How does PSD2 work in Europe and does it affect Non-VBV BINs?

Mutt

Payment Services Directive 2 (PSD2) is a European Union directive adopted in 2015 and entered into full force in 2019 (with additional transition periods until 2021) that regulates payment services in the European Economic Area (EEA). It aims to improve the security of online transactions, promote competition and protect consumers. PSD2 has a significant impact on payment processing, including the use of Non-Verified by Visa (Non-VBV) bins, as it introduces strict authentication requirements. Below, I will explain in detail how PSD2 works and how it affects Non-VBV bins for educational purposes, with a focus on the technical and practical aspects in the context of carding.

1. How does PSD2 work?

PSD2 (Directive (EU) 2015/2366) replaces the original PSD (2007) and introduces new rules for banks, payment providers and online shops. Key aspects related to transaction security include:

a) Strong Customer Authentication (SCA)

  • Definition: SCA is a key part of PSD2, requiring two-factor authentication (2FA) for most online transactions and operations involving access to payment accounts.
  • How it works:
    • To confirm a transaction, the user must provide two of three elements:
      1. Knowledge (something that only the user knows, such as a password or PIN).
      2. Possession (something the user has, such as a phone to receive an SMS code or a banking app).
      3. Inherence (something that is part of the user, such as biometrics - fingerprint, facial recognition).
    • Example: When making a purchase in an online store, the user enters card details (knowledge) and confirms the transaction via SMS code or push notification in the bank's application (possession).
  • Technical implementation:
    • SCA is often implemented through the 3D-Secure 2.0 protocol (Verified by Visa, MasterCard SecureCode, Amex SafeKey), which redirects the user to the bank's authentication page to enter an OTP (one-time password) or biometric verification.
    • 3DS 2.0 uses Risk-Based Authentication (RBA) where the bank analyzes the transaction (IP, device, amount, region) and decides whether full authentication is required or whether SCA can be skipped for low-risk transactions.

b) Scope of PSD2

  • Geography: PSD2 applies to EEA countries (28 EU countries + Iceland, Norway, Liechtenstein).
  • Transaction types:
    • Online payments (e-commerce).
    • Access to bank accounts through third-party services (e.g. fintech applications).
    • Contact and contactless payments (in some cases).
  • Exceptions to SCA:
    • Low-risk transactions: Banks may skip SCA for transactions that are considered safe based on risk analysis (e.g. small amounts or repeat payments at the same store).
    • Low value transactions: Payments up to €30 (or equivalent) may be exempt from SCA, but with a limit on the number of such transactions (usually 5 in a row) or the total amount (€100).
    • Recurring transactions: For example, subscriptions (Netflix, Spotify) where SCA is only required for the first transaction.
    • Trusted Recipients: User can add the store to the "whitelist" in their bank to skip SCA for future payments.
    • Offline transactions: Some physical payments (e.g. in stores with a PIN) may be exempt.

c) Open Banking

  • PSD2 requires banks to provide third-party providers (such as fintech companies) with access to customer data via APIs (with the customer's consent).
  • This indirectly affects anti-fraud measures, as banks can use data from third-party sources to analyze transactions.

d) Anti-fraud measures

  • PSD2 requires banks and stores to implement modern anti-fraud systems, including real-time transaction monitoring, behavioral analysis and geolocation.
  • Example: A bank may reject a transaction if the user's IP address does not match the card's region, even if SCA is passed.

2. Impact of PSD2 on Non-VBV bins

Non-VBV bins are bank identification numbers (BINs) that do not require verification via Verified by Visa (3D-Secure). In the context of PSD2, their use for fraudulent transactions (e.g. carding) is significantly more difficult. Let's look at how PSD2 affects such bins:

a) Mandatory use of 3D-Secure

  • Impact:
    • PSD2 requires SCA for most online transactions in the EEA, making Non-VBV bins virtually useless in Europe as issuing banks are required to implement 3DS for all cards.
    • Even if a bin is technically classified as Non-VBV (e.g. due to old bank settings), merchants and payment gateways in the EEA are required to request 3DS to comply with PSD2.
  • Consequences for carding:
    • Carders cannot complete a transaction without access to the cardholder's phone or email, as 3DS requires OTP or biometric verification.
    • Attempts to use Non-VBV bins in Europe are often rejected if the merchant or bank requires SCA.
  • Example: If a carder tries to use a Non-VBV card (e.g. bin 479126 from ESL FCU, USA) in a European store, the transaction will be rejected as the store is required to request 3DS and the issuing bank (if not from the EEA) may not support SCA, resulting in an automatic rejection.

b) Exceptions to SCA and their limitations

  • PSD2 allows for exceptions to SCA (e.g. for transactions up to €30 or recurring payments), but these are strictly controlled:
    • Low-risk transactions: A bank may skip SCA if the transaction is considered safe (e.g. a purchase in a familiar store from the same device). However, Non-VBV bins rarely fall under this exception, as anti-fraud systems analyze additional parameters (IP, geolocation, behavior).
    • Small amounts: Transactions under €30 may not require SCA, but banks and merchants often apply additional checks (such as AVS or Device Fingerprinting) which reduces the effectiveness of Non-VBV bins.
    • Recurring Payments: After the first transaction with SCA, subsequent subscriptions can be released, but this requires the carder to successfully pass 3DS first, which is virtually impossible without the owner's data.
  • Consequences for carding:
    • Non-VBV bins can work only in rare cases when a store has incorrectly configured SCA or uses exceptions. However, such stores become a target of anti-fraud systems, and their settings are quickly corrected.
    • Carders have to look for stores outside the EEA (for example, in the US or Asia), where PSD2 does not apply, but even there anti-fraud systems are becoming increasingly strict.

c) Anti-fraud systems and Non-VBV

  • PSD2 requires banks and merchants to implement advanced anti-fraud mechanisms that complement SCA:
    • Risk analysis: Even if a Non-VBV bin allows 3DS to be bypassed, anti-fraud systems analyze IP, device and transaction history and reject suspicious transactions.
    • Device Fingerprinting: Collecting unique device characteristics (browser, OS, fonts) makes using Non-VBV bins risky, as carders often use VPN or Tor, which raises suspicions.
    • Geolocation: PSD2 encourages checking that an IP address matches the region of the card, making it difficult to use Non-VBV bins from other countries.
  • Example: A carder tries to use a Non-VBV bin from the US in a European store. Even if the store does not require 3DS (which is unlikely due to PSD2), the anti-fraud system will reject the transaction due to an IP mismatch (e.g. Russia instead of the US).

d) Regional restrictions

  • Within the EEA: Non-VBV bins are largely unusable as issuing banks and merchants are required to comply with PSD2. Even if a bin is classified as Non-VBV, the issuing bank must support 3DS and the merchant must request SCA.
  • Non-EEA transactions: If the merchant or issuing bank is located outside the EEA (e.g. in the US), PSD2 does not apply and Non-VBV bins can be used. However, European merchants that deal with EEA customers are required to comply with PSD2, which limits the options for carders.
  • Example: A European store (e.g. German) can accept a Non-VBV card from the US, but only if the transaction falls under the SCA exception (e.g. amount up to €30) and passes anti-fraud checks.

e) Closing loopholes

  • PSD2 closes loopholes that previously allowed the use of Non-VBV bins:
    • Mandatory 3DS integration: All issuing banks in the EEA must support 3DS 2.0, making Non-VBV bins a rarity.
    • Fines for non-compliance: Merchants and banks that do not implement SCA risk fines from regulators, which encourages them to use 3DS even for small transactions.
    • Improved anti-fraud systems: PSD2 requires real-time transaction monitoring, which reduces the likelihood of successful use of Non-VBV bins, even if they fall under the exceptions.

3. Practical impact on carding

In the context of carding, PSD2 makes it much more difficult to use Non-VBV bins in Europe for the following reasons:

a) Inability to bypass SCA

  • Carders need access to the cardholder's phone, email or biometric data to pass 3DS. Without this, Non-VBV bins become useless in most European stores.
  • Attempts to reset the 3DS password (for example, through social engineering) are difficult, since banks require additional data (SSN, passport, answers to secret questions), and suspicious calls can lead to the card being blocked.

b) Limited Exceptions

  • SCA exceptions (e.g. transactions under €30) are strictly controlled. Anti-fraud systems may reject even such transactions if they look suspicious (e.g. IP from a region with a high fraud rate).
  • Carders may try to use Non-VBV bins for small purchases (gift cards, subscriptions), but this requires an exact match of IP, device, and cardholder data, which complicates the process.

c) Increased costs and risks

  • Carders have to use complex schemes:
    • Clean IP: Proxy or VPN that matches the card region, but anti-fraud systems easily detect popular VPN services.
    • Fake data: Accurate data of the holder (name, address, phone), which requires access to data leaks.
    • Clean Devices: Using new or "clean" devices with no traces of previous fraudulent transactions.
  • These measures increase costs and risks, making carding less profitable.

d) Focus on stores outside the EEA

  • Since PSD2 only applies to the EEA, carders can look for stores in the US, Asia or other regions where 3DS is not mandatory. However, even there, anti-fraud systems are becoming stricter, and many global platforms (Amazon, eBay) are implementing 3DS voluntarily.

4. Technical aspects

  • 3DS 2.0 and Risk-Based Authentication:
    • 3DS 2.0 transmits up to 100+ transaction parameters (IP, device, purchase history, geolocation) to the store and bank, which allows for accurate risk assessment.
    • Non-VBV bins lose their effectiveness because even without the required OTP, the bank can reject the transaction based on these parameters.
  • API and integration:
    • PSD2 requires banks to provide APIs for 3DS and transaction monitoring, making it easier to integrate SCA into payment gateways (Stripe, Adyen).
    • Stores use these APIs to automatically validate transactions, which reduces the likelihood of successful use of Non-VBV bins.
  • Anti-fraud analytics:
    • PSD2 requires real-time transaction monitoring, which includes geolocation, device, and behavioral analysis. This makes Non-VBV bins vulnerable, as carders can rarely perfectly impersonate a legitimate user.

5. Examples and consequences

  • Example 1: European store:
    • The carder tries to use a Non-VBV bin (e.g. 455620 from Santander Consumer Bank, Germany) to make a purchase at a European store. The store redirects to a 3DS page, requiring an OTP. Without access to the owner's phone, the transaction is rejected.
  • Example 2: SCA Exception:
    • A carder uses a Non-VBV bin to make a €20 purchase at a store that uses the SCA exception. However, the store's anti-fraud system notices that the Russian IP address does not match the German card and rejects the transaction.
  • Example 3: Store outside the EEA:
    • The carder uses a Non-VBV bin in a US store where PSD2 is not applied.

Practical impact of PSD2 on carding:
  • Mandatory use of 3D-Secure: PSD2 makes the use of Non-VBV bins in Europe virtually impossible, as most online transactions require two-factor authentication (SCA) via 3D-Secure. This significantly reduces the possibilities of carders, as without access to the cardholder's phone or email, verification is impossible.
  • Limited exceptions: PSD2 allows exceptions from SCA for low-risk or small-value transactions (up to €30), but anti-fraud systems make such transactions difficult for fraudsters by analyzing IP, device, and other parameters.
  • Shift in focus: Due to strict PSD2 requirements in Europe, carders are forced to look for stores outside the EEA where 3DS is not mandatory, or use complex schemes (clean IP, fake data, new devices), which increases costs and risks.
  • Closing the loopholes: PSD2 addresses the vulnerabilities that previously allowed Non-VBV bins to be exploited by mandating 3DS, penalizing non-compliance, and strengthening anti-fraud systems.

Conclusion:
PSD2 has radically changed the online payments landscape in Europe, making Non-VBV bins virtually unusable for carding in the EEA. Mandatory use of SCA via 3D-Secure 2.0, strict anti-fraud measures and real-time transaction monitoring mean that carders have to overcome significant barriers (OTP access, data forgery, geolocation bypass), making such schemes less effective and more risky. Outside the EEA, Non-VBV bins can still be used, but the global adoption of 3DS and improved anti-fraud systems are reducing their effectiveness.

If you want to dive deeper into other aspects, such as how banks use APIs to implement PSD2 or how specific anti-fraud services work, let me know!
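As an added illustration of the exemption logic the post describes (this is example code written for this page, not the poster's code nor any bank's or processor's implementation), here is a simplified issuer-side SCA decision routine: it applies the low-value exemption with its count and cumulative-amount limits, the recurring-payment and trusted-beneficiary exemptions, and the rule that an IP region not matching the card region forces SCA regardless of exemptions. Threshold values, field names and the `decide`/`record_sca_passed` functions are assumptions for the example.

```python
from dataclasses import dataclass, field

# Thresholds as described in the post; assumed values for this example,
# not a statement of any issuer's real configuration.
LOW_VALUE_LIMIT_EUR = 30.0        # per-transaction ceiling for the low-value exemption
LOW_VALUE_MAX_COUNT = 5           # consecutive exempted transactions before SCA is forced
LOW_VALUE_MAX_CUMULATIVE = 100.0  # cumulative exempted amount before SCA is forced


@dataclass
class CardState:
    card_country: str                                      # issuing country of the card
    trusted_merchants: set = field(default_factory=set)    # cardholder's whitelist
    exempt_count: int = 0                                  # low-value exemptions since last SCA
    exempt_total: float = 0.0                              # amount exempted since last SCA


@dataclass
class Txn:
    amount_eur: float
    merchant_id: str
    ip_country: str                         # geolocated from the shopper's IP address
    recurring: bool = False                 # follow-up charge of a subscription
    mandate_authenticated: bool = False     # first charge of the series passed SCA


def decide(card: CardState, txn: Txn) -> str:
    """Return 'SCA' or the name of the exemption applied; updates the counters."""
    # Risk rule from the post: an IP region that does not match the card region
    # overrides every exemption, even for small amounts.
    if txn.ip_country != card.card_country:
        return "SCA"
    if txn.recurring and txn.mandate_authenticated:
        return "EXEMPT_RECURRING"
    if txn.merchant_id in card.trusted_merchants:
        return "EXEMPT_TRUSTED_BENEFICIARY"
    if (txn.amount_eur <= LOW_VALUE_LIMIT_EUR
            and card.exempt_count < LOW_VALUE_MAX_COUNT
            and card.exempt_total + txn.amount_eur <= LOW_VALUE_MAX_CUMULATIVE):
        card.exempt_count += 1
        card.exempt_total += txn.amount_eur
        return "EXEMPT_LOW_VALUE"
    return "SCA"


def record_sca_passed(card: CardState) -> None:
    """A completed SCA resets the low-value exemption counters."""
    card.exempt_count = 0
    card.exempt_total = 0.0


if __name__ == "__main__":
    # Constructed scenario matching the post's "SCA exception" example:
    # a German card, a 20 EUR purchase, shopper IP geolocated to Russia.
    print(decide(CardState(card_country="DE"), Txn(20.0, "shop-a", "RU")))  # SCA
```

The counters are per card and reset only when the issuer records a passed SCA, which is what caps a run of small exempted purchases at five transactions or 100 EUR.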