SCA and TRA Exemptions: Optimizing Your Strategy for Increased Acceptance Rates and Reduced Fraud

Striking a balance between security and seamless customer experiences has never been more challenging—or more vital for sustaining growth. As Strong Customer Authentication (SCA) requirements evolve under PSD2, businesses are being forced to figure out friction; while SCA helps reduce fraud, it can also add a security checkpoint at checkout, which may lead to increased cart abandonment. 

In a recent webinar, experts from Sift and Nestlé discussed what it takes to stay compliant and secure while seizing growth opportunities and better serving trusted users. From strategically leveraging Transaction Risk Analysis (TRA) exemptions to integrating AI-powered tools like Sift’s RiskWatch, they covered what companies need to do now and down the road to protect their customers and boost conversions, without interrupting the customer journey.

TRA Exemptions: Stay Secure with Lower Friction

Under PSD2, SCA is mandatory for many online transactions in regulated markets, particularly for transactions above certain thresholds. SCA requires authentication through two of three factors: something the customer knows (a password), something the customer has (a device), or something that makes the customer who they are (a fingerprint). While this is excellent for security, it often disrupts the seamless user experience businesses strive to maintain.

TRA exemptions provide a solution. By leveraging AI-powered Transaction Risk Analysis, merchants can exempt low-risk transactions from SCA, allowing them to flow through without the additional 3D Secure (3DS) step. This not only reduces customer friction, but also improves authorization rates by ensuring that only risky transactions face additional scrutiny. However, many merchants still don’t fully capitalize on these exemptions due to uncertainty about what qualifies as low risk.

Brittany Allen, Senior Trust and Safety Architect at Sift, and Carmen Caballero, Digital Payments Platform Group Manager at Nestlé, highlighted how leveraging TRA exemptions effectively reduces the number of transactions sent through 3DS. This minimizes costs and improves customer satisfaction by keeping the checkout experience fast and frictionless. 

As Caballero explained, Nestlé assesses the risk of every transaction before requesting exemptions for low-risk purchases. This automated process has allowed them to lower their reliance on 3DS, decrease overall fraud rates, and improve authorization rates.

Identifying Out-of-Scope and Exempt Transactions

“In-scope” transactions are normally subject to SCA requirements, while “out-of-scope” transactions are exempt from SCA. By correctly identifying out-of-scope transactions and applying exemptions, merchants can minimise friction and reserve SCA for when it’s necessary.

In-Scope

Transactions classified as “in-scope” fall under the SCA requirements and are generally subject to two-factor authentication. These include:

  • Customer-initiated online payments: Most card-not-present (CNP) transactions, such as e-commerce payments.
  • Transactions within the European Economic Area (EEA): Both the payer and payee are located within the EEA.
  • High-risk transactions: Payments flagged as high-risk by fraud detection tools.
  • New payment setups or changes: Adding new payees or modifying saved payment instructions.

Out-of-Scope

Transactions classified as “out-of-scope” are not subject to SCA, either due to their nature or specific exemptions outlined in PSD2. Examples include:

  • Merchant-initiated transactions (MITs): Payments initiated by the merchant, such as subscriptions or installment payments, where no customer interaction occurs at the time of payment.
  • Mail order and telephone order (MOTO) payments: These are explicitly excluded from SCA requirements.
  • One-leg transactions: Payments where either the payer or the payee is outside the EEA.
  • Anonymous transactions: Payments made using anonymous payment instruments, like prepaid cards.

Eligible for Exemptions

Some in-scope transactions may qualify for SCA exemptions based on certain criteria, assessed via TRA:

  • Low-value payments: Transactions below €30, provided the cumulative limit of €100 or five consecutive transactions without SCA hasn’t been exceeded.
  • Recurring transactions: Subsequent payments in a series after the first transaction, provided the payment amount remains the same.
  • Trusted beneficiaries: Payments to merchants that customers have added to their trusted list through their bank or payment service provider.
  • Low-risk transactions: Determined using TRA, where the payment service provider’s fraud rates meet specific thresholds.

Maximizing Exemptions and Eclipsing Competition with RiskWatch

The key to successfully implementing a TRA exemption strategy lies in understanding which transactions qualify as low-risk. For many merchants, this remains a challenge, as accurately determining risk requires sophisticated technology that can assess each transaction in real-time.

This is where RiskWatch, one of Sift’s patent-pending innovations, comes in. RiskWatch acts as an “intelligent cruise-control” for fraud teams, automatically calculating the risk level of transactions and applying the appropriate exemptions. For example, if a qualifying transaction’s risk score is lower than 80% of all transactions processed, it is deemed low risk and bypasses 3DS authentication.
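The scoping rules, the low-value limits, and the 80% rule described above can be combined into one pre-authorization decision; the sketch below is an added example, not Sift's or Nestlé's code and not how RiskWatch is implemented. The record fields, function names, return labels, and check ordering are assumptions, the counters are read as "since the cardholder last completed SCA", and the recurring-payment exemption is left out for brevity.

```python
from bisect import bisect_right
from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.0    # page: transactions below EUR 30
CUMULATIVE_LIMIT_EUR = 100.0  # page: cumulative limit of EUR 100
MAX_CONSECUTIVE_NO_SCA = 5    # page: five consecutive transactions without SCA
LOW_RISK_SHARE = 0.80         # page: score lower than 80% of all transactions

@dataclass
class Txn:  # hypothetical transaction record; field names are assumptions
    amount_eur: float
    risk_score: float  # higher means riskier
    kind: str = "customer_initiated"  # or "mit" / "moto"
    payer_in_eea: bool = True
    payee_in_eea: bool = True
    anonymous_instrument: bool = False
    trusted_beneficiary: bool = False
    flagged_high_risk: bool = False

@dataclass
class CardHistory:  # assumed counters since the cardholder last completed SCA
    no_sca_count: int = 0
    no_sca_total_eur: float = 0.0

def is_low_risk(score, sorted_scores):
    """True when at least 80% of the reference scores are strictly higher."""
    if not sorted_scores:
        return False  # no baseline to compare against: fail closed to SCA
    higher = len(sorted_scores) - bisect_right(sorted_scores, score)
    return higher / len(sorted_scores) >= LOW_RISK_SHARE

def decide(txn, hist, sorted_scores):
    # Out-of-scope checks come first: SCA does not apply to these at all.
    if txn.kind in ("mit", "moto"):
        return "out_of_scope:" + txn.kind
    if not (txn.payer_in_eea and txn.payee_in_eea):
        return "out_of_scope:one_leg"
    if txn.anonymous_instrument:
        return "out_of_scope:anonymous"
    if txn.flagged_high_risk:  # assumed ordering: a flag overrides exemptions
        return "sca_required"
    if txn.trusted_beneficiary:
        return "exempt:trusted_beneficiary"
    if (txn.amount_eur < LOW_VALUE_LIMIT_EUR
            and hist.no_sca_count < MAX_CONSECUTIVE_NO_SCA
            and hist.no_sca_total_eur + txn.amount_eur <= CUMULATIVE_LIMIT_EUR):
        return "exempt:low_value"
    if is_low_risk(txn.risk_score, sorted_scores):
        return "exempt:tra"
    return "sca_required"  # default: send through 3DS
```

`sorted_scores` is an ascending list of recent risk scores used as the comparison baseline; in production it would be refreshed continuously rather than held static.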

By automating this process, RiskWatch allows fraud teams to focus on higher-risk interactions while ensuring that legitimate customers don’t face unnecessary friction. Fraudsters are constantly evolving their tactics, often using tools to bypass 3DS authentication. But RiskWatch, combined with Sift’s broader AI-powered fraud decisioning, ensures that businesses can stay one step ahead of these evolving threats by analyzing transaction patterns in real-time and making data-backed decisions.

Real-World Results: How Nestlé Streamlined its Fraud Strategy

Nestlé faced the challenge of balancing security with customer convenience, especially in regions where SCA is mandated. During the webinar, Caballero shared how Nestlé pre-screens transactions before authorization, requesting TRA exemptions only for low-risk transactions. This pre-authorization fraud detection system not only reduced the number of transactions sent to 3DS, but also enhanced customer experience by minimizing friction at checkout.

Nestlé saw significant improvements in both their fraud rate and authorization rates over time. By automating fraud screening and leveraging AI to assess risk, they could optimize their exemption strategy and deliver a smooth, secure shopping experience. The results were tangible: lower transaction costs, fewer customer drop-offs, and higher approval rates.

While Nestlé’s use case is primarily focused on physical goods, the lessons learned are equally applicable to businesses handling digital goods and services; the principles of optimizing TRA exemptions, automating fraud detection, and minimizing 3DS reliance hold true across industries.

Best Practices for Optimizing Your TRA Strategy

Optimizing your TRA exemption strategy requires more than just AI-driven fraud detection; it also involves carefully selecting your payment service providers (PSPs) and acquirers, as different PSPs offer varying levels of support for TRA and SCA compliance.

This choice can significantly impact your ability to request exemptions, not only improving authorization rates, but also reducing friction for customers, leading to higher conversion rates and increased revenue.

The webinar also highlighted the importance of automation in optimizing exemptions. Businesses that automate their fraud decisioning processes are better equipped to manage high transaction volumes while keeping fraud rates low. By reducing the number of transactions sent through 3DS, businesses can lower their costs, improve authorization rates, and ultimately drive more revenue. Other main takeaways included:

  • Compliance and customer experience are not mutually exclusive. By using AI-powered tools like RiskWatch, businesses can maintain compliance while delivering a frictionless checkout experience.
  • Maximizing exemptions reduces friction. The fewer transactions that are sent through 3DS, the fewer opportunities for cart abandonment.
  • Authorization rates improve as fraud rates decrease. Issuing banks are more likely to approve transactions from merchants with clean fraud records, making it critical to keep fraud rates low.
  • Choosing the right acquirer matters. A PSP that supports your TRA exemption strategy is key to maximizing exemptions and reducing costs.

Building a successful TRA exemption strategy requires a combination of advanced fraud detection, strategic automation, and the right partnerships. By leveraging AI-powered solutions like RiskWatch, businesses can apply SCA only when necessary, reduce reliance on 3DS, and ultimately boost their conversion rates while maintaining compliance.

For businesses looking to streamline their fraud prevention processes and improve authorization rates, the insights from Nestlé’s use case offer a roadmap to success. By following best practices and leveraging cutting-edge tools, you can deliver a seamless customer experience that keeps fraud at bay and conversions high.
