The PSD2 directive introduced Strong Customer Authentication (SCA) as a means of safer online payment authentication. With SCA also came SCA exemptions: scenarios that do not require an additional authentication step, allowing the cardholder to enjoy an entirely frictionless experience. One of these exemptions is Merchant Whitelisting, a convenient feature included in the 3D Secure 2.2 upgrade.
The latest PSD2 directive enforces Strong Customer Authentication (SCA) as an additional layer of security for online payment processing. To fight fraud, cardholders need to confirm their identity using two-factor authentication (2FA), that is, by authenticating themselves with two out of the following three security elements:
This approach was not welcomed by issuers and merchants, raising concerns regarding the overall traffic impacted by the added authentication step. In the cardholder's eyes, SCA means more friction, and more friction is an inconvenience for the end-user. In order to address this issue, PSD2 also includes SCA exemptions.
SCA-exempted scenarios are transactions that do not require an additional authentication step in order to process the payment. It is a clever concept for mitigating friction where applicable. To be classified as an exemption, a transaction must meet specific criteria regarding its risk level or fall into one of the predefined transaction types. The SCA exemptions are the following:
Merchant Whitelisting, also known as Trusted Beneficiaries, enables cardholders to choose known merchants that they trust in order to skip the additional authentication step and enjoy a genuinely frictionless online payment experience. Regardless of the transaction amount or the merchant/issuer fraud rate, SCA is not necessary. Of course, not all merchants are eligible for whitelisting. The selection of merchants that a cardholder is able to whitelist is under the issuing bank's control. Based on preselected criteria regarding the merchant's industry type, level of risk, and the cardholder's transaction history, the issuer proposes a list of merchants eligible for whitelisting in response to the cardholder's request.
The process of whitelisting a merchant involves transaction authentication. A cardholder who is about to make an online purchase can enroll the merchant on their whitelist. This is done through the authentication interface, which contains a checkbox offering the option of whitelisting that particular merchant. By checking the box and completing SCA for the given transaction, both the transaction verification and the whitelisting verification succeed and are PSD2 and RTS compliant.
This means that future purchases made by the cardholder at that merchant won't require SCA, unless the cardholder decides to remove the merchant from the whitelist at some point.
The cardholder is the one in control of the whitelisting. Merchants are not informed whether they are on the whitelist or have been removed from it by the cardholder. Also, merchants can't apply for whitelisting evaluation on the issuer side themselves. Based on the cardholder's proposal for a particular merchant to be whitelisted, the issuer conducts further risk evaluation and either approves or denies the merchant's inclusion on the eligible merchant list.
Even if the merchant was previously whitelisted by the cardholder, each transaction is still sent for authentication. This happens because merchants have no way of knowing whether the cardholder has whitelisted them or not. If the merchant was previously successfully enrolled on the cardholder's whitelist, and this enrollment was verified with the initial SCA required for Merchant Whitelisting (MWL) enrollment, the issuer's Access Control Server (ACS) skips risk analysis and processes the transaction as frictionless.
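The issuer-side flow described above, modelled as an added example in Python (not code from the original post or from any real ACS): every transaction still reaches the ACS, a merchant is enrolled only if the issuer deems it eligible and the SCA for that transaction succeeded, whitelisted merchants bypass risk analysis regardless of amount, and only the cardholder can revoke. The merchant ids, card id and the low-value threshold are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AuthRequest:
    card: str              # cardholder account id (constructed sample values below)
    merchant_id: str
    amount: float
    whitelist_requested: bool = False  # cardholder ticked the MWL checkbox in the challenge UI


@dataclass
class Acs:
    """Issuer-side ACS holding the eligible-merchant list and per-card whitelists."""
    eligible_merchants: set          # issuer-curated: only these merchants may be whitelisted
    lvp_threshold: float = 30.0      # assumed low-value limit, illustration only
    whitelist: dict = field(default_factory=dict)  # card -> set of trusted merchants

    def authenticate(self, req):
        """Every transaction still arrives here; return 'frictionless' or 'challenge'."""
        if req.merchant_id in self.whitelist.get(req.card, set()):
            return "frictionless"  # MWL exemption: risk analysis skipped, amount irrelevant
        if req.amount < self.lvp_threshold:
            return "frictionless"  # another exemption (LVP) after risk analysis
        return "challenge"         # SCA required

    def complete_challenge(self, req, sca_passed):
        """Enrollment is recorded only when the SCA for this very transaction succeeded."""
        if not sca_passed:
            return "declined"      # failed SCA: neither the payment nor the enrollment goes through
        if req.whitelist_requested and req.merchant_id in self.eligible_merchants:
            self.whitelist.setdefault(req.card, set()).add(req.merchant_id)
        return "authenticated"

    def remove_from_whitelist(self, card, merchant_id):
        """Only the cardholder revokes; the merchant is never told either way."""
        self.whitelist.get(card, set()).discard(merchant_id)


def demo():
    """Walk through enrollment, frictionless reuse, an ineligible merchant and revocation."""
    acs = Acs(eligible_merchants={"shop-A"})
    card, steps = "card-1", []
    first = AuthRequest(card, "shop-A", 120.0, whitelist_requested=True)
    steps.append(acs.authenticate(first))                          # challenge
    steps.append(acs.complete_challenge(first, sca_passed=True))   # authenticated, shop-A enrolled
    steps.append(acs.authenticate(AuthRequest(card, "shop-A", 900.0)))  # frictionless
    other = AuthRequest(card, "shop-B", 120.0, whitelist_requested=True)
    acs.complete_challenge(other, sca_passed=True)                 # ignored: shop-B not eligible
    steps.append(acs.authenticate(AuthRequest(card, "shop-B", 120.0)))  # challenge
    acs.remove_from_whitelist(card, "shop-A")
    steps.append(acs.authenticate(AuthRequest(card, "shop-A", 50.0)))   # challenge again
    return steps
```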
According to Mastercard, the liability rules are the following:
"The liability shift applies to 3DS independently of the program protocol version (3DS 1.0 or EMV 3DS). If the Merchant does not support 3DS or uses Data Only (refer to section Acquirer SCA Exemptions), liability in case of fraud is with the Acquirer/Merchant. In all other cases, the Issuer is liable if no Acquirer PSD2 SCA exemption applies or if the Issuer has delegated SCA to the Merchant. If the Merchant applies an Acquirer exemption through 3DS and the Issuer accepts it, then the Merchant is liable. If the Issuer goes through SCA without accepting an Acquirer exemption, the Issuer is liable."
The initial 3D Secure liability shift states that for transactions authenticated using 3D Secure, liability shifts to the issuer. The same applies to MWL transactions: since the issuer deemed the merchant eligible for merchant whitelisting, liability for any transaction that proves to be fraudulent stays on the issuer's side.
3D Secure v2.2 brings a number of new features aiming to make the solution even more flexible. By introducing SCA exemptions (Merchant Whitelisting being one of them), issuers and merchants get a sense of relief regarding the SCA requirement for two-factor authentication. Enhanced risk analysis enables the application of SCA exemptions such as low-value payments (LVP) and merchant whitelisting (MWL). This results in a more user-friendly experience and makes the authentication process straightforward. A more detailed summary of EMV 3DS2 features is available in our recent blog post.