Authentication exists to reduce fraud, and under PSD2 the required form of it is strong customer authentication (SCA). Because security and the cardholder experience are in tension, the regulation also defines authentication exemptions. This page describes Marqeta’s SCA offering and how Marqeta helps you stay compliant. For the technical requirements for Strong Customer Authentication in Europe, see Managing Strong Customer Authentication.

Contactless authorizations

The frictionless nature of contactless transactions is baked into the term “tap and go”. The security implications of a stolen card are, however, equally clear. Article 11 of the European Banking Authority (EBA) Regulatory Technical Standards (RTS) on SCA is designed to protect everyone in the chain from fraudulent card activity. Some contactless transactions are nevertheless exempt from the second Payment Services Directive (PSD2) mandate and from any contactless logic on the Marqeta side: they are not declined for SCA and do not contribute to the counters. These transactions are:
  • Mobile wallet payments (e.g., Apple Pay, Google Wallet), which are considered SCA-secured by default.
  • Payment of transport fares or parking fees at an unattended terminal.
There is a per-transaction gateway (€50 / £100) that limits contactless use without SCA. This is expected to be enforced at the point of sale (POS); however, cross-border usage can lead to conflicts between regional limits, so Marqeta lets you set the per-transaction limit above which SCA is required.

Below that amount, the cumulative amount and the number of consecutive contactless transactions since the last SCA are tracked, and exceeding either can trigger SCA enforcement. Marqeta lets you enforce the cumulative amount, the count of preceding transactions, or both. For a consistent cardholder experience, both Marqeta and the EBA recommend that you choose one limit.

Marqeta’s role is to decline the transaction with an appropriate network decline code. What the cardholder then sees depends on the terminal. The POS may simply decline the transaction, in which case the cardholder is expected to initiate a new Chip + PIN transaction. Alternatively, the POS may prompt the cardholder to step up at the terminal and enter their PIN. Either way, Marqeta displays both completed flows the same: a declined contactless transaction followed by an approved chip transaction.

E-commerce authorizations

All e-commerce authorizations above the gateway (€30) are expected to be authenticated, as required by Article 16 of the PSD2 RTS. Authorizations at or below €30 may be approved without authentication. As with contactless, sequential unauthenticated transactions must at some point be challenged.
Tip
Although you may configure the amounts in your card product, we strongly recommend that you adhere to the EBA limits exactly.
Some e-commerce transactions are exempt from the SCA limits:
  • As with contactless, mobile wallet payments (e.g., Apple Pay, Google Wallet) are already considered SCA-secured.
  • On Three Domain Secure Authentication 2 (3DS2), an acquirer exemption may be present, meaning SCA is not required for, or cannot be completed on, the transaction:
    • Merchant Initiated Transaction (MIT): triggered by the merchant rather than the cardholder, without direct, discrete cardholder involvement.
    • Acquirer transaction risk analysis (TRA): a low-fraud acquirer determines that the transaction represents low risk.
    • These acquirer exemptions shift liability to the acquirer. Note, however, that your own fraud rates dictate whether you may apply exemptions at all.

Authentication versus authorization

Despite the similar abbreviations, these are two separate, distinct flows. Authentication was designed by the financial industry essentially as a bolt-on process that runs before e-commerce authorization: once authentication completes, the merchant initiates the authorization. To be explicit, both flows must be initiated by the merchant; there is no process by which Marqeta can trigger either flow on its own. A merchant may choose, regardless of any rules, exemptions or amounts, to skip authentication and request authorization of the transaction directly. Once an unauthenticated authorization has begun, there is no path to authenticate that transaction, even if authentication is required. The only way for Marqeta to “request” authentication is therefore to “soft decline” the transaction. This is in fact a hard decline, carrying a special code that indicates SCA should be completed before Marqeta will authorize the transaction. The merchant should then request Three Domain Secure Authentication (3DS) (or apply an exemption) when it reattempts the transaction.
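The contactless rules (per-transaction gateway, cumulative amount and consecutive count since the last SCA, wallet and unattended-terminal exemptions), the e-commerce rules (€30 gateway, 3DS, MIT/TRA exemptions) and the soft-decline behaviour described above, combined into one decision function. This is an added example written for this page; it is not Marqeta’s code. The field names (wallet, unattended_transport, authenticated, acquirer_exemption), the outcome names, the rule that exempt transactions do not advance the counters and the inclusion of the current amount in the cumulative check are assumptions. The per-transaction thresholds are the ones on this page; the cumulative-amount and consecutive-count defaults (€150 / 5 contactless, €100 / 5 e-commerce) are the RTS values and not taken from this page.

```python
"""SCA decisioning for contactless and e-commerce authorizations.

Added example, not Marqeta's code. Field names, outcome names and counter
semantics are assumptions chosen to mirror the behaviour described on the page.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Channel(Enum):
    CONTACTLESS = "contactless"
    CHIP_PIN = "chip_pin"      # cardholder stepped up at the terminal: SCA done
    ECOMMERCE = "ecommerce"


class Outcome(Enum):
    APPROVE = "approve"
    # Decline carrying the "SCA required" network code. For e-commerce this is
    # the soft decline that asks the merchant to retry with 3DS or an exemption.
    DECLINE_SCA_REQUIRED = "decline_sca_required"


@dataclass
class Auth:
    channel: Channel
    amount: float                              # assumed EUR, major units
    wallet: bool = False                       # Apple Pay / Google Wallet: SCA by default
    unattended_transport: bool = False         # transport fare / parking, unattended terminal
    authenticated: bool = False                # 3DS (or PIN) completed before this authorization
    acquirer_exemption: Optional[str] = None   # "MIT" or "TRA" flagged on the 3DS2 flow


@dataclass
class Limits:
    """Per-channel thresholds. None switches a counter off, so a card product
    can enforce the amount counter, the count counter, or both. Page values
    for the per-transaction gateways; RTS values (assumed) for the rest."""
    contactless_max: float = 50.0
    contactless_cum: Optional[float] = 150.0
    contactless_count: Optional[int] = 5
    ecom_max: float = 30.0
    ecom_cum: Optional[float] = 100.0
    ecom_count: Optional[int] = 5


@dataclass
class Counter:
    """Unauthenticated activity on one channel since the last SCA."""
    cum_amount: float = 0.0
    consecutive: int = 0

    def reset(self) -> None:
        self.cum_amount = 0.0
        self.consecutive = 0


@dataclass
class CardState:
    contactless: Counter = field(default_factory=Counter)
    ecommerce: Counter = field(default_factory=Counter)


def _low_value(amount, ctr, per_tx, cum_limit, count_limit) -> Outcome:
    """Approve only while the transaction and the running counters stay within
    the configured limits. Approvals advance the counters; declines leave them
    untouched. The cumulative check includes the current amount (assumption)."""
    if amount > per_tx:
        return Outcome.DECLINE_SCA_REQUIRED
    if cum_limit is not None and ctr.cum_amount + amount > cum_limit:
        return Outcome.DECLINE_SCA_REQUIRED
    if count_limit is not None and ctr.consecutive + 1 > count_limit:
        return Outcome.DECLINE_SCA_REQUIRED
    ctr.cum_amount += amount
    ctr.consecutive += 1
    return Outcome.APPROVE


def decide(auth: Auth, limits: Limits, state: CardState) -> Outcome:
    """Decision for one authorization; mutates state on approvals and on SCA."""
    if auth.wallet:                       # SCA-secured by default, outside the counters
        return Outcome.APPROVE
    if auth.channel == Channel.CHIP_PIN:  # the step-up after a contactless decline
        state.contactless.reset()
        return Outcome.APPROVE
    if auth.channel == Channel.CONTACTLESS:
        if auth.unattended_transport:     # exempt: never declined, never counted
            return Outcome.APPROVE
        if auth.authenticated:            # PIN entered at a prompting terminal
            state.contactless.reset()
            return Outcome.APPROVE
        return _low_value(auth.amount, state.contactless, limits.contactless_max,
                          limits.contactless_cum, limits.contactless_count)
    if auth.authenticated:                # 3DS completed before authorization
        state.ecommerce.reset()
        return Outcome.APPROVE
    if auth.acquirer_exemption in ("MIT", "TRA"):
        return Outcome.APPROVE            # liability with the acquirer; not counted (assumption)
    return _low_value(auth.amount, state.ecommerce, limits.ecom_max,
                      limits.ecom_cum, limits.ecom_count)


def simulate(auths: List[Auth], limits: Optional[Limits] = None) -> List[Outcome]:
    """Run a sequence of authorizations for one card from a fresh state."""
    state, limits = CardState(), limits or Limits()
    return [decide(a, limits, state) for a in auths]


if __name__ == "__main__":
    # Constructed sequence: five €20 taps, a sixth tap that hits the count
    # limit, the Chip + PIN step-up, then a tap that is allowed again.
    seq = [Auth(Channel.CONTACTLESS, 20)] * 5
    seq += [Auth(Channel.CONTACTLESS, 10), Auth(Channel.CHIP_PIN, 10), Auth(Channel.CONTACTLESS, 10)]
    for a, o in zip(seq, simulate(seq)):
        print(f"{a.channel.value:12} {a.amount:>6.2f} -> {o.value}")
```

Passing Limits(contactless_cum=None) or Limits(contactless_count=None) reproduces the single-limit configuration the page recommends; the counters only ever reset on a transaction that actually carried SCA, which is why a declined contactless followed by an approved chip transaction is the expected pair in the transaction history.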

Marqeta 3DS technologies

There are two options for decisioning built into our Three Domain Secure Authentication (3DS) solution.
  • Automated — This is where Marqeta has built a decisioning engine to decide when to challenge and when to exempt transactions, based on the required mandates from the networks.
  • Delegated — This is where Marqeta delegates the choices to you and allows you to choose when to exempt and when to challenge.