Secure payments: standards and e-commerce certifications

Secure online payments: PCI-DSS, 3D Secure 2.0, SSL/TLS and mandatory certifications for e-commerce sites in 2026.

Certyneo Team, Writer at Certyneo · 3 min read


The security of transactions has become a strategic issue for every e-commerce site. According to the Banque de France, the fraud rate on online payments reached 0.193% in 2023, approximately 10 times higher than in-store payments. Faced with this risk, merchants must rely on a strict ecosystem of technical standards and regulatory certifications. Understanding these frameworks is not optional: it is a legal, commercial and insurance obligation that determines consumer confidence and business sustainability.

PCI DSS: the global foundation for card security

The Payment Card Industry Data Security Standard (PCI DSS), issued by the PCI Security Standards Council (Visa, Mastercard, American Express, Discover, JCB), is the mandatory framework for any organisation storing, processing or transmitting payment card data. Version 4.0, fully applicable since 31 March 2024, imposes 12 major requirements distributed across 6 objectives: secure the network, protect data, manage vulnerabilities, control access, monitor systems and maintain a security policy.

Compliance level depends on annual transaction volume:

  • Level 1: more than 6 million transactions/year — annual audit by a QSA (Qualified Security Assessor)
  • Level 2: 1 to 6 million — self-assessment SAQ + quarterly ASV scan
  • Levels 3 and 4: fewer than 1 million — simplified SAQ

Non-compliance exposes merchants to fines ranging from €5,000 to €100,000 per month, or even loss of card acceptance approval.

3D Secure 2 and strong authentication (SCA)

Mandated by the European PSD2 Directive (DSP2 in French) and its Regulatory Technical Standards (RTS), strong customer authentication (SCA) has been mandatory in France since 15 May 2021. It relies on combining at least two of three factors: knowledge (a password), possession (a smartphone) and inherence (biometrics).

The 3D Secure 2.x protocol (EMV 3DS) replaces the first-generation protocol. It enables real-time risk analysis on more than 100 contextual data points (device fingerprint, purchase history, shopping cart), which allows "frictionless" journeys without a challenge for low-risk transactions. The result: the conversion rate is preserved and fraud liability is transferred to the card issuer (liability shift).

Tokenisation, encryption and complementary certifications

Tokenisation replaces sensitive card data with a non-exploitable identifier (a token), which drastically reduces the PCI DSS scope because the merchant's systems no longer hold card numbers. Combined with TLS 1.2 at minimum (TLS 1.3 recommended) for transport encryption and HSMs (Hardware Security Modules) certified to FIPS 140-2 Level 3 for key storage, it constitutes current best practice.
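As an added illustration that is not part of the original article, the following Python sketch shows the scope reduction in practice: only a hypothetical vault ever sees the PAN, the merchant record keeps a random token plus a masked PAN, and the CVV is never persisted. The in-memory vault and the well-known Visa test number 4111 1111 1111 1111 are assumed stand-ins for a PSP-hosted vault and a real card.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a merchant screen needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory vault: the only component that holds PANs,
    and therefore the only one that stays in PCI DSS scope."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)  # random, not derivable from the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def build_merchant_record(vault: TokenVault, pan: str, expiry: str, cvv: str) -> dict:
    """What the merchant database may keep: token, masked PAN and expiry."""
    token = vault.tokenize(pan)
    del cvv  # used once for the authorisation request (not shown), never stored
    return {"token": token, "masked_pan": mask_pan(re.sub(r"\D", "", pan)), "expiry": expiry}


def record_leaks_card_data(record: dict, pan: str) -> bool:
    """Scope check: a full PAN or any CVV field puts the record back in PCI DSS scope."""
    digits = re.sub(r"\D", "", pan)
    return "cvv" in record or any(digits in str(v) for v in record.values())
```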

Other certifications strengthen a merchant site's credibility:

  • ISO/IEC 27001: information security management
  • SOC 2 Type II: operational controls at cloud service providers
  • PSP certification by the ACPR for payment institutions
  • eIDAS label for qualified electronic signatures

Beyond PSD2, several texts govern online payment: the Monetary and Financial Code (articles L.133-1 et seq.) sets responsibilities in case of fraud; the GDPR (EU regulation 2016/679) requires minimisation of collected banking data; the DORA regulation (applicable since January 2025) strengthens the digital operational resilience of financial actors. The CNIL regularly sanctions breaches: in 2023, several e-commerce sites were flagged for non-compliant CVV storage.

Conclusion

Payment security is not limited to ticking regulatory boxes: it is a direct investment in conversion rate and reputation. A site compliant with PCI DSS 4.0, integrating 3DS2 with intelligent exemptions and tokenisation, reduces both fraud (up to -80%) and cart abandonment. Annually auditing your payment service provider (PSP) and keeping your compliance documentation up to date are essential practices for any serious e-commerce merchant.
