# Managing SCA in Europe

> Learn how to manage Strong Customer Authentication (SCA) in Europe.

Strong customer authentication (SCA) was introduced as a requirement of the second Payment Services Directive (PSD2), which aims to make electronic payments more secure. SCA applies to the European Economic Area and the United Kingdom. It requires banks to perform additional checks to confirm the cardholder's identity when a payment is made.

Banks can do this by asking for any combination of two forms of identification at checkout:

* **Knowledge** — "something they know" (e.g., password or PIN)

* **Possession** — "something they have" (e.g., mobile phone via one-time passcode)

* **Inherence** — "something they are" (e.g., biometrics such as fingerprints or facial recognition)

This page outlines PSD2 articles 11 and 16, as put forth by the European Banking Authority (EBA), and how Marqeta enables you to be compliant with SCA rules.

<h2 id="_contactless_payments">
  Contactless payments
</h2>

<h3 id="_article_11_contactless_payments_at_point_of_sale">
  Article 11: contactless payments at point of sale
</h3>

Article 11 of the second Payment Services Directive (PSD2) states that issuers shall be allowed to not apply strong customer authentication where the payer initiates a contactless electronic payment transaction, provided that the following conditions are met:

* The individual amount of the contactless electronic payment transaction does not exceed €50;\
  **AND**

* The cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of SCA does not exceed €150;\
  **OR**

* The number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of SCA does not exceed five.

Marqeta’s hosted solution provides the core functionality customers need to comply with SCA rules for contactless payments, and it allows customers outside of the PSD2 requirements to apply enhanced risk solutions to their transactions. Customers should check which limits are appropriate for their region and set the configuration accordingly. Customers within the UK, where the Q4 2021 directive raised the single transaction contactless limit to £100, can use this functionality to increase this limit from the €50 PSD2 baseline.

With this feature enabled, Marqeta monitors all incoming contactless transactions, evaluating and applying logic to these transactions for each cardholder.

Customers can enable Marqeta-hosted contactless SCA controls via their Card Product configuration. Customers can set limits per Card Product in specific currencies. Marqeta converts transactional currencies, allowing customers to set the limits in EUR to ensure PSD2 compliance.

<h3 id="_card_product_configuration">
  Card product configuration
</h3>

```json
{
  "config": {
    "transaction_controls": {
      "strong_customer_authentication_limits": {
        "sca_contactless_transaction_limit": "50",
        "sca_contactless_cumulative_amount_limit": "150",
        "sca_contactless_transactions_count_limit": "5",
        "sca_contactless_transactions_currency": "EUR"
      }
    }
  }
}
```

<h3 id="_exemptions">
  Exemptions
</h3>

**What contactless transactions are exempt from SCA?**

In some instances, contactless transactions are exempt from the PSD2 mandate and any contactless logic on the Marqeta side. They are not declined and do not contribute to counters. These transactions include:

* Mobile wallet payments (e.g., Apple Pay, Google Wallet), as they are already considered to be SCA secured.

* Payments for transport fares or parking fees at an unattended terminal, which do not require SCA. These include [MCCs](/core-api/mcc-groups/) `4111`, `4112`, `4131`, `4784`, and `7523`.

<h4 id="_contactless_transactions">
  Contactless transactions
</h4>

Marqeta’s webhook payload includes the key information customers need to identify a contactless transaction. A typical contactless transaction appears as in the example below. Whether or not limits are set on the Card Product, Marqeta provides `contactless_exemption_counter` and `contactless_exemption_total_amount` in the webhook payload, so that customers can host a contactless solution within their own platform.

```json
{
  "card" : {
    "contactless_exemption_counter" : 1,
    "contactless_exemption_total_amount" : 4.500000
  },
  "pos": {
    "pan_entry_mode": "CHIP_CONTACTLESS",
    "card_holder_presence": true,
    "card_presence": true,
    "pin_present": false
  }
}
```

With the limits applied, the Marqeta platform monitors transactions that meet the criteria and keeps a record of these for each card. Once a particular card breaches these limits, the transaction is soft-declined. This tells the merchant that they must apply SCA and reattempt the transaction. In most cases, this will be related to PIN. Marqeta uses one of the following response memos to decline these transactions, depending on which attribute triggered the breach. Transactions continue to be declined until a point of sale (POS) authorization has been approved with SCA. Once one is approved, the contactless counters are reset and contactless can be used again for that card.

```json
{
  "response": {
    "code": "1891",
    "memo": "Strong Customer Authentication — SCA contactless cumulative amount exceeded"
  }
}
```

| Code   | Description                                                                        |
| ------ | ---------------------------------------------------------------------------------- |
| `1891` | Strong Customer Authentication — SCA contactless cumulative amount exceeded.       |
| `1892` | Strong Customer Authentication — SCA contactless transaction count limit exceeded. |
| `1893` | Strong Customer Authentication — SCA contactless transaction limit exceeded.       |

<h2 id="_e_commerce_low_value_payments">
  E-commerce low value payments
</h2>

<h3 id="_article_16_low_value_transactions">
  Article 16: low value transactions
</h3>

Article 16 of the second Payment Services Directive (PSD2) communicates that SCA is not mandated for remote electronic low value transactions, provided that the following conditions are met:

* The amount of the remote electronic payment transaction does not exceed €30;\
  **AND**

* The cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of SCA does not exceed €100;\
  **OR**

* The number of previous remote electronic payment transactions initiated by the payer since the last application of SCA does not exceed five consecutive electronic payment transactions.

Marqeta’s hosted solution provides the core functionality customers need to comply with SCA rules for e-commerce payments, and it allows customers outside of the PSD2 requirements to apply enhanced risk solutions to their transactions. Customers should check which limits are appropriate for their region and set the configuration accordingly.

With this feature enabled, Marqeta monitors all incoming unsecured e-commerce transactions, evaluating and applying logic to these transactions for each cardholder.

Customers can set limits per Card Product in a specific currency. Marqeta converts transactional currencies into the currency configured in the Card Product before evaluation, so Marqeta suggests utilizing the values in EUR as they come from the PSD2 directive.

<h3 id="_card_product_configuration_2">
  Card product configuration
</h3>

```json
{
  "config": {
    "transaction_controls": {
      "strong_customer_authentication_limits": {
        "sca_lvp_transaction_limit": "30",
        "sca_lvp_cumulative_amount_limit": "100",
        "sca_lvp_transactions_count_limit": "5",
        "sca_lvp_transactions_currency": "EUR"
      }
    }
  }
}
```

<h3 id="_exemptions_2">
  Exemptions
</h3>

**What e-commerce transactions are exempt from SCA limits?**

In some instances, e-commerce transactions are exempt from the PSD2 mandate. Therefore, these will be exempt from any SCA logic on the Marqeta side. These transactions include:

* Mobile wallet payments (e.g., Apple Pay, Google Wallet), as they are already considered to be SCA secured.

* Transactions that have been through 3D Secure, as the cardholders have provided verification.

* Transactions where an acquirer exemption is present, as this states that SCA is not required or cannot be completed for the transaction.

<h4 id="_unsecured_transactions">
  Unsecured transactions
</h4>

Marqeta’s transaction payload includes key information to allow customers to distinguish between different types of transactions. Using various fields, you can determine which transactions are secured, which are not, and which are exempt. A typical unsecured e-commerce transaction with no 3DS authentication is shown below.

```json
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "no_authentication"
  },
  "transaction_metadata": {
    "payment_channel": "ECOMMERCE"
  }
}
```

An e-commerce transaction can be exempted in one of two ways: via an acquirer exemption or via an issuer exemption (within the Card Product limits). Both show as unsecured, but additional fields identify the exemption that was applied and the reason for it.

<h4 id="_acquirer_exemptions">
  Acquirer exemptions
</h4>

An Acquirer Exempted Transaction occurs when the acquirer has stated that there is no need for authentication and, therefore, liability shifts to the merchant on the transaction (if approved). For this reason, any acquirer exemption that is provided is respected, allowing the authorization to proceed without requiring authentication. Moreover, the authorization does not count towards the Marqeta low value payment (LVP) SCA limits set in the Card Product.

```json
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "no_authentication",
    "acquirer_exemption": [
      "TRANSACTION_RISK_ANALYSIS"
    ]
  },
  "transaction_metadata": {
    "payment_channel": "ECOMMERCE"
  }
}
```

<h4 id="_issuer_exemptions">
  Issuer exemptions
</h4>

Issuer exemptions are those exemptions that Marqeta has applied. The Marqeta platform exempts those transactions which fall within the LVP limits set in the Marqeta card product, allowing unsecured e-commerce authorizations to be approved. These exempted transactions are tracked by the Marqeta platform, ensuring that once the limits are reached, issuer exemptions are no longer applied.

```json
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "no_authentication",
    "issuer_exemption": "LOW_VALUE_PAYMENT"
  },
  "transaction_metadata": {
    "payment_channel": "ECOMMERCE"
  }
}
```

Once a particular card breaches these limits, the transaction is soft-declined, which informs the merchant that Marqeta does not allow the authorization to proceed until authentication has been completed. Therefore, the merchant should apply SCA before reattempting the transaction.

Marqeta uses one of the following response memos to decline these transactions, depending on which attribute has triggered the breach. Once an authenticated authorization is approved, counters are reset and issuer exempted e-commerce transactions can occur for that card.

```json
{
  "response": {
    "code": "1897",
    "memo": "SCA LVP cumulative amount exceeded."
  }
}
```

| Code   | Description                               |
| ------ | ----------------------------------------- |
| `1897` | SCA LVP cumulative amount exceeded.       |
| `1898` | SCA LVP transaction count limit exceeded. |
| `1899` | SCA LVP transaction limit exceeded.       |

<h3 id="_cardholder_authentication_data">
  Cardholder authentication data
</h3>

Authorization messages carry Visa’s Cardholder Authentication Verification Value (CAVV) or, for Mastercard, the Accountholder Authentication Value (AAV), which uses the Universal Cardholder Authentication Field. These tokens are generated by Marqeta’s access control server (ACS) and provide evidence that cardholder authentication was successful, or that the merchant has attempted authentication.

The SCA mandate is complemented by limited exemptions that aim to support a "frictionless" cardholder experience when the transactional risk is low. Merchants can provide exemptions in the authorization message to detail the reasons why SCA is not required. This is shown in the `acquirer_exemption` field in the Marqeta transaction JIT and webhook payloads. For further reference, see the `cardholder_authentication_data` object.

The `verification_result` field provides the result of a network comparison between authentication and authorization data elements. This is separate and distinct from the authentication result, which is reported in the `electronic_commerce_indicator` field. Please note that `authentication_status` is only present when the network provides CAVV data. Therefore, the `electronic_commerce_indicator` field must be used to determine SCA status.

```json
{
  "cardholder_authentication_data": {
    "electronic_commerce_indicator": "authentication_successful",
    "verification_result": "not_verified",
    "verification_value_created_by": "issuer_acs",
    "three_ds_message_version": "2.2.0",
    "authentication_method": "BIOMETRIC",
    "authentication_status": "SUCCESSFUL"
  }
}
```

<h3 id="_jit_decline">
  JIT decline
</h3>

Using the information provided in the `cardholder_authentication_data` object, customers can choose to approve or decline a transaction based on its e-commerce security. In some regions, local/country regulations require customers to decline all non-secure e-commerce transactions, which can be achieved via this method.

The only way for a Marqeta customer to soft-decline an authorization and prompt for SCA is by using the `decline_reason` shown below.

```json
{
  "jit_funding": {
    "token": "b23fd310-3001-4723-8f7b-e6843b5fe1e6",
    "method": "pgfs.authorization",
    "user_token": "4997F7AA-5CD7-4FB9-9335-62CE17330390",
    "acting_user_token": "4937F7AA-5CD2-4FB9-9735-62CE97130390",
    "amount": 2109.85,
    "decline_reason": "SOFT_DECLINE_AUTHENTICATION_REQUIRED"
  }
}
```
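
A sketch of the decision described above, as an added example that is not Marqeta code: it classifies a transaction from the fields documented on this page and adds the soft-decline reason for every e-commerce class the caller's policy does not allow. The function names, the class labels, the `allow` policy parameter, and the way the caller obtains `jit_funding` and the transaction object are assumptions; the sample payloads are constructed.

```python
SECURED = "authentication_successful"  # indicator value shown on this page
SOFT_DECLINE = "SOFT_DECLINE_AUTHENTICATION_REQUIRED"


def classify(txn):
    """Label a transaction using only the fields this page documents."""
    auth = txn.get("cardholder_authentication_data") or {}
    channel = (txn.get("transaction_metadata") or {}).get("payment_channel")
    if channel != "ECOMMERCE":
        return "not_ecommerce"
    # SCA status comes from electronic_commerce_indicator, never from
    # authentication_status, which is only present when CAVV data is provided.
    if auth.get("electronic_commerce_indicator") == SECURED:
        return "authenticated"
    if auth.get("acquirer_exemption"):
        return "acquirer_exempt"
    if auth.get("issuer_exemption"):
        return "issuer_exempt"
    return "unsecured"  # also covers missing or unrecognised values (fail closed)


def jit_response(jit_funding, txn, allow=("not_ecommerce", "authenticated")):
    """Echo jit_funding, adding the soft-decline reason unless the class is allowed."""
    label = classify(txn)
    body = dict(jit_funding)
    if label not in allow:
        body["decline_reason"] = SOFT_DECLINE
    return label, {"jit_funding": body}


# Constructed sample: authentication_status alone must not mark it as secured.
SAMPLE_JIT = {"token": "constructed-token", "method": "pgfs.authorization", "amount": 20.0}
SAMPLE_TXN = {
    "cardholder_authentication_data": {
        "electronic_commerce_indicator": "no_authentication",
        "authentication_status": "SUCCESSFUL",
    },
    "transaction_metadata": {"payment_channel": "ECOMMERCE"},
}

if __name__ == "__main__":
    print(jit_response(SAMPLE_JIT, SAMPLE_TXN))
```

The default `allow` tuple implements the strict policy of declining all non-secure e-commerce transactions; adding `"acquirer_exempt"` to it honours acquirer exemptions instead.
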


## Related topics

- [About SCA in Europe](/docs/developer-guides/mq-eu-about-sca.md)
- [3D Secure in Europe](/docs/developer-guides/mq-eu-3ds.md)
- [Marqeta in Europe: Troubleshooting and Best Practices](/docs/developer-guides/mq-eu-troubleshooting.md)
- [Marqeta in Europe Overview](/docs/developer-guides/marqeta-in-europe-landing-page.md)
- [Card Products in Europe](/docs/developer-guides/mq-eu-card-products.md)
