# Banque de France enforces new requirements to combat fraud

Banque de France is enforcing a plan to combat fraud, which includes recommendations for French issuers to start declining merchant-initiated transactions (off_session), customer-initiated transactions (on_session) and mail order telephone order transactions ([MOTO](https://stripe.com/resources/more/moto-payments-101#:~:text=MOTO%20payments%20are%20transactions%20where,card%20is%20not%20physically%20present.)) that meet the criteria outlined below for European businesses subject to [PSD2](https://stripe.com/resources/more/what-is-psd2-here-is-what-businesses-need-to-know).
As a result, European businesses selling in France may see declines with the [decline code](https://docs.stripe.com/declines/codes) `authentication_required`. Read more about the authentication_required decline code.
### What is the expected impact for businesses?
The impact depends on each business's setup, business model and behaviour, as well as on each issuer's approach. For example, if a business is not using MOTO payments, the impact will be smaller than for a business selling via telephone orders.
**Reduce the impact of these changes**
* **Use Stripe Strong Customer Authentication (SCA) integrations**: To help you manage these new requirements and optimise conversion while reducing fraud, we strongly encourage businesses to use the latest [SCA-ready integrations](https://docs.stripe.com/strong-customer-authentication/migration).
* **Only use MOTO and off-session payments when there aren't other options:** Businesses on Stripe are responsible for ensuring that charges submitted as MOTO or off-session are eligible to be treated as such. For off-session payments, it's necessary to have an [appropriate mandate](https://docs.stripe.com/payments/setup-intents#mandates) in place with the customer.
**For businesses outside the European Economic Area (EEA) or the UK**
Starting in October 2025, velocity limits will also apply to transactions from French-issued cards at businesses located outside the EEA or UK. When transactions exceed these limits, issuers may decline with authentication_required and Stripe will automatically attempt 3D Secure authentication.
The thresholds will be introduced in phases:
* **Businesses in the Americas and Oceania**: 2000 EUR starting March 2026, decreasing to 500 EUR by September 2026
* **Businesses in Asia, Africa and the Middle East**: 2000 EUR starting January 2026, decreasing to 100 EUR by July 2026
* **Non-EEA European and Pacific French businesses**: 250 EUR starting October 2025, decreasing to 1.01 EUR by March 2026
### Banque de France recommendations to card issuers
Read the full specifications set out in their [remote card payment security plan](https://www.banque-france.fr/fr/strategie-monetaire/moyens-de-paiement/osmp/activites-osmp). The plan is summarised below.
French card issuers are encouraged to decline payments according to these guidelines. This approach is based on [Strong Customer Authentication](https://stripe.com/guides/strong-customer-authentication) regulation.
* The issuer may decline transactions from a business when the velocity, or the cumulative volume per card per business per 24 hours, on online payments not processed through [3D Secure](https://docs.stripe.com/payments/3d-secure) (3DS) rails exceeds a certain threshold. The velocity is calculated with:
  * The exclusion of certain Merchant Category Codes (MCCs)
  * The exclusion of low value transactions (less than 30 EUR)
  * A separate treatment for MOTO vs. on_session/off_session
  * Decreasing velocity thresholds:
    * First 500 EUR (10 June to 9 September 2024)
    * Then 250 EUR (9 September to 14 October 2024)
    * Then 100 EUR (starting 14 October 2024)
    * 50 EUR (starting 10 February 2025)
    * 30 EUR (starting 10 March 2025)
    * 10 EUR (starting 10 April 2025)
    * 1.01 EUR (starting 12 May 2025)
    * 0.01 EUR (starting 1 January 2026)
Velocity might be applied differently depending on issuers. The concept of "per business" is relative to each `merchant_ID`.
### on_session
These are also called Customer-Initiated Transactions (CIT).
* Decline due to [`authentication_required`](https://docs.stripe.com/declines/codes) of transactions outside [3DS](https://docs.stripe.com/payments/3d-secure) once the velocity limit has been reached
* CIT transactions outside 3DS shouldn't be declined when paid via a wallet already applying SCA (for example, Apple Pay or Google Pay)
**Example** for 500 EUR threshold: One issuer receives two CIT transactions of 300 EUR with the same card without 3DS from a company within 2 hours. 600 EUR is above the threshold so the issuer can start asking for a strong authentication for the next transactions from that company within the next 24 hours.
### off_session
These are also called Merchant-Initiated Transactions (MIT).
* Decline due to [authentication_required](https://docs.stripe.com/declines/codes) of transactions outside [3DS](https://docs.stripe.com/payments/3d-secure) once the velocity limit has been reached on all MIT transactions without chaining reference, or with an incorrect chaining reference.
**Example for 500 EUR threshold**: One issuer receives two MIT transactions of 300 EUR with the same card without 3DS from a company within 2 hours and realises that these MIT transactions don't contain any chaining reference. The issuer can start declining the next transactions from the company in the next 24 hours.
**What is a chaining reference?**
To perform an off-session transaction, a merchant needs to have authenticated the cardholder a first time during an on_session transaction (for instance when starting a subscription). The merchant [collects payment data](https://docs.stripe.com/payments/save-during-payment) so that they can [reuse](https://docs.stripe.com/payments/save-and-reuse) it later. The transaction is recorded by Stripe with a chaining reference that's used in subsequent off_session transactions.
### Mail Order Telephone Order (MOTO)
* Decline due to [authentication_required](https://docs.stripe.com/declines/codes) of MOTO transactions once the velocity limit has been reached, except on telephone order transactions with 3DS
* Velocity threshold maintained at 500 EUR for MOTO transactions, with the following exceptions for specific MCCs:
  * Until further notice: 5956
  * Until 11 May, 2026: 1771, 2741, 4814, 4900, 6010, 6012, 6300, 6513, 7032, 7033, 8111, 8220, 8398
  * Until 12 November, 2026: 3000-3299, 3350-3449, 7512, 3500-3999, 7011, 4011, 4112, 4411, 4511, 4722, 7322, 9405
**Example for 500 EUR threshold:** One issuer receives 2 MOTO transactions of 300 EUR with the same card without 3DS from a company within 2 hours. The issuer can start declining the next transactions from the company.
### Temporary exemption process
A merchant may request a temporary exemption from the velocity limitation mechanism, if it has suffered a significant deterioration in its acceptance rate following the implementation of the recommendation. Submit the request directly or via the acquiring PSP or any other member of the Bank of France steering committee. The eligibility requirements for requesting such an exemption are described in APPENDIX 3 of Banque de France's [remote card payment security plan](https://www.banque-france.fr/fr/strategie-monetaire/moyens-de-paiement/osmp/activites-osmp).