{"id":2467,"date":"2025-09-24T13:39:18","date_gmt":"2025-09-24T03:39:18","guid":{"rendered":"https:\/\/www.gpayments.com\/blog\/?p=2467"},"modified":"2025-09-24T14:45:02","modified_gmt":"2025-09-24T04:45:02","slug":"3d-secure-liability-shift-in-the-united-states-whats-covered-and-what-isnt","status":"publish","type":"post","link":"https:\/\/www.gpayments.com\/blog\/article\/3d-secure-liability-shift-in-the-united-states-whats-covered-and-what-isnt\/","title":{"rendered":"3D Secure Liability Shift in the United States: What&#8217;s Covered and What Isn&#8217;t"},"content":{"rendered":"\n\n\n<p style=\"text-align: left;\"><a href=\"https:\/\/www.gpayments.com\/blog\/article\/us-3d-secure-3ds2-explained-for-us-merchants\/\">3D Secure (3DS)<\/a> can move fraud liability off the merchant and onto the issuer, but only in specific cases. This article explains when <a href=\"https:\/\/www.gpayments.com\/blog\/article\/liability-shift-3d-secure\/\">liability shift<\/a> applies in the US, when it does not, and what evidence your team should include when a dispute lands.<\/p>\n<h2 style=\"text-align: left;\" data-start=\"1055\" data-end=\"1095\">What &#8216;Liability Shift&#8217; actually means<\/h2>\n<p style=\"text-align: left;\" data-start=\"1096\" data-end=\"1387\">With successful <a href=\"https:\/\/www.gpayments.com\/blog\/article\/opting-for-the-right-3d-secure-provider-a-comprehensive-guide\/\">3DS<\/a> authentication, certain <a href=\"https:\/\/www.gpayments.com\/blog\/article\/cnp-transactions-and-3d-secure\/\"><strong data-start=\"1140\" data-end=\"1166\">card-not-present fraud<\/strong><\/a> disputes shift from the merchant to the issuer. 
The exact conditions depend on the network program (Visa Secure, Mastercard Identity Check) and how the transaction was authenticated.<\/p>\n<h2 style=\"text-align: left;\" data-start=\"1394\" data-end=\"1433\">When does Liability Shift usually apply?<\/h2>\n<ul style=\"text-align: left;\" data-start=\"1434\" data-end=\"2174\">\n<li data-start=\"1434\" data-end=\"1826\">\n<p data-start=\"1436\" data-end=\"1826\"><strong data-start=\"1436\" data-end=\"1497\">Fraud-coded CNP disputes after successful authentication:<\/strong>\u00a0For Visa and Mastercard, fully authenticated 3DS transactions are generally protected from fraud chargebacks (e.g., Visa <strong data-start=\"1619\" data-end=\"1627\">10.4<\/strong> &#8216;Other Fraud &#8211; Card-Absent&#8217;). Your authorisation payload should include the authentication value (CAVV\/AAV) and the appropriate <strong data-start=\"1747\" data-end=\"1754\">ECI<\/strong> to signal authentication level.<\/p>\n<\/li>\n<li data-start=\"1827\" data-end=\"2174\">\n<p data-start=\"1829\" data-end=\"2174\"><strong data-start=\"1829\" data-end=\"1848\">ECI indicators:<\/strong>\u00a0Networks use <strong data-start=\"1862\" data-end=\"1869\">ECI<\/strong> to denote authentication level and related liability. Typical patterns: Visa <strong data-start=\"1947\" data-end=\"1957\">ECI 05<\/strong> (authenticated) and <strong data-start=\"1978\" data-end=\"1988\">ECI 06<\/strong> (attempted) vs <strong data-start=\"2004\" data-end=\"2014\">ECI 07<\/strong> (no 3DS). Mastercard uses a different scale (e.g., <strong data-start=\"2066\" data-end=\"2076\">ECI 02<\/strong> authenticated). 
