Image
Comparison of fraud liabilitiy in payments table.png
Back
If you’re a business that accepts card transactions, it’s crucial to understand the concept of the fraud liability shift in payments. The fraud liability shift determines who is financially responsible when fraud occurs and typically shifts between the merchant or card issuer, depending on several factors set by major card networks like Visa and Mastercard.
Over the last couple of decades, advancements in payment technology have reshaped how liability is assigned. As a merchant, staying ahead of these changes is crucial to reducing risk and maintaining trust while protecting revenue from chargebacks related to fraud.
This article is a complete breakdown of the fraud liability shift: how it works, what triggers it, and what practical steps you can take from the merchant side to reduce exposure and protect your business in today’s evolving payment landscape.
What is the fraud liability shift in payments?
Fraud liability shift in payments occurs when the financial responsibility for covering a fraudulent chargeback is transferred from one party to another, typically from the merchant to the card issuer.
Generally speaking, the party using less secure technology at the time of the transaction is held liable for any resulting fraud. However, on a more granular level, the responsibility for fraud-related losses varies based on factors like how the payment was made, where it occurred, security measures applied during checkout, and the type of transaction.
These liability shifts from merchant to issuer or vice versa represent a broader policy change in risk ownership within the payment ecosystem. It’s essential that merchants understand their responsibility in implementing secure transaction methods, as doing so can significantly reduce exposure to fraud-related losses.
EMV liability shift: A turning point in card fraud prevention
EMV (Europay, Mastercard, and Visa) is the global standard for chip-enabled cards and the payment terminals that read them. It’s maintained by EMVCo, the governing body for secure card payments, which has expanded to include most major networks, like Amex and Discover.
Europe implemented the EMV liability shift in the early 2000s, transitioning from magnetic stripe to chip-enabled cards as the standard. The U.S. followed in October 2015, establishing chip-and-PIN as the norm for in-person payments. This move was driven by upgraded security technology, where the newly embedded microchips in cards can generate unique transaction codes for each payment, making them much harder to clone or exploit using stolen data.
EMV standards also extend to contactless payments, including tap-to-pay cards and digital wallets like Apple Pay and Google Pay. These mobile transactions use near field communication (NFC) paired with Tokenization, and follow EMV-compliant protocols, offering the same level of security as chip card payments. As a result, EMV-enabled terminals equipped with NFC can accept mobile payments with the equivalent built-in fraud protections.
As a merchant, you’re not legally required to use EMV-enabled payment terminals, but doing so greatly reduces your fraud liability for in-person transactions. When you process payments using chip-and-PIN or via compliant contactless methods, liability for fraudulent transactions typically shifts from the merchant to the card issuer, especially in cases involving a card from an issuer that hasn’t adopted EMV standards.
How the fraud liability shift works in practice
Updating the global payment ecosystem in favour of chip-enabled cards helps close security gaps in traditional card-present transactions. In the case of restaurants, for example, customers’ cards have typically been taken out of sight to complete a payment on a fixed POS terminal. Today, however, it’s increasingly common for mobile EMV contactless card readers to be brought directly to the table, allowing transactions to happen in front of the cardholder. This reduces the risk of card skimming and fraud while also enhancing customer trust and creating a speedy checkout experience.
If you, as a merchant, continue to use outdated magstripe-only terminals, the liability shifts from the issuer to you, forcing the business to assume full responsibility for any fraudulent transactions that could have been prevented with chip or NFC technology. But if the fraud occurs on an EMV-compliant merchant terminal, the liability typically shifts back to the card issuer.
The key point to remember is that under the fraud liability shift, it’s up to merchants to ensure they have the proper payment technology in place to protect both customers and their business from financial losses related to fraud.
Card-present vs card-not-present
Liability rules differ significantly between card-present (CP) and card-not-present (CNP) transactions due to the level of security each environment provides. Below is a breakdown of the key liability rules that apply to CP and CNP transactions. Understanding these distinctions is essential for managing fraud risk and ensuring compliance as a merchant.
1. Card-present transactions (in-store)
In card-present transactions, where a card is typically inserted, tapped, or swiped at a terminal, EMV compliance is the main factor in determining who’s liable for fraudulent chargebacks. But merchants should also be aware of other key liability rules that apply to in-person payments. Understanding these rules, how they apply to your business, and what actions may cause a fraud liability shift are essential for protecting your company.
- EMV chip vs magstripe fallback – If a card is inserted into an EMV-enabled terminal and the chip is used, the transaction is protected through dynamic authentication. But if the chip fails, the merchant might ask the customer to swipe their card instead, referred to as using a magstripe fallback. If that transaction turns out to be fraudulent, the liability shifts to the merchant because they have agreed to accept a less secure payment method, and thereby assuming responsibility if anything goes wrong.
- NFC and contactless rules – Tap-to-pay transactions using NFC follow EMV contactless standards, meaning that if fraud occurs on a properly configured EMV-enabled terminal, liability typically shifts to the card issuer. However, if the merchant is using a non-EMV or non-NFC-capable terminal, they may be held liable for any fraudulent contactless transactions that occur.
- POS compliance thresholds – Major card networks set “no Cardholder Verification Method (CVM)” limits that allow low-value contactless payments to be completed without requiring a PIN or signature. In the U.S., this limit typically ranges between $50 and $100. In Europe, the no-CVM limit is generally around €50 per transaction. Under PSD2 regulations, European issuers must also enforce cumulative limits—usually triggering CVM (such as PIN entry) after five consecutive contactless transactions or once the total spend reaches approximately €250. If these payments are processed on an EMV-compliant terminal and stay within the regional thresholds, fraud liability typically shifts from the merchant to the card issuer.
2. Card-not-present transactions (online, phone, and app)
Card-not-present (CNP) transactions carry a higher risk of fraud because the card is not physically in front of you for the payment, and it’s harder to verify the customer’s identity.
Digital wallets like Apple Pay and Google Pay are often used to facilitate CNP transactions and provide an additional layer of security by tokenizing card details and utilizing biometric or device-based authentication. While this protects cardholder details, fraud liability ultimately depends on how the transaction is authenticated.
In most cases, merchants are liable for chargebacks from fraudulent CNP transactions unless the payment qualifies for an exemption under the Strong Customer Authentication (SCA) requirements. SCA mandates that payment service providers must verify the cardholder’s identity using two-factor authentication (2FA). However, some transactions are exempt, like low-value payments, transactions to trusted payees, and payments authenticated via 3D Secure, which plays a central role in shifting fraud liability from merchants to issuers.
The role of 3D Secure 2.0 in liability shift
The latest version of 3D Secure, 2.0 (3DS2), significantly enhances online payment security while enabling smoother and more flexible authentication for card-not-present transactions. It’s the primary standard used to meet SCA requirements in the EU and UK, mandated per the revised Payment Service Directive (PSD2) introduced in 2016.
While 3DS is not a legal requirement in the US or Canada (yet), liability shift incentives offered by major card networks encourage adoption by both merchants and issuers. When implemented correctly and supported by the issuer, 3DS2 allows merchants to shift liability for fraudulent chargebacks away from themselves, even in markets where SCA is not formally mandated.
In practice, 3DS2 facilitates two streamlined authentication flows for card-not-present transactions:
- Frictionless authentication flow – For low-risk transactions, 3DS2 allows for real-time, behind-the-scenes cardholder verification using contextual data like the device ID, transaction history, and geolocation. Since this happens in the background, the customer experiences no interruption at checkout, thereby creating a frictionless flow.
- Challenge authentication flow – When extra verification is needed, 3DS2 supports modern authentication methods, such as biometrics built into devices (Face ID or fingerprint). It also accommodates challenge options like push notifications, one-time passwords, and authenticator apps for issuers that don’t support biometrics.
When merchants implement 3DS2 correctly and issuers support it, fraud liability shifts from the merchant to the issuer, regardless of whether a challenge is triggered. As long as the 3DS2 protocol is properly followed, merchants are usually not liable for CNP chargebacks due to fraud.
What about merchant versus issuer liability?
So now the million-dollar question… who’s actually liable for fraudulent payments, the merchant or the card issuer?
The quick answer is: Merchant versus issuer liability is determined by rules set by card networks based on how the transaction was processed and which party used the more secure technology. Responsibility for chargebacks is generally assigned based on who could have prevented the fraud from occurring.
