As part of the regulatory obligations of the Payment Services Directive 2 (PSD2), strong authentication must be implemented by all e-commerce websites that accept online payments (via Internet or mobile applications) made by credit card.
However, some payments may be exempted and be made without strong authentication of the cardholder, if they are eligible for the exemptions defined by the PSD2 (e.g.: small amount, trusted beneficiary, etc.).
The operational implementation of these exemption cases will be carried out gradually in accordance with the schedule established between the Observatory for the Security of Payment Means (OSMP) of Banque de France and the stakeholders.
In case of online payment, the card issuing institution can refuse the absence of 3D Secure v2 authentication. They will request cardholder authentication if they detect, for example, an unusual situation (payment via another device, payment from a foreign country, etc.).