TRA exemption
What is a TRA exemption?
Transaction Risk Analysis (TRA) exemption is a provision under the EU's revised that lets a payment provider skip on a remote card payment when its real-time risk scoring rates that transaction as low risk.
The exemption applies inside the European Economic Area (EEA). Instead of sending every cardholder through a 3DS challenge, the provider scores each payment against signals such as the amount, transaction frequency, and the cardholder's historical behavior, then decides whether the payment can clear without an extra authentication step. How much it can exempt is capped by its own fraud performance: the lower the fraud rate, the higher the payment value it's allowed to wave through.
Key facts
- Also known as: transaction risk analysis exemption, TRA exemption
- Governed by: PSD2 Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389), Article 18
- Applies to: remote, card-not-present electronic payments in the EEA
- Set by: the Exemption Threshold Value (ETV), the highest payment amount a provider can exempt at its current fraud rate
The exemption threshold value rises as the provider keeps its reference fraud rate lower:
| Reference fraud rate | Maximum exempted value (ETV) |
| ≤ 0.13% | €100 |
| ≤ 0.06% | €250 |
| ≤ 0.01% | €500 |
How the TRA exemption works
- Measure the fraud rate – The provider (the acquiring bank or the issuing bank) tracks its remote-payment fraud rate over the reference period defined by the RTS.
- Match the value band – The payment amount has to fall within the ETV tied to that fraud rate: €100, €250, or €500.
- Score the payment – At checkout, the provider runs real-time risk analysis on signals like amount, location, device, spending pattern, and known fraud scenarios.
- Request the exemption – If the payment passes, the provider flags the exemption in the authorization request so the cardholder skips the SCA step.
- Issuer decides – The issuing bank can accept the exemption and approve, or override it and route the payment into a anyway.
Why it matters
Every extra authentication step costs conversions. Cardholders drop out when a 3DS challenge fails, times out, or asks for a one-time code they can't find. The TRA exemption removes that step for payments the provider can already vouch for, so low-risk customers check out without interruption.
It also changes who carries the fraud. Applying the exemption means the provider gives up the that SCA would have transferred to the issuer, so a fraudulent exempted payment is the provider's loss.
Common issues
- Fraud-rate breach – If the provider's fraud rate climbs above a band, it loses the right to exempt payments at that value until the rate recovers.
- Issuer override – Issuing banks run their own risk models and can reject an exemption request, sending the payment to SCA regardless of what the provider asked for.
- Scope limits – The exemption covers remote card payments in the EEA. It doesn't apply to the first payment in a recurring series, transactions outside the EEA, or payment methods outside PSD2's scope.


