Wallester Insights: PSD2 and Strong Customer Authentication Compliance

Any payment software needs authentication controls before users can trust it. Authentication has become a core component of security architecture, and its role can hardly be overstated in the FinTech industry: with e-commerce transactions happening every second, this market is exposed to fraud and money-laundering threats more than most. From this perspective, choosing a card-issuing service that complies with current authentication and cybersecurity standards is more than a simple recommendation.

That’s where the PSD2 regulations come in. Read on to understand what the term actually means and how it affects the finance environment of any business.

Enhanced Cloning Techniques


Currently, real-time authorization with a cloned EMV chip is not feasible: extracting the card’s cryptographic keys needed to generate payment cryptograms has eluded both criminals and researchers. However, alternative methods exist for creating functional card replicas that do not require those keys:

One method used by criminals is writing the Track2 Equivalent Data onto a magnetic stripe. Track2 Equivalent Data (EMV tag 57) mirrors the information encoded on a card’s magnetic stripe and is the parameter used for card identification in Hardware Security Module (HSM) systems and other subsystems responsible for card processing, so a stripe carrying it looks like the original card to such systems. A caveat a practitioner should know: the Track2 Equivalent Data on the chip carries a different card verification value (the iCVV) from the CVV1 on the genuine stripe, and an issuer that validates the CVV variant against the entry mode rejects such copies; the technique works where that check is missing.

Consequently, malicious individuals encode Track2 Equivalent Data onto a magnetic stripe and run fraudulent transactions either as ordinary magnetic stripe transactions or through technical fallback mode, in which the terminal falls back to the stripe after a chip read “fails”. Skimmers, devices built specifically to capture such data at ATMs, are commonly used to collect it.

To duplicate transactions, perpetrators may turn to the EMV pre-play and replay attacks. The replay attack targets the mechanisms that are supposed to make each transaction and cryptogram unique. Where a compromised terminal generates the same UN (Unpredictable Number) every time, a cryptogram obtained from the card for that UN can be reused: the attacker “clones” the transaction for future use without needing the original card. This only works against an issuer that neither remembers cryptograms it has already accepted nor checks that the card’s Application Transaction Counter (ATC) keeps increasing; both checks are standard defenses.

Attackers can even submit the old cryptogram on later days, with the authorization request dated to the previous day. The pre-play scheme applies when a compromised terminal generates a predictable UN rather than an identical one. With brief physical access to the card, an attacker can harvest cryptograms for the UN values the terminal will produce later and submit them one by one. Unlike the replay attack, each harvested transaction can only be used once, because every cryptogram is bound to a distinct ATC.
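The issuer-side checks that make the replay and pre-play attacks described above fail, written as an added Python example (not code from the original article, and not Wallester’s or any issuer’s actual implementation). The card, terminals and issuer are simulated; the cryptogram is an HMAC-SHA256 stand-in for the real ARQC (a 3DES MAC under an ATC-derived session key); and the card key, PAN, dates and terminal IDs are constructed test values. It shows a replayed cryptogram rejected by the cryptogram-reuse check on the same day and by the date check days later, a tampered amount rejected by cryptogram verification, and a pre-play sequence at a counter-UN terminal caught by a UN-quality heuristic on the second submission. An issuer that skips these checks is exactly the one the attacks work against.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example: issuer-side checks against EMV replay and pre-play.
# The "ARQC" is an HMAC-SHA256 stand-in for the real cryptogram; the
# bookkeeping around it (ATC, seen cryptograms, UN quality) is the point.


def compute_arqc(key: bytes, atc: int, un: bytes, amount: int, txn_date: date) -> bytes:
    """Simplified cryptogram over the fields that must bind one transaction."""
    data = atc.to_bytes(2, "big") + un + amount.to_bytes(6, "big") + txn_date.isoformat().encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    key: bytes        # card key shared with the issuer (hypothetical, random)
    atc: int = 0      # Application Transaction Counter, +1 per cryptogram

    def generate_arqc(self, un: bytes, amount: int, txn_date: date):
        self.atc += 1
        return self.atc, compute_arqc(self.key, self.atc, un, amount, txn_date)


@dataclass
class AuthRequest:
    pan: str
    terminal_id: str
    atc: int
    un: bytes
    amount: int
    txn_date: date
    arqc: bytes


class Issuer:
    """Keeps per-card and per-terminal state across authorizations."""

    def __init__(self, keys: dict, today: date, max_age_days: int = 1):
        self.keys = keys
        self.today = today
        self.max_age = timedelta(days=max_age_days)
        self.last_atc = {}        # pan -> highest ATC accepted so far
        self.seen_arqc = set()    # (pan, arqc) pairs already accepted
        self.terminal_uns = {}    # terminal_id -> UNs recently seen from it

    def authorize(self, req: AuthRequest):
        key = self.keys.get(req.pan)
        if key is None:
            return False, "unknown card"
        # 1. The cryptogram must verify under the card's key for exactly these fields.
        if not hmac.compare_digest(req.arqc, compute_arqc(key, req.atc, req.un, req.amount, req.txn_date)):
            return False, "cryptogram mismatch"
        # 2. A request dated days ago is an old cryptogram being submitted late.
        if self.today - req.txn_date > self.max_age:
            return False, "stale transaction date"
        # 3. The same cryptogram presented twice is a straight replay.
        if (req.pan, req.arqc) in self.seen_arqc:
            return False, "cryptogram replayed"
        # 4. The ATC must advance; a counter at or below the last one is an old cryptogram.
        if req.atc <= self.last_atc.get(req.pan, 0):
            return False, "ATC not increasing"
        # 5. A terminal whose UNs repeat or simply count upward is not unpredictable.
        recent = self.terminal_uns.setdefault(req.terminal_id, [])
        if recent and (req.un in recent or int.from_bytes(req.un, "big") == int.from_bytes(recent[-1], "big") + 1):
            return False, "terminal UN repeated or predictable"
        recent.append(req.un)
        self.seen_arqc.add((req.pan, req.arqc))
        self.last_atc[req.pan] = req.atc
        return True, "approved"


def run_scenarios():
    """Honest use, a tampered amount, a replay at a fixed-UN terminal, a pre-play at a counter-UN terminal."""
    today = date(2024, 5, 2)
    card = Card(pan="4111111111111111", key=os.urandom(16))   # constructed test card
    issuer = Issuer({card.pan: card.key}, today)
    results = {}

    # Honest terminal: a fresh random UN for every transaction.
    un = os.urandom(4)
    atc, arqc = card.generate_arqc(un, 25_00, today)
    results["honest"] = issuer.authorize(AuthRequest(card.pan, "T-HONEST", atc, un, 25_00, today, arqc))
    results["tampered"] = issuer.authorize(AuthRequest(card.pan, "T-HONEST", atc, un, 99_00, today, arqc))

    # Replay: the compromised terminal always uses the same UN, so the attacker
    # captures one (ATC, UN, ARQC) tuple and resubmits it without the card.
    fixed_un = bytes(4)
    atc, arqc = card.generate_arqc(fixed_un, 40_00, today)
    captured = AuthRequest(card.pan, "T-FIXED", atc, fixed_un, 40_00, today, arqc)
    results["first_use"] = issuer.authorize(captured)
    results["replay_same_day"] = issuer.authorize(captured)
    later = Issuer({card.pan: card.key}, today + timedelta(days=3))   # issuer with no memory of it
    results["replay_days_later"] = later.authorize(captured)

    # Pre-play: the terminal's UN is a counter, so the attacker, holding the card briefly,
    # harvests cryptograms for the next UN values and submits each once, in order.
    harvested = [(n, *card.generate_arqc(n.to_bytes(4, "big"), 10_00, today)) for n in (0x10, 0x11)]
    results["preplay"] = [
        issuer.authorize(AuthRequest(card.pan, "T-CTR", atc, n.to_bytes(4, "big"), 10_00, today, arqc))
        for n, atc, arqc in harvested
    ]
    return results
```

The ATC check is the one that matters most in practice: a genuine card advances its counter on every cryptogram, so an issuer that remembers the last accepted ATC per card turns an “unlimited” replay into a single one even if it keeps no cryptogram history. The UN heuristic only flags a terminal after it has already approved one transaction from it, and it only recognizes the two patterns it looks for (repeated value, counter), so it is a terminal-quality signal rather than a guarantee.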


PSD2: Definition, Influence, and Goals


Since the first Payment Services Directive was released in 2007, the market has changed drastically. The advance of technology and the boom in online payments also show the other side of the coin: new business models often arrive before regulation does, and the growth of the API economy has contributed to a steadily rising level of fraud in Europe.

In a nutshell, PSD2 is the set of rules every payment service must follow to operate in the EU and EEA. It secures internet-based transactions and strengthens the economic environment in both theory and practice.

Here are some features that distinguish PSD2 from other finance norms:
  • It makes card issuing more transparent, since compliant service providers must disclose their conditions and charges. At the same time, this helps new players compete and offer their solutions on a par with well-established organizations.
  • PSD2 established licensing for payment institutions, including card-issuing services. On the one hand, it lets businesses offering such services in the EU prove their reliability and credibility despite having less experience. On the other hand, it also helps customers choose a card issuing and processing institution with confidence.
  • PSD2 goes hand in hand with strong customer authentication (SCA). Two-factor authentication and similar measures back most online payments and add a protection layer to such financial operations. There is one gap in this directive: when one of the parties to the payment is located outside the EEA (a so-called one-leg-out transaction), SCA is not mandatory, and the EEA side is only expected to apply it on a best-effort basis.

As of 2022, more than five hundred million people in Europe were expected to shop online, and that number is likely to keep growing. Backing such a volume of transactions with PSD2-compliant services will bring long-term benefits.

The Revised Payment Services Directive (PSD2)


Every country has its own recommendations on No CVM (Cardholder Verification Method) limits, the amounts below which the payer does not have to be verified. This is commonly known as the Tap & Go scheme. Within the European Economic Area, for instance, the recommended limit is €50 per transaction.

Merchants and acquiring banks are free to set their own terminal limits, but they then carry the risk of No CVM fraud themselves. This is why not every bank or merchant raises its limits above the average: a higher limit attracts more fraudsters.

One common scam with stolen contactless cards is abusing the Tap & Go scheme by running multiple transactions, each within the No CVM limit. Anti-fraud systems seldom step in to block such transactions. Some audacious scammers have even found cashiers willing to split a large bill into several smaller transactions, such as £30 each, bypassing the restriction entirely.

Combating these fraudulent activities

To combat these fraudulent activities, the European Union introduced the revised Payment Services Directive (PSD2) together with regulatory technical standards on strong customer authentication, which set specific requirements on how often the payer must be verified. Under the contactless exemption (RTS Article 11), applied from September 2019 with enforcement in many markets delayed to the end of 2020, issuing banks must limit how many transactions may pass below the Tap & Go threshold without verification. They have to track both the number of consecutive contactless transactions and the total amount spent since the last verification, and prompt for a PIN (or another SCA method) after five such transactions or once the cumulative amount reaches €150.
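As an added example (not the article’s or Wallester’s code), here are the per-card counters an issuer keeps for the PSD2 contactless exemption, in Python. The limits are the RTS Article 11 figures; the function names, the decision to enforce both counters rather than one, and the sample taps are assumptions for illustration. It also shows why the bill-splitting trick described earlier stops working once the issuer enforces the counters: the fourth €45 tap trips the cumulative limit and the sixth €10 tap trips the count.

```python
from dataclasses import dataclass

# Constructed example of the issuer-side counters behind the PSD2 contactless
# exemption (RTS 2018/389, Article 11). A contactless payment may skip SCA only
# if it is at most EUR 50 and, since the last SCA on that card, the cumulative
# exempted amount stays within EUR 150 or the run of consecutive exempted
# payments stays within five. The RTS lets an issuer rely on either counter;
# this example applies both, the conservative reading. Amounts are in cents.

SINGLE_LIMIT = 50_00
CUMULATIVE_LIMIT = 150_00
COUNT_LIMIT = 5


@dataclass
class CardCounters:
    """Per-card state held by the issuer (and mirrored on the chip), never trusted from the terminal."""
    cumulative: int = 0   # cents approved without SCA since the last SCA
    count: int = 0        # consecutive payments approved without SCA

    def reset(self) -> None:
        self.cumulative = 0
        self.count = 0


def sca_required(counters: CardCounters, amount: int):
    """Decide whether a contactless tap of `amount` cents may use the exemption."""
    if amount > SINGLE_LIMIT:
        return True, "amount above single-transaction limit"
    if counters.cumulative + amount > CUMULATIVE_LIMIT:
        return True, "cumulative amount since last SCA would exceed limit"
    if counters.count + 1 > COUNT_LIMIT:
        return True, "consecutive exempted transactions would exceed limit"
    return False, "exempt"


def process_tap(counters: CardCounters, amount: int, pin_entered: bool):
    """Authorize one tap; a successful PIN (SCA) resets both counters."""
    need, reason = sca_required(counters, amount)
    if not need:
        counters.cumulative += amount
        counters.count += 1
        return True, "approved (exempt)"
    if not pin_entered:
        return False, "PIN required: " + reason
    counters.reset()
    return True, "approved with PIN"


def simulate(taps, counters=None):
    """taps: list of (amount_cents, pin_entered) for one card; returns the issuer's decisions."""
    counters = counters if counters is not None else CardCounters()
    return [process_tap(counters, amount, pin) for amount, pin in taps]


if __name__ == "__main__":
    # The bill-splitting scam: four EUR 45 taps, then the fourth retried with a PIN.
    for decision in simulate([(45_00, False)] * 4 + [(45_00, True)]):
        print(decision)
    # Many small taps: the fifth consecutive exempt payment is the last one allowed.
    for decision in simulate([(10_00, False)] * 6):
        print(decision)
```

The important design point is where the counters live. They are state of the card and the issuer’s authorization host; a terminal can report the amount it wants approved, but it must not be able to tell the issuer what the cumulative total or count is. That separation is what closes the “reset the limits from a compromised terminal” route discussed later in the article.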

Mastercard and Visa offer two alternatives for transactions above the Tap & Go limits: soft limits and hard limits. Most countries follow the soft-limit scheme, in which a contactless payment above the limit simply requires additional payer verification, such as an online PIN or a signature. The United Kingdom runs a hard-limit scheme, in which payments above the limit must be made by inserting the chip card. Note that this does not apply to mobile wallets, which have separate limits.

Security researchers have tested how effective these rules are and looked for ways to bypass them using publicly known vulnerabilities or new variations of them. They found that an attacker with a stolen card and a customized terminal could pay in ordinary stores above the set limits by resetting those limits from the compromised terminal, which works wherever the limit is enforced only by the terminal and not checked again by the issuer.

Working with Professional Card Issuing Platforms: Wallester Edition


The number and variety of services that follow PSD2 keeps growing, which gives businesses a good chance of finding the right strategic and economic fit for their needs. By working with Wallester, you get credit and debit cards that are safe to use in the EU for e-commerce. With SCA technologies such as 3-D Secure, biometric verification and PIN, you take a proactive step toward a reliable and credible finance environment for the prospective users of your services.

How many SCA checks are applied, and how often, depends on several factors, from your audience’s shopping habits to what kind of merchant you are.

Typical limits and checks include the following:
  • The system restricts the number of consecutive contactless payments and requires end users to enter a PIN once the limit is reached.
  • The service verifies payments that exceed the maximum amount per purchase, or the maximum spend for online shopping overall.

These criteria also depend on your own policies. Wallester lets clients set custom limits when issuing the desired type and number of cards; see https://wallester.com.


Wrap It Up


Contactless bank cards are convenient, but they have weaknesses fraudsters can exploit. Legacy modes and magnetic stripes introduce security risks, letting attackers clone cards and manipulate transaction data. Despite these risks, banks continue to support outdated payment methods for several reasons: compatibility, cost, user adoption, and international acceptance.

Moreover, cardholder verification methods can be circumvented, and the Tap & Go scheme is open to abuse. Although regulations like PSD2 were introduced to combat fraud, limits can still be bypassed with compromised terminals where the issuer does not enforce them itself. Continued progress in payment security is needed to address these challenges.

If you want to secure your company’s health and standing in the long run, it is better to take care of compliance with the latest norms and regulations now. With solutions like Wallester, you don’t have to work out how to implement PSD2 and SCA yourself; it is done for you by default.

Disclosure: Some of our articles may contain affiliate links; this means each time you make a purchase, we get a small commission. However, the input we produce is reliable; we always handpick and review all information before publishing it on our website. We can ensure you will always get genuine as well as valuable knowledge and resources.

Published By: Souvik Banerjee

Souvik Banerjee: Web Developer & SEO Specialist with 15+ years of experience in Open Source Web Development, specialized in Joomla & WordPress development. He is also the moderator of this blog, "RS Web Solutions".