
The European Payment Services Directive (PSD2) has mandated strong authentication for online card transactions for several years. In 2025, the regulatory framework will tighten even further. Merchants who continue to operate without 3D Secure are exploiting legal exemptions, but these margins are shrinking quarter by quarter under the pressure of regulators and card networks.
Fraud liability shift: what merchants underestimate
For an e-commerce merchant that refuses 3D Secure, the least visible mechanism is the liability shift. Since Visa and Mastercard updated their liability programs between 2023 and 2025, a merchant without 3D Secure bears the full cost of fraudulent chargebacks. The acquirer and the card issuer no longer cover fraud if strong authentication has not been triggered.
In practice, a site processing a significant volume of transactions without authentication accumulates unpaid amounts that its acquiring bank no longer covers. Beyond a certain threshold of chargebacks, card networks implement monitoring programs with increasing financial penalties. Several European merchants have seen their processing fees rise sharply after being placed under monitoring by Visa or Mastercard.
The situation of sites without 3D Secure in 2025 remains legal as long as the exemptions are properly documented, but the actual financial cost often exceeds the supposed savings on the conversion rate.
SCA exemptions in 2025: an increasingly monitored framework

European regulations provide for several cases where strong authentication can be bypassed: low-value transactions, real-time risk analysis (TRA), trusted beneficiaries on a whitelist, or recurring payments after an initial authentication. These exemptions exist to maintain the fluidity of the purchasing journey.
The European Banking Authority (EBA) published several updates to its Q&A on PSD2 at the end of 2024. The message is clear: exemptions must remain the minority, documented, and monitored. Payment service providers (PSPs) that allow too high a volume of exempted transactions expose themselves to enhanced controls and injunctions to limit the use of non-authentication paths.
For a merchant, this means that even if their PSP agrees today to route certain transactions without 3D Secure via the TRA exemption, there is no guarantee that this possibility will be maintained in six months. PSPs adjust their thresholds based on regulatory pressure.
Exemptions still usable and their conditions
- Low-value transactions (generally below a threshold set by the network) remain exempt, but a cumulative cap applies. Beyond that, strong authentication becomes mandatory again.
- Real-time risk analysis (TRA) allows the PSP to bypass 3D Secure if its overall fraud rate remains below a certain threshold. A PSP whose fraud rate increases loses this ability.
- The whitelist (trusted beneficiaries) relies on a decision by the cardholder with their bank. The merchant has no direct control over this registration.
Fraud on internet payments without strong authentication: field data
The Bank of France, in the 2024 annual report of the Payment Security Observatory, notes a clear trend. Fraud on internet card payments increases where strong authentication is not systematically applied. Transactions protected by 3D Secure 2.x show a significantly lower fraud rate than the rest.
This observation leads French regulators to discourage configurations without 3DS beyond very targeted use cases. Field reports vary on the exact extent of the fraud differential by sector, but the direction is clear: less authentication leads to more fraud.
For merchants, the risk is not only financial. A high fraud rate damages the site’s reputation with card issuers, who may decide to systematically refuse transactions from this merchant, even those with authentication. The cycle then becomes difficult to reverse.
PSD3 and online payment: what is being prepared after 2025

The European Commission is working on PSD3, which is expected to replace PSD2 in the coming years. Ongoing discussions focus on tightening authentication obligations and reducing the scope of exemptions.
Several directions are emerging:
- A stricter framework for the TRA exemption, with lower fraud thresholds for PSPs wishing to benefit from it.
- A European harmonization of exemption practices, which currently vary from country to country based on the interpretation of national regulators.
- The integration of new authentication methods (behavioral biometrics, session tokens) that could make 3D Secure less visible to the user while maintaining the level of security.
If PSD3 follows the current trajectory, sites operating without any form of strong authentication will become a regulatory anomaly rather than a simple business strategy. Merchants who do not anticipate this shift risk having to adapt their payment infrastructure in an emergency.
Conversion and security: the false opposition
The historical argument against 3D Secure was based on the friction it added to the purchasing journey. With version 2.x of the protocol, this friction has significantly decreased. Authentication is now often done passively, through analysis of the device and of buyer behavior, without visible intervention.
The available data does not support the conclusion that 3D Secure 2.x significantly degrades conversion compared to a journey without authentication. On the other hand, the absence of 3D Secure generates chargebacks that do have a measurable impact on margin.
The economic calculation has changed. In 2025, the question for a merchant is no longer whether they can do without 3D Secure, but how long they can still do so before the indirect costs exceed the supposed benefit on the conversion rate.