A more in-depth look: When a chargeback occurs, payment networks investigate whether the merchant or card issuer used the appropriate tools, such as EMV-enabled terminals, 3DS2, or card verification methods when required, determining who used the less secure or non-compliant method and holding them liable for fraud.
As a merchant, it’s important to keep SCA exemptions in mind, as certain low-value payments and recurring charges may not require full authentication but still qualify for protection against fraudulent chargebacks.
Liability rules also depend on who initiated the transaction. During cardholder-initiated transactions (CITs), when a customer makes a purchase online or in-store, authentication occurs in real-time, whether through 3DS verification or with EMV terminals. In contrast, merchant-initiated transactions (MITs), like recurring subscriptions or delayed charges, have different rules.
MITs are generally exempt from SCA, provided the original CIT was properly verified. However, since MITs fall under CNP and are not authenticated at the time of each transaction, liability for fraud remains with the merchant.
Here’s a quick overview of merchant versus issuer liability and what common cases may trigger a shift:
When the merchant is liable
The fraud liability typically shifts to merchants in the following scenarios:
- A transaction is processed using a magstripe-only POS terminal, rather than an EMV chip reader.
- The merchant fails to implement 3DS for a CNP transaction where it was mandated.
- The merchant manually enters card details, bypassing available authentication tools.
- An incorrectly configured merchant terminal or system results in a fallback to a less secure payment method.
- The merchant uses a payment service provider (PSP) that isn’t properly configured for fraud liability protection.
When the issuer is liable
Fraud liability shifts to the card issuers in these situations:
- A transaction is authenticated using 3DS2, and the issuer approves it.
- The issuer authenticates a transaction without a challenge during a frictionless flow.
- A merchant uses an EMV-compliant terminal, but the issuer provides a card without a chip.
- The merchant attempts to initiate 3DS authentication with an issuer that opts not to support it.
In all of these cases, the card issuer has more control over the fraud prevention tools and is expected to assume liability if they are not used.
What triggers liability shift? 7 common scenarios
When a merchant or issuer fails to meet the standards set by card networks, liability for fraud can shift to the party that didn’t do its part in creating a secure payment environment. If you’re a merchant, you should be aware of the following common scenarios to avoid responsibility for the financial burden of fraudulent chargebacks:
1. Swipe instead of chip: If you swipe a card rather than using the chip on an EMV-capable terminal, you forfeit liability protection because you’re choosing to accept a less secure payment method.
2. No 3DS on an e-commerce site: For CNP transactions, no 3DS on your merchant website means assuming full responsibility for fraudulent online transactions. Even if the card issuer doesn’t have 3DS enabled, you, as the merchant, still bear the liability burden since card networks expect 3DS initiation from the business side. However, if you attempt 3DS authentication on a transaction and it’s declined or fails on the issuer's side, the liability shifts to them.
3. Lost or stolen card used at non-EMV: When a lost or stolen card is used at a terminal that doesn’t support EMV, the merchant is liable, even if the card issuer could have flagged the transaction. But in cases where a stolen card is used at an EMV-enabled terminal and you decline a fallback method, the liability shifts to the issuer.
4. Merchant disables fraud filters: If, on the merchant side, you choose to turn off fraud detection tools like address verification service (AVS) or geolocation, you assume liability for any resulting fraudulent transaction, as these tools are essential for flagging suspicious activity.
5. Tokenization not implemented: Failing to use Tokenization to secure customer data can render your business liable if stolen data is misused, especially under PCI DSS compliance requirements. Through this process of swapping out sensitive card data with unique tokens, cardholder information stays protected, reducing liability risks on the merchant side.
6. Device fingerprint bypassed: Without device fingerprinting, your merchant system may not have enough information to properly flag a fraudulent transaction before it’s completed. Device fingerprinting is a core component of 3DS2 frictionless authentication and overall risk evaluation for CNP transactions, enabling the identification of known or suspicious devices. If the merchant side doesn’t align with expected standards surrounding relevant payments, liability shifts away from the issuer and onto you.
7. Chargebacks without documentation: Prove it or lose it. If you can’t provide sufficient evidence to respond to a chargeback, such as authentication logs or proof of delivery, you’ll automatically lose the dispute and bear the financial loss.
