Documentation
API ReferenceRecipesChangelogCommunity
Start typing to search…

New Pilot Program Impacting Liability Shift for Mastercard 3-D Secure Transactions

Effective 27 February 2026, Mastercard is launching a pilot for the Identity Check Approved Merchant List. This program acts as a filter during the authentication process to detect and block "ghost" merchants and fraud.

If a business is not included on the Approved Merchant List and a transaction is flagged as "Non-Low Risk" by Mastercard, the transaction will be automatically converted to a Data Share Only (DSO) transaction. In this scenario, merchants will retain liability for fraud, even if a standard 3-D Secure authentication was attempted.

How the New Logic Works

During the pilot (which involves selected U.S. Issuer account ranges but affects merchants in both the US and Canada), Mastercard’s Directory Server will perform the following checks upon receiving your Authentication Request:

  1. Is the Merchant on the Approved List?
    1. YES: The transaction proceeds to the Issuer’s ACS for standard authentication (Business as Usual). Liability shift applies if successful.
    2. NO: The system checks the Mastercard Smart Authentication Risk Score.
  2. Risk Score Evaluation (If NOT on the list):
    1. Low Risk: The transaction proceeds to standard authentication. Liability shift applies.
    2. Non-Low Risk: The transaction is converted to Data Share Only (DSO). The Issuer receives the data, but no challenge is performed. Liability Shift is LOST.

Required Action

  • The following combination of elements in the Authentication Response (ARes) indicates that liability protection does not apply:
    • Transaction Status: I (Informational)
    • ECI: 06
    • UCAF is present
  • Please note that ECI 06 does not provide liability shift for fraud chargebacks on the Mastercard network, even if a cryptogram was received, and proceeding with the transaction means accepting the risk of a fraud chargeback. Issuers are not liable for fraud on ECI 06 transactions where Status = I (Informational).

Frequently Asked Questions (FAQs)

Why is Mastercard implementing this list?

This program is designed to protect the payment ecosystem from "ghost" merchants and scams. By distinguishing legitimate "good actor" merchants from potential threats, Mastercard aims to reduce fraud and improve approval confidence for legitimate businesses.

How do I get added to the Approved Merchant List?

During the pilot phase, Mastercard selects merchants automatically based on predetermined criteria, including historical fraud performance. There is no application process for you to join the list at this time. An enrollment process will be defined for the future commercial rollout.

I am a legitimate merchant. Why wouldn't I be on the list?

The list is curated based on specific risk criteria. Being off the list does not mean you are flagged as fraudulent; it simply means your transactions will be subject to a real-time risk score by Mastercard. If your transactions are scored as "Low Risk," they will proceed normally with full liability protection.

What exactly are the responses in the API response if I am converted to DSO?

Typically, for standard authentications, you might expect a Transaction Status of Y (Success) or C (Challenge). Under this mandate, if you are converted, you will receive Transaction Status I (Informational). Additionally, the Electronic Commerce Indicator (ECI) will be 06.

Does `Transaction Status I` always mean I am liable?

Yes. Status I combined with ECI 06 explicitly means "Data Share Only" or "Merchant Risk-Based Decisioning." In these cases, the issuer has not authenticated the cardholder, and merchant fraud liability protection does not apply.

Will my transactions be declined if I am not on the list?

No, being off the list just means the transaction is evaluated by the risk score.

  • Low Risk: Proceed as usual (Protected).
  • Non-Low Risk: Converted to DSO (Unprotected). You make the final decision on whether to proceed with the transaction after receiving the DSO response.
Which cards does this apply to?

The pilot begins on 27 February 2026 with selected U.S. Issuer account ranges. However, it applies to global online merchants processing transactions for these cards.


Updated 11 days ago