Who pays for card fraud when something goes wrong? That question sits at the heart of the liability shift. In card-not-present (CNP) payments, a liability shift refers to a rule change in who must cover the cost of a fraudulent transaction. Historically, it was the card issuer who bore the brunt. Today, that liability can transfer to the seller if the correct verification measures aren’t in place.
For example, if a CNP transaction skips 3D Secure (3DS) and later turns out to be unauthorised, the business is typically held responsible. If verification is attempted and accepted through 3DS2, the liability often moves to the issuer. These changes are designed to encourage stronger fraud controls across the payment process and help reduce fraud from unauthorised card use.
The EMV liability shift, which began rolling out in Europe in 2005 and later in other regions, restructured card-present fraud risk. If a retailer doesn’t use an EMV-enabled terminal and a counterfeit card is used, they assume the fraud liability.
This shift marked a turning point in the deployment of EMV chip cards, which are far more resistant to cloning than traditional magnetic stripe payment methods. Businesses that continue to accept magstripe transactions without chip card terminals remain liable in cases of counterfeit fraud, reinforcing the practical benefit of upgrading to EMV chip infrastructure.
With the rise in online payments came the need for stronger verification in the digital space. 3DS2 is the latest mobile-first standard that enables real-time, risk-based checks. When used correctly, 3DS2 shifts chargeback liability for fraud from the seller to the issuer. That means even if the transaction ends up being fraudulent, online sellers can avoid bearing the cost—so long as the correct data flows are completed.
It’s also important to note that even an attempted check can qualify for liability protection in some cases. If the 3DS2 challenge was initiated but not completed due to an issuer-side issue, liability may still shift.
The move to 3DS2 is not only about confirming identity—it’s a key enabler of the fraud liability shift, transferring financial responsibility away from sellers when protocols are followed.
Frictionless flows verify the customer in the background, using data rather than a visible challenge. Challenge flows require an active step, such as entering a one-time code. Both can lead to a successful liability shift, but challenge flows offer greater assurance in high-risk cases.
Risk-based authentication (RBA) uses real-time data to decide whether to trigger a challenge. It balances security with user experience. But the choice to go frictionless must be made carefully: if fraud occurs and the liability shift doesn’t apply, the retailer could be left absorbing the loss.
RBA serves as a targeted form of fraud prevention, enabling businesses to identify outliers without disrupting every transaction.
Example scenario:
Data quality is key. The liability shift under 3DS2 is contingent not just on identity checks, but on transmitting the right set of data—device info, risk scores, and customer attributes. Gaps here can mean losing the protection.
Not all transactions qualify for a liability shift. Merchant Initiated Transactions (MITs), Mail Order/Telephone Order (MOTO) payments, and unauthenticated recurring payments typically fall outside the shift framework. If 3DS is bypassed, fails, or is unavailable, the liability remains with the seller. In these cases, “no liability shift” means just that: the business is fully accountable for any fraud losses.
Organisations should also prepare for issuer declines or soft declines due to incomplete verification. Having retry logic or a fallback to a challenge flow can improve approval rates and restore liability protection.
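The fallback described above can be sketched as follows. This is an added example, not code from Antom or any card scheme: it models the article's rules in simplified form (an exemption request or an out-of-scope transaction type keeps liability with the business, a completed or attempted 3DS2 check moves it to the issuer) and retries a soft-declined payment once with a challenge. The `authorise` and `challenge` callables, the status strings and the transaction-type labels are hypothetical stand-ins for a real gateway integration.

```python
from dataclasses import dataclass
from enum import Enum

class Liability(Enum):
    MERCHANT = "merchant"
    ISSUER = "issuer"

# Transaction types the article lists as outside the shift framework (labels are assumptions).
NO_SHIFT_TYPES = {"MIT", "MOTO", "UNAUTHENTICATED_RECURRING"}

@dataclass(frozen=True)
class Attempt:
    txn_type: str            # "CNP" or one of NO_SHIFT_TYPES
    three_ds: str            # "authenticated" | "attempted" | "failed" | "skipped"
    exemption: bool = False  # True when the merchant requested an SCA exemption

def liability_holder(a: Attempt) -> Liability:
    """Simplified model of the article's rules; real scheme rules vary by network."""
    if a.txn_type in NO_SHIFT_TYPES or a.exemption:
        return Liability.MERCHANT
    if a.three_ds in ("authenticated", "attempted"):  # "attempted" shifting is an assumption
        return Liability.ISSUER
    return Liability.MERCHANT  # 3DS bypassed, failed or unavailable

def pay_with_fallback(authorise, challenge):
    """Try the low-friction route first; on a soft decline, retry once with a challenge.

    authorise(attempt) -> "approved" | "soft_decline" | "declined"  (hypothetical gateway call)
    challenge()        -> a three_ds outcome string                  (hypothetical 3DS2 step)
    Returns (final_status, liability or None, audit_trail).
    """
    trail = []  # every attempt is kept, which doubles as a dispute record
    attempt = Attempt("CNP", three_ds="skipped", exemption=True)
    status = authorise(attempt)
    trail.append((attempt, status))
    if status == "soft_decline":
        attempt = Attempt("CNP", three_ds=challenge())
        status = authorise(attempt)
        trail.append((attempt, status))
    liability = liability_holder(attempt) if status == "approved" else None
    return status, liability, trail

# Constructed issuer stub: soft-declines anything that arrives without a completed 3DS2 check.
def demo_issuer(a: Attempt) -> str:
    return "approved" if a.three_ds == "authenticated" else "soft_decline"

if __name__ == "__main__":
    status, who, trail = pay_with_fallback(demo_issuer, lambda: "authenticated")
    print(status, who, len(trail))
```

The audit trail shows which attempt was approved and under which verification outcome, which is the evidence needed when a chargeback is disputed.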
Major card networks like Visa, Mastercard, American Express, JCB, UnionPay, Cartes Bancaires, and Bancontact all have their own liability shift policies.
While the principles are generally consistent (fraud liability sits with the least secure party), implementation details vary across regions. Companies operating globally must stay aware of network-specific nuances.
In Europe, PSD2 (and future PSD3) mandates Strong Customer Authentication (SCA) for most CNP transactions (European Commission PSD2 Directive). EMV 3DS2 is a common way to meet that requirement, offering a route to both compliance and liability protection. While EMVCo standards aren't law, they provide the baseline for global payment verification.
The European Banking Authority also provides technical guidance and regulatory Q&A on how liability and exemptions apply in practice (EBA payment services guidance).
Key exemptions under PSD2 and their liability implications:
Choosing an exemption route improves customer experience but shifts liability back to the business. Calibrating that trade-off is critical.
To stay on the right side of the liability shift, businesses need to:
Configure 3DS rules dynamically
Handle issuer declines smartly
Maintain strong dispute records
Monitor card scheme updates
Combining these tactics strengthens your fraud prevention programme and reduces exposure to fraud and chargebacks, creating a more resilient payment infrastructure.
Liability shift frameworks aren't just procedural—they represent a tactical choice in how you mitigate exposure to fraud. By implementing up-to-date verification methods and knowing when the risk transfers from seller to issuer, your team can reduce the risk of fraud and make payments more secure.
Rather than treating liability shift as a fixed rule, consider it a responsive tool that—when used correctly—can limit financial loss and streamline your dispute management. Connect with Antom to explore how 3DS2 and adaptive checks can support your protection strategy and help curb your chargeback burden.