3DS Exemptions
On this page
Before implementing exemptions:
- Understand 3DS basics and liability shift
- Know your fraud rate for TRA eligibility
- Confirm processor support for exemption requests
Even when SCA is required (Europe) or you want liability shift, certain transactions can skip 3DS. Understanding exemptions is critical for optimizing conversion while maintaining compliance.
Exemption Types
| Exemption | Criteria | Who Decides |
|---|---|---|
| Low value | Under €30 (€100 cumulative limit) | Issuer |
| Low risk (TRA) | Based on fraud rate thresholds | Acquirer or Issuer |
| Recurring/MIT | After initial authenticated transaction | Merchant initiates (see subscriptions) |
| Corporate cards | Secure corporate payment process | Issuer (see B2B) |
| Trusted beneficiary | Cardholder whitelisted merchant | Cardholder/Issuer |
| Secure corporate | Dedicated payment processes | Varies |
Transaction Risk Analysis (TRA) Thresholds
TRA exemptions are based on your fraud rate. Lower fraud rate = higher exemption threshold.
| Your Fraud Rate | Exemption Threshold |
|---|---|
| Below 0.13% | Up to €100 |
| Below 0.06% | Up to €250 |
| Below 0.01% | Up to €500 |
Reality check: Most merchants can't claim TRA exemptions because they don't have the verified fraud rate data or the acquirer support.
TRA Eligibility Requirements
To qualify for TRA exemptions, you typically need:
- Verified fraud rate data over 90 days
- Acquirer that supports TRA requests
- Technical integration to request exemptions
- Monitoring for fraud rate drift
Exemption Decision Flow
Exemption Risks
| Risk | Description |
|---|---|
| Issuer decline | Issuer can reject exemption request |
| Liability stays with you | Exempted transactions = no liability shift |
| Ratio impact | Fraud on exempted transactions counts against you |
| Cumulative tracking | Low-value exemptions have limits |
The Liability Trade-off
When you request an exemption and it's approved:
- You skip the friction of 3DS
- You keep liability for fraud on that transaction
- If fraud occurs, it counts against your fraud rate
This is a conscious trade-off: better conversion in exchange for fraud liability.
When to Request Exemptions
| Request Exemption | Don't Request |
|---|---|
| Repeat customers with history | First-time high-risk orders |
| Low-value transactions | High-value orders |
| Low-risk profile | Any fraud signals present |
| Conversion-critical flow | When liability shift matters |
Good Exemption Candidates
- Subscription renewals - MIT after initial authenticated payment
- Low-value add-ons - Under €30 with established customer
- Trusted repeat customers - Multiple successful purchases, no disputes
- Corporate cards - Secure corporate payment processes
Bad Exemption Candidates
- New customers - No history to assess risk
- High-value orders - Fraud loss outweighs friction cost
- International transactions - Higher fraud risk
- Any fraud signals - Velocity, address mismatch, device risk
Implementation Notes
"Do you support 3DS exemption requests? Which exemption types can we request? How do we flag transactions for TRA?"
Not all processors support all exemptions. Verify:
- Which exemptions your processor can request
- How to flag transactions for exemption
- What data is required for TRA
- How declined exemptions are handled (fallback to full 3DS?)
Technical Implementation
Exemption requests are made during the 3DS authentication request:
| Processor | Typical Field |
|---|---|
| Stripe | payment_intent.payment_method_options.card.request_three_d_secure |
| Adyen | additionalData.scaExemption |
| Braintree | transactionSource + exemption flags |
Check your processor's documentation for exact implementation.
Exemption Strategy by Business Type
| Business Type | Recommended Approach |
|---|---|
| Subscriptions | Authenticate first payment, MIT exemption for renewals |
| High-frequency, low-value | Request low-value exemption, accept liability |
| High-value goods | Full authentication, don't exempt |
| Return customers | Trusted beneficiary (if supported) |
| Mixed | Segment by risk, exempt low-risk only |
Subscription Best Practice
- Initial signup: Full 3DS authentication
- First renewal: MIT exemption (prior consent established)
- Subsequent renewals: Continue MIT exemption
- Failed renewal retry: May need re-authentication
This pattern gives you liability shift on the initial high-risk transaction while removing friction from renewals.
Monitoring Exemption Performance
Track these metrics for exempted transactions:
| Metric | Target | Action if Exceeded |
|---|---|---|
| Fraud rate on exempted txns | Under 0.1% | Reduce exemption scope |
| Exemption approval rate | Over 90% | Check issuer compatibility |
| Conversion lift vs. 3DS | Over 2% | Keep exempting |
| Chargeback rate on exempted | Under 0.3% | Tighten exemption criteria |
If fraud on exempted transactions rises, you're exempting the wrong transactions.
Next Steps
- Check processor support → Verify which exemptions are available
- Know your fraud rate → Determine TRA eligibility
- Segment your transactions → Identify good exemption candidates
- Monitor results → Track fraud on exempted vs. authenticated
See Also
- 3DS Overview - Core 3DS concepts
- Subscriptions & Recurring - MIT implementation
- Fraud Metrics - Understanding your fraud rate
- Checkout Conversion - Optimizing checkout flow
- Processor Management - Working with processors
- B2B Commercial - Corporate card handling
- Network Programs - Threshold requirements