Always confirm with your acquirer\u2019s matrix.<\/p>\n<\/li>\n<\/ul>\n<blockquote>\n<p data-start=\"2178\" data-end=\"2332\"><strong data-start=\"2178\" data-end=\"2187\">Note:<\/strong> Program matrices evolve; rely on your acquirer\u2019s latest guidance and network documentation for edge cases.<\/p>\n<\/blockquote>\n<h2 style=\"text-align: left;\" data-start=\"2339\" data-end=\"2381\">What Liability Shift <strong data-start=\"2363\" data-end=\"2375\">does not<\/strong> cover<\/h2>\n<ul style=\"text-align: left;\" data-start=\"2382\" data-end=\"3137\">\n<li data-start=\"2382\" data-end=\"2631\">\n<p data-start=\"2384\" data-end=\"2631\"><strong data-start=\"2384\" data-end=\"2407\">Non-fraud disputes:<\/strong>\u00a03DS does <strong data-start=\"2417\" data-end=\"2424\">not<\/strong> shield you from consumer or processing disputes like product not received, not as described, cancelled service, credit not processed, or authorisation\/processing errors. (<a href=\"https:\/\/usa.visa.com\/content\/dam\/VCOM\/global\/support-legal\/documents\/merchants-dispute-management-guidelines.pdf\" target=\"_blank\" rel=\"noopener\">Visa<\/a>)<\/p>\n<\/li>\n<li data-start=\"2632\" data-end=\"2837\">\n<p data-start=\"2634\" data-end=\"2837\"><strong data-start=\"2634\" data-end=\"2652\">Data-Only 3DS:<\/strong>\u00a0&#8216;Data-Only&#8217; shares 3DS data with issuers but is <strong data-start=\"2701\" data-end=\"2708\">not<\/strong> a full authentication flow; it improves decisioning but <strong data-start=\"2765\" data-end=\"2776\">doesn\u2019t<\/strong> grant liability shift. (<a href=\"https:\/\/developer.visaacceptance.com\/docs\/vas\/en-us\/payer-authentication\/developer\/all\/rest\/payer-auth\/pa2-use-data-only-intro.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Visa Acceptance<\/a>, <a href=\"https:\/\/help.trustpayments.com\/hc\/en-us\/articles\/4402321044369-3-D-Secure-v2-Liability?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Trust Payments<\/a>)<\/p>\n<\/li>\n<li data-start=\"2838\" data-end=\"3137\">\n<p data-start=\"2840\" data-end=\"3137\"><strong data-start=\"2840\" data-end=\"2873\">Some recurring\/MIT scenarios:<\/strong>\u00a0Subsequent <strong data-start=\"2885\" data-end=\"2907\">merchant-initiated<\/strong> or recurring charges may be ineligible for liability shift, depending on the network and setup, even if the first payment was authenticated. 
Treat initial 3DS as context, not blanket coverage.<\/p>\n<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\" data-start=\"3650\" data-end=\"3675\">Friendly Fraud and 3DS<\/h2>\n<p style=\"text-align: left;\" data-start=\"3676\" data-end=\"4025\">&#8216;Friendly fraud&#8217; is often coded as <strong data-start=\"3711\" data-end=\"3720\">fraud<\/strong> by issuers. If the transaction was properly authenticated, liability typically sits with the issuer, but issuers can still initiate disputes. Your job is to <strong data-start=\"3877\" data-end=\"3890\">represent<\/strong> with complete 3DS evidence (ECI + CAVV\/AAV + server\/ACS transaction IDs) and purchase context.<\/p>\n<h2 style=\"text-align: left;\" data-start=\"3676\" data-end=\"4025\">Covered vs Not covered<\/h2>\n<table class=\" alignleft\" style=\"width: 100%; height: 131px;\">\n<thead>\n<tr style=\"height: 33px;\">\n<th style=\"height: 33px;\">Scenario<\/th>\n<th style=\"height: 33px;\" align=\"right\">Liability shift likely?<\/th>\n<th style=\"height: 33px;\">Why<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 33px;\">\n<td style=\"height: 33px;\">Fraud CNP with successful 3DS auth (correct ECI\/CAVV)<\/td>\n<td style=\"height: 33px; text-align: center;\" align=\"right\"><strong>Yes<\/strong><\/td>\n<td style=\"height: 33px;\">Network programs provide protection for fraud disputes when auth is valid. (<a title=\"EMV\u00ae 3-D SECURE: A U.S. PAYMENTS FORUM RESOURCE BRIEF\" href=\"https:\/\/www.uspaymentsforum.org\/wp-content\/uploads\/2025\/05\/EMV3DS-MiniSeries-Brief1-FINAL-USPaymentsForum.pdf?utm_source=chatgpt.com\">U.S. Payments Forum<\/a>)<\/td>\n<\/tr>\n<tr style=\"height: 16px;\">\n<td style=\"height: 16px;\">Fraud CNP with <strong>Data-Only<\/strong><\/td>\n<td style=\"height: 16px; text-align: center;\" align=\"right\"><strong>No<\/strong><\/td>\n<td style=\"height: 16px;\">Data-Only isn\u2019t full authentication; no shift. 
