What risks in 2025 for sites without 3D Secure bank verification?

Since the full implementation of the European DSP2 directive, strong customer authentication (SCA) has become the standard for online card payments in Europe. Most transactions go through the 3D Secure 2.0 protocol, which verifies the identity of the cardholder before validating the purchase.

Some sites continue to process payments without this verification, relying on exemption mechanisms provided by the regulation. The question of the viability of this approach arises with particular acuity in 2025.


DSP2 Exemptions and Transactions Without 3D Secure: The Mechanism Behind the Exemption

The DSP2 does not impose strong authentication for every transaction. The regulation provides several exemption cases that payment service providers (PSPs) can invoke to allow a payment to pass without bank verification.

The most commonly used exemptions concern so-called “low-value” transactions (low amounts, generally below a threshold defined by the PSP) and operations deemed “low-risk” by the PSP’s real-time risk analysis (TRA). A PSP whose fraud rate remains below certain thresholds can request that its transactions be exempted from strong authentication.


  • Recurring transactions after a successful initial authentication can be processed without 3D Secure for subsequent payments.
  • Low-value operations benefit from an automatic exemption, but a cumulative series of successive transactions triggers a new verification.
  • The real-time risk analysis (TRA) allows the PSP to evaluate each operation and decide if the exemption applies, provided its fraud rate remains compliant with regulatory thresholds.

For merchants consulting a list of sites without bank verification in 2025, these exemptions explain why some platforms can still operate without visible authentication. The payment goes through, but the responsibility in case of fraud changes hands.


Chargebacks and Financial Responsibility: What the Merchant Assumes Without Strong Authentication

The transfer of liability constitutes the most direct financial risk. When a payment is authenticated via 3D Secure, the issuing bank assumes responsibility in the event of a fraudulent dispute. Without this authentication, the merchant bears the cost of the chargeback alone.

In its report published in March 2025, the Payment Means Security Observatory (OSMP) noted a significant increase in chargebacks on European sites that do not use 3D Secure. Consumer disputes are multiplying, and the trend is accelerating.

For a high-volume site, this exposure can represent a considerable cost. Each dispute generates not only the refund of the amount but also processing fees charged by the PSP. Beyond a certain chargeback rate, card networks (Visa, Mastercard) place the merchant in a monitoring program that leads to additional penalties, or even termination of the acceptance contract.

Sectors Most Exposed to Bank Blocking

French banks have strengthened their automatic filters on unauthenticated transactions. According to field feedback reported by TF1 Info at the end of 2025, automatic blocks primarily affect high-risk sectors such as gaming. A merchant in these sectors that does not trigger 3D Secure sees an increasing share of its transactions rejected even before reaching the payment stage.

Dependence on Low-Risk Exemptions: A Structural Fragility for E-Commerce Merchants

Building a payment model around DSP2 exemptions amounts to betting on a stable fraud rate. The mechanism works as long as the indicators remain within the limits. As soon as a fraud spike occurs, the PSP loses its ability to invoke the TRA exemption, and all the merchant’s transactions revert to strong authentication.

This shift can be abrupt. A site accustomed to a smooth payment process (without an authentication step) suddenly sees its cart abandonment rate rise because its customers had never faced verification. The adaptation is not instantaneous: payment pages, conversion funnels, and even customer communication must be rethought.
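The exemption rules listed earlier, the liability shift, and the effect of a fraud spike on TRA-reliant payments can be modelled in a few lines. This is an added example, not code from any PSP or from the article's author; the threshold values, field names and sample basket are assumptions chosen for illustration, since the article gives no figures.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions for this example; the article gives no figures).
LOW_VALUE_MAX_CENTS = 3_000      # ceiling for a single low-value payment
CUMULATIVE_MAX_CENTS = 10_000    # exempted total allowed since the last strong authentication
CONSECUTIVE_MAX = 5              # exempted payments allowed since the last strong authentication
TRA_FRAUD_RATE_MAX = 0.0013      # PSP fraud-rate ceiling for invoking the TRA exemption

@dataclass
class Payment:
    amount_cents: int
    recurring_after_sca: bool = False  # later payment of a series whose first one was authenticated
    exempt_total_cents: int = 0        # low-value total already exempted since the last SCA
    exempt_count: int = 0              # low-value payments already exempted since the last SCA
    tra_low_risk: bool = False         # the PSP's risk model scored this payment low-risk

def decide(p: Payment, psp_fraud_rate: float) -> dict:
    """Pick the exemption that applies, if any, and who bears a fraud chargeback."""
    exemption = None
    if p.recurring_after_sca:
        exemption = "recurring"
    elif (p.amount_cents <= LOW_VALUE_MAX_CENTS
          and p.exempt_total_cents + p.amount_cents <= CUMULATIVE_MAX_CENTS
          and p.exempt_count < CONSECUTIVE_MAX):
        exemption = "low_value"
    elif p.tra_low_risk and psp_fraud_rate <= TRA_FRAUD_RATE_MAX:
        exemption = "tra"
    three_ds = exemption is None
    # Per the article: authenticated -> issuer bears fraud disputes, otherwise the merchant.
    return {"exemption": exemption, "three_ds": three_ds,
            "liability": "issuer" if three_ds else "merchant"}

def exposure(payments: list[Payment], psp_fraud_rate: float) -> dict:
    """Summarise a batch: payments sent to 3D Secure and the amount the merchant is liable for."""
    results = [(p, decide(p, psp_fraud_rate)) for p in payments]
    return {
        "sent_to_3ds": sum(r["three_ds"] for _, r in results),
        "merchant_liable_cents": sum(p.amount_cents for p, r in results
                                     if r["liability"] == "merchant"),
    }

# Constructed sample basket, not real data.
SAMPLE = [
    Payment(1_500),                                            # low value, first since SCA
    Payment(2_000, exempt_total_cents=9_000, exempt_count=4),  # cumulative cap exceeded
    Payment(1_200, recurring_after_sca=True),                  # subscription renewal
    Payment(8_000, tra_low_risk=True),                         # relies on the TRA exemption
    Payment(25_000),                                           # no exemption applies
]
```

Calling `exposure(SAMPLE, 0.0008)` and then `exposure(SAMPLE, 0.0030)` shows the same basket before and after the PSP's fraud rate crosses the assumed ceiling: the TRA-reliant payment moves from the merchant-liable column to the 3D Secure path.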

Japan illustrates the direction taken by regulators. Since April 2025, 3D Secure 2.0 has become mandatory for all Japanese e-commerce sites, as detailed by Stripe in its updated documentation. Platforms that had not integrated the protocol found their card payments blocked overnight. The available data does not allow us to conclude that Europe will adopt a similar timeline, but regulatory convergence is moving in that direction.

Social Engineering Fraud and Limits of Filters Without Authentication

Fraud techniques evolve faster than statistical filters. Real-time risk analysis relies on models that assess buyer behavior (device used, geolocation, history). These models effectively detect known patterns but struggle against social engineering attacks where the cardholder is manipulated into making the purchase themselves.

In this case, the TRA analysis detects no anomaly since the behavior is that of the real cardholder. The payment goes through without authentication, the fraudster obtains the good or service, and the consumer then disputes the transaction with their bank. The merchant, without proof of strong authentication, systematically loses the dispute.

Tokenization and Alternatives: Complements, Not Substitutes

Some merchants compensate for the absence of 3D Secure with other layers of security: tokenization of card data, enhanced behavioral scoring, address verification (AVS). These tools reduce certain fraud vectors, but none replace the transfer of liability that strong authentication offers.

Tokenization protects stored data against leaks. Scoring refines detection. AVS compares the billing address. None of these methods proves that the cardholder validated the transaction, which remains the determining criterion in a dispute.


The European regulatory framework continues to tighten around strong authentication. The DSP3, currently being finalized, is expected to expand the scope of SCA and reduce current exemption margins. For an e-commerce merchant who has built their checkout flow on the absence of verification, each regulatory evolution represents a direct operational risk. Integrating 3D Secure 2.0 now, including on transactions eligible for an exemption, remains the least costly strategy in the medium term.
