3D Secure v2: is it systematically required during purchases?

There is an obligation to systematically implement 3D Secure v2, but with possible exemptions.

As part of the regulatory obligations of the Payment Services Directive 2 (PSD2), which came into force on 14 September 2019, 3D Secure v2 authentication will have to be implemented by all e-commerce websites that accept credit card payments online (via Internet or mobile applications).

However, some payments may be exempted and be made without strong authentication of the cardholder, if they meet the criteria defined by the DSP2 (e.g.: small amount, trusted beneficiary, etc.).

The operational implementation of these exemption cases will be carried out gradually in accordance with the schedule established between the Observatory for the Security of Payment Means (OSMP) of Banque de France and the stakeholders.

In case of online payment, the card issuer may refuse the absence of 3D Secure v2 authentication, contrary to the current version of 3D Secure v1. The issuer will request cardholder authentication if an unusual situation (payment using a new device, payment from a foreign country, etc.) is detected.