(<a title=\"Examples Using 3-D Secure Data Only\" href=\"https:\/\/developer.visaacceptance.com\/docs\/vas\/en-us\/payer-authentication\/developer\/all\/rest\/payer-auth\/pa2-use-data-only-intro.html?utm_source=chatgpt.com\">Visa Acceptance<\/a>)<\/td>\n<\/tr>\n<tr style=\"height: 33px;\">\n<td style=\"height: 33px;\">Non-fraud consumer disputes (e.g., goods not received)<\/td>\n<td style=\"height: 33px; text-align: center;\" align=\"right\"><strong>No<\/strong><\/td>\n<td style=\"height: 33px;\">Outside fraud category. (<a title=\"Dispute Management Guidelines for Visa Merchants June 2024\" href=\"https:\/\/usa.visa.com\/content\/dam\/VCOM\/global\/support-legal\/documents\/merchants-dispute-management-guidelines.pdf\">Visa<\/a>)<\/td>\n<\/tr>\n<tr style=\"height: 16px;\">\n<td style=\"height: 16px;\">Subsequent recurring \/ MIT<\/td>\n<td style=\"height: 16px; text-align: center;\" align=\"right\"><strong>Varies<\/strong><\/td>\n<td style=\"height: 16px;\">Often ineligible; check acquirer\/network rules. (<a title=\"Credit Card Liability Shift Still Confusing? Read This\" href=\"https:\/\/www.chargeblast.com\/blog\/credit-card-liability-shift-still-confusing\/?utm_source=chatgpt.com\">ChargeBlast<\/a>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 style=\"text-align: left;\">Your disputes playbook: How to win when you should<\/h2>\n<ul style=\"text-align: left;\">\n<li data-start=\"4777\" data-end=\"5034\">\n<p data-start=\"4780\" data-end=\"5034\"><strong data-start=\"4780\" data-end=\"4815\">Pass complete data at checkout:<\/strong>\u00a0Clean addresses, email, phone, device\/browser data; run the 3DS Method or use the SDK so device context is available. 
