WebsiteStatusSupportPostman workspacePricingDocumentation hub survey
Documentation
RSS feedSign up
Start typing to search…
  1. Server-to-Server, Mobile SDK, and COPYandPAY
  2. Guides
  3. 3-D Secure

Exemption management

Exemptions are transactions that don't need strong customer authentication, and they don't necessarily need explicit cardholder authentication. These transactions don't need prior authentication for authorisation or go through a frictionless authentication flow, meaning the cardholder does not need to authenticate themselves with the issuer.

Exemption types

These exemptions include transactions that are:

  • Low value
  • Low risk
  • Between cardholder and merchant, where the cardholder has allowlisted the merchant as a trusted beneficiary
  • Made with a corporate card

If you request an exemption:

  • The issuer has the authority to override exemption requests.
  • Some acquirers may not allow specific exemptions for their merchants. Merchants should consult with their acquirers to understand which exemptions they can use.

Request an exemption

You can request exemptions by setting the appropriate value in the threeDSecure.exemptionFlag field.

ValueExemption
01Low value exemption
02TRA exemption
03Trusted beneficiary exemption
04Corporate card payment exemption

Soft declines

If you request an exemption via authorisation (skipping the 3-D Secure call), the acquirer may reject the exemption request. In such cases, the transaction receives a soft decline, indicated by the 300.100.100 result code.

The correct action after a soft decline is to:

  1. Re-send the transaction to 3-D Secure authentication.
  2. After authentication, proceed to authorisation with the authentication result.

Soft declines could occur even after 3-D Secure authentication, for example, if you performed a frictionless authentication but you should have challenged the transaction.

Options for handling soft declines

  1. Manual handling:

    • The gateway can return the soft decline code to the merchant.
    • The merchant can either treat it as a decline or manually re-send the transaction.
    • For a manual retry, include the challengeIndicator=04 field in the request.

  2. Automatic retry: The gateway can automatically retry the transaction.

Retried transactions always involve a challenge flow for the customer.

Out-of-scope transactions

Certain transactions are out of scope from Strong Customer Authentication (SCA). Send these transactions directly for authorisation and the acquirer or issuer approves them. However, you must mark such transactions with the proper flags to qualify them as out of scope.

Transaction typeHow to flag
Mail order or telephone orderSet the field transactionCategory to MO or TO.
Recurring transactionsSet the field recurringType to REPEATED. This applies to merchant-initiated transactions (MIT), such as subscription agreements between consumer and merchant.
Merchant-initiated transactionsSet the field standingInstruction.source to MIT.

Updated about 7 hours ago