3D Secure v2: is the authentication systematic in the customer journey?

As part of the regulatory obligations of the Payment Services Directive 2 (PSD2), strong authentication will have to be implemented by all e-commerce websites that accept online payments (via Internet or mobile applications) made by credit card.

However, certain payments may be exempted, and thus be made without strong cardholder authentication (frictionless mode), if they are eligible for the exemptions defined by the PSD2, e.g. low amount, issuer transaction risk analysis (issuer TRA), acquirer transaction risk analysis (acquirer TRA), trusted beneficiary, etc. See What are the exemptions from strong authentication? for more information.

The operational implementation of these exemption cases will be carried out gradually in accordance with the schedule established between the Observatory for the Security of Payment Means (OSMP) of Banque de France and the stakeholders. The trusted beneficiary exemption is scheduled for 2022, for example.

In case of online payment, card issuers may refuse the absence of 3D Secure authentication with a soft decline rejection code.

They will request cardholder authentication if they detect, for example, an unusual situation (payment via another device, payment from a foreign country, etc.).