3D Secure Results and Liability Shift
When 3D Secure is used in conjunction with an authorization request through the Card Payments API—requiring the customer to authenticate the card used in the transaction—a major advantage to the merchant is that with disputed payments the financial liability can shift from the merchant to the card issuer. Many factors affect whether this liability shift occurs, so merchants should contact their account manager for advice.
The values of the PARes status code (the threeDResult returned by the API) and the Electronic Commerce Indicator (eci) have a bearing on the situation, and are summarized below.
PARes status code | Description | Recommendation | Note |
---|---|---|---|
Y | Authentication successful | Proceed with authorization | Cardholder passed authentication |
A | Authentication attempted | Proceed with authorization | Liability shift in most cases |
N | Authentication failed | Do not proceed with authorization | Cardholder failed authentication |
U | Authentication unavailable | Decision to proceed with authorization at merchant's discretion | No liability shift |
E | Error | Do not proceed with authorization | No liability shift |
The Electronic Commerce Indicator (eci), returned with the threeDResult parameter, indicates the level of cardholder authentication used in the online transaction. No eci is returned when the threeDResult = N, U, or E.
Unlike the values in the 3DS standard, the ECI value returned by the API has no leading zero.
Liability Shift with 3D Secure
3D Secure authentication provides a means for card issuers to verify the identity of the cardholder, typically by asking them to enter a password or secret code that only the cardholder should know. This adds an additional layer of security to the online transaction, since even if the customer's card number and card details are fraudulently obtained, it is less likely that a fraudster would also have access to the customer's secret password. For a successfully authenticated cardholder, the risks of fraud are therefore significantly reduced.
To encourage merchants to use 3D Secure, card issuers who participate in the 3D Secure program offer merchants a guarantee of payment for successful online transactions that have also been authenticated using 3D Secure. This means that if there is a dispute or chargeback for a transaction for fraud reasons (e.g. customer disputes that they made or authorized the transaction) the merchant will typically not be liable for the dispute/chargeback costs, and will not have transaction funds taken from their account and returned to the customer. This is referred to as "liability shift". There are some differences in the treatment of liability shift by the different card brands, as outlined below.
Card Brand | Enrollment Status (is the card enrolled in 3D Secure?) | Authentication Status | Liability (for disputed transactions or chargebacks) | Recommended Action |
---|---|---|---|---|
Visa | U - Unavailable | - | Merchant | No liability shift; consider whether to proceed with the transaction |
Visa | N - Not Enrolled | - | Card Issuer | Proceed to Card Auth |
Visa | Y - Enrolled | Y - Authentication Successful | Card Issuer | Proceed to Card Auth |
Visa | Y - Enrolled | N - Authentication Failed | Merchant | No liability shift; do not proceed with the transaction |
Visa | Y - Enrolled | A - Authentication attempted | Card Issuer | Proceed to Card Auth |
Visa | Y - Enrolled | U - Authentication unavailable | Merchant | No liability shift; consider whether to proceed with the transaction |
Visa | Y - Enrolled | E - Authentication error | Merchant | No liability shift; consider whether to proceed with the transaction |
Mastercard | N - Not Enrolled | - | Merchant | No liability shift; consider whether to proceed with the transaction |
Mastercard | Y - Enrolled | Y - Authentication Successful | Card Issuer | Proceed to Card Auth |
Mastercard | Y - Enrolled | N - Authentication Failed | Merchant | No liability shift; do not proceed with the transaction |
Mastercard | Y - Enrolled | A - Authentication attempted | Card Issuer | Proceed to Card Auth |
Mastercard | Y - Enrolled | U - Authentication unavailable | Merchant | No liability shift; consider whether to proceed with the transaction |
Mastercard | Y - Enrolled | E - Authentication error | Merchant | No liability shift; consider whether to proceed with the transaction |
- In some cases liability is not covered by the card issuer; for example with some commercial cards. For more information please contact Customer Support.
- There is NO liability shift for non-fraud related chargeback reasons.
- The merchant should always take additional steps to check the identity of the customer and reduce the risks of fraud by applying Risk Rules—such as Velocity Checks—IP restrictions, Blacklists, CVV/CV2 matching, and the Address Verification Service (AVS). To enable any of these features for your account, please contact Customer Support.
- The above table and recommendations are provided as a reference only. Merchants should always rely on the official guidance provided by their acquirer. Paysafe is not responsible for the card scheme rules relating to 3D Secure.
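The liability table and the ECI note above can be combined into a single fail-closed check that runs before the authorization request. This is an added example, not Paysafe code: the function and argument names are hypothetical, and the per-brand ECI values come from the 3DS standard rather than from this page.

```python
# Added example: fail-closed gate between 3D Secure authentication and authorization.
# Function and argument names are hypothetical, not Paysafe API names.

# (brand, enrollment status, threeDResult) -> (liable party, action); rows follow
# the liability table above. The two tables on this page differ for "E" ("do not
# proceed" vs. "consider whether to proceed"); this example takes the stricter one.
LIABILITY = {
    ("visa", "U", None): ("merchant", "review"),
    ("visa", "N", None): ("issuer", "proceed"),
    ("mastercard", "N", None): ("merchant", "review"),
}
for _brand in ("visa", "mastercard"):
    LIABILITY.update({
        (_brand, "Y", "Y"): ("issuer", "proceed"),
        (_brand, "Y", "A"): ("issuer", "proceed"),
        (_brand, "Y", "N"): ("merchant", "decline"),
        (_brand, "Y", "U"): ("merchant", "review"),
        (_brand, "Y", "E"): ("merchant", "decline"),
    })

# ECI per brand and result, from the 3DS standard (not listed on this page), written
# without the leading zero as the API returns it. N, U and E carry no eci.
EXPECTED_ECI = {("visa", "Y"): 5, ("visa", "A"): 6,
                ("mastercard", "Y"): 2, ("mastercard", "A"): 1}


def normalize_eci(eci):
    """Return the ECI as an int so 5, "5" and "05" compare equal; None if absent."""
    if eci is None or str(eci).strip() == "":
        return None
    try:
        return int(str(eci).strip())
    except ValueError:
        return -1  # unparseable: can never match an expected value


def decide(brand, enrollment, three_d_result=None, eci=None):
    """Map one authentication outcome to an action: proceed, review or decline."""
    result = three_d_result if enrollment == "Y" else None
    key = (brand.lower(), enrollment, result)
    if key not in LIABILITY:  # unknown brand or status code: never auto-proceed
        return {"action": "review", "liable": "merchant", "reason": "not in table"}
    liable, action = LIABILITY[key]
    if enrollment == "Y" and normalize_eci(eci) != EXPECTED_ECI.get((key[0], result)):
        # Result and ECI disagree: assume no liability shift, do not auto-proceed.
        action = "review" if action == "proceed" else action
        return {"action": action, "liable": "merchant", "reason": "eci mismatch"}
    return {"action": action, "liable": liable, "reason": "table row"}
```

A "review" outcome hands the decision to the merchant's own risk rules; only "proceed" with liable "issuer" corresponds to a row where the table shows liability shift.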
What to Do After an Unsuccessful Authentication
What should a merchant do if the cardholder cannot be authenticated, for example if the service is unavailable or the cardholder failed authentication (closed the authentication window without entering their password, or provided incorrect authentication details)? In these circumstances it is the merchant's responsibility to decide how to proceed. Below are some options that you could consider. The best solution will depend on your business and the type of goods and services sold.
- Ask the customer to pay using a different payment method.
- If the authentication service is unavailable or an error occurred during authentication, you may consider requesting that the customer repeats the transaction or performs additional security checks to verify the customer's identity; but be aware that you will not benefit from liability shift and may be held liable for fraudulent transactions.
- If the cardholder failed authentication you are strongly advised not to proceed—particularly for high-value goods or services.