Uruguay

Rates

For all requests involving transactions in Uruguay, it is mandatory to include an object called rates. This object allows specifying a particular tax rate through two properties. The key property identifies the tax name—in Uruguay, this corresponds to the IVA (Value Added Tax), so the value must be "iva". The value property indicates the percentage of the applied tax rate, expressed as a numeric value.

Uruguay has the following main IVA categories:

  • Standard: 22%
  • Reduced: 10%
  • Exempt: 0%
The value should reflect the appropriate rate based on the transaction, although other values may also be declared when applicable, such as promotional rates or tax benefits.

Example with a Standard category value:

"rates": [
  {
    "key": "iva",
    "value": 22.0
  }
]

Regulation Code

For all requests involving transactions in Uruguay, it is mandatory to include the regional_regulation_code field to ensure the correct application of regional regulations during processing. The following law codes are currently supported:
  • "17934": applies to both credit and debit cards
  • "19210": applies to debit cards only

If the value provided corresponds to one of these recognized codes, the corresponding discount or special treatment will be applied during post-processing, as defined by the processing rules.

Example:

"regional_regulation_code": "17934"

Spain

Introduction to PSD2 and Strong Customer Authentication (SCA)

The Revised Payment Services Directive (PSD2) is a European regulation introduced to increase security, transparency, and innovation within electronic payments. In effect since September 2019, PSD2 requires Payment Service Providers (PSPs) to implement Strong Customer Authentication (SCA) for most online transactions within the European Economic Area (EEA).
SCA is intended to reduce fraud and improve consumer protection by requiring users to verify their identity using multi-factor authentication during payment transactions. This applies to a wide range of operations, including:
  • Online card payments
  • Access to account information
  • Bank transfers initiated through electronic channels SCA is mandatory unless a valid exemption is applied and accepted by the card issuer.

What is Strong Customer Authentication (SCA)?

Under PSD2, SCA requires that authentication be based on at least two of the following independent factors:

  • Knowledge: something the user knows (e.g., password or PIN)
  • Possession: something the user has (e.g., mobile device or hardware token)
  • Inherence: something the user is (e.g., fingerprint or facial recognition) This is commonly known as two-factor authentication (2FA). The goal is to prevent unauthorized access even if one of the factors is compromised.

When is SCA Required?

SCA must be applied in the following cases:

  • Accessing account information
  • Initiating electronic payments
  • Any action that may imply a risk of payment fraud or abuse However, several exemptions are allowed under certain risk and transaction conditions, which can help improve user experience by avoiding unnecessary friction in low-risk scenarios.

SCA Exemptions

While Strong Customer Authentication (SCA) is required for most electronic payments, PSD2 defines several exemptions that allow transactions to be processed without triggering customer authentication. These exemptions are intended to reduce friction and optimize user experience when the associated fraud risk is considered low.

Possible values for field sca_exemption

valuesdescription
LVVLow Value
TRATransaction Risk Analysis
CORCorporate Pay
MITMerchant Initiated Transactions
ATDAdditional Transaction Data
Important: The application of any exemption is subject to acceptance by the card issuer. Even if an exemption is requested, the issuer may still require SCA based on its own risk assessment.

Low-Risk Transactions (TRA – Transaction Risk Analysis)

Transactions may be exempt from SCA if both the Payment Service Provider (PSP) and the issuer meet the required fraud rate thresholds and have real-time risk analysis mechanisms in place.

Fraud Rate ThresholdMaximum Transaction Amount
≤ 0.13%up to €100
≤ 0.06%up to €250
≤ 0.01%up to €500

If either the PSP or the issuer exceeds these fraud rates, the exemption may be rejected, and the transaction will require SCA.

Low-Value Payments (LWV)

Transactions not exceeding €30 may be exempt from SCA. However, this exemption has limits:
  • SCA is required after 5 consecutive uses of this exemption without authentication, or
  • If the cumulative amount of exempted transactions exceeds €100 These limits are tracked by the issuer, who may choose to prompt for SCA even within those thresholds. In most cases, the TRA exemption is preferred over LWV due to its greater flexibility.

Recurring Transactions and Subscriptions

Recurring payments of fixed amount and frequency are only subject to SCA on the first transaction. Subsequent charges are exempt, provided they match the original terms and were initiated with customer consent.

Trusted Beneficiaries

Customers may add specific merchants to a trusted list maintained by their bank. Transactions from trusted beneficiaries can be exempted from SCA automatically, subject to issuer support and customer opt-in.

MIT – Merchant-Initiated Transactions

Merchant-Initiated Transactions (MITs), such as those using stored credentials or references, occur without the cardholder present. These are technically out of scope for SCA, but in practice they are often treated as exemptions. Conditions:

  • The initial transaction (when credentials were stored) must have been authenticated
  • The customer must have agreed to future charges (known as a mandate) As with all exemptions, issuers can reject MITs and request SCA at their discretion.

Additional Exemptions

Other scenarios may be exempt from SCA under PSD2, including:

  • Mail Order / Telephone Order (MO/TO: Transactions where card details are collected by phone are out of scope, but must be flagged accordingly.
  • Corporate Payments: Transactions made using corporate cards through channels not accessible to consumers may be exempt, depending on issuer policy.