What is liability shift in payments?

Tom Martindell
January 22, 2025

Technology is transforming the payments industry. To protect your business from fraud and chargebacks, it’s crucial to stay up-to-date with the latest regulations and security protocols. One key aspect of payments security is understanding liability shift, which allows you, as a merchant, to shift the financial cost of a fraudulent payment to the issuer. By leveraging mechanisms like 3D Secure (3DS) liability shift, merchants can reduce chargebacks and transfer the liability for fraudulent transactions to the issuer, helping mitigate the cost of fraud to their business. 

In this article, we’ll discuss payment liability shifts in depth, focusing on how they apply across different regions, payment schemes, acquirers, payment methods, and transaction types (including Cardholder Initiated Transactions (CIT) and Merchant Initiated Transactions (MIT)). We’ll explain the various types of liability shift scenarios—such as EMV liability shift, 3D Secure, SCA (Strong Customer Authentication) exemptions, and out-of-scope transactions—and the specific requirements they entail in each global market. By the end, you’ll understand how these measures work to mitigate fraud liability and protect both you and your customers from fraudulent activity.

What is a payment liability shift?

A payment liability shift refers to a change in who’s responsible for covering the financial cost of a chargeback in the event that a payment turns out to be fraudulent. Normally, you’ll hear this phrase in reference to a transfer of liability from the merchant to the payment card issuer. 

The liability depends on the payment scenario, including the payment method, region, transaction type (e.g., CIT or MIT), and the use of authentication within the payment flow. Since chargebacks have a financial cost, it’s important to strike the right balance between mitigating fraud liability and ensuring a smooth checkout experience for your customers.

EMV liability shift

For card-present transactions, historically, the card issuer – i.e. the issuing bank – was liable for fraudulent transactions. However, with the introduction of EMV chip technology, which provides enhanced security features to payment cards, the merchant is liable for transactions that do not meet scheme security criteria. 

Nowadays, if you, the merchant, don’t support EMV chip technology – and a fraudulent transaction occurs using an EMV-enabled card – the liability shifts from the card issuer to you. Alternatively, if you do support EMV chip – but the card issuer doesn’t issue EMV-enabled cards – the liability remains with the card issuer.

The payment liability shift is intended to incentivize your business to adopt more secure payment processing technologies and reduce fraud.

3D Secure and chargeback liability shifts

Chargeback liability shifts can also apply to online (card-not-present) transactions. 3D Secure (3DS), which has been in use for many years, is a widely adopted method for fraud prevention. 3DS was also mandated as part of the SCA requirements to reduce payment fraud in the EU and the UK. By adding an extra layer of authentication, merchants can shift liability for fraudulent transactions to the card issuer, helping to reduce the costs of fraud to their business. 

If a customer flags a payment as fraudulent with their issuer and requests their funds back (a chargeback), the party liable for covering that cost depends on whether 3DS was used to authenticate the cardholder’s identity. In the EU and UK, 3DS is mandatory for many online payments under SCA, while in markets such as the US and MENA, its adoption is still evolving and not yet a regulatory requirement. 

The use of the 3D Secure protocol significantly expanded in Europe following the introduction of SCA requirements. However, 3DS is also employed in other global regions, where schemes offer similar liability shift options for card-not-present transactions, even if SCA is not formally mandated.

3D Secure is a security protocol that adds an extra layer of authentication to online payment transactions. If your business supports this and a fraudulent transaction happens, the liability for the transaction generally shifts to the card issuer.

To verify themselves using 3D Secure, customers have two options: frictionless and challenge.

  • The frictionless flow uses background information that doesn’t require the customer to take any action. In this flow, the acquirer’s system provides the necessary transaction data to the issuer, allowing authentication checks to happen behind the scenes without involving the customer
  • On the other hand, the challenge flow requires additional action from the customer. It can be triggered by certain risk thresholds either on the merchant’s side or the issuer’s side. In this flow, the customer is typically asked to provide two-factor authentication (2FA), often through biometric authentication such as face or fingerprint recognition. While SMS codes or personal passwords were once common, biometrics are now just as prevalent for authentication

To learn more about how 3D Secure exemptions work at Checkout.com, see our 3D Secure exemptions product page.

When is the merchant liable?

For in-store payments, if you accept a form of payment which is not covered by liability shift (such as a non-EMV card) or if you don’t use an EMV-compliant payment terminal, then you are responsible for covering fraud losses.

Similarly, if you accept an online payment that’s later flagged as fraudulent, and you cannot provide 3DS authentication data, then you are liable for the financial cost of reimbursing the customer. 

When is the issuer liable?

For in-store payments, if the card issuer has issued a payment card with a known vulnerability—such as a weak magnetic stripe or an easily guessable PIN—the issuer is likely to be liable for any fraudulent transactions.

In contrast, if a payment card issuer authorizes a fraudulent transaction processed using 3D Secure, either because they didn’t properly verify the cardholder’s ID or failed to detect suspicious activity, the issuer may be liable for the transaction. 

| Payment method | Typical liability |
|---|---|
| Contactless (card present) | Card issuer |
| Magnetic stripe (card present) | Merchant/Acquirer |
| Chip and PIN (card present) | Card issuer |
| Online CNP not using 3D Secure | Merchant/Acquirer |
| Online CNP (card not present) using 3D Secure | Card issuer |
| Phone, mail, and other offline CNP | Merchant/Acquirer |

Utilizing SCA exemptions and out-of-scope transactions

SCA is a regulatory requirement which requires payment service providers (PSPs) to apply 2FA such as 3DS for most electronic payments. 

However, there are some SCA exemptions and out-of-scope transactions that allow PSPs to bypass SCA requirements for certain types of transactions, depending on factors like the transaction’s risk level, amount, or payment channel used. Out-of-scope transactions refer to those that are not subject to SCA requirements under current regulations. Additionally, the rules may vary for CIT (Cardholder Initiated Transaction) vs. MIT (Merchant Initiated Transaction), so businesses should verify how exemptions apply to recurring or subscription payments.

The most common SCA exemptions include:

  • Low-value transactions – below a certain amount (€30 or equivalent)
  • Trusted beneficiaries – transactions to previously authorized beneficiaries are exempted from SCA requirements
  • Secure corporate payments – transactions between businesses where a risk analysis has been conducted and certain security standards are met

The most common out-of-scope transactions include:

  • Mail-order or telephone-order (MOTO) transactions – the payment card isn’t present at the point of sale, so it’s manually keyed-in or read from a paper document
  • Offline transactions – the payment is made even though the card terminal isn’t connected to the payment card issuer's network
  • Low-risk transactions – transactions that are deemed low-risk based on the payment service provider's risk analysis
  • Recurring payments – regular transactions of the same amount and to the same payee

Liability shift using APMs

Many alternative payment methods (APMs), including popular digital wallets like Apple Pay and Google Pay, offer opportunities to reduce chargebacks and achieve a 3DS liability shift or other types of fraud liability shift. By leveraging biometric authentication, device-based cryptograms, and tokenized card details, these methods help merchants shift liability for potential fraud from the merchant to the card issuer.

Apple Pay

Apple Pay inherently meets SCA requirements in most regions, allowing customers to authenticate purchases via Touch ID or Face ID. As a result, Apple Pay transactions often benefit from a liability shift without needing a separate 3DS challenge. If the issuer returns an Electronic Commerce Indicator (ECI) confirming successful authentication, the liability for fraudulent charges typically remains with the card issuer. In MENA, Apple Pay also aligns with regional SCA guidelines, enabling liability shift in many local markets. 

Google Pay

Similarly, Google Pay can deliver liability shift through its CRYPTOGRAM_3DS mode (where payment credentials are tied into the consumer’s Android device). In such cases, the issuer acknowledges that the cardholder was properly authenticated and usually takes on liability for fraud. However, if Google Pay uses PAN_ONLY, you may still need to implement 3DS for a complete fraud liability shift. Note that regional variations and card scheme differences can also influence liability.
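
The routing decision described above can be made server-side from the decrypted Google Pay payload. The following is an added example, not code from Checkout.com or Google: the field names follow Google Pay's decrypted payment message format, while `decideGooglePayAuth`, its action labels, and the sample payloads are hypothetical and constructed for illustration.

```javascript
// Added example. Field names follow Google Pay's decrypted payment message;
// decideGooglePayAuth and its action labels are hypothetical.
function decideGooglePayAuth(message, nowMs = Date.now()) {
  const details = message && message.paymentMethodDetails;
  if (!details || message.paymentMethod !== "CARD") {
    return { action: "reject", reason: "not a card payload" };
  }
  // messageExpiration is a string of epoch milliseconds; stale tokens are refused.
  const expiry = Number(message.messageExpiration);
  if (!Number.isFinite(expiry) || expiry <= nowMs) {
    return { action: "reject", reason: "token expired or expiry missing" };
  }
  switch (details.authMethod) {
    case "CRYPTOGRAM_3DS":
      // Device-bound credential: the cryptogram must accompany the authorization.
      if (typeof details.cryptogram !== "string" || details.cryptogram.length === 0) {
        return { action: "reject", reason: "CRYPTOGRAM_3DS without cryptogram" };
      }
      return {
        action: "authorize",
        reason: "device-authenticated token",
        cryptogram: details.cryptogram,
        eci: details.eciIndicator || null, // optional in the payload
      };
    case "PAN_ONLY":
      // Card stored on the Google account: no device cryptogram, so run 3DS first.
      return { action: "require_3ds", reason: "PAN_ONLY credential" };
    default:
      return { action: "reject", reason: "unknown authMethod" };
  }
}

// Constructed sample payloads (test PAN, placeholder cryptogram, far-future expiry).
const base = { messageExpiration: "4102444800000", messageId: "constructed-1", paymentMethod: "CARD" };
const samples = {
  cryptogram: { ...base, paymentMethodDetails: { authMethod: "CRYPTOGRAM_3DS", pan: "4111111111111111",
    expirationMonth: 12, expirationYear: 2030, cryptogram: "CONSTRUCTED_PLACEHOLDER=", eciIndicator: "05" } },
  panOnly: { ...base, paymentMethodDetails: { authMethod: "PAN_ONLY", pan: "4111111111111111",
    expirationMonth: 12, expirationYear: 2030 } },
  expired: { ...base, messageExpiration: "1000", paymentMethodDetails: { authMethod: "PAN_ONLY" } },
};

for (const [name, msg] of Object.entries(samples)) {
  console.log(name, "->", decideGooglePayAuth(msg).action);
}
```

Rejecting a `CRYPTOGRAM_3DS` payload that arrives without a cryptogram, rather than silently downgrading it, keeps a malformed or tampered token from being authorized as if it were device-authenticated.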

Other APMs

Beyond Apple Pay and Google Pay, many other APMs provide strong authentication features or limited dispute windows, helping you lower the risk of chargebacks. Offering these methods can create a frictionless payment experience while mitigating fraud losses. 

See our article on how APMs can reduce chargebacks for more information. 

Balancing conversion and fraud risk

3DS is a security protocol designed to reduce the risk of fraudulent transactions in online payments. While it provides valuable protection against unauthorized transactions, it can also add friction to the payment process, as customers may need to complete additional steps to complete their transaction. Finding the right balance between security and convenience is essential. Factors such as your industry, transaction sizes, and your target audience can influence how aggressively you apply 3DS. 

If your business has a high risk of fraud, adopting 3DS may significantly reduce potential losses. However, your overall risk appetite, ongoing fraud trends, and the adoption of 3DS in your market should also shape your decision. Even if your perceived fraud risk is low at present, threats evolve quickly, and outdated security measures can leave you vulnerable down the line. At the same time, be mindful of the potential for chargebacks: if you’re unable to demonstrate that a transaction was validly authorized, you could be liable for the refund.

Implementing 3DS helps you gather strong evidence of the cardholder’s identity, reducing chargeback exposure and supporting a more resilient payment strategy.

Fight fraud and reduce friction with Checkout.com

Finding a balance between minimal friction in the payment process and leveraging the benefits of liability shift is crucial for maintaining customer satisfaction. 

Fortunately, as part of our authentication product, we provide comprehensive coverage of common exemptions, ranging from data-sharing-only flows to indicating your customers' experience preferences to issuers, ensuring that you can effectively navigate these challenges.
