AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for low-value payments under €30, ignoring the cumulative transaction limit of €100 per day or 5 consecutive transactions
ID: banking/psd2-sca-low-value-exemption
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| PSD2 RTS (EU) 2018/389 | active | — | — | — |
| EBA SCA Guidelines v2.2 (2024) | active | — | — | — |
Root Cause
Under PSD2 Regulatory Technical Standards (RTS) Article 11, the low-value contactless payment exemption (€30) is subject to a cumulative cap: once the total of consecutive exempted transactions reaches €100 or 5 transactions, SCA is mandatory for the next transaction; the exemption resets only after the next SCA-authenticated transaction
Generic (translated from Chinese)
Under PSD2 RTS Article 11, the low-value contactless payment exemption (€30) is subject to a cumulative cap: once the total of consecutive exempted transactions reaches €100 or 5 transactions, the next transaction must be SCA-authenticated; the exemption resets only after the next SCA-authenticated transaction.
Official Documentation
https://eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2
Workarounds
- 95% success: Track the cumulative count and amount server-side; after 4 consecutive exempted transactions or €95 cumulative, force SCA on the next payment by setting the 'scaExemption' field to 'none' in the payment initiation request
- 40% success: Use a 'delayed SCA' pattern: request SCA after the 5th low-value payment in a batch, using a single OTP for all 5, but this requires the issuer to support batch SCA (rare)
- 80% success: Implement a 'wallet top-up' model: the user pre-loads €150 via a single SCA-authenticated transaction, then spends in low-value increments without further SCA; the wallet balance acts as the cumulative cap
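The server-side tracking workaround above, as an added example that is not from the original entry: a per-payer counter of consecutive exempted payments since the last SCA, a decision function that yields the value for the 'scaExemption' field, and a reset rule that treats a zero-value authorisation as neither a reset nor an exempted payment (the first Dead End). The thresholds are the ones stated on this page; the field name and 'lowValue' value are assumed for illustration.

```python
from dataclasses import dataclass

# Limits as stated on this page (PSD2 RTS Art. 11), kept in euro cents
# so that cumulative sums never suffer from float rounding.
LOW_VALUE_LIMIT_CENTS = 30_00
CUMULATIVE_AMOUNT_CAP_CENTS = 100_00
CUMULATIVE_COUNT_CAP = 5


@dataclass(frozen=True)
class PayerExemptionState:
    """Consecutive exempted payments since the payer's last SCA challenge."""
    exempted_count: int = 0
    exempted_cents: int = 0


def decide_sca_exemption(state: PayerExemptionState, amount_cents: int) -> str:
    """Value for the (assumed) 'scaExemption' field of a payment initiation.

    'lowValue' only when the single payment is within the per-transaction
    limit and adding it keeps both the consecutive count and the cumulative
    amount within the caps; otherwise 'none', which makes the issuer
    challenge the payer.
    """
    if amount_cents <= 0 or amount_cents > LOW_VALUE_LIMIT_CENTS:
        return "none"
    if state.exempted_count + 1 > CUMULATIVE_COUNT_CAP:
        return "none"
    if state.exempted_cents + amount_cents > CUMULATIVE_AMOUNT_CAP_CENTS:
        return "none"
    return "lowValue"


def record_outcome(state: PayerExemptionState, amount_cents: int,
                   sca_performed: bool) -> PayerExemptionState:
    """Advance the counters once the issuer has answered.

    A fully SCA-authenticated payment resets the counters. A zero-value
    authorisation is not an SCA-authenticated transaction, so it neither
    resets nor advances anything.
    """
    if amount_cents <= 0:
        return state
    if sca_performed:
        return PayerExemptionState()
    return PayerExemptionState(state.exempted_count + 1,
                               state.exempted_cents + amount_cents)


def run_sequence(amounts_cents):
    """Constructed walk-through: decision per payment, assuming the issuer
    performs SCA whenever no exemption is requested."""
    state, decisions = PayerExemptionState(), []
    for amount in amounts_cents:
        decision = decide_sca_exemption(state, amount)
        decisions.append(decision)
        state = record_outcome(state, amount, decision == "none")
    return decisions
```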
Dead Ends
Common approaches that don't work:
- 90% fail: Zero-value authorizations are not considered 'SCA-authenticated transactions' under Article 11; the counter only resets after a full SCA challenge (e.g., OTP or biometric)
- 85% fail: TRA exemption requires a fraud rate below 0.01% and is only available for payments above €30; it cannot be used for low-value payments that fail the cumulative cap
- 95% fail: PISPs are still subject to PSD2 RTS; they must apply SCA for the first payment and can only use exemptions for subsequent payments if the cumulative cap is respected