SCA_CUMULATIVE_LIMIT_ERR banking protocol_error ai_generated true

AI tells an EU fintech that it can bypass Strong Customer Authentication (SCA) for all low-value payments under €30, ignoring the cumulative limit of €100 or 5 consecutive transactions since the last SCA (the limit is not "per day")

ID: banking/psd2-scp-exemption-misuse

Fix Rate: 80%
Confidence: 87%
Evidence: 1
First Seen: 2024-01-20

Version Compatibility

Version | Status | Introduced | Deprecated | Notes
PSD2 RTS Article 16 (low-value remote) and Article 11 (contactless), Commission Delegated Regulation (EU) 2018/389 | active | 2018 | | €30/€100/5 limits are Article 16; Article 11 is €50/€150/5
EBA Guidelines on SCA (EBA/GL/2022/01) | active | 2022 | |
Mastercard SCA Exemption Rules v2.0 (2023) | active | 2023 | |
Visa SCA Exemption Framework 2024 | active | 2024 | |

Root Cause

Under the PSD2 Regulatory Technical Standards (RTS, Commission Delegated Regulation (EU) 2018/389), the low-value exemption for remote transactions in Article 16 (€30 per transaction) applies only while the cumulative amount of remote transactions made since the last application of SCA does not exceed €100, or the number of consecutive remote transactions since the last SCA does not exceed 5; once a counter is exhausted the issuer must apply SCA, and only a successful SCA resets the counters. The contactless point-of-sale exemption in Article 11 is built the same way with higher limits (€50 per transaction, €150 cumulative or 5 consecutive transactions since the last SCA). AI-generated advice commonly presents the €30 exemption as unlimited, a protocol error in payment compliance advice.


Official Documentation

https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-common-and-secure-communication-under-psd2

Workarounds

  1. 90% success Track the exemption counters server-side per payment instrument (this is the payer's PSP's obligation under the RTS): the cumulative amount and the number of transactions performed without SCA since the last SCA, reset only when SCA is applied. Corrected pseudocode (the counters are "since last SCA", not "today"): 'if (amount <= 30 && amountSinceLastSCA + amount <= 100 && countSinceLastSCA < 5) { allowExemption(); } else { requireSCA(); }'
  2. 85% success Use the transaction risk analysis (TRA) exemption under Article 18 for remote transactions instead. TRA has no cumulative counter, but the PSP applying it must keep its reference fraud rate below the threshold set in the RTS Annex for the amount band (0.13% for transactions up to €100, 0.06% up to €250, 0.01% up to €500; these are RTS values, not Mastercard-specific) and must run real-time risk analysis on each transaction; the issuer may still insist on SCA.
  3. 88% success For card-present payments, the contactless exemption under Article 11 (€50 per transaction, €150 cumulative or 5 consecutive contactless transactions since the last SCA) has its own counters, held by the issuer or on the card, not by the merchant. When they are exhausted the issuer responds asking for SCA, and the terminal must handle that response by prompting the cardholder to insert the card and enter the PIN, which resets the counters. A merchant-side rule such as "after every 5th contactless payment, prompt for PIN" cannot replace this, because the count spans all merchants the card is used at.
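The counter logic of workarounds 1 to 3, carried through as an added, runnable example (this is not code from the page or from any PSP or card scheme). It keeps per-instrument counters for the Article 16 remote low-value exemption and the Article 11 contactless exemption, resets them only when SCA is recorded (there is no time-based reset), and shows how a TRA (Article 18) decision interacts with the Article 16 counters. The `ExemptionEngine` class, the `Channel`/`Decision` enums, the instrument IDs, amounts and fraud rates are constructed for this example; applying both the cumulative-amount and the consecutive-count cap (the RTS lets an issuer rely on either) and counting TRA-exempted remote transactions toward the Article 16 counters (a literal reading of Article 16(b)/(c)) are design choices of this example.

```python
"""PSD2 SCA exemption decision engine: per-instrument counters that only reset on SCA."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Channel(Enum):
    REMOTE = "remote"            # RTS Article 16, low-value remote transactions
    CONTACTLESS = "contactless"  # RTS Article 11, contactless point of sale


class Decision(Enum):
    EXEMPT = "exempt"
    SCA_REQUIRED = "sca_required"


# (per-transaction cap, cumulative cap since last SCA, consecutive count cap)
# from Commission Delegated Regulation (EU) 2018/389, Articles 16 and 11.
LIMITS = {
    Channel.REMOTE: (Decimal("30"), Decimal("100"), 5),
    Channel.CONTACTLESS: (Decimal("50"), Decimal("150"), 5),
}

# Article 18 TRA: amount ceiling by the PSP's reference fraud rate (RTS Annex),
# strictest band first so the first matching row is the highest ceiling earned.
TRA_CEILINGS = [
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]


def tra_ceiling(fraud_rate_pct):
    """Highest amount a PSP with this fraud rate (percent) may exempt under TRA, else None."""
    rate = Decimal(fraud_rate_pct)
    for threshold, ceiling in TRA_CEILINGS:
        if rate <= threshold:
            return ceiling
    return None


@dataclass
class Counters:
    cumulative: Decimal = Decimal("0")
    count: int = 0


class ExemptionEngine:
    """Counters are keyed by (instrument, channel). Deliberately no time-based
    reset exists: only record_sca() clears them, as the RTS requires."""

    def __init__(self):
        self._counters = {}

    def _counters_for(self, instrument_id, channel):
        return self._counters.setdefault((instrument_id, channel), Counters())

    def decide(self, instrument_id, channel, amount, fraud_rate_pct=None):
        """Return (Decision, reason). Counters advance only for transactions that
        proceed without SCA; a transaction that needs SCA is not counted."""
        amount = Decimal(amount)
        per_txn, cumulative_cap, count_cap = LIMITS[channel]
        c = self._counters_for(instrument_id, channel)

        # Article 18 TRA is remote-only and has no counter of its own, but every
        # remote transaction made without SCA still advances the Article 16
        # counters here (literal reading of Article 16(b)/(c), an assumption).
        if channel is Channel.REMOTE and fraud_rate_pct is not None:
            ceiling = tra_ceiling(fraud_rate_pct)
            if ceiling is not None and amount <= ceiling:
                c.cumulative += amount
                c.count += 1
                return Decision.EXEMPT, "art18_tra"

        if amount > per_txn:
            return Decision.SCA_REQUIRED, "per_transaction_limit"
        if c.cumulative + amount > cumulative_cap:
            return Decision.SCA_REQUIRED, "cumulative_limit"
        if c.count + 1 > count_cap:
            return Decision.SCA_REQUIRED, "consecutive_count_limit"

        c.cumulative += amount
        c.count += 1
        return Decision.EXEMPT, "low_value"

    def record_sca(self, instrument_id):
        """Call once SCA succeeded (3-D Secure challenge, chip-and-PIN): resets
        every counter for the instrument, across both exemption types."""
        for key in list(self._counters):
            if key[0] == instrument_id:
                self._counters[key] = Counters()


def demo():
    """Constructed sequence on one card: five 20 EUR remote payments are exempt,
    the sixth trips the 100 EUR cumulative cap, and after SCA counting restarts."""
    engine = ExemptionEngine()
    trail = [engine.decide("card-1", Channel.REMOTE, "20")[1] for _ in range(6)]
    engine.record_sca("card-1")
    trail.append(engine.decide("card-1", Channel.REMOTE, "20")[1])
    return trail


if __name__ == "__main__":
    print(demo())
```

A caller that receives `SCA_REQUIRED` performs the step-up (3-D Secure challenge for remote, chip-and-PIN for contactless) and then calls `record_sca()`; nothing else should touch the counters. The `demo()` trail is five `low_value` decisions, one `cumulative_limit`, then `low_value` again after the reset.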


Dead Ends

Common approaches that don't work:

  1. 70% fail Applying the €30 exemption to every transaction without tracking the counters. Once the cumulative amount or the consecutive count since the last SCA is exceeded, the issuer (not the scheme itself) rejects the exemption request and returns a soft decline through the network that signals SCA is required (Mastercard response code 65, Visa 1A); the merchant must then resubmit with a 3-D Secure challenge.

  2. 65% fail Resetting the counters on a schedule (for example, daily at midnight). The RTS resets the cumulative amount and count only when SCA is applied to the instrument; a time-based reset lets the limits be exceeded, is non-compliant, and exposes the PSP to enforcement by its National Competent Authority (NCA), such as the FCA in the UK or BaFin in Germany.

  3. 55% fail Treating recurring payments as low-value transactions. A series of recurring transactions with the same amount to the same payee falls under Article 14: SCA is applied when the series is created, amended or initiated for the first time, and subsequent payments in the series are exempt regardless of amount; the €30 per-transaction cap and the €100/5 counters do not apply to it. Mixing the two exemptions (flagging a recurring payment as low-value, or vice versa) causes compliance failures and declines.