Shift liability to issuer

Liability shift is a change of responsibility to cover the losses from fraudulent transactions. The responsibility changes from the merchant to the issuing bank or the other way around.

It's globally available for device tokens transactions with Mastercard and Visa that are subject to rules and changes by the networks.

Google Pay supports liability shift to issuers for qualified facilitated transactions that use Mastercard and Visa Android device tokens (CRYPTOGTAM_3DS).

Google Pay API merchants can use liability shift features through Visa and Mastercard programs that are subject to Visa and Mastercard rules. Google Pay supports these features and makes them available to merchants. But Google isn't responsible for determinations of fraud, program rules, eligibility requirements, losses, or errors because of enablement or disablement of these features.

For Visa, merchants need to enable Fraud liability protection for Visa device tokens. Refer to Enable Visa liability shift.

Mastercard device tokens don't have any exclusions. However, Visa in the US excludes the following high-risk Merchant Category Codes (MCCs):

  • 4829: Money transfer
  • 5967: Direct marketing - inbound teleservices merchant
  • 6051: Non-financial institutions - foreign currency, non-fiat currency (for example, cryptocurrency), money orders (not money transfer), account funding (not stored value load), travelers cheques, and debt repayment
  • 6540: Non-financial institutions - stored value card purchase or load
  • 7801: Government-licensed online casinos (online gambling) (US region only)
  • 7802: Government-licensed horse or dog racing (US region only)
  • 7995: Betting includes lottery tickets, casino gaming chips, off-track betting, wagers at race tracks, and games of chance to win prizes of monetary value

If you follow the appropriate Android or Web best practices, no adjustments are required to your existing Google Pay API integrations for qualified liability shift.

Transaction liability is determined during facilitation, but it can change during transaction processing.

Shift liability for Visa device tokens

Merchants can enable the Fraud liability protection for Visa device tokens, and then all qualified transactions with Visa device tokens can benefit from liability shift for fraudulent transactions.

The qualified transactions for Fraud liability protection for Visa device tokens are marked and visible to Payment Service Providers (PSPs) and merchants with direct integration. The liability shift status isn't visible to merchants that use the gateway integration.

This option might cause a change in the user flow outside of Europe because users are asked to unlock the device to complete the transaction. For European Economic Area (EEA) transactions where Secure Customer Authentication (SCA) is mandated, there are no changes in the user flow.

Make sure to set a correct price for all transactions. Google Pay API doesn't qualify transactions where totalPrice (Android, Web) is unknown or set to zero. This reduces the chance of confusion for your users, because the totalPrice is displayed to them in the payment sheet.

We are excited to bring liability shift for Visa device tokens in the coming months to our merchants and web integrations that use callbackIntents, like Authorize Payments, Dynamic Price Updates, and Promo Codes.

Ensure to apply liability shift

Merchants need to enable Fraud liability protection for Visa device tokens, and pass the transaction amount (totalPrice: Android, Web) and transaction currency code (currencyCode: Android, Web) for each Google Pay API request. If amounts are hard coded, set to $0, or currency codes don't match the currency code used in payment authorization, those transactions don't qualify for liability shift and might be declined.

For direct integrations, merchants need to ensure that the Electronic Commerce Indicator (ECI) value (Android, Web) is passed to the processor. Refer to your payment gateway documentation to ensure that the correct field for the ECI value is populated in the payment request.

For merchants with gateway integrations, PSPs get the eciIndicator (Android, Web) value, and pass it to the processing flow. Merchants need to check with their payment gateway to make sure that ECI values aren't hard coded or altered.

The card networks qualify the transaction for liability shift during facilitation. However, transactions that qualify for liability shift can downgrade due to the network rules during transaction authorization processing.

Transactions that are facilitated by Google Pay web integrations with optional features that use callbackIntents, like Authorize Payments, Dynamic Price Updates, and Promo Codes, can't qualify for Visa liability shift. These aren't supported on mWeb, the websites with Google Pay API web integration, loaded on an Android device that uses a Chrome browser.

Enable Visa liability shift

Here're the steps to enable Visa liability shift:

  1. Sign in to the Google Pay & Wallet Console.
  2. Go to the Google Pay API tab.
  3. Go to the Settings tab.
  4. Enable the Fraud Liability Protection for Visa Device Tokens toggle.

Enable Visa liability shift for Google Pay API hosted checkout

PSPs and platform partners need to enable Visa liability shift in their Google Pay & Wallet Console.

Liability shift status

The liability shift status isn't visible to merchants that use gateway integration. Contact your PSP to check whether they can provide a liability shift report.

Merchants with a direct integration (Android, Web) can see liability shift status through the ECI values that are returned in the encrypted message, eciIndicator (Android, Web).