{
  "id": "banking/psd2-scp-exemption-misuse",
  "signature": "AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for all low-value payments under €30, ignoring the cumulative limit of €100 or 5 consecutive transactions since the last SCA",
  "signature_zh": "AI告诉欧盟金融科技公司，他们可以绕过所有低于30欧元的低价值支付的强客户认证（SCA），忽略了自上次SCA以来累计100欧元或连续5笔交易的限额",
  "regex": "SCA.*exempt|low.value.*SCA|under €30.*no SCA|bypass.*SCA.*payment|€30.*exemption",
  "domain": "banking",
  "category": "protocol_error",
  "subcategory": null,
  "root_cause": "Under PSD2 Regulatory Technical Standards (RTS) Article 11, the low-value contactless exemption (€30 per transaction) applies only until a cumulative limit of €100 or 5 consecutive transactions is reached, after which SCA is required again. The AI incorrectly treats it as an unlimited exemption, a common protocol error in payment compliance advice.",
  "root_cause_type": "generic",
  "root_cause_zh": "根据PSD2监管技术标准（RTS）第11条，低价值非接触式豁免（每笔交易30欧元）受累计限额100欧元或连续5笔交易的限制，之后需再次进行强客户认证（SCA），AI错误地将其视为无限制豁免，这是支付合规建议中的常见协议错误。",
  "versions": [
    {
      "version": "PSD2 RTS Article 11 (2018)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "EBA Guidelines on SCA (EBA/GL/2022/01)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Mastercard SCA Exemption Rules v2.0 (2023)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Visa SCA Exemption Framework 2024",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The payment network (e.g., Mastercard) will decline the transaction after the 5th consecutive exempted payment or once the cumulative total exceeds €100, returning a 'SCA Required' error (e.g., Mastercard decline code 58).",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The RTS requires the counter to reset only after SCA is performed; a simple time-based reset is non-compliant and can lead to fines from the National Competent Authority (NCA) like the FCA in the UK or BaFin in Germany.",
      "fail_rate": 0.65,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Recurring payments fall under a different exemption (fixed-amount recurring under Article 14), which has its own rules (first payment requires SCA, subsequent payments can be exempted if amount is fixed and <€30). Mixing exemptions causes compliance failures.",
      "fail_rate": 0.55,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Implement a server-side counter per cardholder that tracks the cumulative amount and count of exempted transactions since the last successful SCA. Example pseudocode: 'if (exemptedCountSinceLastSCA < 5 && exemptedAmountSinceLastSCA + currentAmount <= 100) { allowExemption(); } else { requireSCA(); }'. Reset both counters only after SCA is performed, never on a time basis.",
      "success_rate": 0.9,
      "how": "Implement a server-side counter per cardholder that tracks the cumulative amount and count of exempted transactions since the last successful SCA. Example pseudocode: 'if (exemptedCountSinceLastSCA < 5 && exemptedAmountSinceLastSCA + currentAmount <= 100) { allowExemption(); } else { requireSCA(); }'. Reset both counters only after SCA is performed, never on a time basis.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use the 'transaction risk analysis' (TRA) exemption under Article 18 instead, which allows exemption for transactions below €100 if the fraud rate is below a threshold (e.g., 0.13% for Mastercard). This removes the cumulative limit but requires fraud monitoring.",
      "success_rate": 0.85,
      "how": "Use the 'transaction risk analysis' (TRA) exemption under Article 18 instead, which allows exemption for transactions below €100 if the fraud rate is below a threshold (e.g., 0.13% for Mastercard). This removes the cumulative limit but requires fraud monitoring.",
      "condition": "",
      "sources": []
    },
    {
      "action": "For card-present payments, use the 'contactless' exemption but reset the counter after each SCA-performed transaction. Example: 'After every 5th contactless payment, prompt the customer to insert the card and enter PIN to reset the counter.'",
      "success_rate": 0.88,
      "how": "For card-present payments, use the 'contactless' exemption but reset the counter after each SCA-performed transaction. Example: 'After every 5th contactless payment, prompt the customer to insert the card and enter PIN to reset the counter.'",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Implement a server-side counter per cardholder that tracks the cumulative amount and count of exempted transactions since the last successful SCA. Example pseudocode: 'if (exemptedCountSinceLastSCA < 5 && exemptedAmountSinceLastSCA + currentAmount <= 100) { allowExemption(); } else { requireSCA(); }'. Reset both counters only after SCA is performed, never on a time basis.",
    "Use the 'transaction risk analysis' (TRA) exemption under Article 18 instead, which allows exemption for transactions below €100 if the fraud rate is below a threshold (e.g., 0.13% for Mastercard). This removes the cumulative limit but requires fraud monitoring.",
    "For card-present payments, use the 'contactless' exemption but reset the counter after each SCA-performed transaction. Example: 'After every 5th contactless payment, prompt the customer to insert the card and enter PIN to reset the counter.'"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-common-and-secure-communication-under-psd2",
  "official_doc_section": null,
  "error_code": "SCA_CUMULATIVE_LIMIT_ERR",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2024-01-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}