OSMP recommendations: how to adapt your payment strategy in France?

Since November 2024, the online payment landscape in France has been rapidly evolving under the OSMP recommendations, a program led by the Observatory for the Security of Payment Means (OSMP) and overseen by the Banque de France. While the first regulatory deadlines are already in effect, businesses must now adapt to more stringent regulations that strengthen security standards for remote payments.

For executives, financial managers, or payment experts, this evolution means adhering to "best practices" in payment processes, technological choices, and relationships with service providers.

In this article, we analyse how the tightening of rules will impact your payment strategy and how Payplug, as a French payment solution and part of the Groupe BPCE, can help you navigate this regulatory constraint to reduce fraud while maintaining conversion rates.

1. OSMP : From regulation to practical application

Launched to address the increase in online payment fraud, the enforcement of the RTS¹ aims to generalise the application of the 3-D Secure (3DS) protocol while encouraging the intelligent use of exemptions to preserve the user experience. The initial observation is clear: in 2023, payments without 3DS generated four times more fraud than authenticated ones (0.358% vs. 0.095%)¹.

Since 10 February 2025, payments initiated without 3DS have been limited to a €50 cap per card and per merchant over a rolling 24-hour period. This threshold dropped to €30 on 10 April and will fall to €0 as of 10 May¹.

Only certain transactions will still benefit from a "frictionless" exemption, provided the issuer deems the risk level sufficiently low.

Another major change is the end of derogatory regimes like the Mail Order / Telephone Order (MOTO) sectoral exemption.

For customer experience reasons, sectors like mail order, travel, or hospitality have historically used MOTO, where cards are used without strong authentication. Until now, these transactions benefited from a generalised exemption to facilitate remote sales.

However, this tolerance has deviated from its initial objective: a growing share of fraud has shifted to these paths, perceived as more vulnerable.

This exemption will end. Derogatory regimes like the MOTO sectoral exemption are being replaced by individualised schemes, negotiated on a case-by-case basis with issuers—especially for high-volume or high-risk merchants. The goal is to restore a framework of trust by imposing strong authentication where, until now, exceptions were made. 

2. A deep transformation of payment journeys

One of the first visible effects of the OSMP Plan concerns the use of DTA (direct to authorisation), a method historically used by some merchants and PSPs but non-compliant with DSP2 regulation. This method bypasses the rules to avoid strong authentication and limit costs associated with 3DS, leading to an increase in fraud rates.

End of DTA (direct to authorization)

Starting in May 2025, any transaction initiated via DTA without strong customer authentication (SCA) will be systematically rejected with a soft decline.

Merchants must ensure they send the correct data fields to maximise their chances of benefiting from exemptions: Acquirer TRA (Transaction risk analysis), Issuer TRA, Low Value Payment

Strengthening rules for recurring payments (MIT)

Each MIT (Merchant initiated transaction) payment must be linked to an initial Customer initiated transaction (CIT) authenticated via 3DS.

Chains must be complete, validated, and understandable by issuers. Generic or empty identifiers are no longer tolerated.

Enhanced controls are expected starting in the second quarter of 2025, with sanctions including a €0 velocity cap for non-compliant merchants.

Impact on one-click payments / saved cards

Frictionless use remains possible, but only if :

• The initial authentication was done via 3DS
• The call to the issuer includes a complete dataset: email, IP, browser, cardholder name, delivery country
• Without these data, the exemption is likely to be refused, which can lead to a drop in conversion rates

In this new context, transactional data becomes strategic. Its quality determines access to exemptions and, more broadly, the fluidity of the payment journey. The OSMP thus introduces a new dynamic: merchants must not only secure their flows but also make them readable and usable by issuers.

3. How to adapt your payment strategy to OSMP recommendations?

While the first OSMP measures are already in effect, merchants must shift from passive compliance to a proactive approach to optimizing flows. It's no longer just about understanding the rules, but adapting your tools, contracts, and processes to maintain high performance within a more demanding regulatory framework.

Integrate 3-D Secure from the start of the payment journey

The gradual disappearance of DTA requires a rethink of authentication logic. It is essential to stop bypassing the 3DS route and ensure the right information is transmitted to benefit from exemptions. This shift involves reassessing authentication management by optimising data handling and ensuring the ability to communicate with the authentication servers in a manner that is suitable according to the type of transaction and cards used by the customer.

Bring recurring payments (MIT) into compliance

For MIT payments, the challenge is now traceability. Each recurring flow must be linked to an authenticated original CIT via a clear, compliant, and technically readable chain. This requires reviewing the history of existing mandates, identifying risk cases (incomplete chains, grandfathering, multiple PSPs), and planning corrective actions. In some cases, this may require partial reconstruction of paths or even re-tokenization.

Structure data for better dialogue with issuers

The OSMP reinforces an underlying trend: access to frictionless payments no longer depends solely on the PSP's scoring but also on the quality of data transmitted to the issuer. Elements like email, IP, browser, delivery country, and cardholder name must be systematically enriched and normalised in compliance with GDPR. This work involves technical, payment, fraud, and even CRM teams.

This data foundation will enable stable frictionless rates in future—or allow for the negotiation of specific tolerance thresholds with certain issuers.

Anticipate upcoming contractual discussions

Finally, this new era of payments comes with an increasing individualisation of rules: MOTO exemptions negotiated case-by-case, personalised velocity thresholds, and post-decline retry strategies adapted per actor. It is becoming strategic to be supported by a PSP capable of negotiating directly with issuers, anticipating network evolutions, and providing transparency on flow processing. The choice of provider plays a decisive role here.

4. Payplug supports you in implementing the OSMP plan

Payplug, a French PSP belonging to the Groupe BPCE, is directly connected to the CB network and maintains close relationships with French issuers. This allows us to provide our clients with a precise operational reading of the OSMP and, most importantly, support them with concrete tools.

Our solutions include:

• An intelligent 3DS authentification engine based on CB rules and French best practices. We apply 3DS systematically, with a logic of optimizing frictionless exemptions thanks to our Fraud Premium offer.
• Advanced MIT management, including chain verification, token management, and monitoring of incoming data. We support our clients in the progressive compliance of their existing subscriptions.
• Optimised routing via the CB network, prioritizing low-cost flows, particularly through our integration with FastPass. This maximizes acceptance rates while reducing interchange fees.
• Native compatibility with Safe’R, CB's strong authentication solution, made possible by our ability to capture and process transactional data from our own vault solution.
• Finally, our belonging to the Groupe BPCE, which represents 20% of the French market², gives us direct visibility into processing and compliance issues, enabling us to act quickly in case of incidents or regulatory changes.

Conclusion: from compliance to performance

The OSMP recommendations aims to enforce existing rules, particularly those from DSP2. Its objective is to mandate the systematic use of 3-D Secure in remote payment journeys.

What was previously tolerated—generalised exemptions, flows without strong authentication—will no longer be accepted. Starting in May 2025, only payments that comply with authentication requirements or clearly justified exemptions will be accepted.

In this new framework, it is essential to review payment journeys, the quality of transmitted data, and relationships with PSPs to remain performant while respecting the rules.

Working with an actor deeply rooted in the French ecosystem, who understands issuers' expectations, domestic network behaviors, and CB market dynamics, becomes a differentiating factor.

This proximity—technical, regulatory, and operational—will enable merchants to limit friction, preserve performance, and anticipate the next steps of the OSMP recommendations with agility.

👉 Want to review your journey or benefit from support tailored to  the French context? Payplug experts are here to assist you.

¹ Banque de France
² Groupe BPCE data, 2024