Contact us


Trusted Merchant Listing (TML) Best Practices pt.1: User Experience

SCA exemptions include a neat feature, merchant whitelisting. Enabling the cardholders to pick and choose merchants whom they trust provides them with control over their online payments user experience. To get more insight into cardholder UX along with best practices regarding managing the merchant whitelist, keep reading.

SCA exemptions include a neat feature, Trusted Merchant Listing (TML). Enabling the cardholders to pick and choose merchants whom they trust provides them with control over their online payments user experience. To get more insight into cardholder UX along with best practices regarding managing the trusted merchant list, keep reading.

This article is a part of our Trusted Merchant Listing (TML) Best Practices series. To round up the story take a look at our post regarding TML industry best practices, Risk Considerations edition.

What is Trusted Merchant Listing (TML)?

PSD2 & RTS enable cardholders to exempt certain merchants from SCA by adding them to their trusted merchant list. 3D Secure 2.2 brought us TML, also known and trusted beneficiaries, a part of the SCA exemptions. TML allows cardholders to select trusted beneficiaries in order to avoid an additional authentication step during online payment processing.

This approach leads to a truly frictionless user experience, regardless of the transaction amount or merchant fraud rate. TML is applicable for one-click payments, including both card-on-file and recurring payments with variable amounts. It is important to mention that not all merchants are eligible for trusted listing. The selection of TML eligible candidates is under the issuing bank's control. Depending on the merchant industry type, level of risk, and cardholder transaction history, the issuer compiles a list of merchants eligible for trusted merchant listing.

Specific conditions under which Trusted Merchant Listing (TML) is applicable includes the following requirements:

  • During adding or modifying a merchant on a cardholder's trusted list, SCA is mandatory.
  • Clear terms & conditions explaining what is the cardholder agreeing to, which entity on the trusted list, as well as in which countries and for which products is the exemption applicable.
  • Once a merchant is on the trusted list, each following transaction under issuer monitoring.
  • Issuing bank is the one in control of TML candidates, i.e. merchants can't put themselves on the trusted list.
  • Cardholders are able to remove a merchant from the trusted merchant list.

TML User Experience: Best Practices

The following paragraphs bring a summary of best practices suggested by VISA and MasterCard regarding the UX when it comes to trusted merchant listing.

Adding a merchant to a trusted list

There are two flows for adding a merchant to a trusted list.

During/after payment authentication

This approach involves issuing bank's ACS and has less impact on issuers. Merchants would be added to a trusted list one at a time.

Suggested best practices include the following:

  1. Upon deeming a merchant eligible for trusted listing, the payer is offered one out of two options to add the merchant to the trusted list:
  2. Checkbox visible on the payment authentication screen. The downside of this approach is the possibility that the cardholder will overlook the checkbox, while the benefit lies in fewer clicks and using a single page.
  3. Using a separate page after the payment authentication process. This approach decreases abandonment but requires an additional click from the cardholder.
  4. Use user-friendly language and make sure that the cardholder understands what stands behind trusted merchant listing.
  5. Recommendations suggest that trusted merchant listing is available only in cases where SCA is necessary.
  6. Since both payment and trust listing are happening simultaneously, a single SCA is sufficient according to PSD2 RTS.

Using issuing bank's online banking service

This would require issuers to make changes within their online banking service; the cardholder would be able to trust list merchants in bulk, making the user experience much more friendly.

Suggested best practices include the following:

  1. Recommendations suggest that issuing banks add an TML management functionality to their online banking service.
  2. A good practice would include offering cardholders their most frequent merchants (e.g. top 10), under the pre assumption that the mentioned merchants are eligible candidates according to the issuer's risk assessment. Recognizing cardholder's card-on-file and recurring payment agreements serves as a quality filter for determining their favorite merchants.
  3. Each individual adding of a merchant, or any change within the trusted list, requires SCA.

Editing and preview of a trusted merchant list

Cardholders need to be able to view, add and remove merchants from the trusted list using their online banking service. Each attempt to modify or view TML should require SCA. This is due to having access to sensitive payment data.

Promoting trusted merchant listing

Relevant stakeholders, issuers and ACSs, are the primary promoters of the new functionality. They should therefore communicate the benefits of trusted merchant listing to the cardholders.

Use the following ''selling-points'' when educating cardholders:

  • Cardholders have full control over merchants who are a part of their trusted list. They are free to both add or remove the merchant.
  • Recommended by the card payment industry and regulators.
  • TML enables fast checkout for merchant-initiated transactions (e.g. recurring payments of variable amounts), eliminating SCA.
  • SCA is applied in certain scenarios (shipping address mismatch, unfamiliar device, etc.).

Multiple cards enrollment

It is recommended that trust listing is applied for one card at a time; the card being used for processing the payment. In case trust listing is enabled for multiple cards, each card should require a separate SCA.

eBook: Leveraging the full potential of payment data

ASEE provides actionable advice on how to confront the high cart abandonment rates for mobile, as well as provides the tools that have the capacity to address other mCommerce challenges.

To find out more about Trides2 portfolio, contact us or visit our blog section.  

Want to learn more about cybersecurity trends and industry news?



chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram