AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for low-value payments under €30, ignoring the cumulative transaction limit of €100 per day or 5 consecutive transactions
ID: banking/psd2-sca-low-value-exemption
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| PSD2 RTS (EU) 2018/389 | active | — | — | — |
| EBA SCA Guidelines v2.2 (2024) | active | — | — | — |
Root cause analysis
Under PSD2 Regulatory Technical Standards (RTS) Article 11, the low-value contactless payment exemption (€30) is subject to a cumulative cap: once the total of consecutive exempted transactions reaches €100 or 5 transactions, SCA is mandatory for the next transaction; the exemption resets only after the next SCA-authenticated transaction.
Official documentation
https://eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2
Solutions
- Track the cumulative count and amount server-side; after 4 consecutive exempted transactions or €95 cumulative, force SCA on the next payment by setting the 'scaExemption' field to 'none' in the payment initiation request.
- Use a 'delayed SCA' pattern: request SCA after the 5th low-value payment in a batch, using a single OTP for all 5. This requires the issuer to support batch SCA, which is rare.
- Implement a 'wallet top-up' model: the user pre-loads €150 via a single SCA-authenticated transaction, then spends in low-value increments without further SCA; the wallet balance acts as the cumulative cap.
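As an added worked example (not part of this entry and not any provider's API), the server-side counter the first solution describes, applying the caps exactly as the entry states them rather than the 4-transaction / €95 safety margin; the class and method names are assumptions:

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Caps as the entry states them, in EUR: per-transaction ceiling, cumulative
# amount and consecutive count since the last SCA-authenticated transaction.
LOW_VALUE_CEILING = Decimal("30")
CUMULATIVE_AMOUNT_CAP = Decimal("100")
CUMULATIVE_COUNT_CAP = 5


@dataclass
class ExemptionCounter:
    """Per-payer record of exempted payments since the last SCA (assumed name)."""

    exempt_count: int = 0
    exempt_amount: Decimal = field(default_factory=lambda: Decimal("0"))

    def may_exempt(self, amount) -> bool:
        """True if a payment of `amount` may use the low-value exemption.

        The cumulative check includes the candidate payment, so a payment that
        would take the running total past EUR 100 is sent to SCA instead.
        """
        amount = Decimal(str(amount))
        if amount <= 0 or amount > LOW_VALUE_CEILING:
            return False
        if self.exempt_count >= CUMULATIVE_COUNT_CAP:
            return False
        return self.exempt_amount + amount <= CUMULATIVE_AMOUNT_CAP

    def record(self, amount, sca_completed: bool) -> str:
        """Record an authorised transaction: returns 'sca', 'exempt' or 'no_reset'.

        Only a completed SCA challenge (OTP, biometric, ...) resets the counters.
        A zero-value authorisation without a challenge is neither an exempted
        payment nor an SCA-authenticated transaction, so the counters stay put.
        """
        amount = Decimal(str(amount))
        if sca_completed:
            self.exempt_count = 0
            self.exempt_amount = Decimal("0")
            return "sca"
        if amount == 0:
            return "no_reset"
        if not self.may_exempt(amount):
            raise ValueError("cap reached: request SCA for this payment")
        self.exempt_count += 1
        self.exempt_amount += amount
        return "exempt"
```

Call `may_exempt` before building the payment initiation request and `record` once the payment is authorised; the ValueError marks the case where the caller skipped the check.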
Ineffective attempts
Common but ineffective approaches:
- 90% failure: Zero-value authorizations are not considered 'SCA-authenticated transactions' under Article 11; the counter only resets after a full SCA challenge (e.g., OTP or biometric).
- 85% failure: The TRA exemption requires a fraud rate below 0.01% and is only available for payments above €30; it cannot be used for low-value payments that fail the cumulative cap.
- 95% failure: PISPs are still subject to the PSD2 RTS; they must apply SCA for the first payment and can only use exemptions for subsequent payments if the cumulative cap is respected.