# AI tells an EU merchant to accept SEPA direct debits without PSD2 Strong Customer Authentication (SCA), ignoring EBA guidelines

- **ID:** `banking/ecb-psd2-strong-auth`
- **Domain:** banking
- **Category:** auth_error
- **Error Code:** `EBA_SCA_REQUIRED_401`
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

PSD2 mandates SCA (two-factor authentication) for all electronic payments, including SEPA direct debits, per EBA Regulatory Technical Standards (RTS); merchants failing to implement SCA face chargeback liability and regulatory fines.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PSD2 directive 2015/2366 | active | — | — |
| EBA RTS v2.0 | active | — | — |

## Workarounds

1. **Implement 3D Secure 2.0 with SCA: integrate with an ACS provider like Adyen or Stripe** (92% success). Example API call:
   ```
   stripe.paymentIntents.create({
     amount: 1000,
     currency: 'eur',
     payment_method_types: ['sepa_debit'],
     mandate_data: { type: 'single_use' },
     payment_method_options: {
       sepa_debit: { mandate_options: { reference: 'INV-001' } }
     }
   })
   ```
2. **Use the 'recurring transaction' exemption: register the mandate with SCA at first payment, then use 'merchant_initiated_transaction' flag for subsequent debits** (88% success)
3. **Partner with a PSD2-compliant payment gateway (e.g., Klarna) that handles SCA and exemption logic automatically** (85% success)

## Dead Ends

- **Disabling SCA for recurring payments under 30 EUR** — EBA RTS allows low-value exemptions only for individual transactions under 30 EUR; recurring debits still require SCA at initiation (90% fail)
- **Using 3D Secure v1.0 without dynamic linking** — PSD2 requires dynamic linking (transaction-specific codes); 3DS v1.0 is deprecated and rejected by acquirers (85% fail)
- **Storing card-on-file without re-authentication for subsequent payments** — PSD2 mandates re-authentication for each payment unless a variable recurring exemption applies (88% fail)
