# AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for all low-value payments under €30, ignoring the cumulative limit of €100 or 5 transactions per day - **ID:** `banking/psd2-scp-exemption-misuse` - **Domain:** banking - **Category:** protocol_error - **Error Code:** `SCA_CUMULATIVE_LIMIT_ERR` - **Verification:** ai_generated - **Fix Rate:** 80% ## Root Cause Under PSD2 Regulatory Technical Standards (RTS) Article 11, the low-value contactless exemption (€30 per transaction) is subject to a cumulative limit of €100 or 5 consecutive transactions before SCA is required again, and AI incorrectly treats it as an unlimited exemption, a common protocol error in payment compliance advice. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | PSD2 RTS Article 11 (2018) | active | — | — | | EBA Guidelines on SCA (EBA/GL/2022/01) | active | — | — | | Mastercard SCA Exemption Rules v2.0 (2023) | active | — | — | | Visa SCA Exemption Framework 2024 | active | — | — | ## Workarounds 1. **Implement a server-side counter per cardholder that tracks the cumulative amount and count of exempted transactions. Example pseudocode: 'if (exemptedCountToday < 5 && exemptedAmountToday + currentAmount <= 100) { allowExemption(); } else { requireSCA(); }'** (90% success) ``` Implement a server-side counter per cardholder that tracks the cumulative amount and count of exempted transactions. Example pseudocode: 'if (exemptedCountToday < 5 && exemptedAmountToday + currentAmount <= 100) { allowExemption(); } else { requireSCA(); }' ``` 2. **Use the 'transaction risk analysis' (TRA) exemption under Article 18 instead, which allows exemption for transactions below €100 if the fraud rate is below a threshold (e.g., 0.13% for Mastercard). This removes the cumulative limit but requires fraud monitoring.** (85% success) ``` Use the 'transaction risk analysis' (TRA) exemption under Article 18 instead, which allows exemption for transactions below €100 if the fraud rate is below a threshold (e.g., 0.13% for Mastercard). This removes the cumulative limit but requires fraud monitoring. ``` 3. **For card-present payments, use the 'contactless' exemption but reset the counter after each SCA-performed transaction. Example: 'After every 5th contactless payment, prompt the customer to insert the card and enter PIN to reset the counter.'** (88% success) ``` For card-present payments, use the 'contactless' exemption but reset the counter after each SCA-performed transaction. Example: 'After every 5th contactless payment, prompt the customer to insert the card and enter PIN to reset the counter.' ``` ## Dead Ends - **** — The payment network (e.g., Mastercard) will decline the transaction after the 5th consecutive exempted payment or once the cumulative total exceeds €100, returning a 'SCA Required' error (e.g., Mastercard decline code 58). (70% fail) - **** — The RTS requires the counter to reset only after SCA is performed; a simple time-based reset is non-compliant and can lead to fines from the National Competent Authority (NCA) like the FCA in the UK or BaFin in Germany. (65% fail) - **** — Recurring payments fall under a different exemption (fixed-amount recurring under Article 14), which has its own rules (first payment requires SCA, subsequent payments can be exempted if amount is fixed and <€30). Mixing exemptions causes compliance failures. (55% fail)