Liability Shift
What is Liability Shift?
The 3D Secure liability shift is a rule protecting you from fraudulent transactions.
For example, if your consumer denies they authorised or made a purchase, (due to a lost or stolen card) and the 3D Secure authentication was successful (following either the frictionless or challenge flow), the liability for the payment shifts from you to the issuing bank.
If the 3D Secure authentication:
-
was attempted but not successful
-
could not be performed
-
failed
the liability does not shift and remains with you.
When Liability Shift does not apply
Liability shift does not apply to the following transactions:
-
When Exemptions to Strong Customer Authentication (3DS2 ) are used.
-
MIT (recurring MIT)
-
MOTO
Liability Shift Rules
The following 3D Secure 2 versions are supported:
- 3DS2.1
- 3DS2.2
Electronic Commerce Indicator
The Electronic Commerce Indicator (ECI) is a value returned by Directory Servers (for example Visa, Mastercard, American Express, JCB), which represents the authentication outcome of 3D Secure 2 transactions .
A cryptogram is a unique value returned by Directory Servers when authentication is successful. The liability shifts to the issuing bank when 3D Secure authentication is successful, except for a few cases where it depends on the cryptogram being available from the card scheme's directory server.
Card schemes observe liability shift rules based on a combination of ECI values and the presence of the cryptogram in the response from the Directory Server.
Authentication Successful
The liability shifts to the issuing bank when authentication is successful (following the frictionless or challenge flow), except for a few cases where it depends on the cryptogram being available.
| 3D Secure Authentication Result | Electronic Commerce Indicator | Card Scheme | Liability Shift | Tip |
|---|---|---|---|---|
| Authentication Successful | 5 |
Visa Amex JCB |
YES | |
| Authentication Successful |
02 N2 |
Mastercard | YES | |
| Authentication Successful | 06 | Mastercard | NO |
ECI value of 06 from Mastercard indicates the transaction is out of scope for Secure Customer Authentication. In this case, the merchant is not covered by liability shift. |
| Authentication Successful | 6 |
Visa Amex JCB |
YES | ECI value of 6 when received along with a cryptogram when authenticating Visa, Amex, JCB cards, indicates the authentication is successful. |
| Authentication Successful | 1 | Mastercard | YES |
ECI value of 1 received while authenticating Mastercard cards, indicates the authentication is performed by a stand-in service, and is classed as successful. In this case, the merchant is covered by liability shift. |
Authentication Attempted but not Successful
| 3D Secure Authentication Result | Electronic Commerce Indicator | Card Scheme | Liability Shift | Tip |
|---|---|---|---|---|
| Authentication Attempted but not Successful | 6 |
Visa Amex JCB |
NO |
ECI value of 6 when received without a cryptogram when authenticating Visa, Amex, JCB cards, indicates the authentication has not been successful. In this case, the merchant is not covered by liability shift. |
| Authentication Attempted but not Successful | 4 | Mastercard | NO | |
| Authentication Attempted but not Successful | 1 | Mastercard | NO |
ECI value of 1 when received without a cryptogram when authenticating Mastercard cards, indicates the authentication has not been successful. In this case, the merchant is not covered by liability shift. |
Authentication could not be Performed
| 3D Secure Authentication Result | Electronic Commerce Indicator | Card Scheme | Liability Shift |
|---|---|---|---|
| Authentication could not be Performed | Any values not already listed | ANY | NO |
Authentication Failed
| 3D Secure Authentication Result | Electronic Commerce Indicator | Card Scheme | Liability Shift |
|---|---|---|---|
| Authentication Failed |
7 00 |
Visa Amex JCB |
NO |
| Authentication Failed | NO | Mastercard | NO |