Why Payer Authentication Is Needed

As e-commerce developed, the number of fraudulent transactions also grew, taking advantage of the difficulty of authenticating a cardholder during a transaction when the card is not present. To create a standard for secure payment card processing, Europay, Mastercard, and Visa collaborated as EMV. Other card providers wanted input on creating new payment standards, so a consortium called EMVCo was formed to enable equal input from Visa, Mastercard, JCB, China UnionPay, Discover, and American Express.

EMVCo developed 3-D Secure as the protocol to provide customer authentication during an online transaction. EMV 3-D Secure reduced chargebacks to merchants, and when the buyer was authenticated, the issuing bank assumed any liability when a chargeback occurred.

The same need to reduce fraud prompted Europe to develop a standard called Strong Customer Authentication (SCA) to regulate authentication during electronic payments. The use of SCA is mandated by the European Banking Authority in the Payment Services Directive (PSD2) that took effect in 2018 to promote and regulate the technical aspects of financial transactions between merchants and their customers in Europe. SCA requires two-factor authentication. A customer must be able to authenticate by providing two of these three factors:
- Something the customer knows (such as a password, PIN, or challenge questions)
- Something the customer has (such as a phone or hardware token)
- Something the customer is (biometric data, such as fingerprint or face recognition)

Although SCA is required for almost all online transactions, some exceptions are allowed. If a payment is considered low risk, you can request an exemption from SCA to bypass authentication of the customer. The issuing bank must approve the exemption before the transaction can be exempted from SCA. Although an exemption from SCA results in a frictionless transaction, liability is not shifted to the issuing bank, and the merchant assumes responsibility for any chargeback that occurs. An exemption from SCA might apply to these types of transactions:
- Payer authentication is unavailable because of a system outage.
- Payment cards used specifically for business-to-business transactions are exempt.
- Payer authentication is performed outside of the authorization workflow.
- Follow-on installment payments of a fixed amount are exempt after the first transaction.
- Follow-on recurring payments of a fixed amount are exempt after the first transaction.
- Fraud levels associated with this type of transaction are considered a low risk.
- Low transaction value does not warrant SCA.
- Merchant-initiated transactions (MITs) are follow-on transactions that are also exempt.
- Stored credentials were authenticated before they were stored, so stored credential transactions are exempt.
- Trusted merchants registered as trusted beneficiaries are exempt.

For additional information about transactions that are exempt from SCA, see the Payments Developer Guide.

EMV 3-D Secure meets the SCA mandate for authenticating the customer during e-commerce transactions.