Turn payment security into customer convenience

Paula Costa

Product Manager Cards at Ingenico ePayments, Global Online

By acting now, you can deliver secure, compliant transactions without compromising the user experience. This means you’re able to turn payment security into customer convenience. This article is designed to help merchants looking to understand how 3D Secure 2.2 impacts fraud liabilities – and how they can best prepare.

The latest version of 3D Secure (3DS), the industry-standard means for achieving SCA compliance, is designed to deliver the game-changing, intuitive customer experience previous versions lacked. How? By integrating seamlessly into customers’ payment journeys to protect online credit card transactions against fraud, while also complying with SCA.  

Liability shift occurs when the responsibility for fraud-related chargebacks on a payment transaction changes from the default liability holder. In an ePayments context, it means the liability shifts from the merchant to the card issuer.

For merchants, the latest version of 3D Secure, 3DS 2.2, has many advantages. One key area of debate, however, has been around where the buck stops when it comes to transaction fraud – when does responsibility sit with the issuer, and when with the merchant? Previously, merchants without 3D Secure would always be liable. But with 3DS 2.2, the rules are shifting.

The good news is that in most cases, when 3D Secure is implemented correctly, transaction fraud liability will automatically shift from the merchant to the issuer. So, when an issuer authenticates a payment via 3D Secure, it becomes liable for fraud-related chargebacks. This represents a huge incentive for businesses to adopt 3DS 2.2.

However, issuer liability is subject to a few exceptions, and will depend on the version of 3D Secure merchants implement.

The three exceptions to issuer responsibility occur when:

1. The merchant requests an exemption

If this exemption is accepted by the issuer and no SCA is performed, liability shifts back to the merchant.

2. After the first Merchant Initiated Transaction

For repeat payments, such as subscriptions, the merchant is liable for subsequent transactions. However, with 3DS 2.2, some schemes like Mastercard will ‘authenticate’ ongoing transactions initiated by the merchant and liability will shift to the issuer.

3. For mail order/telephone order (MOTO) transactions

Liability for a MOTO transaction lies with the merchant, unless 3DS 2.2 is used with decoupled authentication (where the authentication and the payment are processed at different times).


A closer look at online payments

In practice though, online transactions cover a huge range of different scenarios, which can make liability confusing. Ingenico has compiled an overview of three key outcomes and when they might apply, so merchants know where they stand when it comes to fraudulent transactions.

Outcome one:
The issuer is always liable, unless the merchant is using 3DS 2.2 and is granted an exemption by the issuer.

When it might apply:

  • Immediate payments where a consumer makes a purchase online and pays the full amount (common in the retail industry).
  • Fast checkout online where a consumer uses pre-filled card details to complete the fields required to make a payment.

Outcome two:
The issuer is generally liable for transactions.

When it might apply:

  • Pre-order of products online (e.g. ordering a video game before release) where the merchant authorizes the full payment at a later date.
  • Multiple products bought from an online marketplace where the marketplace (e.g. Amazon or eBay) authorizes the transaction and passes the information onto merchants.

Outcome three:
The issuer is liable for the first collection of a Merchant Initiated Transaction payment. The merchant is liable for subsequent payment collections, unless 3RI (3DS Requestor Initiated authentication) was used (Mastercard only), which is only available with 3DS 2.2.

When it might apply:

  • Online streaming with a monthly subscription fee where the merchant starts collecting after the trial period ends.
  • Online streaming through a website where the consumer agrees to a subscription and a fee is charged immediately.
  • On-demand online streaming with increasing fees where the monthly fee increases as the customer changes to a premium subscription.

You can find a detailed breakdown of different payment scenarios in Ingenico’s PSD2 guide.


Get the support you need, and make PSD2 work for you

Frictionless authentication through 3DS 2.2 largely shifts fraud liability away from merchants, without any impact on the customer experience. Plus, it presents a fantastic opportunity for businesses to capture and communicate customer information, which can be used to evolve business models.

To leverage the full benefits of these changes, Ingenico recommends that merchants review their payments strategy and processes to make sure they are fully compliant well ahead of the December 2020 deadline. Using Ingenico’s PSD2 roadmap, merchants can see what they need to do – and when – to be sure they are on track. That way they can gather and test the data they need before authentication becomes a mandatory requirement.

Early adoption of 3DS 2.2, which supports the main exemptions of regular online payments and offline authentication, will put merchants in a strong position to make the best of all the opportunities that 3D Secure offers.

Ingenico can help with every aspect of 3D Secure implementation. Plus, merchants can benefit from unrivalled support and expert insight into how best to use customer data to streamline authentication processes.


This article was originally published on blog.ingenico.com. Since October 28, 2020, Ingenico has joined Worldline.