What are the risks of shopping on sites without 3D Secure in 2024?

The 3D Secure protocol adds an authentication step to online purchases made with a credit card. Since the European DSP2 directive (PSD2) came fully into force, this strong authentication has become the norm for the majority of transactions. Some merchants do not activate this system, either for technical reasons or because they benefit from regulatory exemptions. Shopping on these platforms exposes both the cardholder and the merchant to specific risks.

Transfer of liability in case of fraud without strong authentication

The least visible mechanism for the buyer is also the most structural. When a payment goes through 3D Secure, the liability for a fraudulent transaction shifts from the merchant to the card-issuing bank. Without this authentication, the liability reverts to the merchant.


The Banque de France reminds us in its 2024 Payment Fraud Panorama that the rules of the Monetary and Financial Code continue to apply: the issuer must immediately refund the payer, unless there is suspicion of fraud on the part of the payer. The responsibility for the refund lies with the payment service provider when a payment has been made without strong authentication even though it was required.

In practice, this means that the consumer remains protected by law. The situation is much riskier for the merchant who chooses not to activate 3D Secure: in case of a dispute, they bear the financial loss. To understand why some merchants make this choice nonetheless, a list of sites without 3D Secure on Geekfinity details the commercial motivations behind this decision.



Credit card fraud on sites without 3D Secure: a higher rate

The latest report from the Payment Security Observatory (OSMP) confirms a clear trend: the fraud rate on online card payments continued to decrease over the 2023-2024 period, thanks to the widespread adoption of strong authentication and 3D Secure 2.

The report specifies that transactions made without strong authentication, even when allowed by a regulatory exemption, concentrate a significantly higher share of fraud than authenticated transactions. Therefore, purchasing on a site that does not trigger this verification places the transaction in the statistically most exposed category.

How a fraudster exploits the absence of 3D Secure

Without strong authentication, a fraudulent purchase requires only three pieces of information: the card number, its expiration date, and the three-digit security code (CVV) printed on the back. Researchers have demonstrated that this data can be guessed through brute force by exploiting the responses of the payment systems of certain sites, as reported by the site Korben.

The typical scenario unfolds as follows:

  • A fraudster obtains a card number via a phishing site or a data leak.
  • They test the card on a site without 3D Secure, where no SMS code or biometric validation is required.
  • The transaction is validated in a few seconds, without the cardholder being alerted before receiving their bank statement.

This type of attack is made much more difficult, if not impossible, when strong authentication requires an additional factor that the fraudster does not possess (access to the phone, fingerprint).

DSP2 exemptions: why some payments go through without authentication

Not all online payments without 3D Secure are illegitimate. The DSP2 provides for exemptions to strong authentication in specific cases:

  • Low-value transactions, below a threshold defined by regulation.
  • Recurring operations with the same merchant after a successful initial authentication.
  • Transactions considered low risk by the real-time analysis of the payment provider (the so-called “frictionless” approach of 3D Secure 2).
  • Purchases from trusted beneficiaries previously registered by the cardholder with their bank.

The “frictionless” mode of 3D Secure 2 deserves special attention. Authentication does occur, but it is silent: the system analyzes dozens of parameters in the background (device used, location, purchase history) to decide if an active verification of the holder is necessary. The absence of a pop-up does not mean the absence of protection.

This distinction is important. A site that benefits from a DSP2 exemption remains within a controlled regulatory framework. A site that simply does not offer 3D Secure, often hosted outside the European Economic Area, does not benefit from any of these safeguards.
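To make the cases above concrete, here is an added example (not code from the article or from any payment provider) that models the DSP2 exemption rules and the liability shift described earlier as one decision function. The numeric threshold, the cap on consecutive low-value exemptions and the risk cutoff are assumptions, since the article gives no figures.

```python
# Added example: toy model of the DSP2 exemption cases and of who bears a
# fraud dispute. Thresholds, the low-value streak cap and the risk cutoff
# are assumptions, not values taken from the article or the regulation.
from dataclasses import dataclass

LOW_VALUE_LIMIT_EUR = 30.0      # assumed; the article only says "a threshold defined by regulation"
LOW_VALUE_MAX_STREAK = 5        # assumed cap on consecutive exempted low-value payments
FRICTIONLESS_RISK_CUTOFF = 0.2  # assumed; below this the silent 3DS2 analysis skips the challenge


@dataclass
class Transaction:
    amount_eur: float
    merchant_supports_3ds: bool = True
    recurring_after_sca: bool = False   # follow-up payment of a series whose first payment passed SCA
    trusted_beneficiary: bool = False   # merchant registered by the cardholder with their bank
    risk_score: float = 1.0             # 0 = lowest risk, 1 = highest; output of real-time analysis


@dataclass
class CardState:
    low_value_streak: int = 0           # consecutive payments cleared under the low-value exemption


def decide_authentication(tx: Transaction, state: CardState) -> str:
    """Return the flow applied to this payment, mirroring the article's cases."""
    if not tx.merchant_supports_3ds:
        return "no_3ds"                  # nothing is verified at all
    if tx.trusted_beneficiary:
        return "exempt:trusted_beneficiary"
    if tx.recurring_after_sca:
        return "exempt:recurring"
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR and state.low_value_streak < LOW_VALUE_MAX_STREAK:
        state.low_value_streak += 1
        return "exempt:low_value"
    state.low_value_streak = 0           # an authenticated payment resets the streak (assumed)
    if tx.risk_score < FRICTIONLESS_RISK_CUTOFF:
        return "frictionless"            # 3DS2 silent authentication: no pop-up, still authenticated
    return "challenge"                   # SMS code, app confirmation or biometrics


def bears_fraud_loss(flow: str) -> str:
    """Party absorbing a fraudulent transaction in a dispute.

    The payer is refunded by the issuer in every case; only "challenge" and
    "frictionless" count as authenticated through 3D Secure, which is what
    moves the loss from the merchant to the issuer.
    """
    return "issuer" if flow in ("challenge", "frictionless") else "merchant"
```

Running several small payments in a row shows the streak cap forcing a challenge on the sixth one, and a merchant without 3D Secure always ends up on the losing side of a dispute.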

Check the security of a site before making an online card purchase

Before entering banking information on a site that does not trigger authentication, several points can help assess the actual level of risk.

The presence of the HTTPS lock in the address bar guarantees that data is encrypted in transit, but says nothing about the reliability of the merchant. A fraudulent site can very well have a valid TLS (SSL) certificate.

Alternative payment methods offer an additional layer of protection. Virtual credit cards, offered by most banks and fintechs, generate a one-time card number that becomes unusable after the transaction. Even in the event of a data leak, the retrieved information does not allow for any subsequent purchases.

The website of the Ministry of Economy also recommends never saving banking details on a merchant site and avoiding public Wi-Fi networks for transactions.


The regulatory trend is towards strengthening authentication, not relaxing it. The upcoming DSP3 directive plans for even stricter regulation of exemptions and an extension of the scope of strong authentication. Sites that currently bypass 3D Secure for commercial convenience will need to adapt their practices or accept bearing an increasing financial risk with each transaction dispute.
