OSMP plan: how to adapt your payment strategy in France?

Posted on 27 March 2025 by Lucas Goncalves

Since November 2024, the online payment landscape in France has been rapidly evolving under the OSMP Plan, a program led by the Observatoire de la Sécurité des Moyens de Paiement and overseen by the Banque de France. As the first regulatory deadlines are already in effect, businesses must now adapt to more stringent regulations that enhance security standards for remote payments.

For executives, financial managers, or payment experts, this evolution means adhering to "best practices" in payment processes, technological choices, and relationships with service providers.

In this article, we analyze how the tightening of rules will impact your payment strategy and how Payplug, a French payment solution that is part of Groupe BPCE, can help you navigate this regulatory constraint to reduce fraud while maintaining conversion rates.

1. OSMP: From regulation to practical application

Launched to address the increase in online payment fraud, the entry into force of the RTS¹ aims to generalize the application of the 3-D Secure (3DS) protocol while encouraging the smart use of exemptions to preserve user experience. The initial observation is clear: in 2023, payments without 3DS generated four times more fraud than authenticated ones (0.358% vs. 0.095%)¹.

Since February 10, 2025, payments initiated without 3DS have been limited to a €50 cap per card and per merchant over a 24-hour period. This threshold dropped to €30 on March 10 and will fall to €0 by April 10¹.
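The cap schedule above can be applied as a merchant-side check before a payment is sent without 3DS. The code below is an added example, not Payplug or Banque de France code; it assumes the cap counts cumulative non-3DS spend over a rolling 24 hours and that a payment landing exactly on the cap still passes, and the card token and merchant identifiers are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Cap schedule stated in the article, in euro cents (dates in 2025).
CAP_SCHEDULE = [
    (datetime(2025, 2, 10), 5000),
    (datetime(2025, 3, 10), 3000),
    (datetime(2025, 4, 10), 0),
]
WINDOW = timedelta(hours=24)


def cap_cents(at):
    """Return the non-3DS cap in force at `at`, or None before the first deadline."""
    cap = None
    for start, value in CAP_SCHEDULE:
        if at >= start:
            cap = value
    return cap


class Non3dsVelocity:
    """Tracks non-3DS spend per (card token, merchant) over a rolling 24 hours."""

    def __init__(self):
        self._spend = defaultdict(deque)  # key -> deque of (timestamp, cents)

    def decide(self, card_token, merchant_id, cents, at):
        """Return 'send_without_3ds' or 'require_3ds'; record spend when allowed."""
        cap = cap_cents(at)
        window = self._spend[(card_token, merchant_id)]
        while window and at - window[0][0] >= WINDOW:
            window.popleft()  # drop payments older than 24 hours
        used = sum(c for _, c in window)
        # Assumption: reaching the cap exactly is allowed, exceeding it is not.
        if cap is not None and used + cents > cap:
            return "require_3ds"
        window.append((at, cents))
        return "send_without_3ds"
```

Once the cap reaches €0, every payment routes to 3DS, so the check is mainly useful for replaying historical traffic to estimate how many payments the cap would have affected.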

Only certain transactions will still benefit from a "frictionless" exemption, provided the issuer deems the risk level sufficiently low.

Another major change is the end of derogatory regimes like the MOTO sectoral exemption.

For customer experience reasons, sectors like mail order, travel, or hospitality have historically used MOTO (Mail Order / Telephone Order), where cards are used without strong authentication. Until now, these transactions benefited from a generalized exemption to facilitate remote sales.

However, this tolerance has deviated from its initial objective: a growing share of fraud has shifted to these paths, perceived as more vulnerable.

This exemption will end. Derogatory regimes like the MOTO sectoral exemption are being replaced by individualized schemes, negotiated on a case-by-case basis with issuers—especially for high-volume or high-risk merchants. The goal is to restore a framework of trust by imposing strong authentication where it was previously exempted.


2. A deep transformation of payment paths

One of the first visible effects of the OSMP Plan concerns the use of DTA (direct to authorization), a method historically used by some merchants and PSPs but non-compliant with DSP2 regulation. This method bypasses the rules to avoid strong authentication and limit costs associated with 3DS, leading to an increase in fraud rates.

End of DTA (direct to authorization)

Starting in April 2025, any transaction initiated via DTA without strong customer authentication (SCA) will be systematically rejected with a soft decline.

Merchants must ensure they send the correct data fields to maximize their chances of benefiting from exemptions: Acquirer TRA, Issuer TRA, Low Value Payment.

Strengthening rules for recurring payments (MIT)

Each MIT payment must be linked to an initial transaction (CIT) authenticated via 3DS. Chains must be complete, validated, and understandable by issuers. Generic or empty identifiers are no longer tolerated.

Enhanced controls are expected starting in the second quarter of 2025, with sanctions including a €0 velocity cap for non-compliant merchants.

Impact on one-click payments / saved cards

Frictionless use remains possible, but only if:

  • The initial authentication was done via 3DS
  • The call to the issuer includes a complete dataset: email, IP, browser, cardholder name, delivery country

Without these data, the exemption is likely to be refused, which can lead to a drop in conversion rates.

In this new context, transactional data becomes strategic. Its quality determines access to exemptions and, more broadly, the fluidity of the payment path. The OSMP thus introduces a new dynamic: merchants must not only secure their flows but also make them readable and usable by issuers.


3. How to adapt your payment strategy to OSMP recommendations?

As the first OSMP measures are already in effect, merchants must shift from passive compliance to a proactive approach to optimising flows. It's no longer just about understanding the rules but adapting your tools, contracts, and processes to maintain high performance within a more demanding regulatory framework.

Integrate 3-D Secure into paths from initiation

The gradual disappearance of DTA requires a rethink of authentication logic. It is essential to no longer bypass the 3DS route and ensure the right information is transmitted to benefit from exemptions. This shift involves reassessing authentication management by optimizing data handling and ensuring communication with the most appropriate authentication servers based on transaction and card types.

Comply with recurring payments (MIT)

For MIT payments, the challenge is now traceability. Each recurring flow must be linked to an authenticated original CIT via a clear, compliant, and technically readable chain. This requires reviewing the history of existing mandates, identifying risk cases (incomplete chains, grandfathering, multiple PSPs), and planning corrective actions. In some cases, this may require partial reconstruction of paths or even re-tokenization.
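The mandate review described here, and the MIT chain rules stated in section 2, can be run as an audit over stored transactions. The code below is an added example, not Payplug's implementation; the record keys, the sample ledger and the patterns treated as "generic" references are all assumptions.

```python
import re

# Assumed patterns for a "generic" reference (one repeated character or a
# placeholder word); adjust to what your acquirer rejects.
GENERIC_REF = re.compile(r"^(?:(.)\1*|n/?a|none|null|unknown|test)$", re.I)

# Constructed sample ledger; every key name is hypothetical.
SAMPLE = [
    {"id": "cit_1001", "kind": "CIT", "card_token": "tok_A", "psp": "psp1", "ts": 1, "three_ds": True},
    {"id": "cit_1002", "kind": "CIT", "card_token": "tok_B", "psp": "psp1", "ts": 2, "three_ds": False},
    {"id": "mit_2001", "kind": "MIT", "card_token": "tok_A", "psp": "psp1", "ts": 10, "initial_ref": "cit_1001"},
    {"id": "mit_2002", "kind": "MIT", "card_token": "tok_B", "psp": "psp1", "ts": 11, "initial_ref": "cit_1002"},
    {"id": "mit_2003", "kind": "MIT", "card_token": "tok_C", "psp": "psp2", "ts": 12, "initial_ref": "000000000000"},
    {"id": "mit_2004", "kind": "MIT", "card_token": "tok_D", "psp": "psp2", "ts": 13, "initial_ref": ""},
    {"id": "mit_2005", "kind": "MIT", "card_token": "tok_E", "psp": "psp2", "ts": 14, "initial_ref": "cit_9999"},
    {"id": "mit_2006", "kind": "MIT", "card_token": "tok_A", "psp": "psp2", "ts": 15, "initial_ref": "cit_1001"},
]


def audit_mit_chains(transactions):
    """Return {mit_id: [findings]} for each MIT with a defective chain to its CIT."""
    by_id = {t["id"]: t for t in transactions}
    report = {}
    for tx in transactions:
        if tx["kind"] != "MIT":
            continue
        findings = []
        ref = (tx.get("initial_ref") or "").strip()
        if not ref:
            findings.append("empty_reference")
        elif GENERIC_REF.match(ref):
            findings.append("generic_reference")
        elif ref not in by_id:
            findings.append("unknown_reference")  # incomplete chain
        else:
            cit = by_id[ref]
            if cit["kind"] != "CIT":
                findings.append("reference_is_not_a_cit")
            elif not cit.get("three_ds"):
                findings.append("cit_not_3ds_authenticated")
            if cit["card_token"] != tx["card_token"]:
                findings.append("card_token_mismatch")  # re-tokenization candidate
            if cit["psp"] != tx["psp"]:
                findings.append("cit_held_by_other_psp")
            if cit["ts"] >= tx["ts"]:
                findings.append("cit_not_before_mit")
        if findings:
            report[tx["id"]] = findings
    return report
```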

Structure data for better dialogue with issuers

The OSMP reinforces a fundamental trend: access to frictionless payments no longer depends solely on the PSP's scoring but also on the quality of data transmitted to the issuer. Elements like email, IP, browser, delivery country, and cardholder name must be systematically enriched and normalized in compliance with GDPR. This work involves technical, payment, fraud, and even CRM teams.

This data foundation will make it possible to maintain stable frictionless rates in the future, or to negotiate specific tolerance thresholds with certain issuers.
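The five data elements listed for one-click payments and in this section can be normalized and checked before the authentication request is built. The code below is an added example, not part of any PSP's API; the field names and validation rules are assumptions, and the inputs in the usage are constructed.

```python
import ipaddress
import re

# Field names are hypothetical; map them to your PSP's API.
REQUIRED = ("email", "ip", "browser", "cardholder_name", "delivery_country")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def prepare_issuer_dataset(raw):
    """Normalize the five fields and return (clean, problems)."""
    clean, problems = {}, []
    for field in REQUIRED:
        value = " ".join(str(raw.get(field) or "").split())  # trim, collapse spaces
        if not value:
            problems.append(f"{field}: missing")
            continue
        if field == "email":
            value = value.lower()  # common normalization, applied to the whole address
            if not EMAIL_RE.match(value):
                problems.append("email: malformed")
                continue
        elif field == "ip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                problems.append("ip: malformed")
                continue
            # An internal address usually means a proxy or load balancer IP
            # was captured instead of the customer's.
            if (addr.is_loopback or addr.is_link_local
                    or any(addr in net for net in RFC1918)):
                problems.append("ip: internal address, not the customer's")
                continue
            value = str(addr)
        elif field == "delivery_country":
            value = value.upper()
            if not re.fullmatch(r"[A-Z]{2}", value):
                problems.append("delivery_country: expected ISO 3166-1 alpha-2")
                continue
        clean[field] = value
    return clean, problems
```

Counting the `problems` entries per field across a day of traffic shows which part of the integration is degrading the dataset sent to issuers.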

Anticipate upcoming contractual discussions

Finally, this new era of payments comes with increasing individualization of rules: MOTO exemptions negotiated case-by-case, personalized velocity thresholds, and post-decline retry strategies adapted per actor. It is strategic to be supported by a PSP capable of negotiating directly with issuers, anticipating network evolutions, and providing transparency on flow processing. The choice of provider plays a decisive role here.

4. Payplug supports you in implementing the OSMP plan

Payplug, a French PSP part of the Groupe BPCE, is directly connected to the CB network and maintains close relationships with French issuers. This allows us to provide our clients with a precise operational reading of the OSMP and, most importantly, support them with concrete tools.

Our solutions include:

  • A smart 3DS rule engine based on CB rules and French best practices. We apply 3DS systematically, with a logic of optimizing frictionless exemptions thanks to our Fraud Premium module.
  • Advanced MIT management, including chain verification, token management, and monitoring of incoming data. We support our clients in the progressive compliance of their existing subscriptions.
  • Optimised routing via the CB network, prioritizing low-cost flows, particularly through our integration with FastPass. This maximizes acceptance rates while reducing interchange fees.
  • Native compatibility with Safe’R, CB's strong authentication solution, made possible by our ability to capture and process transactional data from our own vault solution.
  • Finally, our membership of Groupe BPCE, which represents 20% of the French market², gives us direct visibility into processing and compliance issues, enabling us to act quickly in case of incidents or regulatory changes.

Conclusion: from compliance to performance

The OSMP Plan aims to enforce existing rules, particularly those from DSP2. Its objective is to mandate the systematic use of 3-D Secure in remote payment paths.

What was previously tolerated—generalized exemptions, flows without strong authentication—will no longer be accepted. Starting in April 2025, only payments compliant with authentication or clearly justified exemption requirements will be accepted.

In this new framework, it is essential to review payment paths, the quality of transmitted data, and relationships with PSPs to remain performant while respecting the rules.

Working with an actor deeply rooted in the French ecosystem, who understands issuers' expectations, domestic network behaviors, and CB market dynamics, becomes a differentiating factor.

👉 Want to review your paths or benefit from tailored support in the French context? Payplug experts are here to help.

¹ Banque de France
² Groupe BPCE data, 2024
