Are there exemptions from SCA?

For transactions that fall into the scope of SCA, there are still opportunities to limit the friction those transactions imply for consumers. Exemptions to SCA are optionally provided by Issuers, and they maintain full control over whether they approve or decline those exemption requests from Acquirers. The most common exemptions to SCA that can be provided are:


Low value payments

Online or remote transactions below €30 are considered low value and can be exempted from authentication. However, SCA will apply again on the fifth transaction if the customer initiates more than five consecutive low value payments, or if the value of the total payments exceeds €100.


Recurring payments

A series of payments of the same value to the same merchant (for example subscriptions and membership fees) at fixed intervals, are exempt from SCA once they have been set up. Setting up the recurring payment will still require SCA authentication, but all the following transactions will not. Existing agreements for Recurring payments and MITs do not need a new SCA. However, an Acquirer must be able to reference previous transactions (through Transaction IDs) in the chain to validate the status.


Payments that are made periodically to the same payee, but where the value changes each time (such as a utility bill), are not exempt from SCA.


Transaction Risk Analysis (TRA)

Where a transaction is assessed as having a low risk of fraud, in real time, by the issuer or acquirer, they may exempt the transaction from SCA. All transactions that qualify for an exemption won’t be automatically exempted. For card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption the customer might still have to make a strong customer authentication, if the card issuing bank requires it.


Whitelisting/trusted beneficiary

Customers can ‘whitelist’ a merchant they trust. The first authentication needs to be completed using SCA, but subsequent transactions with that merchant should not then need authentication. This exemption is managed between the Cardholder and their Bank only.