Learn about how to manage exemptions.
For merchants performing standalone authentications, we support the exemptions listed as requestorChallengeIndicator in the API reference. For merchants performing integrated authentications and using the PXP card service, only LVP and TRA can be applied in authentication/authorisation requests. Recurring payment exemptions are applied automatically by PXP when the transaction is flagged properly using the recurring.processingModel field in the initiate transaction request.
We'll configure exemption thresholds for your organisation during the onboarding process. These are applied at the merchant group level and can't be edited by you. You can view your organisation's thresholds by going to Settings > Exemptions.
When you make a pre-initiation request, the response includes an applicableExemptions field. This field contains a list of the exemptions that can be applied in a transaction request. Exemptions can only be applied if SCA is mandated. Otherwise, they're ignored.
{
"authenticationId": "9180c811-ae68-4b40-8910-bfe74a26d65a",
"state": "PendingClientData",
"scaMandated": false,
"applicableExemptions": "LVP,TRA",
"threeDSecureVersion": "2.2.0",
"threeDSecureFingerprintUrl": "https://api-services.test.pxp.io/mock/3ds-access-control-server-mock/fingerprint",
"threeDSecureFingerprintData": "eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjkxODBjODExLWFlNjgtNGI0MC04OTEwLWJmZTc0YTI2ZDY1YSIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL3d3dy50ZXN0LTAzIn0=",
"threeDSecureSupported": true,
"recommendedChallengeIndicator": null
}Only one exemption can be applied at a time. If both LVP and TRA are returned as in the example above, we recommended applying TRA.
If you decide to skip authentication and apply an exemption directly during authorisation, you accept the risk of a transaction soft decline.
You can request exemption in the authentication request by sending requestorChallengeIndicator = 05 (TRA) or 10 (LVP).
You can verify whether the requested exemption has been granted during authentication by checking the value of the exemptionGranted field in the authentication response. Once exemption is granted during authentication, you can proceed with authorisation by sending the authenticationId in the initiate transaction request. PXP will automatically apply the granted exemption during this authorisation.
{
"acsUrl": null,
"cardholderInfo": null,
"challengeData": null,
"electronicCommerceIndicator": "06",
"exemptionGranted": true,
"exemptionGrantedByIssuer": null,
"state": "AuthenticationSuccessful",
"stateData": null,
"transactionStatus": "I",
"uniqueId": "393c26d1-f4f5-4be0-94fe-ec63b5c2d5fd"
}The exemptionGrantedByIssuer field currently returns null. It will be populated once we adopt 3DS 2.3.
We use the requestorAuthenticationIndicator field in the pre-initiation request to determine whether you're setting up an agreement with the cardholder to store their card credentials.
We'll recognise that you're going to authenticate the initial card-on-file (COF) transaction if you supply one of these values:
02: Initial recurring payment.03: Initial COF for subsequent MITs.04: Initial COF for subsequent CITs.
Exemption isn't applicable if the transaction is used for the initial COF payment (for future MITs, including recurring payment and CITs). All initial COF payments must be authenticated with challenge, as stipulated by PSD2. This means we won't return applicable exemptions. Instead, we'll return recommendedChallengeIndicator: "04" (in most of the cases) or "03". Note that Visa stipulates that if the initial COF payment is for subsequent CITs, authentication with challenge is just recommended rather than required. In this case, we'll return recommendedChallengeIndicator: "03".
If you decide to apply an exemption, you accept the risk of:
- A soft decline of the initial COF transaction.
- Even if authorised, having future transactions using the stored credentials be declined or soft-declined.