate to a low level of 0.002% of total transaction value within the European Economic Area.

Q&A: Who bears the liability when an exempted payment is fraudulent?

When an exemption is applied, the merchant or the payment service provider assumes the financial liability for fraud. The cardholder remains protected from any loss.

Why can a 3D Secure exemption still lead to an authentication request?

An exemption request does not guarantee an automated approval. The card issuer maintains sole authority over payment authorisation and can demand full verification if its system flags potential security risks.

When a merchant requests an exemption, the card issuer executes an independent fraud-risk assessment. If the transaction data is incomplete or has low quality, the issuer’s security controls will prompt a step-up challenge.

Unusual customer spending patterns, unfamiliar locations, or high-value amounts will trigger exemption rejections. In these cases, the issuer forces customer authentication requests to prevent payment fraud. This process means merchants and acquirers must prioritise high-quality data transmission to secure frictionless checkouts. If data is lacking, a transaction decline or mandatory challenge flow remains highly likely.

Scenario            Exemption requested                   Possible issuer response
--------            -------------------                   ------------------------
Low-value payment   Low-value transaction exemption       The issuer approves a frictionless flow, or demands validation if the limits are breached.
Recurring payment   Recurring payment exemption           The issuer bypasses the check after verifying the original transaction history.
TRA assessment      Transaction risk analysis exemption   The issuer denies the request due to an anomalous user location or device.

In the UK, Financial Conduct Authority data confirms that 75% of consumers remember using Strong Customer Authentication during online purchases, indicating wide familiarity with secure checkouts.

Q&A: Can card issuers bypass SCA rules for high-risk purchases?

No. Regulation forbids card issuers from ignoring authentication mandates when transactions exceed safe risk limits or when fraud risk analysis detects clear signs of abuse.

How can Wallester White-Label support 3D Secure authentication for card programmes?

Wallester White-Label enables businesses to launch proprietary card programmes with comprehensive support for 3D Secure authentication. Its infrastructure provides the necessary controls to manage and secure online card transactions effectively.

Establishing a custom card offering requires compliant systems that align with Visa security rules. The Wallester White-Label solution provides a complete Visa card issuing infrastructure, giving companies full programme-level payment oversight. Through seamless API integration, organisations can issue physical or virtual cards with custom payment security controls.

The service provides back-office controls that allow companies to monitor cardholder authentication processes easily. This technology manages the secure routing of transaction data to card schemes during remote card payments. While Wallester acts as the technical system provider for card-programme management, the final choice to approve an exemption request rests with the card issuer.

FAQ

Is 3D Secure the same as Strong Customer Authentication?

3D Secure is not identical to Strong Customer Authentication, though they are closely related. Strong Customer Authentication is a regulatory mandate under European and UK rules requiring two-factor validation for online card transactions. 3D Secure is the technical protocol developed by card schemes to implement this requirement. It enables the exchange of security data between merchants, card networks, and card issuers, acting as the primary mechanism to achieve compliance with regulatory standards.

Can a business request an SCA exemption for every transaction?

A business can request an exemption for any eligible transaction, but it cannot apply exemptions universally. Only specific low-risk, low-value, or recurring transactions meet the strict regulatory criteria for exemptions. The card issuer holds the ultimate authority to accept or reject any request. Merchants must supply complete transaction details to allow issuers to assess the risk properly, meaning that some transactions will always require full customer authentication to prevent fraud.

What is the difference between a frictionless flow and a challenge flow?

The main difference lies in whether the customer must actively verify their identity. During a frictionless flow, the card issuer reviews background transaction data and authorises the payment without requiring any customer interaction. Conversely, a challenge flow occurs when the issuer identifies potential risks. The customer must then complete a two-factor verification step, such as entering a passcode sent to their phone or using biometric authentication on their mobile device, before the payment can proceed.

Do SCA exemptions apply outside the UK and the European Economic Area?

Strong Customer Authentication exemptions are specific to the UK and the European Economic Area under PSD2 rules. For card transactions where either the cardholder’s issuer or the merchant’s acquirer is located outside these regions, the rules do not apply directly. These payments are classed as one-leg-out transactions. While security protocols like 3D Secure remain highly recommended globally to prevent transaction fraud, merchants operating outside Europe do not have to follow these specific regulatory exemption processes.

Are corporate cards always exempt from Strong Customer Authentication?

Corporate cards are not automatically exempt from Strong Customer Authentication rules. Only specific corporate payment instruments, such as central billing accounts, virtual cards, or cards used within secure corporate payment processes, qualify for exemptions under the regulations. Regular corporate credit or debit cards issued to individual employees for business travel or general expenses must undergo standard two-factor authentication unless they meet other criteria, such as low-value exemptions or transaction risk analysis thresholds managed by the issuer.
