Understanding 3D Secure Liability Shift
Liability shift means that, under specific conditions, the responsibility for fraudulent card-not-present (CNP) transactions moves from the merchant to the card issuer when 3D Secure (3DS) authentication is used correctly.
In simple terms:
-
Without 3DS
→ The merchant is usually liable for fraud-related chargebacks. -
With valid 3DS authentication (or attempted authentication in some cases)
→ The issuer becomes liable for certain fraud disputes.
Not every transaction that goes through 3D Secure automatically benefits from liability shift. The outcome depends on how authentication was performed and how the transaction was processed. Understanding these scenarios helps you set the right expectations and protect your business.
Electronic Commerce Indicator (ECI)
The Electronic Commerce Indicator (ECI) is a value sent with the transaction that tells the card network and the issuer what level of 3DS authentication took place.
ECI is one of the key elements used by issuers to determine whether liability shift applies.
Different card schemes use different ECI values for similar scenarios. While ECI does not guarantee liability shift on its own, it is a strong indicator of what you can expect.
When does liability shift apply?
Scenarios where liability shift applies
| Scenario | Authentication Status | Visa ECI | Mastercard ECI |
|---|---|---|---|
| Fully authenticated (challenge or frictionless) | Y | 05 | 02 |
| Attempted authentication | A | 06 | 01 |
| Exemption applied (e.g. secure corporate, low-value) | Y | 05 | 02 |
| 3RI and decoupled authentication | Y | 05 (challenge) 07 (frictionless) |
02 |
Scenarios where liability shift does not apply
| Scenario | Visa Authentication Status | Mastercard Authentication Status | Visa ECI | Mastercard ECI |
|---|---|---|---|---|
| TRA exemption requested | Y | I | 06 | 06 |
| No challenge requested (challengeIndicator = 07) | Y | I | 06 | 06 |
| Data-only authentication (challengeIndicator = 06) | I | I | 07 | 06 |
| Mastercard IDCI (Identity Check Insights) | n/a | U | n/a | 04 |
| Not authenticated transaction | N | N | 07 | 00 |
| Error during 3D Secure | U | U | 07 | 00 |
| Authentication rejected | R | R | 07 | 00 |
Key points to remember
- Data-only 3DS does not provide liability shift.
- Recurring and Merchant-Initiated Transactions (MITs) do not receive liability shift unless they are authenticated using 3RI.
- Most exemptions do provide liability shift, with the important exception of the Transaction Risk Analysis (TRA) exemption.
Best practices
To maximize frictionless customer experiences while still benefiting from liability shift:
- Use the appropriate exemptions where applicable
- Provide as many data points as possible during authentication
- Ensure your 3DS integration is correctly configured and up to date
This approach helps issuers make confident decisions while maintaining a smooth checkout experience.