Technology is transforming the payments industry. Nowadays, to protect your business from fraud and chargebacks, you must stay up-to-date with the latest regulations and security protocols. One of the key aspects of this includes liability shifts, and how they impact your business, issuers, and customers.
Under PSD2, liability shift is to incentivize banks and payment service providers to implement strong security measures to protect against fraud, and to encourage customers to take greater responsibility for their own security.
In this article, we’ll discuss payment liability shifts and explore key concepts such as EMV liability shift, 3D Secure, SCA exemptions, and out-of-scope transactions. By the end, you’ll know exactly how to make informed decisions to protect your businesses and customers.
What is a payment liability shift?
A payment liability shift refers to a change in rules or regulations that affects who’s responsible for issuing a chargeback. Normally, it’s a shift in liability from the payment card issuer to the merchant, or vice-versa.
The liability usually depends on the payment scenario, the technology used, and the security measures in place. And because chargebacks often lead to refunds, neither party (the card issuer or the merchant) wants to be liable and absorb the losses associated with chargeback requests.
For card-present transactions, historically, the card issuer – i.e. the issuing bank – was liable for fraudulent transactions. However, with the introduction of EMV (Europay, Mastercard, and Visa) chip technology, which provides enhanced security features to payment cards, there’s been a shift in liability for fraudulent transactions.
Nowadays, if you, the merchant, don’t support EMV chip technology – and a fraudulent transaction occurs using an EMV-enabled card – the liability shifts from the card issuer to you. Alternatively, if you do support EMV – but the card issuer doesn’t issue EMV-enabled cards – the liability remains with the card issuer.
The payment liability shift is intended to incentivize your business to adopt more secure payment processing technologies and reduce fraud.
3d secure and chargeback liability shifts
The 3D Secure protocol shift happened during the launch of the Strong Customer Authentication (SCA) regulation, as part of the EU’s PSD2 directive from 2015.
3D Secure is a security protocol that adds an extra layer of authentication to online payment transactions, prompting the cardholder to enter a one-time code sent to their device, to verify their identity and reduce fraud. If your business supports 3D Secure and a fraudulent transaction happens, the liability for the transaction generally remains with the card issuer.
To verify themselves using 3D Secure, customers have two options: frictionless and challenge.
The frictionless flow is based on background information that doesn’t require active verification from the customer. In this flow, the SDK and servers exchange all necessary information without involving the user.
On the other hand, the challenge flow is triggered when the issuer determines that the transaction needs additional verification from the customer. In this flow, the user gets a request to provide two-factor authentication, typically through an SMS code or a personal password. The customer can also use biometric authentication through face or fingerprint recognition.
When is the merchant liable?
If you, the merchant, accept a payment card that’s counterfeit, stolen, or expired, and you don’t take reasonable steps to verify the cardholder's identity or the validity of the card, then you may be liable for any resulting fraudulent transactions.
Additionally, for in-store payments, if you accept a payment card but don’t use an EMV-compliant payment terminal, and there’s a fraudulent transaction, the liability may also shift to you.
When is the issuer liable?
In contrast, if a payment card issuer authorizes a fraudulent transaction, either because they didn’t properly verify the ID of the cardholder, or because they didn’t detect suspicious activity on the card, the issuer may be liable for the transaction.
Meanwhile, if the card issuer issues a payment card with a known vulnerability, such as a weak magnetic stripe or an easily guessable PIN, the issuer is likely to be liable for any fraudulent transactions.
| Payment Method | Who is liable? |
|---|---|
| Contactless (card present) | Card issuer |
| Magnetic stripe (card present) | Merchant/Acquirer |
| Chip and PIN (card present) | Card issuer |
| Online CNP not using 3D Secure | Merchant/Acquirer |
| Online CNP (card not present) using 3D Secure | Card issuer |
| Phone, mail, and other offline CNP | Merchant/Acquirer |
Utilizing SCA exemptions and out of scope transactions
Strong Customer Authentication (SCA) is a regulatory requirement under the European Union's Payment Services Directive 2 (PSD2), which requires payment service providers (PSPs) to apply two-factor authentication for electronic payments.
However, there are some SCA exemptions and out-of-scope transactions that allow PSPs to bypass SCA requirements for certain types of transactions, based on the transaction’s risk level, amount, or payment channel used. Meanwhile, out-of-scope transactions are those that aren’t covered by PSD2's SCA requirements.
The most common SCA exemptions include:
- Low-value transactions – below a certain amount (€30 or equivalent).
- Trusted beneficiaries – transactions to previously authorized beneficiaries are exempted from SCA requirements.
- Recurring payments – regular transactions of the same amount and to the same payee.
- Secure corporate payments – transactions between businesses where a risk analysis has been conducted and certain security standards are met.
The most common out-of-scope transactions include:
- Mail-order or telephone-order (MOTO) transactions – the payment card isn’t present at the point of sale, so it’s manually keyed-in or read from a paper document.
- Offline transactions – the payment is made even though the card terminal isn’t connected to the payment card issuer's network.
- Low-risk transactions – transactions that are deemed low-risk based on the payment service provider's risk analysis.
Balancing conversion and fraud risk
3D Secure 2.0 (3DS2) is a security protocol designed to reduce the risk of fraudulent transactions for online payments. While this can provide additional protection against unauthorized transactions, it can also add friction to the payment process, as customers need to complete an additional step to complete their transaction.
That’s why it’s important you find the right balance. You should carefully weigh up the benefits of 3DS2 in reducing your fraud rates against the potential negative impact on customer convenience.
If your business has a high risk of fraud, then we recommend implementing 3DS2 to help reduce losses due to fraud. However, if your risk is low, the potential negative impact on customer experience and conversion rates may outweigh the benefits of implementing 3DS2.
When making this decision, you should also consider the potential impact of chargebacks. For instance, if you’re unable to provide sufficient evidence to support the legitimacy of a transaction, you may be liable for the chargeback amount. Implementing 3DS2 can help merchants to provide evidence of the cardholder's identity and reduce the risk of chargebacks.
Fight fraud and reduce friction with Checkout.com
Finding a balance between minimal friction in the payment process and leveraging the benefits of liability shift is crucial for maintaining customer satisfaction.
Fortunately, as part of our authentication product, we provide comprehensive coverage of common exemptions, ranging from data-sharing-only flows to indicating your customers' experience preferences to issuers, ensuring that you can effectively navigate these challenges.
