The Banque de France has been enforcing a plan to combat fraud starting June 10, 2024, which includes recommendations for French issuers to start declining merchant-initiated transactions (off_session), customer-initiated transactions (on_session), and mail order telephone order transactions (MOTO) meeting certain criteria outlined below for European businesses subject to PSD2.

As a result, European businesses selling in France may see declines with the decline code authentication_required. Read more about the authentication_required decline code.

What is the expected impact for businesses?

The impact will depend on each business’s setup, business model, and behavior, as well as on each issuer’s approach. For example, if a business is not using MOTO payments, the impact will be smaller than for a business selling via telephone orders.

Reduce the impact of these changes

• Use Stripe Strong Customer Authentication (SCA) integrations: To help you manage these new requirements and optimize conversion while reducing fraud, we strongly encourage businesses to use the latest SCA-ready integrations.
• Only use MOTO and off-session payments when there aren't other options: Businesses on Stripe are responsible for ensuring that charges submitted as MOTO or off-session are eligible to be treated as such. For off-session payments, it’s necessary to have an appropriate mandate in place with the customer.

Banque de France recommendations to card issuers

Read the full specifications set out in the Plan de sécurisation des paiements par carte à distance on the Banque de France's site. The plan is summarized below.

French card issuers are encouraged to decline payments according to these guidelines. This approach is based on Strong Customer Authentication regulation.

• Issuer may decline transactions from a business when the velocity—where velocity is the cumulative volume per card per business per 24 hours— on online payments not processed through 3D Secure (3DS) rails exceeds a certain threshold. The velocity is calculated with:
  • The exclusion of certain Merchant category codes (MCC codes)
  • The exclusion of low value transactions (less than 30 EUR)
  • A separate treatment for MOTO vs on_session/off_session
  • Decreasing velocity thresholds:
    • First 500 EUR (June 10 to September 9 2024)
    • Then 250 EUR (Sept 9 to October 14 2024)
    • Then 100 EUR (starting October 14 2024)
    • 50 EUR (starting February 10 2025)
    • 30 EUR (starting March 10 2025)
    • 10 EUR (starting April 10 2025)
    • 0.01 EUR (starting May 12 2025)

Velocity might be applied differently depending on issuers. The concept of “per business” is relative to each merchant_ID.

on_session

Also called Customer-Initiated Transactions (CIT)

• Decline due to authentication_required of transactions outside 3DS once the velocity limit has been reached
• CIT transactions outside 3DS should not be declined when paid via a wallet already applying SCA (for example, Apple Pay or Google Pay)

Example for 500 EUR threshold: One issuer receives two CIT transactions of 300 EUR with the same card without 3DS from company Business.com within 2 hours. 600 EUR is above the threshold so the issuer can start asking for a strong authentication for the next transactions from Business.com within the next 24 hours.

off_session

Also called Merchant-Initiated Transactions (MIT)

• Decline due to authentication_required of transactions outside 3DS once the velocity limit has been reached on all MIT transactions without chaining reference, or with an incorrect chaining reference

Example for 500 EUR threshold: One issuer receives two MIT transactions of 300 EUR with the same card without 3DS from company Business.com within 2 hours and realizes that these MIT transactions do not contain any chaining reference. The issuer can start declining the next transactions from Business.com in the next 24 hours.

What is a chaining reference?

In order to perform an off-session transaction, a merchant needs to have authenticated the cardholder a first time during an on_session transaction (for instance when starting a subscription). The merchant collects payment data so that they can reuse it later and the transaction is recorded by Stripe with a chaining reference that is used in subsequent off_session transactions.

Mail Order Telephone Order (MOTO)

• Decline due to authentication_required of MOTO transactions once the velocity limit has been reached, except on telephone order transactions with 3DS
• Velocity threshold maintained at 500 EUR for MOTO transactions in non-exempted sectors, until further notice
• Exception on following MCC codes: 1771, 2741, 3000-3299, 3350-3449, 3500-3999, 4011, 4112, 4411, 4511, 4722, 4814, 4900, 5965, 6010, 6012, 6300, 6513, 7011, 7032, 7033, 7322, 7512, 8111, 8220, 8398, 9405

Example for 500 EUR threshold: One issuer receives 2 MOTO transactions of 300 EUR with the same card without 3DS from company Business.com within 2 hours. The issuer can start declining the next transactions from Business.com.

Temporary exemption process

A merchant may request a temporary exemption from the velocity limitation mechanism, if it has suffered a significant deterioration in its acceptance rate following the implementation of the recommendation. Submit the request directly or via the acquiring PSP or any other member of the Bank of France steering committee. The eligibility requirements for requesting such an exemption are described in APPENDIX 3 of the Plan de sécurisation des paiements par carte à distance on the Banque de France's site.