3DS authentication and liability shift


3D Secure authentication protects the merchant against "cardholder challenge".

The term "liability shift" is used when liability for unpaid amounts due to fraud (stolen or forged cards) is transferred from the merchant to the bank that issued the card used for payment (the end customer's bank).

All Axepta merchants are registered in the 3D Secure program. Registration is handled by the Axepta teams during onboarding.


3D Secure enrolment does not protect the merchant against all types of unpaid and fraudulent transactions.

3D Secure authentication protection does not apply to:

  • MOTO payments or payments entered manually in the Back-Office (BO) by the merchant
  • recurring payments or installments (excluding the 1st transaction)
  • batch payments



Matrix : Liability shift for 3DSV1 and 3DSV2


The following table shows the cases where liability shift applies:


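LIABILITY SHIFT TO ISSUING BANK, by 3DS authentication result

| Brand | Product | 3D SUCCESS* | 3D ATTEMPT (with cryptogram) | 3D ATTEMPT (without cryptogram) | 3D NOT ENROLLED | 3D ERROR | 3D FAILURE |
|---|---|---|---|---|---|---|---|
| CB | All | YES | YES | YES | YES | NO | NO |
| VISA | All | YES | YES | NO | NO | NO | NO |
| MASTERCARD | All | YES | YES | NO | NO | NO | NO |
| ALL | Prepaid | NO | NO | NO | NO | NO | NO |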

* For a strong authentication request without a frictionless or exemption request; see the table 'Liability shift & Frictionless' below.



In the Axepta Back-Office, the following fields show the result of the authentication:

| Field in the Back-Office | Card | 3D SUCCESS | 3D ATTEMPT (with cryptogram) | 3D ATTEMPT (without cryptogram) | 3D NOT ENROLLED | 3D ERROR | 3D FAILURE |
|---|---|---|---|---|---|---|---|
| Transaction Status | All cards | Y | A | A | - | N | U |
| ECI | Visa or CB (cobadged Visa) | 05 | 06 | 06 for CB / NA for Mastercard | 07 | 07 | 07 |
| ECI | Mastercard or CB (cobadged Mastercard) | 02 | 01 | 01 for CB / NA for Visa | 00 | 00 | 00 |
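
As an added example (not Axepta code), the first matrix, the Transaction Status mapping and the exclusion list above can be combined into a reconciliation check that flags transactions whose fraud liability stays with the merchant. The record field names and channel labels are assumptions for an exported transaction list, and the 3D SUCCESS column is applied as for a strong authentication request without a frictionless or exemption request.

```python
# Added example: field names and channel labels are assumed, not Axepta's.
# Transaction Status -> authentication result (Back-Office table above).
STATUS_TO_RESULT = {"Y": "SUCCESS", "A": "ATTEMPT", "-": "NOT_ENROLLED",
                    "N": "ERROR", "U": "FAILURE"}

# Results that shift liability to the issuing bank, per brand (first matrix).
SHIFT = {
    "CB": {"SUCCESS", "ATTEMPT_WITH_CRYPTOGRAM",
           "ATTEMPT_WITHOUT_CRYPTOGRAM", "NOT_ENROLLED"},
    "VISA": {"SUCCESS", "ATTEMPT_WITH_CRYPTOGRAM"},
    "MASTERCARD": {"SUCCESS", "ATTEMPT_WITH_CRYPTOGRAM"},
}

# Payment flows the page lists as outside 3D Secure protection.
EXCLUDED = {"MOTO", "BACK_OFFICE_MANUAL", "RECURRING_SUBSEQUENT", "BATCH"}


def liability(tx):
    """Return (holder, reason); holder is 'ISSUER' or 'MERCHANT'."""
    if tx["channel"] in EXCLUDED:
        return "MERCHANT", "excluded flow: " + tx["channel"]
    if tx["product"].upper() == "PREPAID":
        return "MERCHANT", "prepaid card"
    result = STATUS_TO_RESULT.get(tx["status"])
    if result is None:  # unknown status: fail closed
        return "MERCHANT", "unknown Transaction Status"
    if result == "ATTEMPT":
        suffix = "_WITH_CRYPTOGRAM" if tx.get("cryptogram") else "_WITHOUT_CRYPTOGRAM"
        result += suffix
    # Unknown brands also fail closed (no shift assumed).
    holder = "ISSUER" if result in SHIFT.get(tx["brand"].upper(), set()) else "MERCHANT"
    return holder, result


def exposed(transactions):
    """IDs of transactions whose fraud liability stays with the merchant."""
    return [t["id"] for t in transactions if liability(t)[0] == "MERCHANT"]


# Constructed sample rows, not real transactions.
SAMPLE = [
    {"id": "t1", "brand": "VISA", "product": "Credit", "status": "Y", "channel": "ECOM"},
    {"id": "t2", "brand": "VISA", "product": "Credit", "status": "A", "cryptogram": False, "channel": "ECOM"},
    {"id": "t3", "brand": "CB", "product": "Debit", "status": "-", "channel": "ECOM"},
    {"id": "t4", "brand": "MASTERCARD", "product": "Prepaid", "status": "Y", "channel": "ECOM"},
    {"id": "t5", "brand": "CB", "product": "Debit", "status": "Y", "channel": "MOTO"},
    {"id": "t6", "brand": "MASTERCARD", "product": "Credit", "status": "A", "cryptogram": True, "channel": "ECOM"},
]
```

Transactions returned by `exposed` are the ones to prioritise for fraud screening, since a fraud chargeback on them falls on the merchant.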




Matrix : Liability shift & Frictionless


In a strongly authenticated transaction (SCA - 3DS), the merchant can indicate which type of authentication it wishes to perform.

To do so, the merchant adds the JSON object threeDSPolicy to the payment request in order to:

  • Mandate an authentication
  • Request a passive authentication (frictionless)
  • Request an exemption


Important : The final choice of the authentication type applied to the transaction is made by the issuing bank (cardholder's bank).



In the case of 3DS Success, the liability shift depends on the card brand and the authentication type requested by the merchant (frictionless, exemption, etc.):


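LIABILITY SHIFT TO ISSUING BANK

Brand columns: CB; Mastercard (ECI = 05); Visa (ECI = 02); American Express

| Merchant request - value for "challengePreference" | Challenge Indicator | Authentication method (DS/ACS) | Liability, as listed across the brand columns |
|---|---|---|---|
| No preference | 01 | Frictionless* / Challenge | Issuer |
| No challenge | 02 | Frictionless* | Merchant, Issuer |
| No challenge | 02 | Challenge | Issuer |
| Request challenge | 03 | Frictionless* / Challenge | Issuer |
| Challenge Requested (mandate) | 04 | Challenge | Issuer |
| Exemption : TRA acquirer | 05 | Frictionless* | Merchant, N.A. |
| Exemption : TRA acquirer | 05 | Challenge | Issuer, N.A. |
| Exemption : Low Amount | 02 | Frictionless* | Merchant, Issuer, N.A. |
| Exemption : Low Amount | 02 | Challenge | Issuer, N.A. |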

* Frictionless or Frictionless delegation

