Exceptions to PSD2

Since 1 January 2021, the EU Payment Services Directive PSD2 has been enforced for online card payments: strong customer authentication (SCA) requires two of the three authentication factors knowledge (something only the cardholder knows), possession (something only the cardholder has) and inherence (something the cardholder is) to be verified for each payment. The regulatory technical standards (RTS) that implement the directive, however, define a number of legally stipulated exemptions and exclusions from this rule.

Low-value payments

For online card payments of 30 euros or less, the regulator does not require strong customer authentication. The card issuer does, however, keep a running total on the card: once the cumulative amount of payments made without SCA since the last authentication exceeds 100 euros, SCA is required again and the counter starts over. Alternatively, the issuer can count transactions instead of amounts and request SCA on every sixth transaction, i.e. after five consecutive exempted payments. In both variants the decision rests with the issuer, because only the issuer holds these counters; a merchant can merely request the exemption.

Low-risk payments

Low-risk transactions are also exempt from strong customer authentication. Whether a payment counts as low-risk depends on the fraud rate of the payment service provider applying the exemption, i.e. the card issuer or the acquirer processing the transaction, measured against the reference rates in the RTS: the exemption may be used for amounts up to 100 euros if the provider's fraud rate is at or below 0.13 %, up to 250 euros at or below 0.06 %, and up to 500 euros at or below 0.01 %. Provided these legally defined fraud rates are not exceeded, SCA can therefore be waived for payments between 30 and 500 euros that the low-value exemption does not cover, as long as the real-time risk analysis of the individual transaction finds nothing abnormal (spending pattern, device, location, known fraud scenarios). If the merchant wants to make use of transaction risk analysis, the acquirer determines together with the merchant's payment service provider which transactions may be flagged for the exemption in the 3-D Secure messages, so that fraud rates stay as low as possible; the issuer can still decide to apply SCA anyway.
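The low-value counters and the transaction-risk-analysis bands above are the two exemptions an issuer's decision engine has to evaluate for every remote card payment, and the interplay between them (every exempted payment, including one exempted by TRA, counts towards the low-value cumulative limit; the counters restart only when SCA is actually applied) is easy to get wrong. The following is an added example written for this page, not code from the page's author or from any issuer or scheme. The thresholds are the RTS values; the class and function names, the single `risk_signals_clean` flag standing in for the real-time risk analysis, and the sample amounts are this example's own assumptions.

```python
# Added example (not from the original page): issuer-side exemption decision for
# remote card payments under the PSD2 RTS. Thresholds are the RTS values
# (low value and transaction risk analysis with the reference fraud rates);
# names and the risk_signals_clean flag are this example's own assumptions.
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_MAX = Decimal("30")              # per-transaction cap
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")  # cumulative amount since last SCA
LOW_VALUE_MAX_COUNT = 5                    # consecutive exempted transactions

# TRA bands: (exemption threshold value, reference fraud rate the PSP must meet).
TRA_BANDS = [
    (Decimal("100"), Decimal("0.0013")),  # 0.13 %
    (Decimal("250"), Decimal("0.0006")),  # 0.06 %
    (Decimal("500"), Decimal("0.0001")),  # 0.01 %
]


@dataclass
class CardCounters:
    """Per-card state the issuer keeps since the last SCA on that card."""
    cumulative: Decimal = Decimal("0")
    count: int = 0

    def record_exempted(self, amount: Decimal) -> None:
        self.cumulative += amount
        self.count += 1

    def reset(self) -> None:
        """The low-value counters restart each time SCA is actually applied."""
        self.cumulative = Decimal("0")
        self.count = 0


def low_value_exempt(amount: Decimal, c: CardCounters, use_counter: bool) -> bool:
    """Amount at most 30 euros and the issuer's chosen limiter not yet hit."""
    if amount > LOW_VALUE_MAX:
        return False
    if use_counter:
        # the sixth consecutive exempted transaction must get SCA
        return c.count < LOW_VALUE_MAX_COUNT
    return c.cumulative + amount <= LOW_VALUE_CUMULATIVE_MAX


def tra_exempt(amount: Decimal, fraud_rate: Decimal, risk_signals_clean: bool) -> bool:
    """Amount within a band whose reference rate the PSP meets, and the
    real-time risk analysis raised no flags (abnormal spend, malware, ...)."""
    if not risk_signals_clean:
        return False
    for threshold, max_rate in TRA_BANDS:
        if amount <= threshold:
            return fraud_rate <= max_rate
    return False  # above 500 euros TRA is never available


def decide(amount: Decimal, c: CardCounters, fraud_rate: Decimal,
           use_counter: bool = False, risk_signals_clean: bool = True) -> str:
    """Return 'low-value', 'tra' or 'sca' and update the card counters."""
    if low_value_exempt(amount, c, use_counter):
        c.record_exempted(amount)
        return "low-value"
    if tra_exempt(amount, fraud_rate, risk_signals_clean):
        c.record_exempted(amount)  # every exempted payment counts towards the low-value limits
        return "tra"
    c.reset()  # SCA is applied, so the low-value counters start over
    return "sca"


def simulate(amounts, fraud_rate, use_counter=False, risk_signals_clean=True):
    """Run a sequence of amounts (constructed sample input) on one fresh card."""
    c = CardCounters()
    return [decide(Decimal(a), c, Decimal(fraud_rate), use_counter, risk_signals_clean)
            for a in amounts]


if __name__ == "__main__":
    # issuer with a 0.2 % fraud rate: only the low-value exemption is available
    print(simulate(["25", "25", "25", "25", "25", "25"], "0.002"))
    # issuer with a 0.05 % fraud rate: TRA covers amounts up to 250 euros
    print(simulate(["200", "25", "300"], "0.0005"))
```

In the first run the fifth 25-euro payment pushes the cumulative total to 125 euros and triggers SCA; the sixth is exempt again because the counter was reset. In the second run the 200-euro TRA exemption fills the low-value budget, so the following 25-euro payment is exempted under TRA rather than low value, and the 300-euro payment needs SCA because a 0.05 % fraud rate does not qualify for the 500-euro band.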

Subscriptions or recurring payments

Subscriptions or other recurring transactions with a fixed amount to the same payee are exempt from the second transaction onward; only the first transaction, which sets up the series, requires strong customer authentication. Recurring payments with varying amounts, and payments initiated by the merchant while the cardholder is not present (for example, a subscription renewal the merchant triggers itself), are treated as merchant-initiated transactions and fall outside SCA altogether once the initial mandate has been authenticated (see "Other exceptions" below).

Retailers trusted by the customer (whitelisting)

Customers can put merchants they buy from regularly on a so-called whitelist, a positive list of trusted payees that is held by their card issuer (the bank or savings bank). Payments to whitelisted merchants are exempt from strong customer authentication under the RTS; adding a merchant to the list, or changing the list, itself requires SCA. Online retailers therefore have every reason to cultivate loyal customers and make it as easy as possible for them to whitelist the shop. Through the EMV 3-D Secure protocol, merchants can find out which card issuers support whitelisting, and from specification version 2.2 of the protocol the merchant is also told when a cardholder has added it to the whitelist.

Secure corporate payments

Exemptions also exist for B2B payments made through dedicated corporate payment processes or protocols, for example when a centralized company account is debited or a corporate card is used that is not tied to a single person. This also covers lodged cards and virtual cards, both of which are common in the travel industry. The RTS grants this exemption only where the competent authority is satisfied that the dedicated process provides a level of security equivalent to SCA.

Risk assessment by the acquirer (transaction risk analysis)

Merchants with low fraud rates can, via their acquirer, have exemptions applied on the basis of their own risk indicators, for example when the customer is known and goods have already been delivered to that customer before. When an exemption is requested on the acquiring side, however, the liability for fraud does not shift to the issuer as it does after successful SCA: the merchant (or its acquirer) carries the chargeback risk.

With EMV 3-D Secure 2, merchants and banks can exchange far more risk-relevant data during authentication (device and browser details, cardholder account information, shipping address) and thereby make better risk decisions, which can noticeably raise approval rates for online merchants. To get there, merchants must make sure their systems pass the data needed for a sound risk-based analysis to the card issuer via their payment service provider. Only with this richer data set can an issuer make a realistic risk assessment and decide whether to grant an exemption under the regulatory technical standards (RTS).

Other exceptions

Some payments fall outside the scope of strong customer authentication altogether rather than being exempt from it. These are payments initiated by the merchant without the cardholder's involvement (merchant-initiated transactions), orders taken over the telephone or in writing, for example by email (mail or telephone order, MOTO), payments with anonymous prepaid cards, and "one leg out" transactions in which either the card issuer or the acquirer is located outside the European Economic Area (EEA). For one-leg-out transactions the EEA-based provider is still expected to apply SCA on a best-effort basis where it can.