Online fraud isn’t just a cardholder problem. Merchants often bear the brunt of it, especially when a customer files a chargeback for unauthorized use. But 3D Secure (3DS) technology aims to change that. And with the 3DS liability shift in place, the rules about who pays for fraud are different now.
Let’s break down how this works and what merchants need to know if they want to avoid eating the cost of fraud.
What Is 3DS and Why Does It Matter?
3DS, short for 3D Secure, is a security protocol designed to authenticate cardholders during online transactions. When 3DS is active, customers are asked to confirm their identity through a one-time password, fingerprint, or facial recognition. This extra step helps verify that the real cardholder is making the purchase.
Versions of 3DS include:
- 3DS 1.0: The original version with pop-up verification windows (less user-friendly)
- 3DS 2.0 and 2.2: Mobile-friendly, frictionless flows, and biometric authentication options
The major upside for merchants? It shifts fraud liability to the card issuer.
What the 3DS Liability Shift Actually Means
When a merchant uses 3DS to authenticate a transaction, and the cardholder still files a fraud-related chargeback (like a “card not present” claim), the issuer, not the merchant, is liable for the loss.
Here’s a simple way to look at it:
- If 3DS authentication is successful, the merchant is protected from fraud chargebacks.
- If the issuer declines 3DS or cannot authenticate, the issuer still holds the risk.
- If the merchant bypasses 3DS or uses a non-compliant system, the merchant retains liability.
This shift creates a major incentive for merchants to use 3DS, especially for high-risk or international transactions.
Which Chargebacks Are Covered by the Liability Shift?
The liability shift primarily applies to fraud-related chargebacks, especially those with reason codes like:
- 10.4 (Other Fraud — Card-Absent Environment) for Visa
- 4837 (No Cardholder Authorization) or 4863 (Cardholder Does Not Recognize) for Mastercard
It does not apply to chargebacks related to:
- Product quality
- Late delivery
- Cancellations or refund disputes
- Duplicate charges
So while 3DS helps with unauthorized use, it won’t protect you from friendly fraud or customer dissatisfaction.
Are There Exceptions to the 3DS Liability Shift?
Yes. A few important ones.
- Merchant-Initiated Transactions (MITs): These include subscriptions or recurring billing. If the initial transaction was authenticated but later ones were not, the shift may not apply.
- Country Rules: Some regions mandate 3DS (e.g., the EU under PSD2), and failure to comply could keep merchants on the hook.
- Outdated Integrations: Using 3DS 1.0 may not qualify for the shift depending on the network. Most issuers now require 3DS 2.2 or higher for full protection.
Always check with your payment processor for updates specific to your industry, region, and card networks.
How Merchants Can Stay Protected
To take full advantage of the 3DS liability shift, merchants should:
- Upgrade to 3DS 2.2 or higher for optimal coverage and a smoother customer experience.
- Enable 3DS on high-risk transactions like high-ticket items, international orders, or unfamiliar IP addresses.
- Keep transaction records like timestamps, shipping confirmation, and customer correspondence. Even with liability protection, documentation helps with a broader fraud strategy.
- Monitor fraud filters to make sure they’re working alongside 3DS and not blocking good transactions.
Most importantly, combine 3DS with other chargeback prevention tools. Authentication is powerful, but layered protection is stronger.
FAQs: 3DS Liability Shift Explained
What is the 3DS liability shift in simple terms?
The 3DS liability shift means that when a transaction is authenticated using 3D Secure, responsibility for fraud-related chargebacks usually moves from the merchant to the card issuer. This reduces the merchant's financial risk for unauthorized transactions.
Does the liability shift cover all chargebacks?
No. It only applies to fraud-related chargebacks, like unauthorized card use. It does not cover chargebacks due to product issues, refunds, or customer dissatisfaction.
Is 3D Secure mandatory?
Not everywhere. Some regions, like the EU, require 3DS under laws like PSD2. In other countries, it’s optional but highly recommended to reduce liability and fraud risk.
What happens if I don’t use 3DS?
If you skip 3DS and a customer claims fraud, you’ll likely be liable for the chargeback. You also risk higher dispute rates and could be flagged as high-risk by your processor.
Can friendly fraud still happen with 3DS?
Yes. A customer can authenticate a purchase using 3DS and still file a chargeback, pretending it wasn’t them. In these cases, issuers may still favor the cardholder unless you have strong evidence or early alerts.
Chargebacks? Chargeblast.
Even with 3DS in place, fraud and friendly fraud are still risks. That’s where Chargeblast comes in. Our system detects dispute triggers early, responds to alerts automatically, and helps you resolve issues before they escalate into lost revenue.
Think of it as your next layer of defense—working with 3DS, not replacing it. If you're looking to cut down on dispute costs, avoid pre-arbs, or prevent getting flagged by your processor, Chargeblast gives you the right tools without disrupting your checkout flow.