3DS is a partial shield with specific shapes. The carve-outs cluster around what counts as a real authentication and around reason codes that 3DS never covered at all.
3-D Secure is sold as a liability shield: a merchant who authenticates the customer at checkout no longer carries the fraud risk; the issuer takes it. The framing is broadly correct, but the carve-outs are where merchants lose cases they thought they had hedged.
What counts as a real authentication is where most of the carve-outs sit. A full Visa authentication (ECI 5) shifts liability, but an "attempts only" response (ECI 6), where 3DS was invoked but the issuer's system declined or was unavailable, does not always shift, with rules varying by region. Visa Data Only, a separate product that runs the 3DS pipe for issuer risk-scoring without challenging the cardholder, does not shift at all. Cards not enrolled in 3DS return a non-authenticated response with no shift, and transactions where the merchant authenticated but failed to pass the CAVV through to the authorization can be re-litigated by the issuer after the fact.
Other carve-outs have nothing to do with authentication quality. Non-fraud reason codes (13.x consumer disputes, 11.x authorization disputes) are never covered regardless of authentication. Specific MCCs are excluded (gambling, adult, certain digital subscription categories). PSD2 SCA exemptions claimed by the merchant in the EEA pull liability back, on the principle that the merchant chose not to authenticate. 3DS is a partial shield with specific shapes; merchants who treat it as uniform protection will find that the cases shifted are a meaningful share, but never all of them.
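The carve-outs above, written as a triage check a merchant could run over disputed transactions. This is an added example, not code from the original page or from any card network; the `Txn` fields, the order of the checks, the `review` outcome for cases the text describes as region-dependent or re-litigable, the MCC placeholder and the sample records are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder: the page names excluded categories but lists no MCC values.
EXCLUDED_MCCS = {"MCC-EXCLUDED-PLACEHOLDER"}

@dataclass
class Txn:
    txn_id: str
    dispute_code: str             # Visa dispute condition, e.g. "10.4"
    mcc: str
    eci: Optional[int] = None     # 5 = full authentication, 6 = attempts only
    cavv_in_auth: bool = False    # CAVV passed through to the authorization
    data_only: bool = False       # Visa Data Only, no cardholder challenge
    sca_exemption: Optional[str] = None  # "TRA", "low-value", "MIT", "corporate"

def liability(t: Txn) -> tuple:
    """Return (holder, reason); holder is 'issuer', 'merchant' or 'review'."""
    if not t.dispute_code.startswith("10."):
        return "merchant", "non-fraud dispute condition is outside the shift"
    if t.mcc in EXCLUDED_MCCS:
        return "merchant", "MCC excluded from the shift"
    if t.sca_exemption:
        return "merchant", "merchant claimed SCA exemption " + t.sca_exemption
    if t.data_only:
        return "merchant", "Visa Data Only carries no shift"
    if t.eci == 5 and t.cavv_in_auth:
        return "issuer", "full authentication with CAVV in authorization"
    if t.eci == 5:
        return "review", "authenticated but CAVV missing from authorization"
    if t.eci == 6:
        return "review", "attempts only; shift varies by region"
    return "merchant", "no authentication result"

def unshielded(txns):
    """Map txn_id -> (holder, reason) for every transaction not clearly shifted."""
    return {t.txn_id: r for t in txns if (r := liability(t))[0] != "issuer"}

# Constructed sample records, not real transactions.
SAMPLE = [
    Txn("t1", "10.4", "5999", eci=5, cavv_in_auth=True),
    Txn("t2", "10.4", "5999", eci=5, cavv_in_auth=False),
    Txn("t3", "10.4", "5999", eci=6, cavv_in_auth=True),
    Txn("t4", "13.1", "5999", eci=5, cavv_in_auth=True),
    Txn("t5", "10.4", "5999", sca_exemption="TRA"),
    Txn("t6", "10.4", "5999", data_only=True),
    Txn("t7", "10.4", "MCC-EXCLUDED-PLACEHOLDER", eci=5, cavv_in_auth=True),
]

if __name__ == "__main__":
    for txn_id, (holder, reason) in unshielded(SAMPLE).items():
        print(txn_id, holder, reason)
```

Of the seven constructed records only `t1` comes back as issuer liability; the `review` rows are the ones to check against regional rules and the authorization message before relying on the shift.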
Sources
- A full Visa authentication response (ECI 5) shifts liability on fraud reason codes; an "attempts only" response (ECI 6) does not shift in all regions, and Visa Data Only runs the 3DS pipe for issuer risk-scoring without challenging the cardholder, with no liability shift. Visa Secure Program Guide; Visa Core Rules and Visa Product and Service Rules, 18 April 2026
- 3DS liability shift applies to fraud-related Visa Dispute Conditions only (10.x); non-fraud conditions (11.x, 12.x, 13.x) are not covered regardless of authentication. Visa Core Rules, Section on 3DS liability allocation
- Specific merchant category codes (gambling, adult, certain digital subscription categories) are excluded from 3DS liability shift by network rule. Visa Secure Program Guide; Mastercard Identity Check Operations Guide
- In the EEA and UK under PSD2, a merchant claiming an SCA exemption (TRA, low-value, MIT, corporate) carries the fraud liability for that transaction. EBA RTS on Strong Customer Authentication, 2019; PSD2