VISA released rules and guidelines related to the SCP (Secure Corporate Payment) exemption in the context of PSD2 exemptions usage.
The SCP exemption has been available to use since 2019. This bulletin aims to establish a set of rules and guidelines for processing SCP exemptions. The effective date at the end of the page indicates the start date of the PSD2 mandate.
What do these changes mean?
Which transactions are applicable for SCP exemption?
As per VISA, SCP (Secure Corporate Payment) exemption could apply to transactions undertaken with commercial cards, specifically the ones used in a secure corporate environment (such as a travel management company booking tool or a corporate procurement tool) and which are initiated in the following ways:
- Through a virtual card, Central Travel Account (CTA) or lodged card
- Using the physical commercial cards issued to employees (commonly referred to as “walking plastics”)
Which transactions are not applicable for SCP exemption?
The SCP exemption is not applicable to transactions where physical cards (the employee-issued commercial cards) are used in an environment that doesn’t have a secure dedicated payment process and protocol, for example online purchases made via a public website.
How can the exemption be applied?
- From the issuers: based on the Bank Identification Numbers (BIN), an issuer can identify the transaction as appropriate for the SCP exemption. The issuers make sure that the commercial cards carrying the BIN are used for Central Travel Accounts (CTAs), lodged cards, and virtual cards. The issuers would thus apply the exemption, whether the transaction is received straight to authorization or via 3DS2 authentication. No additional effort is required from you.
- From you: when physical commercial cards (which can be identified based on the account range) are used in a transaction, the issuer can’t recognize whether the environment is a secure corporate one. In this case, if the transaction actually happens in a secure corporate environment, you, as a merchant, should flag the transaction with the SCP exemption. To understand what qualifies as a secure corporate environment, please refer to the following rules.
Rules to populate the SCP exemption:
Merchants: you can only populate the SCP exemption indicator when:
- You can confirm that the transaction originated from an environment that was secure (according to the requirements below) for entities operating a travel corporate booking/B2B purchasing portal (refer to the section below), and for entities connecting a merchant to a corporate booking/B2B purchasing portal (refer to the section below) where applicable.
- There is a recognisable and secure electronic connection between
  - the merchant and the entity operating the travel booking/B2B purchasing portal (in case of a direct connection) or
  - the merchant and the entity that connects the merchant with a travel booking/B2B purchasing portal, and between this entity(ies) and the portal (in case of an indirect connection)
Entities operating a travel corporate booking/B2B purchasing portal:
You’re required, by your corporate partner, to make sure that the corporate portal:
- Can only be used for corporate purposes or by permitted users (the employees)
- Is protected by access controls with a level of security that meets the PSD2 requirement.
- Is connected to a merchant that will use the SCP exemption via a secure electronic connection (either directly, or indirectly via intermediaries)
You’re also required, by your merchant partner (or other entities in between you and the merchant) to make sure that the corporate portal meets at least the following terms:
- It clearly displays the Terms and Conditions of the purchase or booking to the cardholder, also informing them if the transactions are to be later initiated by the merchant (MIT)
- Has the PCI-DSS certification
- Is GDPR compliant
- Has secure access control
- Is connected to the merchant (or any entities in between the portal and the merchant) via a secure electronic connection.
Entities connecting a merchant to a travel corporate booking/B2B purchasing portal:
- It’s your responsibility to make sure that the corporate portal abides by the standards described in the previous section, and that your merchant is eligible to use the SCP exemption
- You must be connected, via a secure electronic connection, to both the entity operating a portal and the merchant receiving bookings eligible to use the SCP exemption indicator.
How will this affect you?
- It’s important that you understand how and when you can use the SCP exemption, so that you can provide a frictionless experience to the cardholders.
- All the processing entities mentioned above have to adhere to the rules and guidelines described for each of them.
December 31, 2021
Do you need more info? Feel free to reach out to your dedicated Account Manager, or the Payvision support team at firstname.lastname@example.org