Payment Infrastructure

3DS2 + SCA Step-Up Optimisation: From 38% Frictionless to 73% Without Lifting Fraud

Rebuilt the 3DS2 step-up programme for a regional acquirer-processor (per-issuer scoring, full PSD2 exemption suite, abandon-recovery flows), lifting the frictionless rate from 38% to 73% over three quarters while holding fraud below the band-2 (6 bps) TRA ceiling.

Frictionless rate: 38% → 73% (+35 pts)
3DS2 step-up rate: 62% → 27% (-35 pts)
Step-up abandonment recovered: 11% of abandons re-converted
Portfolio fraud rate: held below 6 bps (band 2 TRA)
Auth-rate lift on CNP traffic: +5.4 pts portfolio
Issuers actively scored: 180+ issuer / BIN-range combinations
Executive summary

What this is, in one paragraph.

Rebuilt the 3DS2 + SCA exemption programme for a regional acquirer-processor, moved from portfolio-wide TRA flagging to per-issuer, per-merchant, per-amount-band exemption profiles; deployed the full PSD2 exemption suite (TRA, low-value, recurring, trusted beneficiary, MIT); and shipped step-up abandon-recovery flows. Lifted frictionless rate from 38% to 73% over three quarters, while holding the portfolio fraud rate below the band-2 TRA ceiling (6 bps) on routed traffic, and moving the qualifying merchant cohort into band 3 in the final quarter. Delivered +5.4 points portfolio CNP authorisation-rate lift, with the largest gains on iOS Safari + cross-border combinations.

◆ Before / after
  • TRA exemption usage: Portfolio-wide single flag → Per-merchant, per-issuer, per-amount-band exemption profile
  • Recurring + MIT handling: Step-up on every payment → MIT flag at auth + recurring exemption with token persistence
  • Step-up abandonment recovery: No recovery flow → OTP resend + alternative-method fallback + post-abandon outreach
  • Per-issuer scoring: Single global step-up logic → 180+ issuer-range profiles refreshed monthly
Problem

The job to be done.

The platform was operating in TRA band 2 (€250 ceiling, 6 bps fraud floor) with a portfolio frictionless rate of 38%, well below regional peers. CNP authorisation rate trailed the regional benchmark by 4 points. The step-up flow was either always-on (high friction, high abandonment) or off (no exemption strategy at all) depending on the merchant. Recurring subscriptions stepped up on every charge; MIT flags were inconsistently set; trusted-beneficiary lookups were not in the flow. The scheme account manager had quietly warned that the band-2 status was at risk of slipping to band 1 if fraud trends did not improve. The team needed a complete rebuild of the exemption + step-up surface, with no acceptable trade-off on the fraud rate.

System built

What we shipped.

  • Pre-auth exemption scoring service: scores every CNP transaction against the five PSD2 exemptions and picks the highest-value applicable path
  • Per-issuer override map: 180+ issuer + BIN-range combinations with observed exemption-honour rates, step-up override rates, and per-amount-band TRA ceilings
  • Per-merchant exemption profile: each merchant's typical transaction mix, fraud band, and exemption preferences captured as a config
  • MIT indicator pipeline: end-to-end correctness on the MIT flag at authorisation (not capture), including back-fill for recurring subscriptions
  • Recurring exemption with token persistence: token-backed subscriptions retain the first-CIT-authentication anchor; amount-drift detection re-arms SCA only when amount changes materially
  • Trusted-beneficiary lookup in the auth flow (per-issuer; honoured where issuers expose the signal)
  • Step-up abandonment recovery: OTP resend, push notification re-prompt, fallback to alternative payment method, post-abandonment outreach via merchant
  • Real-time fraud-rate dashboard: per-band visibility against TRA ceilings (€100 / €250 / €500); auto-tightens exemption flagging when rolling rate approaches threshold
Architecture

How it's put together.

  • Exemption-scoring runs as a synchronous pre-auth service: < 80ms p95 added latency; cached per-issuer profile + per-merchant config + transaction risk score
  • Per-issuer scoring updates monthly from observed honour rates; weighted toward last 30 days of behaviour; manual override allowed for known-issuer changes
  • MIT pipeline keyed on a prior-authentication-reference table: every MIT request looks up the originating CIT and includes its authentication evidence in the auth request
  • Step-up abandonment recovery sequenced: client-side OTP resend (zero latency), then alternative method offer, then session-recovery email for merchants who opt in
  • Fraud-rate guard-rails are first-class: real-time portfolio rate + per-merchant rate + per-issuer rate; exemption ceiling tightens automatically when any segment approaches the band ceiling
  • Reconciliation: every exemption decision and step-up outcome is logged; available for scheme audit replay and per-merchant performance reporting
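The "System built" and "Architecture" lists above describe one pre-auth decision: score the transaction against the exemption set, weight each candidate by the issuer's observed honour rate, tighten the TRA ceiling when a merchant's rolling fraud rate approaches its band ceiling, require a prior-CIT reference before any MIT or recurring path, and log the decision for audit replay. The following is an added example of that decision flow in Python; it is not the platform's own code. The band ceilings (€100 / €250 / €500), the exemption set and the 70%-of-ceiling guard-rail come from the page; the 13 / 6 / 1 bps reference fraud rates are the PSD2 RTS thresholds for those bands; the 10% amount-drift tolerance, the risk-score cut-off, the issuer profile, merchant configs, CIT reference table and transactions are constructed assumptions.

```python
# Added example (not the page's own code): a simplified pre-auth exemption scorer
# in the shape the case study describes. Band ceilings, the exemption set and the
# 70%-of-ceiling guard-rail come from the page; issuer profile, merchant configs,
# the CIT reference table and the transactions are constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

# PSD2 RTS TRA bands: band -> (amount ceiling in EUR, reference fraud rate in bps).
TRA_BANDS = {1: (100.0, 13.0), 2: (250.0, 6.0), 3: (500.0, 1.0)}
LOW_VALUE_LIMIT = 30.0         # low-value exemption ceiling (cumulative counters omitted)
GUARD_RAIL_FRACTION = 0.70     # page: tighten when rolling rate crosses 70% of band ceiling
AMOUNT_DRIFT_TOLERANCE = 0.10  # assumed: >10% drift from the CIT anchor re-arms SCA
TRA_RISK_CUTOFF = 0.5          # assumed: risk-engine score at or above this disqualifies TRA


@dataclass
class IssuerProfile:
    bin_range: str
    honour_rates: dict            # exemption -> observed share honoured frictionless (0..1)
    step_up_override_rate: float  # share of honoured exemptions the issuer still steps up


@dataclass
class MerchantProfile:
    merchant_id: str
    tra_band: int
    allowed_exemptions: set
    rolling_fraud_bps: float      # rolling fraud rate on this merchant's exempted traffic


@dataclass
class Txn:
    merchant_id: str
    bin_range: str
    amount: float
    risk_score: float = 0.0       # 0..1 from the risk engine
    recurring: bool = False
    mit: bool = False
    prior_cit_ref: Optional[str] = None
    trusted_beneficiary: bool = False


@dataclass
class Decision:
    path: str                     # exemption name, or "step_up"
    reason: str
    scored: dict = field(default_factory=dict)
    auth_evidence: Optional[dict] = None  # CIT evidence carried on MIT / recurring


def effective_tra_ceiling(m: MerchantProfile) -> float:
    """Guard-rail: at or above 70% of the band's reference rate, drop one band.
    Below band 1 the TRA path is switched off entirely (ceiling 0.0)."""
    band = m.tra_band
    if m.rolling_fraud_bps >= GUARD_RAIL_FRACTION * TRA_BANDS[band][1]:
        band -= 1
    return TRA_BANDS[band][0] if band >= 1 else 0.0


def candidate_exemptions(txn: Txn, merchant: MerchantProfile, cit_table: dict) -> dict:
    """Exemptions this transaction qualifies for, each mapped to the CIT evidence
    it must carry (None where no prior authentication is involved)."""
    cit = cit_table.get(txn.prior_cit_ref)
    if txn.mit:
        # Cardholder is absent, so no CIT exemption applies: the only valid path
        # is an MIT that cites the originating authentication.
        return {"mit": cit} if cit else {}
    cands = {}
    if txn.recurring and cit and abs(txn.amount - cit["amount"]) <= AMOUNT_DRIFT_TOLERANCE * cit["amount"]:
        cands["recurring"] = cit
    if txn.amount <= LOW_VALUE_LIMIT:
        cands["low_value"] = None
    if txn.trusted_beneficiary:
        cands["trusted_beneficiary"] = None
    if txn.amount <= effective_tra_ceiling(merchant) and txn.risk_score < TRA_RISK_CUTOFF:
        cands["tra"] = None
    return {k: v for k, v in cands.items() if k in merchant.allowed_exemptions}


def score_transaction(txn: Txn, merchant: MerchantProfile, issuer: IssuerProfile,
                      cit_table: dict, log: list) -> Decision:
    """Pick the candidate with the highest expected frictionless probability for
    this issuer, and append a reconciliation record for audit replay."""
    cands = candidate_exemptions(txn, merchant, cit_table)
    scored = {n: round(issuer.honour_rates.get(n, 0.0) * (1 - issuer.step_up_override_rate), 4)
              for n in cands}
    if txn.mit and not cands:
        d = Decision("step_up", "MIT without prior-CIT reference: no evidence to cite", scored)
    elif not scored:
        d = Decision("step_up", "no exemption applicable", scored)
    else:
        best = max(scored, key=scored.get)
        d = Decision(best, f"highest expected frictionless probability {scored[best]}", scored, cands[best])
    log.append({"merchant": txn.merchant_id, "bin": txn.bin_range, "amount": txn.amount,
                "path": d.path, "reason": d.reason, "tra_ceiling": effective_tra_ceiling(merchant)})
    return d


# ---- constructed sample data (not from the page) ----
CIT_TABLE = {"cit-001": {"amount": 49.0, "eci": "05", "cavv": "constructed-cavv-001"}}
ISSUER = IssuerProfile("411111", {"tra": 0.85, "low_value": 0.95, "recurring": 0.90,
                                  "mit": 0.99, "trusted_beneficiary": 0.0}, 0.05)
MERCHANTS = {
    "m-sub": MerchantProfile("m-sub", 2, {"tra", "low_value", "recurring", "mit"}, 2.0),
    "m-hot": MerchantProfile("m-hot", 2, {"tra", "low_value"}, 4.5),  # 4.5 bps >= 0.7 * 6 bps
}
SAMPLES = {
    "subscription_charge": Txn("m-sub", "411111", 49.0, 0.1, recurring=True, prior_cit_ref="cit-001"),
    "subscription_drift":  Txn("m-sub", "411111", 99.0, 0.1, recurring=True, prior_cit_ref="cit-001"),
    "mit_without_ref":     Txn("m-sub", "411111", 49.0, 0.1, mit=True),
    "hot_merchant_180":    Txn("m-hot", "411111", 180.0, 0.1),
    "hot_merchant_25":     Txn("m-hot", "411111", 25.0, 0.1),
}


def run_samples() -> dict:
    log = []
    return {name: score_transaction(t, MERCHANTS[t.merchant_id], ISSUER, CIT_TABLE, log)
            for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:22s} -> {d.path:10s} ({d.reason})")
```

Two behaviours are worth checking against the page's design: the "m-hot" merchant, sitting at 4.5 bps against a 6 bps band-2 ceiling, is tightened to the €100 band-1 ceiling before its €180 transaction is scored, so it steps up; and the MIT without a prior-CIT reference is routed to step-up rather than silently sent out unflagged, which is the failure the MIT pipeline exists to prevent.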
Operating model

How it actually runs.

  • Weekly 3DS2 health review: frictionless rate, step-up rate, abandonment, fraud rate, by merchant tier, by network, by issuer cohort
  • Monthly per-issuer profile refresh: re-score the 180+ issuer combinations based on observed behaviour from the last 30 days
  • Quarterly merchant exemption-strategy review with top 30 merchants: their fraud band, their exemption mix, their step-up abandonment, the auth-rate impact
  • Real-time alerting when any merchant's fraud rate crosses 70% of its band ceiling; programme tightens automatically and notifies the merchant-success team
  • Annual scheme audit prep: exemption-decision logs, fraud-rate evidence per band, attestation of TRA programme controls
My role

Where I sat in the work.

Owned the 3DS2 + SCA programme end-to-end as Product & Program lead: exemption-scoring architecture, per-issuer scoring model, MIT pipeline correctness, recurring-token integration, abandon-recovery flows, fraud-rate guard-rails and the scheme-audit posture. Direct accountability for frictionless rate, fraud rate, auth-rate lift, and TRA band maintenance.

Impact

What moved.

  • Lifted portfolio frictionless rate from 38% to 73% in three quarters
  • Cut step-up rate from 62% to 27% on the same traffic
  • Recovered ~11% of step-up abandonment via OTP resend + alternative-method fallback
  • Held portfolio fraud rate below 6 bps on routed exemption traffic, preserved TRA band 2 throughout and moved into band 3 on the qualifying merchant cohort in quarter 4
  • Delivered +5.4 points portfolio CNP authorisation-rate uplift, with +3-4 pts on iOS Safari + cross-border combinations
  • Closed two outstanding scheme audit observations on exemption documentation
  • Established the per-issuer profile as a permanent monthly artefact, not a project deliverable
Trade-offs

What we chose against.

  • Built per-issuer scoring as a 180+ combination map rather than a model: heavier ops cadence (monthly refresh) than a self-learning model would need, but saved a year of model-tuning time and produced interpretable decisions that scheme audits accept
  • Required a ~80ms pre-auth latency budget for the exemption-scoring service: added p95 latency on the auth path, recovered through the lower step-up rate and lower abandonment
  • Built abandon-recovery as a full surface (OTP resend, alternative method, post-abandon outreach) rather than OTP resend alone: heavier engineering, but produced the 11% recovery rate that platforms with single-mode resend do not see
  • Held a strict portfolio-fraud-rate floor (auto-tighten on approach to the band ceiling): accepted that some merchants temporarily lost frictionless coverage in bad weeks, but protected the TRA band from drift
Lessons

What I'd take into the next build.

  • Exemption strategy without per-issuer scoring is portfolio guesswork. Two acquirers running identical TRA logic see different frictionless rates because their merchant mix sends them to different issuer pools.
  • Step-up abandonment recovery is part of the exemption programme, not separate from it. A step-up that abandons is worse than a frictionless decline; the recovery flow is where 10–15% of would-be losses come back.
  • Fraud-rate guard-rails belong on the OKR slate as floors, not as dashboards. Programmes that ship without auto-tighten logic re-enter the bad-quarter spiral every fraud spike.
  • MIT pipeline correctness is invisible until the chargeback arrives 60 days later. Build the prior-authentication-reference table early; verify the MIT flag is set at auth, not at capture; instrument the entire pipeline.
  • Per-merchant exemption profiles are not optional. Portfolio defaults produce mediocre frictionless rates everywhere; per-merchant profiles produce category-best on the cohorts where the merchant mix supports it.
Why it matters

Relevance to networks, PSPs and cross-border platforms.

Every acquirer in any market where SCA applies (Europe, UK, MENA increasingly, parts of LATAM) carries this exact problem. The frictionless-rate gap between band-3 acquirers (70%+) and band-1 acquirers (35-45%) is worth multiple basis points of merchant-level auth rate, which translates directly to merchant retention. The programme is non-trivial (per-issuer scoring, MIT pipeline correctness, abandon-recovery, fraud-rate guard-rails), but it is the highest-leverage CNP product investment available at most mid-size acquirers. This is the playbook.

Keywords
3DS2 optimisation, SCA exemption programme, PSD2 frictionless rate, TRA exemption strategy, step-up abandonment recovery, per-issuer scoring 3DS2, MIT pipeline payments, auth-rate lift CNP, card not present optimisation, MENA acquirer 3DS2

Discussing payment infrastructure / product leadership roles?

Reference-available. Download the résumé or get in touch.