3D Secure v2: is the authentication systematic in the customer journey?
There is an obligation to systematically implement 3D Secure v2, but with possible exemptions.
As part of the regulatory obligations of the Payment Services Directive 2 (PSD2), strong authentication will have to be implemented by all e-commerce websites that accept online payments (via Internet or mobile applications) made by credit card.
However, some payments may be exempted and be made without strong authentication of the cardholder, if they are eligible for the exemptions defined by the PSD2 (examples: small amount, trusted beneficiary, etc.).
The operational implementation of these exemption cases will be carried out gradually in accordance with the schedule established between the Observatory for the Security of Payment Means (OSMP) of Banque de France and the stakeholders.
In case of online payment, the card issuer may refuse the absence of 3D Secure v2 authentication, contrary to the current version of 3D Secure v1. They will request cardholder authentication if they detect, for example, an unusual situation (payment via another device, payment from a foreign country, etc.).