# AI tells EU fintechs they can skip Strong Customer Authentication (SCA) for all low-value payments under €30, ignoring the daily cumulative limit of €100 or 5 transactions

- **ID:** `banking/psd2-scp-exemption-misuse`
- **Domain:** banking
- **Category:** protocol_error
- **Error code:** `SCA_CUMULATIVE_LIMIT_ERR`
- **Verification level:** ai_generated
- **Fix rate:** 80%

## Root cause

Under Article 11 of the PSD2 Regulatory Technical Standards (RTS), the low-value contactless exemption (€30 per transaction) is capped at a cumulative €100 or 5 consecutive transactions, after which Strong Customer Authentication (SCA) must be performed again. The AI treated it as an unlimited exemption, a common protocol error in payments-compliance advice.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| PSD2 RTS Article 11 (2018) | active | — | — |
| EBA Guidelines on SCA (EBA/GL/2022/01) | active | — | — |
| Mastercard SCA Exemption Rules v2.0 (2023) | active | — | — |
| Visa SCA Exemption Framework 2024 | active | — | — |

## Solutions

1. Implement a server-side counter per cardholder that tracks the cumulative amount and count of exempted transactions. Example pseudocode: `if (exemptedCountToday < 5 && exemptedAmountToday + currentAmount <= 100) { allowExemption(); } else { requireSCA(); }`
2. Use the 'transaction risk analysis' (TRA) exemption under Article 18 instead, which allows exemption for transactions below €100 if the fraud rate is below a threshold (e.g., 0.13% for Mastercard). This removes the cumulative limit but requires fraud monitoring.
3. For card-present payments, use the 'contactless' exemption but reset the counter after each SCA-performed transaction. Example: 'After every 5th contactless payment, prompt the customer to insert the card and enter PIN to reset the counter.'
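As an added example (not code from the original entry), the server-side counter from solutions 1 and 3 in Python. It keys the counters by an opaque cardholder token (assumed to be a PAN surrogate rather than the raw card number), applies the three thresholds stated above (€30 per transaction, €100 cumulative, 5 transactions), and resets the counters only when SCA has actually been performed, never on a timer. The `naive_decide` function reproduces the erroneous amount-only check so the divergence is visible side by side; the transaction amounts in `simulate_sequence` are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in this entry (values are the page's, not verified here)
PER_TXN_LIMIT = Decimal("30.00")      # per-transaction cap for the exemption
CUMULATIVE_LIMIT = Decimal("100.00")  # cumulative cap since the last SCA
MAX_EXEMPT_COUNT = 5                  # consecutive exempted transactions allowed

# Decision outcomes; the SCA_* values double as audit/log reasons
EXEMPT = "EXEMPT"
SCA_PER_TXN_LIMIT = "SCA_PER_TXN_LIMIT"
SCA_COUNT_LIMIT = "SCA_COUNT_LIMIT"
SCA_CUMULATIVE_LIMIT = "SCA_CUMULATIVE_LIMIT"
APPROVED_WITH_SCA = "APPROVED_WITH_SCA"


@dataclass
class CardholderState:
    """Exemption usage accumulated since the cardholder's last successful SCA."""
    exempt_count: int = 0
    exempt_amount: Decimal = Decimal("0.00")


class LowValueExemptionTracker:
    """Per-cardholder tracker deciding whether a payment may use the
    low-value exemption or must be challenged with SCA.

    Keys are opaque cardholder tokens (hypothetical PAN surrogates).
    Decimal is used throughout so cumulative sums are exact.
    """

    def __init__(self) -> None:
        self._state: dict[str, CardholderState] = {}

    def _get(self, token: str) -> CardholderState:
        return self._state.setdefault(token, CardholderState())

    def check(self, token: str, amount: Decimal) -> str:
        """Evaluate the three limits without mutating state."""
        state = self._get(token)
        if amount > PER_TXN_LIMIT:
            return SCA_PER_TXN_LIMIT
        if state.exempt_count >= MAX_EXEMPT_COUNT:
            return SCA_COUNT_LIMIT
        if state.exempt_amount + amount > CUMULATIVE_LIMIT:
            return SCA_CUMULATIVE_LIMIT
        return EXEMPT

    def authorize(self, token: str, amount: Decimal, sca_performed: bool = False) -> str:
        """Decide and record in one step so a granted exemption is always counted.

        When the issuer reports that SCA was performed for this payment, the
        counters reset (the only compliant reset, per failed attempt 2).
        """
        if sca_performed:
            self._state[token] = CardholderState()
            return APPROVED_WITH_SCA
        decision = self.check(token, amount)
        if decision == EXEMPT:
            state = self._get(token)
            state.exempt_count += 1
            state.exempt_amount += amount
        return decision


def naive_decide(amount: Decimal) -> str:
    """The erroneous rule this entry describes: amount-only, no counters."""
    return EXEMPT if amount < PER_TXN_LIMIT else SCA_PER_TXN_LIMIT


def simulate_sequence(amounts: list[str], token: str = "tok_constructed_1") -> list[str]:
    """Run a sequence of constructed payment amounts through a fresh tracker."""
    tracker = LowValueExemptionTracker()
    return [tracker.authorize(token, Decimal(a)) for a in amounts]


if __name__ == "__main__":
    # Six €20 payments: the 6th trips the count limit even though 6 * 20 > 100 too
    for amount, decision in zip(["20"] * 6, simulate_sequence(["20"] * 6)):
        print(f"€{amount}: tracker={decision:22s} naive={naive_decide(Decimal(amount))}")
```

The `check`/`authorize` split lets a pre-authorization path look ahead without consuming the allowance, while `authorize` keeps the count and the decision in one call so a granted exemption cannot be forgotten. In a real deployment the state map would live in a shared store keyed by the same token the issuer uses, since the limits are per cardholder across all terminals.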

## Failed attempts

- The payment network (e.g., Mastercard) will decline the transaction after the 5th consecutive exempted payment or once the cumulative total exceeds €100, returning a 'SCA Required' error (e.g., Mastercard decline code 58). (70% failure rate)
- The RTS requires the counter to reset only after SCA is performed; a simple time-based reset is non-compliant and can lead to fines from the National Competent Authority (NCA) like the FCA in the UK or BaFin in Germany. (65% failure rate)
- Recurring payments fall under a different exemption (fixed-amount recurring under Article 14), which has its own rules (first payment requires SCA, subsequent payments can be exempted if the amount is fixed and <€30). Mixing exemptions causes compliance failures. (55% failure rate)
