Which sites will lack 3D Secure in 2025: list and points of caution

The DSP2 directive (PSD2 in English) imposes strong customer authentication (SCA) for online payments in the European Economic Area (EEA). However, in 2025, a significant proportion of card transactions still occur without any visible 3D Secure challenge for the cardholder. Understanding why, and under what conditions, requires distinguishing legitimate exemptions from actual compliance failures.

DSP2 Exemptions and Transaction Risk Analysis: The Technical Mechanism Behind Payments Without 3D Secure

A site that accepts card payments without displaying an authentication page is not necessarily breaking the law. Payment Service Providers (PSPs) have regulatory levers, provided by DSP2 itself, that allow them to skip the challenge.

The most commonly used is transaction risk analysis (TRA), a real-time risk analysis conducted by the acquirer or issuer. If the PSP’s fraud rate remains below the thresholds defined by the RTS (Regulatory Technical Standards), it can request an exemption for capped amounts. As a result, the cardholder does not see any 3D Secure screen, but the transaction remains covered by a legal framework.

Other common exemptions include:

  • Low-value transactions, typically below a cumulative threshold, as long as the number of consecutive operations without authentication does not exceed the limit set by the issuing bank.
  • Recurring payments (subscriptions): only the first transaction requires strong authentication, while subsequent ones are exempt.
  • Trusted beneficiaries: the cardholder can register a merchant on a whitelist with their bank, removing the challenge for future purchases.
  • Merchant-initiated transactions (MIT), typically card-on-file debits, which fall outside the scope of SCA.

We observe that the majority of sites presented as “without 3D Secure” actually exploit one of these exemptions. Consulting a list of sites without 3D Secure in 2025 helps gauge the extent of the phenomenon, but sorting between legitimate exemptions and actual non-compliance requires a technical reading.
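
The sorting described above, as an added example that is not part of the original article: a Python sketch that classifies card transactions processed without a challenge as covered by an exemption, covered by an exemption whose conditions are not met, or non-compliant. The record layout, field names and status labels are hypothetical; the numeric limits are those of the RTS (Delegated Regulation (EU) 2018/389) for remote card payments and do not appear on the page.

```python
from dataclasses import dataclass
# Remote card-payment limits from the RTS, (EU) 2018/389 Art. 16 and 18; not stated on the page.
TRA_BANDS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]  # (max EUR, max fraud rate %)
LV_MAX_EUR, LV_CUMUL_EUR, LV_COUNT = 30.0, 100.0, 5

@dataclass
class Txn:  # hypothetical record layout
    amount_eur: float
    sca_done: bool
    exemption: str = ""              # exemption documented by the PSP, "" if none
    psp_fraud_rate_pct: float = 0.0  # PSP fraud rate for this payment type
    prior_cumul_eur: float = 0.0     # spent without SCA since the last challenge
    prior_count: int = 0             # transactions without SCA since the last challenge
    first_had_sca: bool = False      # recurring: first payment was authenticated
    whitelisted: bool = False        # cardholder registered the merchant as trusted

def tra_ok(t: Txn) -> bool:
    for cap, max_rate in TRA_BANDS:  # smallest band that covers the amount
        if t.amount_eur <= cap:
            return t.psp_fraud_rate_pct <= max_rate
    return False                     # above EUR 500, TRA is not available

def low_value_ok(t: Txn) -> bool:
    # The RTS lets the issuer apply either counter; both are checked here.
    return (t.amount_eur <= LV_MAX_EUR and t.prior_cumul_eur <= LV_CUMUL_EUR
            and t.prior_count <= LV_COUNT)

CHECKS = {"TRA": tra_ok, "LOW_VALUE": low_value_ok,
          "RECURRING": lambda t: t.first_had_sca, "TRUSTED": lambda t: t.whitelisted,
          "MIT": lambda t: True}     # merchant-initiated: outside SCA scope

def classify(t: Txn) -> str:
    if t.sca_done:
        return "SCA"
    check = CHECKS.get(t.exemption)
    if check is None:
        return "NON_COMPLIANT"       # no SCA and no documented exemption
    return "NO_SCA_REQUIRED" if check(t) else "EXEMPTION_INVALID"

def audit(txns):
    flagged = ("NON_COMPLIANT", "EXEMPTION_INVALID")  # statuses needing follow-up
    return [(i, s) for i, s in enumerate(map(classify, txns)) if s in flagged]

SAMPLE = [  # constructed transactions
    Txn(45.0, False, "TRA", psp_fraud_rate_pct=0.05),
    Txn(300.0, False, "TRA", psp_fraud_rate_pct=0.05),
    Txn(20.0, False, "LOW_VALUE", prior_cumul_eur=95.0, prior_count=6),
    Txn(80.0, False),
]
```

Running `audit(SAMPLE)` flags the EUR 300 payment (the PSP's fraud rate is too high for that band), the low-value payment that exceeds the consecutive-transaction counter, and the payment with no documented exemption.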

Liability in Case of Fraud on a Payment Without Strong Authentication

Without strong authentication and without a valid exemption, the liability for fraud rests with the PSP, not the cardholder. The Banque de France, as part of the Observatory of Payment Means Security (2024 report), recalls this allocation of liability.

In practical terms, if a merchant processes a payment without SCA while no exemption applies, it is the payer’s bank (or the acquirer, depending on the agreement) that bears the chargeback risk. The defrauded cardholder has an almost automatic right to reimbursement.

For the merchant, the impact is indirect but real. Visa and Mastercard networks apply monitoring programs to merchants whose chargeback rates exceed certain thresholds. An abnormal volume of disputes on unauthenticated transactions can lead to:

  • An increase in interchange fees applied by the acquirer.
  • A placement in a monitoring program with a corrective action plan requirement.
  • In extreme cases, termination of the card acquisition contract.

The liability shift remains the key point. With 3D Secure activated and a successful challenge, liability shifts to the issuer. Without 3D Secure, it remains with the acquirer or merchant, unless a documented exemption applies.

Regulatory Controls and Expected Tightening with DSP3

The European Banking Authority (EBA) has intensified its controls on PSPs that abuse TRA exemptions. We recommend that merchants ensure their payment provider documents each exemption used, as European regulators are now targeting low-friction players whose exemption rates appear disproportionate.

Platforms located outside the EEA pose a distinct problem. A site based outside the Union is not directly subject to DSP2, but the European issuer of the card held by the cardholder is still required to apply SCA. In practice, some non-European acquirers do not trigger the protocol, which explains why some international sites still accept payments without any verification.

The future DSP3, for which legislative work is underway, aims to tighten the framework. Among the discussed directions: stricter harmonization of exemption application, enhanced regulation of cross-border transactions outside the EEA, and an extension of the scope to new payment methods (wallets, payment links).

Points of Caution for Cardholders on Sites Without 3D Secure

The absence of 3D Secure on a merchant site is not a fraud signal in itself. However, it alters the risk profile of the transaction. A purchase made without strong authentication on an unknown site combines two vulnerability factors: no identity verification on the payment side, and no guarantee on the reliability of the merchant.

The virtual one-time card remains the most effective solution for purchases on platforms without authentication. Most French banks offer this service, which limits exposure in case of card data compromise.

Another reflex: check whether the merchant appears on the trusted beneficiaries list in your online banking space. If not, and the payment goes through without a challenge, it is likely a TRA exemption applied by the PSP. The cardholder retains their right to reimbursement in case of an unauthorized transaction, whether or not 3D Secure was triggered.

The gradual disappearance of truly non-compliant sites is an ongoing trend. Merchants who deliberately bypass SCA without legal basis expose themselves to increasing sanctions, and issuers are tightening their filtering rules. By the time DSP3 comes into effect, the number of transactions without any form of authentication is expected to decrease significantly.