What are Out of Scope PSD2 Transactions?
Out of scope PSD2 transactions are types of digital payments that legally fall outside the regulatory perimeter of the European Union’s Revised Payment Services Directive (PSD2). Because the legal mandate does not apply to these payment flows, merchants are not required to enforce Strong Customer Authentication (SCA) or route the customer through a 3D Secure 2.0 (3DS2) step-up challenge to process the authorization.
Defining the Out-of-Scope Perimeter
The primary objective of PSD2 is to secure electronic payments initiated by consumers within the European Economic Area (EEA). If a transaction does not fit the strict definition of an EEA-centric, consumer-initiated electronic payment, it is generally considered out of scope.
The most common out of scope scenarios for enterprise merchants include:
One-Leg Out (OLO) Transactions: PSD2's SCA mandate explicitly applies only to "two-leg in" transactions—meaning both the merchant's acquiring bank and the cardholder's issuing bank must be located within the EEA. If a US-based buyer purchases software from a German merchant (or vice versa), it is a One-Leg Out transaction and is completely out of scope.
Mail Order and Telephone Order (MOTO): Payments collected manually over the phone or via postal mail are not considered "electronic" payments under the directive. Therefore, MOTO transactions do not require multi-factor authentication.
Merchant-Initiated Transactions (MIT): In a B2B SaaS or recurring billing model, the initial card-on-file setup requires the customer to authenticate. However, all subsequent recurring charges are initiated by the merchant, not the cardholder. Because the customer is technically "off-session," these subsequent billing events are out of scope for SCA.
Anonymous Prepaid Cards: Transactions made with anonymous, non-reloadable prepaid cards where the issuer cannot identify the cardholder are excluded from SCA requirements.
Out of Scope vs. SCA Exemptions
A critical distinction for enterprise risk teams is understanding the difference between a transaction being out of scope versus qualifying for an SCA exemption.
When a transaction is out of scope (like a One-Leg Out payment), the PSD2 legislation simply does not apply. You do not need to ask the issuer for permission to bypass 3DS2.
When a transaction is in scope, but you request an SCA Exemption (such as a Low-Value Exemption for a €20 purchase or a Transaction Risk Analysis exemption), the PSD2 legislation does apply. You are legally asking the issuing bank to waive the step-up challenge based on low risk. Crucially, the issuing bank has the legal right to reject an exemption and force a "soft decline," but it generally cannot enforce a soft decline on an out-of-scope payment.
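The scenarios listed earlier and the out-of-scope versus exemption distinction above, expressed as a classifier. This is an added example, not Hellgate's code or API: the field names and reason strings are hypothetical, and treating an unknown country or an MIT without an authenticated setup as in scope is an assumption made so that a failed lookup never skips authentication.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# EEA = 27 EU member states + Iceland, Liechtenstein, Norway (ISO 3166-1 alpha-2).
EEA = frozenset(("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
                 "PL PT RO SK SI ES SE IS LI NO").split())

class Sca(Enum):
    OUT_OF_SCOPE = "out_of_scope"            # PSD2 does not apply; no issuer permission needed
    EXEMPTION_REQUEST = "exemption_request"  # PSD2 applies; issuer may refuse with a soft decline
    REQUIRED = "sca_required"                # PSD2 applies; authenticate (e.g. 3DS2)

@dataclass(frozen=True)
class Txn:  # hypothetical field names, not a real gateway schema
    issuer_country: str              # derived from the card BIN; "" if the lookup failed
    acquirer_country: str
    channel: str = "ecommerce"       # "ecommerce" or "moto"
    initiator: str = "cardholder"    # "cardholder" or "merchant"
    initial_sca_done: bool = False   # card-on-file setup was authenticated
    anonymous_prepaid: bool = False
    exemption: Optional[str] = None  # e.g. "low_value", "tra"

def classify(t: Txn) -> Tuple[Sca, str]:
    issuer, acquirer = t.issuer_country.upper(), t.acquirer_country.upper()
    # Fail closed: an unknown country must not be read as "outside the EEA".
    if not issuer or not acquirer:
        return Sca.REQUIRED, "unknown_country"
    legs_in = (issuer in EEA) + (acquirer in EEA)
    if legs_in < 2:
        return Sca.OUT_OF_SCOPE, ("one_leg_out" if legs_in == 1 else "outside_eea")
    if t.channel == "moto":
        return Sca.OUT_OF_SCOPE, "moto"
    if t.initiator == "merchant":
        # MIT is out of scope only when the setup payment was authenticated.
        if t.initial_sca_done:
            return Sca.OUT_OF_SCOPE, "mit"
        return Sca.REQUIRED, "mit_without_authenticated_setup"
    if t.anonymous_prepaid:
        return Sca.OUT_OF_SCOPE, "anonymous_prepaid"
    if t.exemption:
        return Sca.EXEMPTION_REQUEST, t.exemption
    return Sca.REQUIRED, "in_scope"

if __name__ == "__main__":
    # Constructed sample transactions.
    for txn in (Txn("US", "DE"), Txn("FR", "DE", exemption="low_value"), Txn("", "DE")):
        print(txn.issuer_country or "??", txn.acquirer_country, *classify(txn))
```

The out-of-scope checks run before the exemption check, so an exemption value on a One-Leg Out payment is ignored rather than sent to the issuer as a request it could refuse.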
Orchestrating Global Volume with the Hellgate Hub
While out-of-scope transactions do not legally require 3DS2, legacy payment gateways frequently mishandle them. Often, a rigid gateway will aggressively apply 3DS2 to all transactions, needlessly introducing checkout friction to US or Asian buyers who are not subject to European laws. Conversely, some European issuers will incorrectly decline an out-of-scope OLO transaction if it lacks specific digital flags.
The Hellgate Composable Payment Architecture (CPA) eliminates these cross-border friction points through dynamic, payload-aware routing.
Enterprise engineering teams utilize the Hellgate Hub as their central orchestration fabric. When a payment is initiated, the Hub uses the card's BIN (Bank Identification Number) to determine where the issuing bank is located and compares that with the location of the acquiring bank.
If the Hub identifies a One-Leg Out or MOTO transaction, the Link PSP abstraction layer automatically flags the API payload with the correct out-of-scope indicators and routes it to the optimal global acquirer, ensuring the payment is authorized smoothly without triggering unnecessary 3DS2 challenges.
For subscription merchants, the Guardian tokenization vault protects your recurring revenue. By vaulting the initial SCA-authenticated credential as an agnostic network token, Guardian automatically applies the correct MIT flags to all future billing cycles. This signals to the European issuer that the charge is out of scope, preventing involuntary churn and preserving your authorization rates.
Frequently Asked Questions (FAQ)
Why do some issuing banks decline One-Leg Out (OLO) transactions?
Even though OLO transactions are out of scope, a European issuing bank might still view a foreign, unauthenticated transaction as highly suspicious based on their own internal risk models. To prevent this, merchants should utilize a payment orchestration platform to cleanly flag the transaction as OLO, or utilize dynamic routing to process the payment through a local acquiring bank.

Are B2B corporate cards out of scope for PSD2?
They are generally exempt, but not always entirely out of scope. Payments made with secure corporate cards (like lodged travel cards or virtual cards generated via a corporate purchasing platform) qualify for a specific Secure Corporate Payment exemption, allowing them to bypass retail-level SCA friction.

Can I voluntarily apply 3DS2 to an out-of-scope transaction?
Yes. Even if a transaction is One-Leg Out, a merchant can choose to route the payment through 3DS2 to take advantage of the fraud liability shift. However, this must be balanced against the likelihood of introducing friction and causing cart abandonment for non-European buyers who are not accustomed to biometric step-up challenges.
Ready to optimize your cross-border routing and eliminate unnecessary checkout friction? Explore the Hellgate Developer Docs to learn how to architect intelligent PSD2 routing logic, or get in touch with our team to schedule a technical demonstration of the Composable Payment Architecture.