
Since PSD2 was implemented, online payment in France has been structured around strong customer authentication (SCA). Websites that seem to operate without 3D Secure have not all disappeared, but they rely on specific, regulated mechanisms. Measuring the actual risk level of these transactions compared to authenticated payments helps to understand what is at stake for consumers and merchants in 2025.
Fraud rates with and without strong authentication: the measured gaps
The report from the Payment Means Security Observatory (OSMP) provides actionable data to compare the two situations. The table below summarizes the documented fraud rates.
| Payment Type | Fraud Rate | Observation |
|---|---|---|
| With strong authentication (3D Secure) | 0.095% | Flow with a validated challenge or frictionless |
| Without strong authentication | 0.358% | Exempted transactions or outside SCA scope |
| Ratio | ×3.8 | Payments without SCA generate nearly four times more fraud |
This ratio speaks for itself. The question for merchants operating paths without visible challenges concerns the exact nature of the exemption they benefit from, and its sustainability in the face of the regulatory tightening led by the Banque de France since November 2024.
To better understand the concrete stakes behind these figures, a detailed overview of sites without 3D Secure in 2025 helps to distinguish legitimate exemption cases from real vulnerabilities.

PSD2 exemptions and triggering thresholds: the mechanism behind the absence of challenge
A site where the buyer never sees a 3D Secure screen is not necessarily an unsecured site. Since 2023-2024, major French issuers (BNP Paribas, Société Générale, Crédit Agricole) have massively deployed risk-based authentication (RBA), a real-time analysis of over 100 signals by the bank.
3DS2 is triggered in the background, but the bank decides not to display a challenge when the risk is deemed low. The consumer feels like they are paying “without 3D Secure,” while the protocol has in fact been invoked.
The regulatory thresholds that condition the exemption
The PSD2 mechanism relies on specific rules for small amounts:
- Purchase under 30 euros: exemption possible, with no challenge displayed to the customer
- Once five consecutive payments without strong authentication are reached, the bank must trigger an SCA
- The accumulation of 100 euros of exempted payments also triggers automatic authentication
These thresholds create a tipping effect. A consumer who makes a series of low-value purchases eventually encounters a verification screen, even on a site that is usually smooth.
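The tipping effect can be reproduced with a small per-card counter. The following is an added example, not code from any issuer or from the OSMP: the class and function names are hypothetical, and the boundary handling (the payment after five exempted ones is challenged, a payment that would push the exempted total past 100 euros is challenged, counters restart after a successful SCA) is an assumption about how the three rules above combine.

```python
from dataclasses import dataclass

# Thresholds as stated in the article; boundary handling is an assumption.
LOW_VALUE_LIMIT_CENTS = 30_00   # "purchase under 30 euros"
MAX_CONSECUTIVE_EXEMPT = 5      # five consecutive payments without SCA
MAX_CUMULATIVE_CENTS = 100_00   # 100 euros of exempted payments


@dataclass
class CardExemptionState:
    """Hypothetical per-card counters, reset each time SCA is performed."""
    exempt_count: int = 0
    exempt_total_cents: int = 0

    def decide(self, amount_cents: int) -> str:
        """Return 'exempt' or 'sca:<reason>' and update the counters."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        reason = None
        if amount_cents >= LOW_VALUE_LIMIT_CENTS:
            reason = "amount"        # not a low-value payment
        elif self.exempt_count >= MAX_CONSECUTIVE_EXEMPT:
            reason = "count"         # five exempted payments already used
        elif self.exempt_total_cents + amount_cents > MAX_CUMULATIVE_CENTS:
            reason = "cumulative"    # would exceed 100 euros exempted
        if reason is None:
            self.exempt_count += 1
            self.exempt_total_cents += amount_cents
            return "exempt"
        # SCA is triggered; assume the challenge succeeds and counters restart.
        self.exempt_count = 0
        self.exempt_total_cents = 0
        return f"sca:{reason}"


def simulate(amounts_cents):
    """Run a sequence of payments (in cents) through one card's state."""
    state = CardExemptionState()
    return [state.decide(a) for a in amounts_cents]


# Constructed sample: a run of purchases on a single card, in cents.
SAMPLE = [5_00, 5_00, 5_00, 5_00, 5_00, 5_00,
          29_00, 29_00, 29_00, 29_00, 45_00]

if __name__ == "__main__":
    for amount, outcome in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{amount / 100:6.2f} EUR -> {outcome}")
```

The sixth 5-euro purchase is challenged on the count rule, and the fourth 29-euro purchase on the cumulative rule, even though each individual amount stays under 30 euros.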
Merchants with good fraud scores: differentiated treatment
Payment service providers (PSPs) allow merchants with a very low fraud rate to benefit from broader exemptions. These merchants optimize their payment flows around the PSD2 thresholds to reduce friction without stepping outside the legal framework.
On the other hand, a merchant whose fraud rate exceeds the thresholds set by the OSMP gradually loses their exemptions. The OSMP plan, implemented since November 2024, accelerates this logic by eliminating certain derogatory regimes.
OSMP plan and the end of derogatory regimes: what changes concretely
The program led by the Banque de France aims to reduce fraud, which reached 1.2 billion euros in 2024 across all payment means. Several measures directly impact sites operating without visible authentication.
- End of DTA (Direct to Authorization), which allowed certain merchants to completely bypass the 3DS protocol
- Strengthening of rules on recurring payments (MIT): subscriptions and automatic debits are now subject to stricter controls during the initial card registration
- One-click payments with registered cards must include periodic identity verification of the cardholder
The elimination of DTA represents the most structural change. Merchants who used this route to offer a completely smooth payment path must migrate to 3DS2-compatible solutions, or risk having their transactions rejected by issuers.

Frictionless 3DS2 versus total absence of security: two distinct realities
The confusion between “no visible challenge” and “no security” fuels a misleading perception of risk. The frictionless flow of 3DS2 maintains an invisible layer of protection for the buyer, based on behavioral and contextual analysis.
A site truly devoid of any form of authentication exposes the cardholder to a risk nearly four times greater, as shown by OSMP data. For the merchant, this exposure translates into a higher chargeback rate and a potential deterioration of their pricing conditions with their acquirer.
Conversely, a merchant adopting frictionless 3DS2 retains a fast path while benefiting from the transfer of liability to the issuing bank in case of fraud. The frictionless flow protects both the merchant and the consumer, without adding any noticeable friction.
The French regulatory trajectory leaves no doubt about the direction taken. Transactions genuinely outside of 3DS are becoming rarer as the OSMP tightens the exemption conditions. For a buyer, the presence or absence of a verification screen is no longer a reliable indicator of the actual security level of a payment. What matters is the ability of the merchant and their bank to analyze risk in the background, transaction by transaction.