One of our terminal provider says that contact card doesn't have CVM limit as it is dependent to what is in tag 8E (CVM List) and 9F33 (Terminal Capabilities). However another terminal provider of us supports setting CVM Limit with contact in its SDK for Mastercard and Visa. My question is, which one is more accurate/correct? Is it just compliance vs flexibility?
To be fair, it would be easiest if you just read EMVCo Book 3 to answer that yourself. I would risk saying that you will not be able to develop anything for real-life use without understanding the specifications behind it.
CVMs that terminal supports (indicated in Terminal Capabilities) are considered major change in terms of Implementation Conformance Statement of the terminal level 2 kernel (as per terminal type approval bulletin 11) so changing these values requires different Level 2 kernel approval.
Technically speaking, feature with dynamic kernel configuration selection (to reflect different values of Terminal Capabilities) is possible, but it requires separate certification for each of the configurations (both L2, as well as all L3 based on them).
Theoretically, it is therefore possible to have such functionality that would emulate on contact interface functionality of CVM Limit (working in similar fashion as it is handled by C-2 contactless kernel where below limit terminal capabilities show NoCVM only), but it is cumbersome (due to multiplication of certifications) and you still need to remember that there are schemes requirements for deployment environment to be fulfilled.
Quite frankly, it's hard to say without details about the vendor, but from my experience I would expect that it is just common contact/contactless API, but it does none of the above described when contact card used.