What transactions are not impacted by the SCA?

The second Payment Services Directive (or PSD2) requires strong authentication but also describes cases that are considered outside the scope of this requirement and where transactions can be made without strong authentication.

These cases are:

  • Merchant initiated transactions (or “MIT”)

    That is, payments made without the online presence of the buyer (payment by file, payment by web services from server to server, duplication).

    For example, when the merchant manages the installments in case of a recurring payment with variable amounts and due dates.

    Nevertheless, strong authentication is mandatory when registering the payment method and when making the first payment of a series of recurring payments or a payment in installments.

  • Distance sale payments (“MOTO” - Mail Order Telephone Order)

    These are purchases initiated by post, e-mail or phone where the card data is entered by an operator.

  • Transactions outside the European Economic Area (or one-leg transactions)

    Payments where one of the payment actors, the acquirer or the issuer, is not located in the EU.