# Hosted Checkout Integration for PSD2 SCA
source: https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/psd2-sca-com-exem/hosted-checkout-int-psd2-sca/index.md

This page describes the integration effort to support PSD2 SCA compliance and exemptions for a Hosted Checkout integration. Before you proceed to build your integration, it is recommended that you familiarize yourself with [PSD2 SCA Compliance and Exemptions](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/psd2-sca-com-exem/index.md).

## Supported exemptions {#supported-exemptions}

The gateway currently has support for the following exemptions:

* Low Risk
* Low Value
* Whitelisting
* Recurring Payments
* Secure Corporate Payments

## Prerequisites {#prerequisites}

To comply with PSD2 SCA requirements, you need to add [EMV 3-D Secure Authentication](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/index.md) support to Hosted Checkout.

To use the PSD2 SCA exemptions functionality through the gateway:

* Your payment service provider must enable and configure your merchant profile on the gateway for the PSD2 exemptions you want to use.
* Do not configure any EMV 3-D Secure Transaction Filtering rules.
* You must have a Hosted Checkout integration to the gateway for [3DS2](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/index.md).
* Submit the [Initiate Checkout](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/v100/rest/api-ops/index.md#hosted-checkout) request to initiate the Hosted Checkout interaction.
* Submit as much payer and transaction information as possible when [initiating the authentication](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/3ds-payer-auth-api/index.md#step-2-authenticate-payer). This raises the probability of an exemption being granted or applied by the issuer.

## Claiming an exemption when requesting payer authentication {#claiming-an-exemption-when-requesting-payer-authentication}

You can claim an exemption by adding the field `authentication.psd2.exemption` to the [Initiate Checkout](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/v100/rest/api-ops/index.md#hosted-checkout) request with one of the following values:

* LOW_RISK
* LOW_VALUE_PAYMENT
* SECURE_CORPORATE_PAYMENT

If you are not enabled for the requested exemption, the request is processed as if you did not request an exemption. The issuer may:

* grant the exemption that you have requested,
* apply an issuer exemption, or
* deny the exemption that you have requested and not apply an issuer exemption.

Special handling is applied if your acquirer or the scheme does not support exemptions.

|                    **Scenario**                    |                                                                                                                                                                  **Description**                                                                                                                                                                  |
|----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Issuer Grants Acquirer Exemption                   | If the issuer grants the exemption you have requested, the payer will be presented with a frictionless checkout flow. The gateway will automatically add the authentication details provided by the issuer in the authentication response to the payment request submitted to the acquirer for processing.                                        |
| Issuer Applies Issuer Exemption                    | If the issuer applies an issuer exemption, the payer will be presented with a frictionless checkout flow. The gateway will automatically add the authentication details provided by the issuer in the authentication response to the payment request submitted to the acquirer for processing.                                                    |
| Issuer does not Grant or Apply an Exemption        | If the issuer neither grants nor applies an exemption, the payer will be presented with the EMV 3-D Secure challenge flow. The gateway will automatically add the authentication details provided by the issuer in the authentication response to the payment request submitted to the acquirer for processing.                                   |
| Acquirer does Not have Support for PSD2 Exemptions | If the acquirer does not support PSD2 exemptions, the gateway processes the authentication as if no exemption were requested. The payer will be presented with the EMV 3-D Secure challenge flow, and the gateway will automatically add the authentication details provided by the issuer in the authentication response to the payment request. |
| PSD2 Exemptions Not Supported for this Scheme      | If the gateway does not support PSD2 exemptions for a scheme (only supported for Mastercard and Visa), it proceeds without performing EMV 3-D Secure and will automatically request the exemption when submitting the payment for processing with the acquirer.                                                                                   |

## Claiming an exemption when submitting a payment {#claiming-an-exemption-when-submitting-a-payment}

Hosted Checkout does not support bypassing EMV 3-D Secure authentication and claiming an exemption on the payment itself. You can bypass EMV 3-D Secure authentication by submitting `interaction.action.3DSecure=BYPASS` in the [Create Checkout Session](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/v100/rest/api-ops/index.md#session) request. However, if the issuer does not grant the exemption and does not apply an issuer exemption, the payment will be unsuccessful. Hosted Checkout will not fall back to EMV 3-D Secure authentication when the payment fails because the payer authentication required under PSD2 SCA is missing. The payer will be presented with a page telling them that the payment was not successful.

## Using the gateway for authentication only {#using-the-gateway-for-authentication-only}

Hosted Checkout does not support performing payer authentication only, without proceeding to the payment. If you want to use the gateway for authentication only, you must use Direct Payment integration.

## Whitelisting {#whitelisting}

Hosted Checkout does not support asking the issuer to offer the payer the option of adding you to their whitelist (for the card). However, if you know that the payer has whitelisted you, you can request the application of the whitelisting exemption by adding `authentication.psd2.exemption=WHITELISTED_MERCHANT` to the [Initiate Checkout](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/v100/rest/api-ops/index.md#hosted-checkout) request.

The issuer will validate that the payer has whitelisted you and either:

* grant the exemption (frictionless flow for the payer) and return authentication details for a successful authentication, or
* not grant the exemption and present the payer with the challenge flow. If the payer has whitelisted you, and you proceed to the payment without authenticating the payer, the issuer may grant the exemption or reject the transaction request.

## Merchant-initiated payments {#merchant-initiated-payments}

If you are required to comply with PSD2 SCA requirements, you cannot use Hosted Checkout for a cardholder-initiated payment in a series of merchant-initiated payments (including recurring payments with a fixed amount). For these payments, you must enforce payer authentication with the EMV 3-D Secure challenge.

## Testing your integration {#testing-your-integration}

You can test your integration using your test merchant profile (your merchant ID prefixed with "TEST"). The following sections provide details about the test card numbers that can be used to trigger a specific response.

To trigger a response indicating that the issuer granted an exemption that you have requested:

1. Submit an [Initiate Checkout](https://developer.mastercard.com/mastercard-gateway/documentation/api-reference/v100/rest/api-ops/index.md#hosted-checkout) request with the following:

* `apiOperation=CREATE_CHECKOUT_SESSION`
* `authentication.psd2.exemption` set to one of the following:
  * LOW_RISK
  * LOW_VALUE_PAYMENT
  * SECURE_CORPORATE_PAYMENT

2. During the SRC interaction, select one of the following test cards: **5506900140100107 (Mastercard), 4532249999999388 (Visa)**

3. This results in an order with an authentication transaction with:

* `authentication.psd2.exemption` set to the value provided in the request, in other words, one of the following:
  * LOW_RISK
  * LOW_VALUE_PAYMENT
  * SECURE_CORPORATE_PAYMENT
* `transaction.authenticationStatus=AUTHENTICATION_EXEMPT`
* `response.gatewayRecommendation=PROCEED`
* `response.gatewayCode=APPROVED`
* `order.status=AUTHENTICATION_NOT_NEEDED`
* `authentication.3ds2.transactionStatus=N` (Mastercard and Visa)
* `authentication.3ds2.statusReasonCode=81` (Mastercard only)
* `authentication.3ds2.statusReasonCode=89` (Visa only)
* `authentication.3d.acsEci=06` (Mastercard) or `07` (Visa)
* `authentication.3ds.authenticationToken`

4. The Authorize or Pay transaction on this order will be successfully processed.
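As an added illustration (not the gateway's own code or sample), the following Python builds an Initiate Checkout body that claims one of the exemptions described above and checks an order result against the step 3 expectations for both Mastercard and Visa test cards; the `order.id`/`order.amount`/`order.currency` field names and the sample response are assumptions constructed for the example.

```python
# Claimable values for authentication.psd2.exemption on Initiate Checkout (from this page)
CLAIMABLE = ("LOW_RISK", "LOW_VALUE_PAYMENT", "SECURE_CORPORATE_PAYMENT", "WHITELISTED_MERCHANT")

# Scheme-specific values the test procedure expects on an exempt authentication
SCHEME_EXPECTATIONS = {
    "MASTERCARD": {"authentication.3ds2.statusReasonCode": "81", "authentication.3d.acsEci": "06"},
    "VISA": {"authentication.3ds2.statusReasonCode": "89", "authentication.3d.acsEci": "07"},
}

def build_initiate_checkout(order_id, amount, currency, exemption=None):
    """Build the Initiate Checkout body; order.id/amount/currency are assumed field names."""
    if exemption is not None and exemption not in CLAIMABLE:
        raise ValueError(f"not a claimable PSD2 exemption: {exemption}")
    body = {"apiOperation": "CREATE_CHECKOUT_SESSION",
            "order": {"id": order_id, "amount": amount, "currency": currency}}
    if exemption:  # omit the field entirely when no exemption is claimed
        body["authentication"] = {"psd2": {"exemption": exemption}}
    return body

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys such as transaction.authenticationStatus."""
    return {k2: v2 for k, v in obj.items() for k2, v2 in
            (flatten(v, prefix + k + ".").items() if isinstance(v, dict) else [(prefix + k, v)])}

def verify_exempt_result(result, requested, scheme):
    """Return (field, expected, actual) mismatches against the step 3 expectations."""
    fields = flatten(result)
    expected = {
        "authentication.psd2.exemption": requested,
        "transaction.authenticationStatus": "AUTHENTICATION_EXEMPT",
        "response.gatewayRecommendation": "PROCEED",
        "response.gatewayCode": "APPROVED",
        "order.status": "AUTHENTICATION_NOT_NEEDED",
        "authentication.3ds2.transactionStatus": "N",
        **SCHEME_EXPECTATIONS[scheme],
    }
    mismatches = [(k, v, fields.get(k)) for k, v in expected.items() if fields.get(k) != v]
    if not fields.get("authentication.3ds.authenticationToken"):  # must be present; value varies
        mismatches.append(("authentication.3ds.authenticationToken", "<present>", None))
    return mismatches

# Constructed sample (not a real gateway response) for the Mastercard test card path
SAMPLE = {
    "authentication": {"psd2": {"exemption": "LOW_VALUE_PAYMENT"}, "3ds": {"authenticationToken": "tok-x"},
                       "3ds2": {"transactionStatus": "N", "statusReasonCode": "81"}, "3d": {"acsEci": "06"}},
    "transaction": {"authenticationStatus": "AUTHENTICATION_EXEMPT"}, "order": {"status": "AUTHENTICATION_NOT_NEEDED"},
    "response": {"gatewayRecommendation": "PROCEED", "gatewayCode": "APPROVED"},
}
```

Running `verify_exempt_result(SAMPLE, "LOW_VALUE_PAYMENT", "MASTERCARD")` returns an empty list, while checking the same result against the Visa expectations reports the differing `statusReasonCode` and `acsEci` values.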

## FAQs {#faqs}

If you have an existing integration with the gateway using the gateway's legacy API for 3DS1, you need to upgrade to [EMV 3-D Secure Authentication](https://developer.mastercard.com/mastercard-gateway/documentation/security-and-fraud/authentication/3d-secure-auth/index.md) and then follow the integration steps described on this page.

EMV 3-D Secure 1 is only considered compliant with the PSD2 SCA mandate if the issuer sends a one-time password to the payer's phone when authenticating the payer, not where the issuer assigns a static password to the payer.

As not all issuers use one-time passwords, it is not recommended to rely on 3DS1 if you are required to comply with the PSD2 SCA mandate.
You do not need to authenticate the payer for such an agreement again. The schemes have rules for the transition period.

The gateway ignores the exemption contained in the session when the order has a payment that has been rejected by the issuer because it is not PSD2 SCA compliant. Hence, you are not required to remove the exemption from the session before performing the EMV 3-D Secure authentication for the order and resubmitting the payment.

When searching for an order or transaction in Merchant Administration through the Order and Transaction Search, you can use the search term:

* "Payer Authentication Status":"Authentication Successful" to find all successfully authenticated orders
* "Payer Authentication Status":"Authentication Exempt" to find all orders where an exemption was requested or applied

The authentication status of the order is displayed on the Order and Transaction Details page in Merchant Administration in the field "Payer Authentication Status" in the "Payer Authentication Details" section. The field has the value "Authentication Exempt" if an exemption has been requested or applied to the order.

The authentication status of the transaction is displayed on the Order and Transaction Details page in Merchant Administration in the section "Transactions". Select "View" for the transaction that you want to view. The field 'Payer Authentication - Authentication Status' will have the value 'Authentication Exempt' if an exemption has been requested or applied to the transaction.
