Why do some websites not offer 3D Secure for your online payments?

The 3D Secure protocol adds an authentication step when making a card payment online. The cardholder confirms their identity via a code received by SMS, a notification in their banking app, or a biometric check. This verification reduces the risk of fraud by ensuring that the person making the payment is indeed the cardholder.

Not all merchant sites trigger this step, and the reasons relate both to regulations and the commercial choices of merchants.

Exemptions Provided by the PSD2 Directive on Strong Authentication

The European Payment Services Directive (PSD2, abbreviated DSP2 in French), in effect since 2019, mandates strong authentication for most online card payments. This requirement does not cover all scenarios. The text outlines specific exemptions that payment service providers and issuing banks can activate.

Low-value transactions constitute the first exemption. Below a certain threshold, the bank can authorize the payment without triggering 3D Secure, provided that the cumulative recent payments without authentication also remain below a ceiling.

Recurring subscriptions benefit from special treatment. Once the first payment is authenticated, subsequent charges, for the same amount from the same merchant, proceed without further verification. A streaming service or a newspaper subscription will therefore not request a code at each due date.

A detailed article on unsecured payments on Geekfinity discusses the various scenarios encountered by buyers. The directive also provides for other exemptions:

  • Transactions considered low-risk by the acquiring bank’s analysis, based on its overall fraud rate.
  • Payments to a trusted beneficiary, previously added to a whitelist by the cardholder with their bank.
  • Merchant-initiated transactions, such as adjustments after hotel bookings or vehicle rentals.

These exemptions do not stem from an arbitrary choice by the merchant site. They are regulated and validated by the issuing bank or payment service provider, which assesses the risk level in real time.

Real-Time Risk Analysis and Frictionless Flow

Payment providers like Stripe, Adyen, or Worldpay integrate risk analysis engines that evaluate each transaction before deciding whether to trigger 3D Secure authentication. This assessment relies on dozens of parameters transmitted during the payment.

The 3D Secure 2 protocol, successor to the initial version, was designed to allow this type of contextual decision-making. Unlike the first version, which systematically required redirection to an authentication page, 3DS2 transmits more data to the banking network: device type, IP address, purchase history, browsing behavior.

When the analysis concludes that the fraud risk is very low, the transaction proceeds in “frictionless” mode: the customer does not see any additional authentication step. 3D Secure has in fact been requested in the background, but the issuing bank deemed the verification unnecessary. From the buyer’s perspective, the payment appears not to have used the protocol.

This distinction is important. A site that does not trigger a visible authentication screen has not necessarily disabled 3D Secure. The frictionless flow is precisely the goal of 3DS2: to secure without slowing down.

Cart Abandonment Rate and Merchants’ Commercial Trade-offs

Each step added to the payment funnel increases the risk that the buyer will abandon their order. Strong authentication, when it requires switching to a banking app or waiting for an SMS, generates measurable friction. Online merchants are aware of this correlation and seek to limit it.

Merchants with a low fraud rate can ask their payment provider to apply the so-called “TRA” (Transaction Risk Analysis) exemption. This exemption allows for processing more payments without visible authentication, provided that the merchant’s fraud rate remains below the thresholds set by European regulations.

This mechanism creates a situation where large e-commerce sites, which invest in effective anti-fraud tools, obtain exemptions more easily than smaller merchants. The paradox: the most reliable sites are also those that least often request 3D Secure from their customers.

Sites Based Outside the European Economic Area

PSD2 applies to transactions where both the issuing bank and the merchant’s provider are located within the European Economic Area. A merchant site based in the United States or Asia, using a non-European acquirer, is not subject to the same strong authentication obligations.

In this case, the customer’s European issuing bank can still require authentication, but the foreign merchant has no obligation to implement it. The payment can then proceed without 3D Secure, with responsibility in case of fraud falling on the issuing bank or the merchant according to the agreements in place.
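
The exemptions and the EEA scope rule described above can be read as one decision procedure. The sketch below is an added example, not code from any payment provider: the Payment model and the function names are hypothetical, and the numeric thresholds are those of the PSD2 (the page's DSP2) regulatory technical standards, which the article does not quote.

```python
from dataclasses import dataclass

# Figures from the PSD2 RTS on strong customer authentication (Delegated
# Regulation (EU) 2018/389); the article itself quotes no numbers.
LOW_VALUE_MAX, CUMULATIVE_MAX, COUNT_MAX = 30.0, 100.0, 5   # EUR, EUR, payments
TRA_BANDS = [(100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001)]  # (max EUR, max fraud rate)

@dataclass
class Payment:               # hypothetical model, not a real PSP API
    amount: float
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    merchant_initiated: bool = False
    recurring_followup: bool = False   # same amount and merchant, first charge authenticated
    trusted_beneficiary: bool = False
    spent_since_sca: float = 0.0       # unauthenticated total since the last challenge
    count_since_sca: int = 0
    fraud_rate: float = 1.0            # rate of the provider applying TRA; 1.0 = not eligible

def sca_decision(p: Payment) -> str:
    """Return the outcome a provider could request; the issuer may still challenge."""
    if not (p.issuer_in_eea and p.acquirer_in_eea):
        return "out_of_scope"
    if p.merchant_initiated:
        return "exempt:merchant_initiated"
    if p.recurring_followup:
        return "exempt:recurring"
    if p.trusted_beneficiary:
        return "exempt:trusted_beneficiary"
    # Conservative reading: enforce both counters, current payment included.
    if (p.amount <= LOW_VALUE_MAX and p.count_since_sca < COUNT_MAX
            and p.spent_since_sca + p.amount <= CUMULATIVE_MAX):
        return "exempt:low_value"
    if any(p.amount <= cap and p.fraud_rate <= rate for cap, rate in TRA_BANDS):
        return "exempt:tra"
    return "challenge"

def run_sequence(amounts):
    """Replay one card's payments, resetting the counters after each challenge."""
    spent, count, out = 0.0, 0, []
    for amount in amounts:
        d = sca_decision(Payment(amount, spent_since_sca=spent, count_since_sca=count))
        if d == "challenge":
            spent, count = 0.0, 0
        elif d == "exempt:low_value":
            spent, count = spent + amount, count + 1
        out.append(d)
    return out

if __name__ == "__main__":
    print(run_sequence([25, 30, 30, 20, 10]))   # constructed sample amounts
```

In the replayed sequence the fourth small payment is challenged because the running unauthenticated total would pass the cumulative ceiling, which is the behaviour the low-value exemption describes.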

Responsibility in Case of Fraud Without 3D Secure

3D Secure alters the distribution of financial responsibility in the event of a fraudulent transaction. When the protocol is activated and authentication is successful, responsibility shifts from the merchant to the issuing bank. This mechanism, known as “liability shift,” protects the merchant against payment disputes (chargebacks).

When a merchant chooses not to activate 3D Secure, or when an exemption is applied, this transfer of responsibility does not occur. The merchant then assumes the financial risk in case of fraud. This choice is calculated: some merchants prefer to absorb a low fraud rate rather than lose sales due to authentication.

For the buyer, protection remains the same in both cases. European banking regulations guarantee the reimbursement of an unauthorized transaction, whether or not 3D Secure was used. The cardholder’s bank must refund the customer who is a victim of fraud and then seek recourse against the merchant if the liability shift allows it.

The absence of visible authentication during an online purchase does not mean that the payment is less secure for the consumer. It reflects a regulatory exemption, a frictionless flow, or a commercial trade-off by the merchant, who assumes the risk themselves.
