Explaining Liability Shift

This document provides a simple overview of liability shift for card payments, including Apple Pay and Google Pay.

What is Liability Shift

Liability shift is a rule set by card networks (like Visa and Mastercard) that determines which party is responsible for the cost of a fraudulent transaction.

  • Without Liability Shift: The merchant is typically held responsible for the cost of fraud.
  • With Liability Shift: The responsibility for fraud costs shifts from the merchant to the card issuer.

When is Liability Shift Effective

Liability shift becomes effective when a transaction is authenticated using secure methods recognized by card networks. These typically include:

  • 3D Secure (3DS): An additional security layer where the customer confirms their identity with the card issuer during checkout.
  • Network Tokenization: Using secure digital tokens (like those in mobile wallets) instead of actual card numbers.
  • Biometric/Device Authentication: When a user unlocks their device using a fingerprint, face ID, or passcode to authorize a payment.

Upon completion of a transaction, the card scheme sends back an ECI (Electronic Commerce Indicator). Liability shift is only effective when a specific ECI value is provided.


ECI and Liability Shift

The following table summarizes which ECI values offer liability shift.

Card network                   ECI value with liability shift   ECI value without liability shift
Visa, AMEX, Diners, Discover   05, 06                           07
Mastercard                     01, 02                           00, 04, 06

Special Notes for Apple Pay

Frictionless Shift: Because Apple Pay uses device-specific tokens and biometric authentication (FaceID/TouchID), liability shift often occurs "frictionless-ly" for supported networks, meaning no additional 3DS step is required.


Special Notes for Google Pay

Liability shift for Google Pay depends on how the card is stored and used:

  • Web FPAN (Saved Cards): For a New Card saved to a Google Account (used via Chrome or YouTube), liability shift is not automatic and usually requires the merchant to perform a 3DS check.


    Visa Exceptions: Liability shift may not be effective for Visa transactions if the transaction uses a newly entered card on the web (FPAN) without 3DS authentication.

  • Mobile DPAN (Device Tokens): Liability shift is generally automatic for major networks like Visa and Mastercard when using the mobile app.

    Visa Exceptions: Liability shift may not be effective if the merchant has not enabled the expanded merchant liability shift for eligible Visa online transactions via the Google Pay & Wallet Console.

    Additional Reading for Visa Liability shift from Google


How to check if Liability Shift is Effective

Portal

Navigate to the transaction details. The 3DS authentication information on the right-hand side shows the ECI value.


API Response

In our Payment API Response, check one of the parameters:

  • authentication.liabilityShift - If there is a liability shift, the value will be true.
  • authentication.threeDS.mpiData.eci - refer to the values in the table above.
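
The following Python function is an added example, not part of the original page or the payment provider's code. It applies both checks to a parsed API response and fails closed when the ECI is missing, is not listed for the network, or contradicts the liabilityShift flag. Assumptions: only the two field paths named above are taken from the page, liabilityShift is a JSON boolean, the card network is supplied by the caller, and the function name and sample responses are hypothetical.

```python
import json

# ECI values copied from the table on this page, keyed by card network.
_VISA_LIKE = {"shift": {"05", "06"}, "no_shift": {"07"}}
ECI_TABLE = {
    "visa": _VISA_LIKE, "amex": _VISA_LIKE,
    "diners": _VISA_LIKE, "discover": _VISA_LIKE,
    "mastercard": {"shift": {"01", "02"}, "no_shift": {"00", "04", "06"}},
}

def liability_shift_status(response, network):
    """Return (shifted, reason); fail closed on missing or conflicting data."""
    auth = response.get("authentication") or {}
    flag = auth.get("liabilityShift")  # assumed to be a JSON boolean
    eci = ((auth.get("threeDS") or {}).get("mpiData") or {}).get("eci")
    table = ECI_TABLE.get(network.strip().lower())
    if table is None:
        return False, "unknown network"
    if eci is None:
        return False, "no ECI in response"
    eci = str(eci).strip().zfill(2)  # accept 5, "5" and "05"
    if eci in table["shift"]:
        by_eci = True
    elif eci in table["no_shift"]:
        by_eci = False
    else:
        return False, "ECI not listed for this network"
    # A flag that contradicts the ECI is treated as no shift, pending review.
    if flag is not None and (flag is True) != by_eci:
        return False, "liabilityShift flag disagrees with ECI"
    return by_eci, "ECI " + eci

# Constructed sample responses (not real transactions).
SAMPLES = [
    ("visa", '{"authentication": {"liabilityShift": true, "threeDS": {"mpiData": {"eci": "05"}}}}'),
    ("mastercard", '{"authentication": {"liabilityShift": false, "threeDS": {"mpiData": {"eci": "06"}}}}'),
    ("visa", '{"authentication": {"liabilityShift": true, "threeDS": {"mpiData": {"eci": "07"}}}}'),
    ("mastercard", '{"authentication": {"threeDS": {}}}'),
]

if __name__ == "__main__":
    for network, raw in SAMPLES:
        print(network, liability_shift_status(json.loads(raw), network))
```

ECI 06 gives liability shift for Visa but not for Mastercard, so the check must always be made per network.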