Who determines contactless payment limits with the Walletmor? It’s not iCard (I set a 1000 euro limit per transaction). Is it individual stores / chains? Payment processors? Local law? Is it hard-coded in the terminals?
With one exception, all the stores in my area seem to decline payments over 50 euros.
It doesn’t actually make any sense because contact credit payments also don’t require a PIN, but they’re not limited. Even if bad actors were able to skim an exchange mid-transaction, they would only be able to do a replay attack for one or maybe a few transactions. The new secure element systems are very different from the old PAN magstripe systems, but people don’t seem to get that. The ignorance is real.
There are regional “boilerplate” limits which are part of a larger overall security template. The issuers (banks) typically just go with the template… but not always. Also processors can set additional limits based on their own requirements or based on specific merchant request.
iCard is not actually a bank. They are a neobank which is licensing financial operating regulatory status from another bank… who knows which. I would not be surprised if they had no direct influence over things like limits… But you never know
This whole business is fabulously convoluted. I’m not stupid (not all the time anyway) and I’m really making an effort to wrap my head around who does what, but I still don’t get it
Oh well. 50 euros it is then. It’s not a problem though: if it’s over the limit, I just ask the cashier to break it down into 50-euro chunks and I pay several times. It seems to work fine. It’s just inconvenient.
I think they do though: why else would they offer to set your own limits?
Not sure what you mean here but if you’re referring to the customer (you) being able to set a lower limit… that’s fine… what I mean is going above the ceiling limit (upper limit), which is called… confusingly… the floor limit in industry.
I would prefer it the other way. Replay attacks are difficult, have limited scope, and are easily spotted by algorithms already in place to counteract fraud. If you’re using a secure element (contact or contactless), don’t require a PIN; then, if there are any fishy transactions, lock them out and send a text or email to the user to confirm. The whole thing should be as seamless as possible, with the security baked right in.
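To make concrete why a skimmed secure-element exchange only buys an attacker at most one replay (the point made in the third and last posts above), here is a toy model of the issuer-side checks. This is an added example, not code from anyone in this thread and not real EMV: an HMAC over the amount, the card's transaction counter and the terminal's nonce stands in for EMV's session-key cryptogram, and `no_cvm_ceiling_cents` is a constructed stand-in for the per-transaction "floor/ceiling" limit discussed above. The key and amounts are constructed demo values.

```python
import hashlib
import hmac
import os
import struct


class Card:
    """Toy secure element: a secret key plus a monotonically increasing
    Application Transaction Counter (ATC). The key never leaves the card;
    only the cryptogram does."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.atc = 0

    def authorise(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        # Every transaction bumps the counter, so no two cryptograms are alike.
        self.atc += 1
        msg = struct.pack(">QI", amount_cents, self.atc) + unpredictable_number
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number, "mac": mac}


class Issuer:
    """Toy issuer host: shares the card key, remembers the last ATC it saw,
    and enforces a per-transaction ceiling above which a CVM (PIN) is required."""

    def __init__(self, key: bytes, no_cvm_ceiling_cents: int) -> None:
        self._key = key
        self.ceiling = no_cvm_ceiling_cents
        self.last_atc = 0

    def decide(self, tx: dict, cvm_done: bool) -> str:
        msg = struct.pack(">QI", tx["amount"], tx["atc"]) + tx["un"]
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        # Cryptogram binds amount, counter and terminal nonce: tampering fails here.
        if not hmac.compare_digest(expected, tx["mac"]):
            return "DECLINE:bad_cryptogram"
        # A counter we have already seen is a replayed exchange.
        if tx["atc"] <= self.last_atc:
            return "DECLINE:replay"
        # Record the counter before the policy check so a declined message
        # cannot be replayed later either.
        self.last_atc = tx["atc"]
        if tx["amount"] > self.ceiling and not cvm_done:
            return "DECLINE:cvm_required"
        return "APPROVE"


def run_scenario() -> list:
    """Walk through: a legitimate tap, a replay of the skimmed exchange,
    a tampered amount, an over-ceiling tap without PIN, and one with PIN."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    card, issuer = Card(key), Issuer(key, no_cvm_ceiling_cents=5000)  # 50 EUR ceiling
    results = []

    tx1 = card.authorise(3000, os.urandom(4))          # 30 EUR, no PIN
    results.append(issuer.decide(tx1, cvm_done=False))  # APPROVE
    results.append(issuer.decide(tx1, cvm_done=False))  # same message again: DECLINE:replay

    forged = dict(tx1, amount=9000, atc=tx1["atc"] + 1)  # attacker edits the skimmed message
    results.append(issuer.decide(forged, cvm_done=False))  # DECLINE:bad_cryptogram

    tx2 = card.authorise(6000, os.urandom(4))          # 60 EUR, over the ceiling
    results.append(issuer.decide(tx2, cvm_done=False))  # DECLINE:cvm_required
    tx3 = card.authorise(6000, os.urandom(4))
    results.append(issuer.decide(tx3, cvm_done=True))   # PIN entered: APPROVE
    return results


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The counter check is what limits a replay to at most the one transaction the attacker captured, and the cryptogram is what stops them from changing the amount or reusing it at a different terminal; the ceiling check is the only part that depends on whoever sets the limit, which is why lowering it buys little against this class of attack.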