Why do some sites still offer payment without 3D Secure and what are the risks?

The European Payment Services Directive (PSD2) has mandated strong authentication for online card transactions for several years. The 3D Secure protocol, in its version 2, serves as the main mechanism for this verification. Despite this regulatory framework, a significant number of online payments are still completed without any authentication step. The reasons are tied both to technical choices made by merchants and to exemption mechanisms outlined in the regulation itself.

PSD2 Exemptions and Transaction Risk Analysis: The Framework Allowing Payment Without 3D Secure

The fact that a payment is completed without authentication does not automatically imply a violation. PSD2 provides for several exemption cases, and this is where the subject becomes complex.


Since the end of 2023, several European issuers have strengthened the use of so-called low-risk exemptions under the 3D Secure 2 protocol. Specifically, when the risk score of a transaction (assessed via the TRA method, or Transaction Risk Analysis) is deemed very low, the payment can be processed without strong authentication, even beyond the small amounts usually exempted.

The European Central Bank reminded in December 2023 that these exemptions are regulated but encouraged to facilitate online commerce. A detailed article discusses the topic of payment without 3D Secure on Geekfinity, explaining the various scenarios encountered by consumers.


The most common exemptions include:

  • Low-value transactions, generally below a threshold defined by regulation, which can be processed without additional verification as long as a cumulative limit is not reached.
  • Recurring payments with the same merchant (subscriptions), where only the first transaction requires full authentication.
  • Transactions assessed as very low risk by the acquirer or issuer, based on the TRA, when their overall fraud rate remains below the thresholds set by PSD2.
  • Trusted beneficiaries, manually added by the cardholder in their banking space, which allow bypassing authentication for subsequent purchases.

These mechanisms explain why a perfectly legitimate site can finalize your purchase without ever triggering a 3D Secure window.

[Image: man in an office consulting an online payment page without 3D Secure authentication on a computer screen]

Merchants Outside the EEA and Payment Routing: The Gray Areas of Bypassing

Not all transactions without authentication fall under legitimate exemptions. The European Banking Authority has clarified in its updates regarding PSD2 that some merchants systematically bypass strong authentication. Two methods frequently arise.

The first involves payment service providers (PSPs) located outside the European Economic Area. When the acquirer of the transaction is based outside the EEA, PSD2 rules do not apply in the same way. The merchant then escapes the obligation of strong authentication, even if the cardholder resides in Europe.

The second method relies on payment routers configured to route transactions through circuits that avoid triggering 3D Secure. This more opaque practice particularly concerns online gaming sites or platforms whose business model relies on rapid conversion, where each additional step in the payment tunnel results in lost customers.
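To make the exemption logic listed above concrete, here is a toy issuer-side decision engine that applies the four exemption types (low value with its cumulative counter, recurring payments, TRA with fraud-rate bands, trusted beneficiaries) and flags transactions whose acquirer sits outside the EEA as out of scope rather than exempt. This is an added example written for this article, not code from any PSP or bank. The threshold figures are assumptions for the example: they follow the commonly cited values of the PSD2 regulatory technical standards (Delegated Regulation (EU) 2018/389), which the article itself does not quote, and all merchant ids and amounts are constructed.

```python
"""Toy PSD2 SCA exemption engine (added example; thresholds are assumed values)."""
from dataclasses import dataclass, field

# Low-value exemption parameters (assumed, modelled on the RTS figures).
LOW_VALUE_MAX = 30.00              # single remote transaction ceiling, EUR
LOW_VALUE_CUMULATIVE_MAX = 100.00  # cumulative exempted amount since last SCA
LOW_VALUE_MAX_COUNT = 5            # consecutive exempted transactions since last SCA

# TRA bands: (amount ceiling, maximum reference fraud rate of the provider).
# The provider may use a band only if its fraud rate is at or below the rate.
TRA_BANDS = [
    (100.00, 0.0013),
    (250.00, 0.0006),
    (500.00, 0.0001),
]


@dataclass
class CardState:
    """Per-card counters the issuer keeps to enforce cumulative limits."""
    exempt_count_since_sca: int = 0
    exempt_amount_since_sca: float = 0.0
    trusted_merchants: set = field(default_factory=set)
    # Merchants for which a first, fully authenticated recurring payment exists.
    recurring_mandates: set = field(default_factory=set)


@dataclass
class Transaction:
    merchant_id: str               # constructed identifier
    amount: float                  # EUR
    acquirer_in_eea: bool
    recurring: bool = False
    tra_score_low_risk: bool = False  # outcome of the provider's own risk scoring
    provider_fraud_rate: float = 1.0  # reference fraud rate used for the TRA band


@dataclass
class Decision:
    sca_required: bool
    reason: str


def tra_ceiling(fraud_rate: float) -> float:
    """Highest amount the TRA exemption may cover for this fraud rate (0.0 if none)."""
    ceiling = 0.0
    for amount, max_rate in TRA_BANDS:
        if fraud_rate <= max_rate:
            ceiling = amount
    return ceiling


def _challenge(state: CardState, reason: str) -> Decision:
    """Require SCA (3DS2 challenge) and reset the low-value counters."""
    state.exempt_count_since_sca = 0
    state.exempt_amount_since_sca = 0.0
    return Decision(True, reason)


def decide(tx: Transaction, state: CardState) -> Decision:
    """Apply exemptions in order; update counters when one is granted."""
    # An acquirer outside the EEA is not an exemption: PSD2 simply does not
    # bind the transaction the same way. Surface it so monitoring can see it.
    if not tx.acquirer_in_eea:
        return Decision(False, "out_of_scope_non_eea_acquirer")

    if tx.merchant_id in state.trusted_merchants:
        return Decision(False, "trusted_beneficiary")

    if tx.recurring:
        if tx.merchant_id in state.recurring_mandates:
            return Decision(False, "recurring_subsequent")
        state.recurring_mandates.add(tx.merchant_id)   # first payment: authenticate
        return _challenge(state, "recurring_first_payment")

    if (tx.amount <= LOW_VALUE_MAX
            and state.exempt_count_since_sca < LOW_VALUE_MAX_COUNT
            and state.exempt_amount_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_MAX):
        state.exempt_count_since_sca += 1
        state.exempt_amount_since_sca += tx.amount
        return Decision(False, "low_value")

    if tx.tra_score_low_risk and tx.amount <= tra_ceiling(tx.provider_fraud_rate):
        return Decision(False, "tra_low_risk")

    return _challenge(state, "sca_required")


if __name__ == "__main__":
    card = CardState()
    for _ in range(6):   # sixth small payment exhausts the cumulative counter
        print(decide(Transaction("shop-a", 20.00, True), card))
    print(decide(Transaction("shop-b", 200.00, True, tra_score_low_risk=True,
                             provider_fraud_rate=0.0005), card))
    print(decide(Transaction("casino-x", 50.00, False), card))
```

The ordering matters: the counters only reset when a real SCA challenge happens, so a run of small exempted purchases eventually forces authentication, and a TRA request is refused as soon as the amount exceeds the band the provider's own fraud rate allows.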

Liability Shift in Case of Fraud

The key technical point to remember concerns the liability shift. When a payment goes through the 3D Secure protocol and fraud occurs, the financial responsibility falls on the issuing bank. In contrast, without 3D Secure, it is the merchant who bears the cost of the fraud. Some merchants deliberately accept this risk, believing that the reduction in cart abandonment rates compensates for losses related to disputes.

The available data does not allow for precise quantification of the volume of transactions intentionally routed outside 3DS in Europe. Field reports vary on this point between PSPs, who downplay the phenomenon, and national regulators, who monitor it closely.

Fraud on Payments Without Authentication: What French Data Shows

The Payment Means Security Observatory, in its 2024 report, provides direct insight into the reality of risk. Fraud on remote card payments has decreased since the widespread adoption of strong authentication. The finding is clear.

The highlight of the report lies in an asymmetry: transactions without 3D Secure account for the majority of amounts defrauded online, even though they represent only a minority of the total volume of online payments. The Observatory speaks of a “strong differentiation in the fraud rate” between authenticated and non-authenticated transactions.

For the consumer, this data has a concrete implication. A purchase made without authentication on an unknown site exposes the cardholder more to fraudulent use of card data. Even if the bank generally reimburses the cardholder in case of proven fraud (a legal obligation in France), the dispute process takes time and involves several steps.

Warning Signs for the Consumer

Several elements can help assess the level of risk when making a purchase without authentication:

  • The complete absence of a secure protocol (no HTTPS lock, no mention of a recognized PSP) constitutes a strong negative signal, distinct from the mere absence of 3D Secure.
  • A site that displays no legal mentions, no physical address, or no customer service number increases the likelihood of non-compliant commerce.
  • Platforms hosted outside the EEA, sometimes identifiable by their domain extension or terms and conditions, rarely apply European authentication standards.

[Image: close-up of a bank card and a smartphone displaying a potentially unsecured online payment form]

Regulatory Evolution and Payments Without 3D Secure: What is Emerging

The European Commission is working on PSD3, which is expected to strengthen authentication requirements while refining existing exemptions. The stakes are twofold: to reduce residual fraud on non-authenticated transactions without degrading the shopping experience.

TRA exemptions will likely remain in place, as they address a real need for commercial fluidity. However, the bypass mechanisms via PSPs outside the EEA are receiving increasing attention from regulators. The European Banking Authority has indicated that merchants systematically resorting to these practices face sanctions and restrictions on access to European payment networks.

Payment without 3D Secure is therefore not on the verge of extinction. It will continue to exist for low-risk transactions assessed by banking algorithms. The line between legitimate exemption and problematic circumvention remains the true subject of vigilance, both for regulators and for buyers.
