ECI Indicator (3-D Secure) Reference

Field: three_ds.eci_indicator
Type: String (2-digit numeric, leading zero must be preserved)
Description: The Electronic Commerce Indicator (ECI) is returned by the 3-D Secure authentication flow. It identifies the authentication outcome and is the primary signal used to determine whether fraud chargeback liability shifts from the merchant to the issuer (Liability Shift).

1. ECI Values

ECI encoding differs by card network. Always map by card brand.

Visa / American Express / JCB / Discover / Diners

ECI	Meaning	Liability Shift
`05`	Fully Authenticated (cardholder authenticated by issuer)	✅ Highest probability
`06`	Attempted (issuer/cardholder not enrolled, but merchant attempted)	⚠️ Conditional
`07`	Not Authenticated / authentication failed	❌ No

Mastercard

ECI	Meaning	Liability Shift
`02`	Fully Authenticated	✅ Highest probability
`01`	Attempted	⚠️ Conditional
`00`	Not Authenticated / authentication failed	❌ No

2. Liability Shift Rules

✅ Highest probability of shift (Fully Authenticated)

Card Network	ECI
Visa / Amex / JCB / Discover / Diners	`05`
Mastercard	`02`

⚠️ Conditional shift (Attempted) — not guaranteed

Card Network	ECI
Visa / Amex / JCB / Discover / Diners	`06`
Mastercard	`01`

Factors that affect attempted liability shift:

Factor	Notes
Card type	Commercial / corporate / business cards typically do not qualify for attempted shift
Regional rules	Under EU PSD2 SCA, "attempted" may not count as compliant authentication
Transaction type	MOTO, recurring / MIT, agent-initiated transactions are often excluded
MCC / merchant category	High-risk MCCs (gambling, crypto, wire transfer, FX, stored-value, etc.) may be excluded by networks
Network rule version	Visa / Mastercard rules are updated periodically; the version in effect at the time of the transaction applies
Amex SafeKey version	SafeKey 1.0: `06` does not shift; SafeKey 2.0 / EMV 3DS 2.x: `06` generally shifts
Issuer / acquirer agreement	Bilateral agreements may override defaults

❌ No liability shift

Card Network	ECI
Visa / Amex / JCB / Discover / Diners	`07`
Mastercard	`00`

3. Integration Examples

Request

For standard card 3DS, only eci_indicator is required:

{
  "payment_method": {
    "type": "card",
    "card": { "...": "..." },
    "authentication_method": {
      "type": "three_ds",
      "three_ds": {
        "eci_indicator": "05"
      }
    }
  }
}

Wallet tokenized flows (Apple Pay / Google Pay) additionally carry online_payment_cryptogram, automatically returned by the wallet. Standard card payments do not need this field.

Response

{
  "payment_method_details": {
    "type": "card",
    "three_ds": {
      "eci_indicator": "05",
      "id": "3ds_server_xxx"
    }
  }
}

Fields:

eci_indicator: ECI value of this 3DS authentication

id: 3DS Server Transaction ID

4. Notes

ECI must preserve the leading zero (e.g., "05", "02", "00"). Do not pass it as an integer or strip the zero.

If 3DS is not performed, simply omit eci_indicator; the transaction will be processed as non-3DS.

Even with ECI 05 / 02, liability shift is not 100% guaranteed. Final adjudication depends on network rules and the actual authorization / dispute outcome.

The issuer may downgrade the requested ECI (e.g., 05 → 06); acquirers generally do not surface this downgrade.

5. References

EMVCo 3-D Secure Protocol Specification (authoritative source)

Visa Core Rules and Visa Product and Service Rules

Mastercard Chargeback Guide

American Express SafeKey Program Guide

JCB J/Secure Program Guide

Discover ProtectBuy Program Guide

ECI Indicator (3-D Secure) Reference

1. ECI Values#

Visa / American Express / JCB / Discover / Diners#

Mastercard#

2. Liability Shift Rules#

✅ Highest probability of shift (Fully Authenticated)#

⚠️ Conditional shift (Attempted) — not guaranteed#

❌ No liability shift#

3. Integration Examples#

Request#

Response#

4. Notes#

5. References#