Strong customer authentication (SCA) was introduced as a requirement of the second Payment Services Directive (PSD2), which aimed at adding additional security to electronic payments. SCA applies to the European Economic Area and the United Kingdom. It requires banks to perform additional controls when cardholders make payments to confirm their identity. Banks can do this by asking for any combination of two forms of identification at checkout:
  • Knowledge — “something they know” (e.g., a password or PIN)
  • Possession — “something they have” (e.g., a mobile phone receiving a one-time passcode)
  • Inherence — “something they are” (e.g., biometrics such as a fingerprint or face)
This page outlines PSD2 articles 11 and 16, as put forth by the European Banking Authority (EBA), and how Marqeta enables you to be compliant with SCA rules.

Contactless payments

Article 11: contactless payments at point of sale

Article 11 of the second Payment Services Directive (PSD2) states that issuers shall be allowed to not apply strong customer authentication where the payer initiates a contactless electronic payment transaction, provided that the following conditions are met:
  • The individual amount of the contactless electronic payment transaction does not exceed €50;
    AND
  • The cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of SCA does not exceed €150;
    OR
  • The number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of SCA does not exceed five.
Marqeta’s hosted solution provides the core functionality customers need to comply with SCA rules during contactless payments, and it lets customers outside the scope of PSD2 apply the same controls as an enhanced risk measure on their transactions. Customers should check the limits appropriate for their region and set the configuration accordingly. Customers in the UK, where the Q4 2021 directive raised the single-transaction contactless limit to £100, can use this configuration to raise the limit above the €50 PSD2 baseline. With this feature enabled, Marqeta monitors all incoming contactless transactions and evaluates them against the configured limits for each cardholder. Customers enable Marqeta-hosted contactless SCA controls in their Card Product configuration and set limits per Card Product in a specific currency. Marqeta converts transaction currencies into the configured currency, so customers can set the limits in EUR to match the PSD2 values.

Card product configuration

JSON
{
  "config": {
    "transaction_controls": {
      "strong_customer_authentication_limits": {
        "sca_contactless_transaction_limit": "50",
        "sca_contactless_cumulative_amount_limit": "150",
        "sca_contactless_transactions_count_limit": "5",
        "sca_contactless_transactions_currency": "EUR"
      }
    }
  }
}

Exemptions

What contactless transactions are exempt from SCA? In some instances, contactless transactions are exempt from the PSD2 mandate and any contactless logic on the Marqeta side. They are not declined and do not contribute to counters. These transactions include:
  • Mobile wallet payments (e.g., Apple Pay, Google Wallet), as they are already considered to be SCA secured.
  • Payments for transport fares or parking fees at unattended terminals, which do not require SCA. These include MCC codes 4111, 4112, 4131, 4784, and 7523.

Contactless transactions

Marqeta’s webhook payload includes key information that lets customers distinguish the events of a transaction. A typical contactless transaction appears as in the example below. Whether or not limits are set on the Card Product, Marqeta provides contactless_exemption_counter and contactless_exemption_total_amount in the webhook payload so that customers can host a contactless solution on their own platform.
JSON
{
  "card" : {
    "contactless_exemption_counter" : 1,
    "contactless_exemption_total_amount" : 4.500000
  },
  "pos": {
    "pan_entry_mode": "CHIP_CONTACTLESS",
    "card_holder_presence": true,
    "card_presence": true,
    "pin_present": false
  }
}
With the limits applied, the Marqeta platform monitors transactions that meet the criteria and keeps a record of them for each card. Once a particular card breaches these limits, the transaction is soft-declined. This signals to the merchant that SCA must be applied and the transaction reattempted; in most cases this means entering a PIN. Marqeta uses one of the following response memos to decline these transactions, depending on which attribute triggered the breach. The transaction continues to be declined until a point of sale (POS) authorization has been approved with SCA. Once that happens, the contactless counters are reset and contactless payments can resume for that card.
JSON
{
  "response": {
    "code": "1891",
    "memo": "Strong Customer Authentication — SCA contactless cumulative amount exceeded"
  }
}
Code   Description
1891   Strong Customer Authentication — SCA contactless cumulative amount exceeded.
1892   Strong Customer Authentication — SCA contactless transaction count limit exceeded.
1893   Strong Customer Authentication — SCA contactless transaction limit exceeded.

E-commerce low value payments

Article 16: low value transactions

Article 16 of the second Payment Services Directive (PSD2) states that SCA is not mandated for remote electronic low value transactions, provided that the following conditions are met:
  • The amount of the remote electronic payment transaction does not exceed €30;
    AND
  • The cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of SCA does not exceed €100;
    OR
  • The number of previous remote electronic payment transactions initiated by the payer since the last application of SCA does not exceed five consecutive electronic payment transactions.
Marqeta’s hosted solution provides the core functionality customers need to comply with SCA rules during e-commerce payments, and it lets customers outside the scope of PSD2 apply the same controls as an enhanced risk measure on their transactions. Customers should check the limits appropriate for their region and set the configuration accordingly. With this feature enabled, Marqeta monitors all incoming unsecured e-commerce transactions and evaluates them against the configured limits for each cardholder. Customers can set limits per Card Product in a specific currency. Marqeta converts transaction currencies into the currency configured in the Card Product before evaluation, so Marqeta suggests using the EUR values as they appear in the PSD2 directive.

Card product configuration

JSON
{
  "config": {
    "transaction_controls": {
      "strong_customer_authentication_limits": {
        "sca_lvp_transaction_limit": "30",
        "sca_lvp_cumulative_amount_limit": "100",
        "sca_lvp_transactions_count_limit": "5",
        "sca_lvp_transactions_currency": "EUR"
      }
    }
  }
}

Exemptions

What e-commerce transactions are exempt from SCA limits? In some instances, e-commerce transactions are exempt from the PSD2 mandate. Therefore, these will be exempt from any SCA logic on the Marqeta side. These transactions include:
  • Mobile wallet payments (e.g., Apple Pay, Google Wallet), as they are already considered to be SCA secured.
  • Transactions that have been through 3D Secure, as the cardholders have provided verification.
  • Transactions carrying an acquirer exemption, which states that SCA is not required or cannot be completed for this transaction.

Unsecured transactions

Marqeta’s transaction payload includes key information to allow customers to distinguish between different types of transactions. Using various fields, you can determine which transactions are secured, which are not, and which are exempt. A typical unsecured e-commerce transaction with no 3DS authentication is shown below.
JSON
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "no_authentication"
  },
  "transaction_metadata": {
    "payment_channel": "ECOMMERCE"
  }
}
An e-commerce transaction can be exempted in one of two ways: via an acquirer exemption or via an issuer exemption (within the Card Product limits). Both show as unsecured, but additional fields indicate why the transaction was exempted and which exemption was applied.

Acquirer exemptions

An Acquirer Exempted Transaction occurs when the acquirer has stated that there is no need for authentication and, therefore, liability shifts to the merchant on the transaction (if approved). For this reason, any acquirer exemption that is provided is respected, allowing the authorization to proceed without requiring authentication. Moreover, the authorization does not count towards the Marqeta low value payment (LVP) SCA limits set in the Card Product.
JSON
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "no_authentication",
    "acquirer_exemption": [
      "TRANSACTION_RISK_ANALYSIS"
    ]
  },
  "transaction_metadata": {
    "payment_channel": "ECOMMERCE"
  }
}

Issuer exemptions

Issuer exemptions are those exemptions that Marqeta has applied. The Marqeta platform exempts those transactions which fall within the LVP limits set in the Marqeta card product, allowing unsecured e-commerce authorizations to be approved. These exempted transactions are tracked by the Marqeta platform, ensuring that once the limits are reached, issuer exemptions are no longer applied.
JSON
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "no_authentication",
    "issuer_exemption": "LOW_VALUE_PAYMENT"
  },
  "transaction_metadata": {
    "payment_channel": "ECOMMERCE"
  }
}
Once a particular card breaches these limits, the transaction is soft-declined, which informs the merchant that Marqeta does not allow the authorization to proceed until authentication has been completed. Therefore, the merchant should apply SCA before reattempting the transaction. Marqeta uses one of the following response memos to decline these transactions, depending on which attribute has triggered the breach. Once an authenticated authorization is approved, counters are reset and issuer exempted e-commerce transactions can occur for that card.
JSON
{
  "response": {
    "code": "1897",
    "memo": "SCA LVP cumulative amount exceeded."
  }
}
Code   Description
1897   SCA LVP cumulative amount exceeded.
1898   SCA LVP transaction count limit exceeded.
1899   SCA LVP transaction limit exceeded.
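The Article 11 (contactless) and Article 16 (low value payment) rules above share one shape: per-card counters since the last application of SCA, a single-transaction limit, a cumulative limit, a count limit, exemptions that are neither declined nor counted, and a reset once an SCA-authenticated authorization is approved. The following is an added worked example, not Marqeta's code, of a customer-hosted simulation of both rule sets using the limit values, exemption categories and response codes from this page. It assumes the stricter reading in which any configured limit that is breached triggers the soft decline and the cumulative test includes the current transaction (the Article text joins the count condition to the cumulative condition with an OR, so follow the issuer's chosen reading in production); the sample transactions mirror the page's `pos` and `cardholder_authentication_data` fields, while the `wallet` and `mcc` keys are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Limits from the Card Product configurations on this page (EUR baseline).
CONTACTLESS_LIMITS = {"transaction": 50.0, "cumulative": 150.0, "count": 5}
LVP_LIMITS = {"transaction": 30.0, "cumulative": 100.0, "count": 5}
# MCCs the page lists as exempt (transport fares / parking at unattended terminals).
TRANSIT_PARKING_MCCS = {"4111", "4112", "4131", "4784", "7523"}
# Response codes from the two tables on this page.
CONTACTLESS_CODES = {"cumulative": "1891", "count": "1892", "transaction": "1893"}
LVP_CODES = {"cumulative": "1897", "count": "1898", "transaction": "1899"}


@dataclass
class ScaCounters:
    """Running totals for one card since the last application of SCA."""
    count: int = 0
    total_amount: float = 0.0

    def reset(self) -> None:
        self.count = 0
        self.total_amount = 0.0

    def record(self, amount: float) -> None:
        self.count += 1
        self.total_amount += amount


def check_limits(amount: float, c: ScaCounters, limits: dict, codes: dict) -> Optional[str]:
    """Return the decline code of the first breached limit, or None (assumption: any
    breached limit declines; the cumulative test includes the current transaction)."""
    if amount > limits["transaction"]:
        return codes["transaction"]
    if c.total_amount + amount > limits["cumulative"]:
        return codes["cumulative"]
    if c.count + 1 > limits["count"]:
        return codes["count"]
    return None


def evaluate_contactless(tx: dict, c: ScaCounters) -> dict:
    """Article 11 logic for one POS authorization."""
    pos = tx["pos"]
    if pos.get("pin_present"):
        c.reset()  # SCA applied at the terminal: approve and reset the counters
        return {"result": "APPROVED", "sca_applied": True}
    if pos.get("pan_entry_mode") != "CHIP_CONTACTLESS":
        return {"result": "APPROVED"}  # outside the scope of Article 11
    if tx.get("wallet") or tx.get("mcc") in TRANSIT_PARKING_MCCS:
        return {"result": "APPROVED", "exempt": True}  # never declined, never counted
    code = check_limits(tx["amount"], c, CONTACTLESS_LIMITS, CONTACTLESS_CODES)
    if code:
        return {"result": "SOFT_DECLINE", "code": code}  # counters are left untouched
    c.record(tx["amount"])
    return {"result": "APPROVED", "contactless_exemption_counter": c.count,
            "contactless_exemption_total_amount": c.total_amount}


def evaluate_lvp(tx: dict, c: ScaCounters) -> dict:
    """Article 16 logic for one e-commerce authorization."""
    auth = tx.get("cardholder_authentication_data", {})
    if auth.get("electronic_commerce_indicator") == "authentication_successful":
        c.reset()  # authenticated (3DS) authorization approved: counters reset
        return {"result": "APPROVED", "secured": True}
    if tx.get("wallet") or auth.get("acquirer_exemption"):
        return {"result": "APPROVED", "exempt": True}  # does not count towards LVP limits
    code = check_limits(tx["amount"], c, LVP_LIMITS, LVP_CODES)
    if code:
        return {"result": "SOFT_DECLINE", "code": code}
    c.record(tx["amount"])
    return {"result": "APPROVED", "issuer_exemption": "LOW_VALUE_PAYMENT"}


def pos_tx(amount, pin=False, contactless=True, mcc=None, wallet=False) -> dict:
    """Constructed POS sample transaction in the shape of the page's webhook fields."""
    return {"amount": amount, "mcc": mcc, "wallet": wallet,
            "pos": {"pan_entry_mode": "CHIP_CONTACTLESS" if contactless else "CHIP",
                    "card_presence": True, "pin_present": pin}}


def ecom_tx(amount, eci="no_authentication", acquirer_exemption=None, wallet=False) -> dict:
    """Constructed e-commerce sample transaction."""
    auth = {"electronic_commerce_indicator": eci}
    if acquirer_exemption:
        auth["acquirer_exemption"] = acquirer_exemption
    return {"amount": amount, "wallet": wallet, "cardholder_authentication_data": auth,
            "transaction_metadata": {"payment_channel": "ECOMMERCE"}}


def run_demo() -> dict:
    """Replay two constructed sequences and return (result, code) for each step."""
    c, e = ScaCounters(), ScaCounters()
    contactless = [evaluate_contactless(t, c) for t in (
        pos_tx(40), pos_tx(40), pos_tx(40), pos_tx(40),  # 4th breaches the €150 cumulative limit
        pos_tx(40, pin=True),                             # chip and PIN: SCA applied, counters reset
        pos_tx(60),                                       # over the €50 single-transaction limit
        pos_tx(10, mcc="4111"),                           # transit MCC: exempt, not counted
        pos_tx(10))]
    lvp = [evaluate_lvp(t, e) for t in (
        ecom_tx(25), ecom_tx(25), ecom_tx(25), ecom_tx(25),  # reaches €100 exactly: still allowed
        ecom_tx(25),                                         # would exceed the €100 cumulative limit
        ecom_tx(10, acquirer_exemption=["TRANSACTION_RISK_ANALYSIS"]),  # acquirer exemption
        ecom_tx(35),                                         # over the €30 single-transaction limit
        ecom_tx(25, eci="authentication_successful"),        # 3DS authenticated: counters reset
        ecom_tx(10))]
    return {"contactless": [(r["result"], r.get("code")) for r in contactless],
            "lvp": [(r["result"], r.get("code")) for r in lvp]}


if __name__ == "__main__":
    for channel, steps in run_demo().items():
        print(channel, steps)
```

A soft decline leaves the counters as they were, so the same card keeps being declined until an SCA-authenticated authorization is approved; that matches the behaviour the page describes for both channels and is the reason the reset lives only on the authenticated paths.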

Cardholder authentication data

Visa’s Cardholder Authentication Verification Value (CAVV) and Mastercard’s Accountholder Authentication Value (AAV), which Mastercard carries in the Universal Cardholder Authentication Field (UCAF), are passed within authorization messages. These tokens are generated by Marqeta’s access control server (ACS) and provide evidence that cardholder authentication was successful, or that the merchant attempted authentication.

The SCA mandate is complemented by limited exemptions that aim to support a “frictionless” cardholder experience when the transactional risk is low. Merchants can provide exemptions in the authorization message to detail why SCA is not required. These appear in the acquirer_exemption field in the Marqeta transaction JIT and webhook payloads. For further reference, see the cardholder_authentication_data object.

The verification_result field reports the result of a network comparison between authentication and authorization data elements. This is separate and distinct from the authentication result, which is reported in the electronic_commerce_indicator field. Note that authentication_status is only present when the network provides CAVV data; therefore, the electronic_commerce_indicator field must be used to determine SCA status.
JSON
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "authentication_successful",
    "verification_result": "not_verified",
    "verification_value_created_by": "issuer_acs",
    "three_ds_message_version": "2.2.0",
    "authentication_method": "BIOMETRIC",
    "authentication_status": "SUCCESSFUL"
  }
}

JIT decline

Using the information in the cardholder_authentication_data object, customers can choose to approve or decline a transaction based on whether the e-commerce transaction was authenticated. In some regions, local or country regulations require customers to decline all non-secure e-commerce transactions, which can be achieved via this method. The only way for a Marqeta customer to soft-decline an authorization and prompt for SCA is by returning the decline_reason shown below.
JSON
{
  "jit_funding": {
    "token": "b23fd310-3001-4723-8f7b-e6843b5fe1e6",
    "method": "pgfs.authorization",
    "user_token": "4997F7AA-5CD7-4FB9-9335-62CE17330390",
    "acting_user_token": "4937F7AA-5CD2-4FB9-9735-62CE97130390",
    "amount": 2109.85,
    "decline_reason": "SOFT_DECLINE_AUTHENTICATION_REQUIRED"
  }
}
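As an added example, not Marqeta's code, the decision logic below builds the JIT Funding response for an e-commerce authorization from the cardholder_authentication_data fields described on this page: it classifies the authorization as secured, acquirer-exempt, issuer-exempt or unsecured using electronic_commerce_indicator (deliberately ignoring authentication_status, which the page notes is absent when the network supplies no CAVV data), and returns decline_reason SOFT_DECLINE_AUTHENTICATION_REQUIRED only for unsecured e-commerce authorizations. The sample requests are constructed with placeholder tokens; the "OTHER" payment channel value and the decline_unsecured policy switch are assumptions for the example.

```python
SOFT_DECLINE = "SOFT_DECLINE_AUTHENTICATION_REQUIRED"


def sca_status(auth: dict) -> str:
    """Classify the SCA state of an e-commerce authorization.

    electronic_commerce_indicator is the authoritative field; authentication_status is
    ignored on purpose because it is only present when the network supplies CAVV data.
    ECI values other than authentication_successful are treated as unsecured here.
    """
    if auth.get("electronic_commerce_indicator") == "authentication_successful":
        return "SECURED"
    if auth.get("acquirer_exemption"):
        return "ACQUIRER_EXEMPT"  # liability shifts to the merchant; the exemption is respected
    if auth.get("issuer_exemption"):
        return "ISSUER_EXEMPT"    # Marqeta applied an LVP exemption within the Card Product limits
    return "UNSECURED"


def jit_decision(request: dict, decline_unsecured: bool = True) -> dict:
    """Return the jit_funding object to send back, adding decline_reason when needed.

    Only ECOMMERCE authorizations are classified. decline_unsecured=True models a region
    whose regulations require every non-secure e-commerce transaction to be declined.
    """
    channel = request.get("transaction_metadata", {}).get("payment_channel")
    if channel == "ECOMMERCE":
        status = sca_status(request.get("cardholder_authentication_data", {}))
    else:
        status = "NOT_ECOMMERCE"
    funding = dict(request["jit_funding"])  # echo the request fields back unchanged
    funding.pop("decline_reason", None)
    if status == "UNSECURED" and decline_unsecured:
        funding["decline_reason"] = SOFT_DECLINE  # the soft decline that prompts the merchant for SCA
    return {"sca_status": status, "jit_funding": funding}


def _sample(auth: dict, channel: str = "ECOMMERCE") -> dict:
    """Constructed JIT Funding request with placeholder tokens."""
    return {"jit_funding": {"token": "jit-token-placeholder", "method": "pgfs.authorization",
                            "user_token": "user-token-placeholder", "amount": 42.0},
            "cardholder_authentication_data": auth,
            "transaction_metadata": {"payment_channel": channel}}


# Constructed requests covering the cases discussed on this page.
UNSECURED = _sample({"electronic_commerce_indicator": "no_authentication"})
SECURED_NO_CAVV = _sample({"electronic_commerce_indicator": "authentication_successful",
                           "verification_result": "not_verified"})  # no authentication_status present
ACQUIRER_EXEMPT = _sample({"electronic_commerce_indicator": "no_authentication",
                           "acquirer_exemption": ["TRANSACTION_RISK_ANALYSIS"]})
ISSUER_EXEMPT = _sample({"electronic_commerce_indicator": "no_authentication",
                         "issuer_exemption": "LOW_VALUE_PAYMENT"})
NOT_ECOMMERCE = _sample({}, channel="OTHER")  # "OTHER" is a constructed channel value

if __name__ == "__main__":
    for name, req in [("unsecured", UNSECURED), ("secured, no CAVV", SECURED_NO_CAVV),
                      ("acquirer exempt", ACQUIRER_EXEMPT), ("issuer exempt", ISSUER_EXEMPT)]:
        print(name, jit_decision(req))
```

The secured sample carries no authentication_status at all, yet it is still classified as secured, which is exactly why the classification keys on electronic_commerce_indicator rather than on the CAVV-dependent field.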