Since mid-2021, the European directive DSP2 mandates strong authentication for online card payments in France and the European Union. The 3D Secure system, in its version 2.0, is the main mechanism deployed by banks and payment service providers to meet this requirement.
However, some merchants continue to accept transactions without triggering this verification. The year 2025 marks a tightening of controls and a shift in liability that changes the game for these players.
Further reading : Top French Torrent Sites to Discover for Your Downloads in 2024
Transfer of liability: what the merchant bears without 3D Secure
The central mechanism to understand is called the liability shift. When a payment goes through 3D Secure and fraud occurs, the financial responsibility is transferred to the card-issuing bank. Without this authentication, it is the merchant who absorbs the loss in the event of a dispute (chargeback).
Payplug emphasizes that banks are now strengthening their liability shift policies. Merchants who do not apply 3D Secure or an equivalent strong authentication bear the losses related to payment disputes themselves. The financial burden is not limited to the amount of the disputed transaction: management fees for the chargeback, charged by the acquirer, and the loss of the shipped product must also be added.
Read also : Motorcycle balaclava: what the law says and tips for riding safely
An e-commerce site that processes a regular volume of transactions without strong authentication accumulates a financial risk proportional to its turnover. For an online merchant looking to consult a list of sites without bank verification to understand the state of the market, this liability shift point represents the first concrete alert.
Reporting by the Observatory of Payment Means Security in France
The Observatory of Payment Means Security (OSMP) produces reports that map high-loss market segments. The criteria analyzed include the type of payment journey and the level of authentication applied.
Merchants who accept payments without 3D Secure or any other form of SCA (Strong Customer Authentication) are more likely to be identified as points of vulnerability in these reports. This identification is not trivial: it can trigger compliance requests from payment service providers (PSPs) or banking acquirers.
Specifically, a PSP that notices an abnormally high fraud rate on a merchant can impose the activation of 3D Secure, increase its fees, or terminate the contract. The merchant then faces a limited choice of providers, often more expensive or less efficient.
A cascading effect on fees and access to services
The reclassification as a “weak link” is not merely theoretical. Acquirers adjust their pricing grids based on risk profile. A merchant flagged for a high dispute rate sees their transaction fees rise, sometimes significantly. In extreme cases, some providers outright refuse to onboard these merchants.
Authorization refusals and cart abandonment: the network effect in 2025
Card networks (Visa, Mastercard, and others) are actively pushing for the global adoption of 3D Secure 2.0. Stripe reminds us that this dynamic goes beyond the European framework: in Japan, schemes have required the activation of 3DS2 on e-commerce sites due to the ongoing rise in fraud on remote payments.
For a site that does not activate 3D Secure, the consequences also manifest on the authorization rate. Issuing banks become stricter: they refuse more unauthenticated transactions, especially when the amount exceeds a certain threshold or when the purchasing behavior appears atypical. The merchant then suffers a high authorization refusal rate on legitimate transactions.
The paradox deserves to be highlighted. Some merchants avoid 3D Secure for fear of cart abandonment related to the additional authentication step. However, 3D Secure 2.0 has significantly reduced this friction compared to version 1.0. Authentication is now often done seamlessly (background risk analysis), without the customer having to enter a code. Version 2.0 generates fewer abandonments than the absence of authentication causes bank refusals.
Legal exemptions and gray areas: what DSP2 still allows
The DSP2 provides for cases of exemption from strong authentication. These exemptions do not mean that the site operates “without verification,” but that verification is modulated according to the assessed risk.
- Low-value transactions (generally below a threshold defined by regulation) may be exempt if the overall fraud rate of the PSP remains low.
- Recurring payments, after an initial strong authentication, can be processed without further verification for identical amounts.
- Real-time risk analysis (Transaction Risk Analysis, TRA) allows PSPs with particularly low fraud rates to exempt certain transactions, under strict conditions.
These exemptions are managed by the payment provider, not by the merchant. A site that claims not to use 3D Secure may actually benefit from TRA exemptions without the buyer realizing it. The distinction between “site without 3D Secure” and “site whose PSP applies calibrated exemptions” is often blurred for the consumer.
The available data do not allow for definitive conclusions
Field reports diverge on the actual rate of transactions that go through without any form of verification in 2025. Some platforms use proprietary fraud detection mechanisms that do not rely on 3D Secure but offer a comparable level of protection. Others, on the other hand, simply do not apply any control, exposing both the customer and the merchant.
- A site without any verification places the risk of fraud on the merchant (liability shift) and undermines customer trust.
- A site using TRA exemptions via its PSP remains compliant with the DSP2 while providing a smooth journey.
- A site outside the European Economic Area is not subject to the DSP2, complicating the reading for French buyers.
For an online buyer, the visible absence of authentication does not mean the absence of protection. The actual level of risk depends on the technical architecture of the site and its payment provider, not just on what is displayed on the screen.
The regulatory trend is clearly moving towards tightening. Merchants who do not integrate any form of strong authentication in 2025 accumulate direct financial risk (uncovered chargebacks), a risk of access to payment services (termination or additional costs by PSPs), and a reputational risk with customers who are increasingly aware of online transaction security. The cost of inaction now exceeds that of compliance.