Better signals reduce step-ups and strengthen cases later.<\/p>\n<\/li>\n<li data-start=\"5035\" data-end=\"5262\">\n<p data-start=\"5038\" data-end=\"5262\"><strong data-start=\"5038\" data-end=\"5066\">Store the 3DS artifacts:<\/strong>\u00a0Keep <strong data-start=\"5072\" data-end=\"5079\">ECI<\/strong>, <strong data-start=\"5081\" data-end=\"5093\">CAVV\/AAV<\/strong>, <strong data-start=\"5095\" data-end=\"5118\">XID\/transaction IDs<\/strong>, DS\/ACS references, AVS\/CVV results, timestamps, IP\/device info. You will need these for representment.<\/p>\n<\/li>\n<li data-start=\"5263\" data-end=\"5531\">\n<p data-start=\"5266\" data-end=\"5531\"><strong data-start=\"5266\" data-end=\"5305\">Respond with &#8216;compelling evidence&#8217;:<\/strong>\u00a0Visa outlines acceptable evidence for fraud conditions (10.x), including technical logs and proof of cardholder participation. Organise templates so your ops team can respond quickly.<\/p>\n<\/li>\n<li data-start=\"5532\" data-end=\"5779\">\n<p data-start=\"5535\" data-end=\"5779\"><strong data-start=\"5535\" data-end=\"5562\">Segment your liability:<\/strong>\u00a0Tag transactions by route (ECI value, wallet tokenisation, Data-Only, SDK vs browser) so finance can attribute chargebacks to the right controls and see where coverage applies.<\/p>\n<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\">At a Glance<\/h2>\n<p style=\"text-align: left;\">3D Secure 2 can shift liability for card-not-present fraud to the issuer when authentication succeeds (correct ECI plus valid authentication values). It does not cover non-fraud disputes, and Data-Only does not provide liability shift. Some recurring or merchant-initiated transactions may be ineligible, so check your acquirer and network matrix. 
Maximise your win rate by sending complete data, running the 3DS Method or SDK, and retaining ECI, CAVV\/AAV, and transaction IDs for representment.<\/p>\n<h2 style=\"text-align: left;\" data-start=\"5786\" data-end=\"5793\">FAQs<\/h2>\n<p style=\"text-align: left;\" data-start=\"5795\" data-end=\"5992\"><strong data-start=\"5795\" data-end=\"5861\">Does liability shift apply to all chargebacks if 3DS was used?<\/strong><br data-start=\"5861\" data-end=\"5864\" \/>No. It typically applies to <strong data-start=\"5892\" data-end=\"5901\">fraud<\/strong> disputes only, not consumer or processing disputes. (<a href=\"https:\/\/usa.visa.com\/content\/dam\/VCOM\/global\/support-legal\/documents\/merchants-dispute-management-guidelines.pdf\" target=\"_blank\" rel=\"noopener\">Visa<\/a>)<\/p>\n<p style=\"text-align: left;\" data-start=\"5994\" data-end=\"6161\"><strong data-start=\"5994\" data-end=\"6043\">Does &#8216;Data-Only&#8217; 3DS provide liability shift?<\/strong><br data-start=\"6043\" data-end=\"6046\" \/>No. It improves issuer decisioning but does not grant liability protection. (<a href=\"https:\/\/developer.visaacceptance.com\/docs\/vas\/en-us\/payer-authentication\/developer\/all\/rest\/payer-auth\/pa2-use-data-only-intro.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Visa Acceptance<\/a>)<\/p>\n<p style=\"text-align: left;\" data-start=\"6163\" data-end=\"6397\"><strong data-start=\"6163\" data-end=\"6208\">What should I include in a 10.4 response?<\/strong><br data-start=\"6208\" data-end=\"6211\" \/>Provide the 3DS evidence set (ECI + CAVV\/AAV + transaction IDs), plus order details and device\/behaviour signals. Follow your acquirer\u2019s checklist.<\/p>\n\n\n\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>3D Secure (3DS) can move fraud liability off the merchant and onto the issuer, but only in specific cases. This article explains when liability shift applies in the US, when it does not, and what evidence your team should include when a dispute lands. 
What &#8216;Liability Shift&#8217; actually means With successful 3DS authentication, certain card-not-present [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":2531,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2],"tags":[19,13,10,128],"class_list":["post-2467","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-article","tag-3d-secure","tag-3ds2","tag-liability-shift","tag-usa"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2467","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/comments?post=2467"}],"version-history":[{"count":30,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2467\/revisions"}],"predecessor-version":[{"id":2538,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/posts\/2467\/revisions\/2538"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/media\/2531"}],"wp:attachment":[{"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/media?parent=2467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/categories?post=2467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gpayments.com\/blog\/wp-json\/wp\/v2\/tags?post=2467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}