
Does an online payment accepted without an SMS code or validation in your banking app mean that the merchant site neglects your security? Since the widespread adoption of the 3D Secure 2.x protocol and the implementation of the PSD2 in Europe, the answer requires a more nuanced reading than the simple reflex of “no 3D Secure = danger.” This article compares different payment scenarios without visible authentication to assess the real risk faced by the buyer.
Payment without visible authentication: what the PSD2 regulation says
The European Payment Services Directive (PSD2) requires banks to apply strong customer authentication (SCA) to online payments. This obligation covers the vast majority of card transactions on European e-commerce sites.
The PSD2 also provides for specific exemptions. A payment can be accepted without a visible authentication step in several regulatory cases, without constituting a violation or a sign of fraud.
- Low-value transactions, below a threshold defined by the Regulatory Technical Standards (RTS), can be exempted by the issuing bank.
- Recurring fixed-amount subscriptions only trigger strong authentication at the first due date, not for subsequent ones.
- Trusted beneficiaries, whom the cardholder has previously registered with their bank, are exempt from additional verification.
- Behavioral analysis (risk-based authentication) allows the bank or acquirer to assess the risk in real time and skip the visible step if the transaction is deemed safe.
Understanding sites without 3D Secure in 2025 requires distinguishing these legitimate exemptions from a complete absence of security protocol on the merchant side.

3D Secure 2.x and frictionless authentication: comparative table of scenarios
Since the migration to 3D Secure 2.2+, Visa and Mastercard networks allow so-called “frictionless” journeys: the customer is authenticated in the background, without seeing an SMS code or banking notification. The presence of a visible challenge is therefore no longer a reliable criterion for judging the level of protection of a site.
| Payment Scenario | Actual Authentication | Visible Step for the Customer | Risk for the Buyer |
|---|---|---|---|
| 3D Secure 2.x with challenge (SMS, app) | Strong (PSD2) | Yes | Low |
| 3D Secure 2.x frictionless | Strong (background analysis) | No | Low |
| PSD2 exemption (low amount, trusted beneficiary) | Partial or deferred | No | Low to moderate |
| Site outside EEA without 3DS protocol | None on the merchant side | No | High |
| Fraudulent or non-compliant site | None | No | Very high |
The table highlights the key point: the absence of a visible step does not always correspond to a lack of protection. The frictionless scenario and PSD2 exemptions offer a level of security comparable to the classic challenge, provided that the bank or payment provider correctly implements the protocol.
Bank liability in case of fraud on an unauthenticated payment
When a payment is made without strong authentication and fraud occurs, liability shifts to the party that triggered the exemption. In practice, for a European buyer, this makes a real difference.
If the issuing bank or acquirer authorized an exemption and a fraudulent transaction is identified, the bank assumes financial responsibility for the refund. The cardholder benefits from the protection provided by the PSD2 and can dispute the transaction with their banking institution.
In contrast, on a site located outside the European Economic Area that does not implement any authentication protocol, this regulatory protection does not apply in the same way. Recourse in case of fraud then depends on the general conditions of the card network (Visa, Mastercard) and the contract with your bank.
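The exemptions listed above, the scenarios in the table and the liability rule just described can be put together as an issuer-side decision model. This is an added example written for this article, not code from any bank or payment provider: the threshold values follow the RTS (Delegated Regulation (EU) 2018/389, Art. 16 and 18), while the transaction fields, the acquirer fraud-rate figure and the order in which exemptions are tried are assumptions.

```python
from dataclasses import dataclass, field

# Thresholds from the RTS (Delegated Regulation (EU) 2018/389), Art. 16 and 18.
LOW_VALUE_LIMIT = 30.00        # per-transaction ceiling for the low-value exemption
LOW_VALUE_CUMULATIVE = 100.00  # cumulative spend allowed since the last SCA
LOW_VALUE_MAX_COUNT = 5        # consecutive exempted payments allowed since last SCA
TRA_BANDS = [(13, 100.00), (6, 250.00), (1, 500.00)]  # (max fraud rate in bps, max amount)

@dataclass
class CardState:
    """Issuer-side counters kept per card since its last strong authentication."""
    spent_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_merchants: set = field(default_factory=set)

@dataclass
class Transaction:
    merchant: str
    amount: float
    recurring_next: bool = False  # later due date of a fixed-amount subscription
    in_eea: bool = True           # issuer and acquirer both within PSD2 scope
    acquirer_fraud_bps: int = 50  # acquirer's reference fraud rate (assumed field)

def sca_decision(txn: Transaction, state: CardState) -> tuple:
    """Return (outcome, who_refunds_on_fraud) and update the card's counters.

    outcome is 'challenge' when a visible step is shown, otherwise the name of
    the exemption that removed it. The second value applies the article's rule:
    the party that triggered the exemption bears the loss if fraud follows.
    """
    if not txn.in_eea:
        return "no_sca_out_of_scope", "card network rules"
    if txn.recurring_next:
        return "exempt_recurring", "issuer"
    if txn.merchant in state.trusted_merchants:
        return "exempt_trusted_beneficiary", "issuer"
    if (txn.amount <= LOW_VALUE_LIMIT
            and state.spent_since_sca + txn.amount <= LOW_VALUE_CUMULATIVE
            and state.count_since_sca < LOW_VALUE_MAX_COUNT):
        state.spent_since_sca += txn.amount
        state.count_since_sca += 1
        return "exempt_low_value", "issuer"
    for max_bps, max_amount in TRA_BANDS:  # transaction risk analysis (frictionless)
        if txn.acquirer_fraud_bps <= max_bps and txn.amount <= max_amount:
            return "exempt_tra_frictionless", "acquirer"
    # No exemption fits: a challenge is shown; a successful SCA resets the counters.
    state.spent_since_sca = 0.0
    state.count_since_sca = 0
    return "challenge", "issuer (after dispute)"
```

The cumulative counters are the part the bullet list leaves implicit: a sixth small payment in a row, or one that pushes the running total past the cap, brings the challenge back even though each amount alone is under the limit.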
The specific case of sites outside Europe
Japan has made 3D Secure 2.0 mandatory for all e-commerce businesses since March 2025. Other markets are moving in the same direction. However, many merchant sites, particularly in the United States, are not subject to any obligation equivalent to the PSD2.
Shopping on an American site without visible authentication remains common. The risk then depends on the payment provider used by the merchant and the refund policy of your own bank, not the site itself.

Concrete signals to assess the reliability of a site without 3D Secure
Rather than systematically avoiding any site where authentication is not visible, a few checks can help measure the real risk.
- Check that the URL starts with https:// and that the TLS certificate is valid (padlock in the address bar). A site without data encryption is a much more reliable warning signal than the absence of 3D Secure; the reverse does not hold, since a valid certificate only proves that the connection is encrypted, not that the merchant is honest.
- Identify the payment provider: Stripe, Adyen, PayPal, or another recognized player integrates its own layers of security and fraud detection, even without a visible challenge.
- Consult the legal notices and the general terms of sale. A compliant site displays its SIRET number (in France), its physical contact details, and its refund policy.
A site that uses a recognized payment provider without displaying visible 3D Secure can be as safe as a site with SMS challenge. The frictionless authentication protocol works in the background without the buyer noticing.
When caution remains justified
An unknown merchant site, hosted outside Europe, without legal notices, with a questionable TLS certificate, and a payment form that asks for your PIN code (which is never required for an online card payment), accumulates signals that have nothing to do with 3D Secure. In this case, the absence of visible authentication adds to a bundle of clues, without being the main cause for concern.
The most reliable approach in 2025 is to evaluate the complete security chain of the site (encryption, payment provider, legal compliance) rather than relying solely on the presence or absence of a visible banking validation step. The massive migration to 3D Secure 2.x frictionless makes this isolated criterion less and less relevant for judging the reliability of an online purchase.