Online fraud: what merchants need to know in 2025

Updated on 20 June 2025 by Alison Giansetto

Online fraud remains a persistent challenge for e-merchants. As fraudsters continuously adapt to regulatory loopholes, merchants must stay one step ahead. Fortunately, with the right fraud prevention strategy, it’s possible to protect your business and your customers.

Fraud techniques are becoming increasingly sophisticated

The introduction of strong customer authentication (SCA) through the Payment Services Directive 2 (PSD2) has helped reduce fraudulent payments, but it hasn’t eliminated them entirely. Even transactions secured via 3-D Secure (3DS) aren’t always foolproof—fraudsters are already finding ways around the system.

One of the most prevalent tactics today: refund fraud.

How does refund fraud work?
Fraudsters simulate returns, report fake delivery issues, and demand refunds. This method has become so advanced that some so-called “experts” offer it as a paid service to other fraudsters.
Because refund scams often resemble legitimate purchase behaviours, they’re notoriously difficult to detect at the point of sale.

Beyond refund fraud, fraudsters are diversifying their tactics through:

  • identity theft using synthetic or stolen identities;
  • exploitation of flaws in risk scoring systems and human error;
  • the use of artificial intelligence (AI) to generate fake documents and automate attacks.

Payment fraud isn’t just the work of amateurs anymore—it’s driven by organised, professional actors who test the limits of security systems and adapt quickly to new defences.

Regulatory changes and what they mean for you

With the rollout of PSD2, e-commerce businesses have developed strategies to deliver a frictionless shopping experience by leveraging exemptions to Strong Customer Authentication (SCA).

Fraudsters, however, seized on this loophole. In 2023, non-3DS payments were four times more likely to result in fraud than authenticated transactions (0.358% vs. 0.095%) [1].

In this context, the latest recommendations from the OSMP address this issue by reinforcing the strong customer authentication (SCA) requirement for specific types of transactions.

Here’s what’s changing:

  • Direct to Authorisation (DTA) payments without strong authentication will now be systematically declined;
  • Merchant Initiated Transactions (MIT) must include a valid chaining reference in order to be approved.

This initiative is part of a broader European effort to harmonise online payment security under the upcoming Payment Service Regulation (PSR), set to take effect by 2027.

By aligning with the OSMP plan, you’re not only strengthening the security and performance of your payments—you’re also staying ahead of future compliance standards.

Best practices for tackling fraud

1. Leverage behavioural data to flag suspicious transactions. 

Spotting fraudulent activity requires powerful tools capable of detecting and blocking high-risk payments. That’s why at Payplug, we’ve developed a suite of fraud prevention solutions—from an adaptive rule engine and exemption management tool to hands-on support from our in-house experts.

2. Adjust your payment strategy to align with OSMP directives.

That means understanding how the changes affect your operations and anticipating potential dips in acceptance rates. It’s essential to work closely with your payment service provider (PSP) to maintain optimal performance across France and Europe.

Thanks to our direct connection with Groupe BPCE, our close relationship with Cartes Bancaires, and our fraud expertise, we support you at every step—lowering your fraud rate, boosting payment performance, and helping you stay ahead of the curve.

Take action now to protect your business.

[1] Source: Banque de France, 2023.
