PSD2 SCA exemption (B2B / secure corporate payment processes)
aka secure corporate payment processes exemption, Article 17 SCA exemption, corporate card SCA exemption, RTS Article 17 exemption
Article 17 of Commission Delegated Regulation (EU) 2018/389 (the PSD2 SCA RTS) exempts dedicated corporate payment processes from per-transaction Strong Customer Authentication, where the payer is a business and not a consumer.
Last reviewed May 2026
Definition
The PSD2 SCA exemption for secure corporate payment processes is set out in Article 17 of Commission Delegated Regulation (EU) 2018/389, the Regulatory Technical Standards (RTS) on Strong Customer Authentication and secure communication. It is separate from - and often confused with - PSD2 Article 17 itself. The exemption lets a payment service provider skip the per-transaction SCA challenge that would otherwise apply under Article 97 of PSD2, provided three conditions hold: the dedicated payment process or protocol is used only by payers who are not consumers, the process delivers security equivalent to PSD2 SCA, and the national competent authority (in Ireland, the Central Bank of Ireland) is satisfied that this equivalence holds. In practice this is the legal basis on which corporate cards issued by EU-IBAN providers - Pleo, Soldo, Spendesk, Payhawk and Revolut Business - can run business expense transactions without firing a per-purchase 3-D Secure challenge to the cardholder. The exemption applies only to legal-person payers; consumer cards always require SCA. Issuers relying on the exemption must report it to their national competent authority as part of their annual operational and security risk reporting and must demonstrate the equivalent-security test on a continuing basis. The exemption sits inside the EBA's broader SCA RTS framework, alongside the low-value (under EUR 30), recurring fixed-amount, merchant-initiated, and trusted-beneficiary exemptions.
Why it matters for software choice
Friction is the silent killer of corporate card adoption in Irish SMEs. A finance team that issues cards to ten employees and gets a 3-D Secure challenge on every supplier purchase will see those cards stop being used inside a month. The Article 17 RTS exemption is what makes the modern Irish corporate-card category usable - Pleo, Soldo, Spendesk, Payhawk and Revolut Business all rely on it. When evaluating a corporate card platform for an Irish entity, ask the provider explicitly whether they operate under the secure corporate payment processes exemption, whether the exemption is registered with their home regulator, and what the practical SCA experience looks like for the cardholder. Card issuers that fire 3DS on every B2B purchase are signalling either a weak compliance posture or a consumer-facing acquiring relationship masquerading as a corporate product.
Authority sources
- EUR-Lex: Commission Delegated Regulation (EU) 2018/389 (PSD2 SCA RTS, Article 17) (eur-lex.europa.eu)
- European Banking Authority Q&A 2018_4060: Exemption for secure corporate payment processes and protocols (www.eba.europa.eu)
- European Banking Authority Q&A 2018_4383: Exemption of secure corporate payment processes and protocols (www.eba.europa.eu)
- Central Bank of Ireland: Strong Customer Authentication (www.centralbank.ie)
- European Banking Authority: SCA Regulatory Technical Standards (www.eba.europa.eu)
Software categories this affects
Vendors covered by this term
Pleo
Smart company cards and automated expense management for European businesses
Soldo
Irish-regulated prepaid card and spend management platform for European SMEs
Spendesk
All-in-one spend management combining cards, invoices, and reimbursements for European SMEs
Payhawk
Spend management and company cards for mid-market European businesses
Revolut Business
EU-licensed business banking with Irish IBANs, SEPA Instant, and multi-currency accounts
Related terms
Strong Customer Authentication
PSD2 requirement that electronic payments use two of three authentication factors: knowledge (PIN), possession (phone or token) and inherence (biometric). Applies to Irish card and bank payments.
PSD2 (Payment Services Directive 2)
The EU directive governing payment services and payment service providers across the EEA. Transposed into Irish law by SI 6/2018 (European Union (Payment Services) Regulations 2018). Created the open banking and Strong Customer Authentication regimes.
Open Banking (PSD2)
EU regulatory framework that lets authorised third parties access bank account data (AIS) and initiate payments (PIS) on the customer's behalf. The basis for live bank feeds and payment-initiation tools.
Electronic Money Institution (EMI)
A specific Central Bank of Ireland authorisation that permits a firm to issue electronic money (prepaid balances, e-wallets, cards) and provide payment services. EMIs cannot take deposits and customer funds are safeguarded, not insured.
Central Bank of Ireland (CBI)
Ireland's financial regulator and gatekeeper for banks, payment firms, e-money issuers, MiFID investment firms and insurance providers. Maintains the public CBI register and operates the Fitness and Probity regime for senior staff at regulated firms.