Documentation
API ReferenceRecipesChangelogCommunity

3D Secure Liability Shift

A liability shift happens when certain types of fraudulent or disputed transactions occur and the responsibility is moved from one party in the payment flow (you, merchant, etc.) to another (the card issuer).

When the liability shift applies, the issuer becomes responsible for fraud chargebacks. When it does not apply, the merchant remains liable for the disputed funds.

⚠️

Prepaid cards do not receive a liability shift.

Mastercard

Mastercard 4837: No Cardholder Authorization

A liability shift applies, which prevents issuers from opening chargebacks with reason code 4837 for transactions properly authenticated and identified through 3DS.

The liability shift applies to the following Electronic Commerce Indicator (ECI) values:

  • ECI 01: Attempted
  • ECI 02: Authenticated

The Mastercard fraud chargeback liability shift does not apply if the ECI is 00.

Visa

Visa 10.4: Other Fraud – Card-Absent Environment

The liability shift applies to the following ECI values (provided that the transaction does not meet any of the criteria for exclusions listed in the table below):

  • ECI 05: Authenticated
  • ECI 06: Attempted

The Visa fraud chargeback liability shift provided with 3DS does NOT apply under the following conditions:

⚠️

ECI 06 Alone Done Not Guarantee Liability Shift

ECI 06 indicates attempted authentication, and is subject to additional exclusions that can disqualify a transaction from liability shift protection. Common disqualifiers include:

Scope

Restriction

ECI

Description

Global

07

Liability shift does not apply

Global

Any

An Electronic Commerce Transaction in which the Issuer responded to an Authentication Request with either:

  • Unable-to-Authenticate Response
  • Authentication Denial

Global

CAVV Missing

05 or 06

Merchants will receive a CAVV for authenticated and attempted authentication transactions which they must provide in the authorization message.

For ECI 05 or ECI 06 transactions where a CAVV was not received in authorization, the ECI will be reclassified to ECI 07.

Global

Non-Reloadable Prepaid

06

Non-reloadable Visa prepaid cards are not required to participate in the Visa Secure program, but issuers may elect to participate. In terms of liability:

  • Authentication: If a non-reloadable Visa prepaid card is authenticated during Visa Secure program (ECI 05), the merchant is protected against specific Dispute reason codes.
  • Attempted Authentication: If authentication is attempted on a non-reloadable Visa prepaid card (ECI 06), the merchant does not receive liability protection on e-commerce fraud-related Disputes. ECI is reclassified to 07.

Global

Visa Fraud Monitoring Program

05 or 06

Merchants are not protected if they have been identified in the program.

U.S.

Visa 3-D Secure Fraud Monitoring Program

05 or 06

Merchants are not protected if they have been identified in the program.

U.S

Merchant Restricted Merchant Category Codes (MCCs)

05 or 06

Merchants are not protected if their MCC is one of the following:

  • MCC 4829: Wire Transfer/Money Order
  • MCC 5967: Direct Marketing-Inbound Teleservices
  • MCC 6051: Non-Financial Institution-Foreign Currency, Money Order (not Wire Transfer), Travelers’ Cheques
  • MCC 7995: Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting and Wagers at Race Tracks
  • MCC 6540: Non-Financial Institutions: Stored Value Card Purchase / Load
  • MCC 7801: Government Licensed On-Line Casinos (On-Line Gambling)
  • MCC 7802: Government-Licensed Horse/Dog Racing

Other Resources

  • 3DS: 3DS Overview
  • 3DS FAQs: General 3DS Frequently asked questions

Updated 6 days ago