If a transaction is under €30, the Acquirer may seek an exemption from SCA from the Issuer on the grounds that the transaction is of Low Value. On the face of it this seems great news, but there are a few catches within.
First are the caveats given by the EBA in Article 16 of the Regulatory Technical Standards (RTS):
Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:
- (a) the amount of the remote electronic payment transaction does not exceed EUR 30; and
- (b) the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or
- (c) the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed five consecutive individual remote electronic payment transactions.
Crucially, these running counters for cumulative amount and number of previous transactions are held by the Issuer of the payment instrument. This is a major problem as the Merchant has no idea for a given transaction whether or not the transaction will qualify for the Low Value exemption.
The second problem is that Low Value Transactions are not necessarily Low Risk. Fraudsters do not make exclusively high value purchases online, and since other SCA exemptions rely on having low fraud rates across the board neither Merchants nor Acquirers can risk hoping that all transactions under €30 will be fraud free.