SCA_CUMULATIVE_LIMIT_ERR banking protocol_error ai_generated true

AI告诉欧盟金融科技公司,他们可以绕过所有低于30欧元的低价值支付的强客户认证(SCA),忽略了每日累计限额100欧元或5笔交易

AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for all low-value payments under €30, ignoring the cumulative limit of €100 or 5 transactions per day

ID: banking/psd2-scp-exemption-misuse

其他格式: JSON · Markdown 中文 · English
80%修复率
87%置信度
1证据数
2024-01-20首次发现

版本兼容性

版本状态引入弃用备注
PSD2 RTS Article 11 (2018) active
EBA Guidelines on SCA (EBA/GL/2022/01) active
Mastercard SCA Exemption Rules v2.0 (2023) active
Visa SCA Exemption Framework 2024 active

根因分析

根据PSD2监管技术标准(RTS)第11条,低价值非接触式豁免(每笔交易30欧元)受累计限额100欧元或连续5笔交易的限制,之后需再次进行强客户认证(SCA),AI错误地将其视为无限制豁免,这是支付合规建议中的常见协议错误。

English

Under PSD2 Regulatory Technical Standards (RTS) Article 11, the low-value contactless exemption (€30 per transaction) is subject to a cumulative limit of €100 or 5 consecutive transactions before SCA is required again, and AI incorrectly treats it as an unlimited exemption, a common protocol error in payment compliance advice.

generic

官方文档

https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-common-and-secure-communication-under-psd2

解决方案

  1. Implement a server-side counter per cardholder that tracks the cumulative amount and count of exempted transactions. Example pseudocode: 'if (exemptedCountToday < 5 && exemptedAmountToday + currentAmount <= 100) { allowExemption(); } else { requireSCA(); }'
  2. Use the 'transaction risk analysis' (TRA) exemption under Article 18 instead, which allows exemption for transactions below €100 if the fraud rate is below a threshold (e.g., 0.13% for Mastercard). This removes the cumulative limit but requires fraud monitoring.
  3. For card-present payments, use the 'contactless' exemption but reset the counter after each SCA-performed transaction. Example: 'After every 5th contactless payment, prompt the customer to insert the card and enter PIN to reset the counter.'

无效尝试

常见但无效的做法:

  1. 70% 失败

    The payment network (e.g., Mastercard) will decline the transaction after the 5th consecutive exempted payment or once the cumulative total exceeds €100, returning a 'SCA Required' error (e.g., Mastercard decline code 58).

  2. 65% 失败

    The RTS requires the counter to reset only after SCA is performed; a simple time-based reset is non-compliant and can lead to fines from the National Competent Authority (NCA) like the FCA in the UK or BaFin in Germany.

  3. 55% 失败

    Recurring payments fall under a different exemption (fixed-amount recurring under Article 14), which has its own rules (first payment requires SCA, subsequent payments can be exempted if amount is fixed and <€30). Mixing exemptions causes compliance failures.