Comparison of fraud liability in payments
What can merchants do to protect themselves?
To protect your business from unexpected liability shifts, as a merchant, you should take a proactive approach to payment security and compliance. Implementing up-to-date, network-approved systems goes beyond protecting against chargebacks by ultimately futureproofing your business as the fraud landscape continues to evolve and regulations tighten over time.
Here’s what merchants can do to protect themselves from a fraud liability shift:
- Use EMV-compliant terminals: Ensure your POS terminals support EMV chip card transactions, which is the baseline for in-person fraud liability protection and helps shift the financial burden of chargebacks to the issuer in the event of counterfeit card use.
- Enable contactless and NFC payments: Support for contactless payments via NFC allows secure tap-to-pay experiences. When processed through EMV contactless protocols, these transactions offer the same liability protection as chip-and-PIN transactions.
- Implement strong CNP authentication: For online and mobile payments, enable the latest version of 3D Secure, 3DS 2.0, for secure customer authentication and to shift fraud liability from your business to card issuers. Support for biometric authentication via 3DS2 enhances both security and user experience, while reducing merchant liability in the event of fraud.
- Automate chargeback management: If you implement solutions that automate chargeback responses, you can log and track evidence in real time. Well-documented responses to fraud can reduce business losses and improve win rates when it comes to dispute resolution.
- Use Tokenization and end-to-end encryption: Tokenization and encryption work together to secure sensitive card and transaction information from the moment it's captured, cutting down on exposure to data breaches and fraud. This is especially important for subscription-based models and stored credentials, as it eliminates the need for sensitive customer information to ever touch the merchant system.
- Maintain PCI DSS compliance: Aligning with the Payment Card Industry Data Security Standard (PCI DSS) helps ensure your systems securely handle cardholder data. While PCI compliance doesn’t guarantee a liability shift, non-compliance can leave your business more vulnerable in the event of fraud or a breach, and will likely lead to a weaker position in a chargeback dispute.
The hidden cost of non-compliance
Non-compliance with fraud prevention standards can lead to serious consequences under liability shift rules, including chargeback losses, fines and fees, reputational damage, and partner restrictions with PSPs and banks.
Staying compliant helps protect your business from preventable losses that stem from fraud liability shifts. By adopting secure technologies and adhering to network rules, merchants can minimise risk and unnecessary financial exposure from chargebacks and disputes.
How we help merchants mitigate fraud and liability
Planet provides merchants with a secure, future-ready payment ecosystem designed to reduce fraud risk and prevent liability shifts. Our solutions combine the latest payment technology with global expertise to support hotelier, retailers and unattended merchants across both in-store and online channels with:
- EMV-compliant checkout hardware
- 3DS2 integration for CNP
- Robust Tokenisation
- Secure payment gateway infrastructure
- Global expertise with localised protection
Discover Planet’s fraud prevention solutions
Final thoughts about the fraud liability shift in payments
To reiterate, the fraud liability shift is not random. It’s determined by clearly defined rules set by card networks based on how securely a transaction is processed. Whether you’re a merchant with a physical storefront or sell goods and services online, the tools you use (or fail to implement) directly determine whether you will absorb the cost when fraud occurs.
The main point to remember about the fraud liability shift in payments is that proactive protection is always better than a reactive response. By adopting EMV-compliant terminals, enabling 3DS2, and leveraging Tokenization with fraud detection tools, you can significantly reduce your exposure as a merchant to both chargebacks and broader operational and reputational damage from fraud.
Looking to the future, the payment landscape will continue to evolve, and so will expectations surrounding security and liability for fraud. Merchants who invest in secure, scalable infrastructure now will be in a better position to navigate tomorrow’s risks with confidence.
Planet helps future-focused merchants stay ahead of challenges related to fraud and liability with global payment solutions designed to reduce risk and keep liability in the hands of the card issuers. Learn about how we can support your business today.
Disclaimer: The information provided in this blog is for general informational purposes only and does not constitute legal advice. We are not legal professionals, and the content is not legally binding. While we strive for accuracy, we accept no legal responsibility for any actions taken based on the information provided.
Stay in English