# AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for low-value payments under €30, ignoring the cumulative transaction limit of €100 per day or 5 consecutive transactions

- **ID:** `banking/psd2-sca-low-value-exemption`
- **Domain:** banking
- **Category:** auth_error
- **Error Code:** `PSD2-SCA-EXEMPT-001`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

Under the PSD2 Regulatory Technical Standards (RTS), Article 11, the €30 low-value contactless payment exemption is subject to a cumulative cap: once the total of consecutive exempted transactions reaches €100, or 5 such transactions have been made, SCA is mandatory for the next transaction. The counter resets only after the next SCA-authenticated transaction.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PSD2 RTS (EU) 2018/389 | active | — | — |
| EBA SCA Guidelines v2.2 (2024) | active | — | — |

## Workarounds

1. **Track the cumulative count and amount server-side; after 4 consecutive exempted transactions or €95 cumulative, force SCA on the next payment by setting the `scaExemption` field to `none` in the payment initiation request** (95% success)
2. **Use a 'delayed SCA' pattern: request SCA after the 5th low-value payment in a batch, using a single OTP for all 5; this requires the issuer to support batch SCA (rare)** (40% success)
3. **Implement a 'wallet top-up' model: the user pre-loads €150 via a single SCA-authenticated transaction, then spends in low-value increments without further SCA; the wallet balance acts as the cumulative cap** (80% success)

## Dead Ends

- Zero-value authorizations are not considered 'SCA-authenticated transactions' under Article 11; the counter only resets after a full SCA challenge (e.g., OTP or biometric) (90% fail)
- The TRA exemption requires a fraud rate below 0.01% and is only available for payments above €30; it cannot be used for low-value payments that fail the cumulative cap (85% fail)
- PISPs are still subject to the PSD2 RTS; they must apply SCA for the first payment and can only use exemptions for subsequent payments if the cumulative cap is respected (95% fail)
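The server-side counter from workaround 1 and the reset rule from the root cause and the first dead end, as an added example that is not part of this entry or of any PSP's API. It assumes a hypothetical `ScaExemptionTracker` keyed by payer, returns the value to put in the `scaExemption` field (`low_value` or `none`), forces SCA at the entry's conservative thresholds (4 consecutive exemptions or €95 cumulative), and resets only on a completed SCA challenge, never on a zero-value authorization. Treating a payment that would push the running total past €95 as already over the cap is my conservative reading of the threshold, not something the entry states.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as stated in this entry: a single payment is only eligible up to EUR 30,
# and SCA becomes mandatory once EUR 100 or 5 consecutive exemptions have
# accumulated since the last SCA-authenticated transaction.
LOW_VALUE_LIMIT = Decimal("30")
# Conservative thresholds from workaround 1: force SCA one step early.
FORCE_SCA_COUNT = 4
FORCE_SCA_AMOUNT = Decimal("95")


@dataclass
class ExemptionCounter:
    """Exempted transactions since the last full SCA challenge, for one payer."""
    consecutive_count: int = 0
    cumulative_amount: Decimal = Decimal("0")


class ScaExemptionTracker:
    """Hypothetical helper that chooses the 'scaExemption' value for a request."""

    def __init__(self, count_limit=FORCE_SCA_COUNT, amount_limit=FORCE_SCA_AMOUNT):
        self.count_limit = count_limit
        self.amount_limit = amount_limit
        self._state = {}  # payer_id -> ExemptionCounter

    def _counter(self, payer_id):
        return self._state.setdefault(payer_id, ExemptionCounter())

    def exemption_for(self, payer_id, amount):
        """Return 'low_value' if the exemption may be requested, else 'none'."""
        amount = Decimal(amount)
        if amount <= 0 or amount > LOW_VALUE_LIMIT:
            return "none"  # not a low-value payment at all
        c = self._counter(payer_id)
        if c.consecutive_count >= self.count_limit:
            return "none"  # consecutive-count cap reached
        # Assumption: refuse the exemption if this payment would push the
        # running total past the amount threshold, not only once it is reached.
        if c.cumulative_amount + amount > self.amount_limit:
            return "none"
        return "low_value"

    def record_exempted_payment(self, payer_id, amount):
        """Call once the issuer accepted the payment with the exemption applied."""
        c = self._counter(payer_id)
        c.consecutive_count += 1
        c.cumulative_amount += Decimal(amount)

    def record_sca_completed(self, payer_id):
        """Only a full SCA challenge (OTP, biometric) resets the counter."""
        self._state[payer_id] = ExemptionCounter()

    def record_zero_value_authorization(self, payer_id):
        """Dead end 1: a zero-value authorization is not SCA-authenticated,
        so it deliberately leaves the counter untouched."""
        return self._counter(payer_id)


def run_sequence(tracker, payer_id, amounts):
    """Constructed walkthrough: returns the decision for each payment in turn,
    assuming every forced SCA challenge is completed successfully."""
    decisions = []
    for amount in amounts:
        decision = tracker.exemption_for(payer_id, amount)
        decisions.append(decision)
        if decision == "low_value":
            tracker.record_exempted_payment(payer_id, amount)
        else:
            tracker.record_sca_completed(payer_id)  # payer passed the SCA challenge
    return decisions


if __name__ == "__main__":
    # Six EUR 20 payments: the fifth is forced to SCA, the sixth is exempt again.
    print(run_sequence(ScaExemptionTracker(), "card-1", ["20"] * 6))
```

The per-payer state is in memory here; in a real PSP it belongs in the same transactional store as the payment ledger, keyed on the card or account and updated atomically with the authorization result, otherwise two concurrent payments can both see the counter below the cap.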
