Definition
The liability shift moves the financial burden of card fraud from one party to another depending on the security mechanism used.
The best-known case: with 3DS2, liability for fraud passes from the merchant (liable by default) to the issuing bank. This is the single biggest economic incentive to deploy 3DS2 — far more powerful than PSD2's SCA mandate alone.
The baseline rule: who pays for fraud
With no specific safeguard in place, on a fraudulent transaction:
- the cardholder is refunded by their issuing bank (PSD2 + SCA within the EEA);
- the issuer raises a chargeback against the acquirer and the merchant;
- the merchant therefore bears the loss (amount + chargeback fees).
The liability shift reverses this last step: if 3DS2 was used correctly, the issuer can no longer raise a fraud chargeback, and it is the one that absorbs the loss.
Liability-shift scenarios
- E-commerce (3DS2): a transaction processed under 3DS2 (challenge or frictionless) shifts to the issuer on fraud grounds; without 3DS2, the merchant stays liable. An MIT (subscription) with an initial SCA agreement and the correct flag also shifts to the issuer.
- Card-present (EMV): an EMV chip + PIN or EMV NFC transaction shifts to the issuer; a magnetic-stripe transaction where EMV was possible leaves the merchant liable (the case of the 2015 US EMV migration).
- Apple Pay / Google Pay: tokenised DPAN + local biometric SCA → liability shift always lands on the issuer, one of the reasons these wallets have such a low fraud rate.
What the liability shift does not cover
- Friendly fraud: the cardholder disputes a purchase they genuinely made — remains the merchant's responsibility.
- APP fraud: authorised credit transfers, off-card, out of scope.
- Other chargeback grounds: defective product, not delivered, subscription not cancelled all stay with the merchant.
- Outside the EEA: 3DS2 is less systematic in the US, so the shift is less automatic there.
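The scenarios and exclusions above can be combined into one triage rule over dispute records. The following is an added example, not code from any scheme or PSP: the `Dispute` layout, field names and sample values are hypothetical, `reason` is the ground as finally established, and variations by network or jurisdiction are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass

# Authentication methods that, per the scenarios above, move fraud liability to the issuer.
SHIFTING_AUTH = {
    "ecom": {"3ds2_challenge", "3ds2_frictionless"},
    "card_present": {"emv_chip_pin", "emv_nfc"},
    "wallet": {"dpan_biometric"},
}

@dataclass
class Dispute:                   # hypothetical record layout
    amount_eur: float
    reason: str                  # "fraud", "friendly_fraud", "not_delivered", ...
    channel: str                 # "ecom", "card_present", "wallet", "mit"
    auth: str = "none"
    emv_possible: bool = False   # magstripe only: could the chip have been used?
    initial_sca: bool = False    # MIT only: SCA on the initial agreement
    mit_flag_ok: bool = False    # MIT only: correct flag sent

def liable_party(d: Dispute) -> str:
    # Reason is checked first: the shift covers fraud grounds only, so strong
    # authentication does not help against friendly fraud or delivery disputes.
    if d.reason != "fraud":
        return "merchant"
    if d.channel == "mit":
        return "issuer" if d.initial_sca and d.mit_flag_ok else "merchant"
    if d.channel == "card_present" and d.auth == "magstripe":
        # The text only states the case where EMV was possible.
        return "merchant" if d.emv_possible else "unknown"
    if d.auth in SHIFTING_AUTH.get(d.channel, set()):
        return "issuer"
    return "merchant"            # baseline rule: no safeguard, merchant pays

def exposure(disputes):
    """Total disputed amount per liable party."""
    totals = defaultdict(float)
    for d in disputes:
        totals[liable_party(d)] += d.amount_eur
    return dict(totals)

SAMPLE = [  # constructed disputes
    Dispute(200, "fraud", "ecom", "3ds2_frictionless"),
    Dispute(200, "fraud", "ecom", "none"),
    Dispute(50, "friendly_fraud", "ecom", "3ds2_challenge"),
    Dispute(80, "fraud", "card_present", "magstripe", emv_possible=True),
    Dispute(120, "fraud", "wallet", "dpan_biometric"),
    Dispute(30, "fraud", "mit", initial_sca=True, mit_flag_ok=False),
]
```

On the constructed sample, the MIT dispute stays with the merchant because the flag is missing even though the initial agreement was authenticated.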
The economic case
For a merchant with €100M in annual volume: a fraud rate of 0.3% without 3DS2 (€300K of losses) can fall, with 3DS2, to 0.05% — of which €150K is transferred to the issuer and ~€50K is residual (friendly fraud, out of scope). That is ~€250K saved per year, well above the integration cost and the slight cart abandonment (frictionless costs < 1% in drop-off). This is why PSPs actively push 3DS2, even when an SCA exemption would be available.
How it has evolved since the IFR / PSD2
- 2010s — liability shift for 3DS1, little adopted (degraded UX).
- 2018+ — mandatory SCA in the EEA makes 3DS2 the standard, and the liability shift a near-universal mechanism on EEA cards.
- 2024+ — Visa and Mastercard tighten chargeback-reason rules to curb friendly-fraud abuse.
What the liability shift is not
- Not a zero-fraud guarantee: the merchant remains responsible for product quality, delivery, subscriptions and friendly fraud.
- Not a PSD2 mechanism: it is a scheme mechanism, predating PSD2, that SCA made popular.
- Not universal: it varies by network, jurisdiction and card type.
- Not without a downside: an issuer suffering too much post-shift fraud may tighten its policy (more challenges, less frictionless).
In the PSD2 ecosystem
The liability shift is the economic alignment between the card schemes and PSD2 SCA: it makes investing in 3DS2 rational, even where it isn't mandated. It is also a quality lever — an ACS that is too lax on frictionless ends up paying more in losses, which pushes it to score well.
Concrete examples
- E-commerce with 3DS2: a €200 purchase on Cdiscount processed under frictionless 3DS2; in a confirmed fraud case, the issuer refunds the cardholder without being able to raise a chargeback, so it bears the loss.
- E-commerce without 3DS2: a merchant who bypasses 3DS2 takes a successful fraud chargeback and loses the €200.
- US EMV migration: since October 2015, fraud on a magnetic stripe where EMV was possible shifts to whichever party did not migrate — which accelerated the migration of US payment terminals.
- Apple Pay: a fraudulent transaction stays with the issuer (DPAN + biometric SCA), and the fraud rate is particularly low.
- Friendly fraud: a parent disputes €50 at Roblox paid by their child — not covered, the merchant's burden.
- PSPs that optimise: Stripe Radar, Adyen RevenueProtect and Checkout.com add merchant-side fraud scoring to avoid friendly fraud and arbitrate between 3DS2 and exemptions.
- Cost: the liability shift transfers several billion euros of fraud from merchants to issuers every year in the EEA, with issuers offsetting this through interchange and risk scoring.