AI-generated Key Takeaways
- 
          Liability shift changes the responsibility for fraudulent Google Pay transactions from the merchant to the issuing bank (or vice versa) for eligible Mastercard and Visa transactions. 
- 
          Google Pay supports liability shift for qualified Mastercard and Visa transactions using Android device tokens ( CRYPTOGTAM_3DS).
- 
          Merchants using the Google Pay API can enable Visa liability shift to protect themselves from fraudulent transactions, but Google is not responsible for fraud determinations or program rules. 
- 
          Certain high-risk Merchant Category Codes (MCCs) are excluded from Visa's liability shift program in the US. 
- 
          To ensure transactions qualify for liability shift, merchants must enable the feature, provide accurate transaction amounts and currency codes, and use the correct Electronic Commerce Indicator (ECI) value. 
Liability shift is a change of responsibility to cover the losses from fraudulent transactions. The responsibility changes from the merchant to the issuing bank or the other way around.
It's globally available for device tokens transactions with Mastercard and Visa that are subject to rules and changes by the networks.
  Google Pay supports liability shift to issuers for qualified facilitated transactions that use
  Mastercard and Visa Android device tokens (CRYPTOGTAM_3DS).
Google Pay API merchants can use liability shift features through Visa and Mastercard programs that are subject to Visa and Mastercard rules. Google Pay supports these features and makes them available to merchants. But Google isn't responsible for determinations of fraud, program rules, eligibility requirements, losses, or errors because of enablement or disablement of these features.
For Visa, merchants need to enable Fraud liability protection for Visa device tokens. Refer to Enable Visa liability shift.
Mastercard device tokens don't have any exclusions. However, Visa in the US excludes the following high-risk Merchant Category Codes (MCCs):
- 4829: Money transfer
- 5967: Direct marketing - inbound teleservices merchant
- 
    6051: Non-financial institutions - foreign currency, non-fiat currency (for example, cryptocurrency), money orders (not money transfer), account funding (not stored value load), travelers cheques, and debt repayment
- 6540: Non-financial institutions - stored value card purchase or load
- 7801: Government-licensed online casinos (online gambling) (US region only)
- 7802: Government-licensed horse or dog racing (US region only)
- 
    7995: Betting includes lottery tickets, casino gaming chips, off-track betting, wagers at race tracks, and games of chance to win prizes of monetary value
If you follow the appropriate Android or Web best practices, no adjustments are required to your existing Google Pay API integrations for qualified liability shift.
Transaction liability is determined during facilitation, but it can change during transaction processing.
Shift liability for Visa device tokens
Merchants can enable the Fraud liability protection for Visa device tokens, and then all qualified transactions with Visa device tokens can benefit from liability shift for fraudulent transactions.
The qualified transactions for Fraud liability protection for Visa device tokens are marked and visible to Payment Service Providers (PSPs) and merchants with direct integration. The liability shift status isn't visible to merchants that use the gateway integration.
This option might cause a change in the user flow outside of Europe because users are asked to unlock the device to complete the transaction. For European Economic Area (EEA) transactions where Secure Customer Authentication (SCA) is mandated, there are no changes in the user flow.
  Make sure to set a correct price for all transactions. Google Pay API doesn't qualify transactions
  where totalPrice (Android, Web) is unknown or set to
  zero. This reduces the chance of confusion for your users, because the totalPrice is displayed to
  them in the payment sheet.
Ensure to apply liability shift
  Merchants need to enable Fraud liability protection for Visa device tokens, and pass the
  transaction amount (totalPrice:
  Android,
  Web) and transaction currency
  code (currencyCode:
  Android,
  Web) for each Google Pay API
  request. If amounts are hard coded, set to $0, or currency codes don't match the currency code
  used in payment authorization, those transactions don't qualify for liability shift and might be
  declined.
For direct integrations, merchants need to ensure that the Electronic Commerce Indicator (ECI) value (Android, Web) is passed to the processor. Refer to your payment gateway documentation to ensure that the correct field for the ECI value is populated in the payment request.
  For merchants with gateway integrations, PSPs get the eciIndicator (Android, Web) value,
  and pass it to the processing flow. Merchants need to check with their payment gateway to make
  sure that ECI values aren't hard coded or altered.
The card networks qualify the transaction for liability shift during facilitation. However, transactions that qualify for liability shift can downgrade due to the network rules during transaction authorization processing.
Transactions that are facilitated by Google Pay web integrations with optional features that use the Offer callbackIntent don't qualify for Visa liability shift.
Enable Visa liability shift
Here're the steps to enable Visa liability shift:
- Sign in to the Google Pay & Wallet Console.
- Go to the Google Pay API tab.
- Go to the Settings tab.
- Enable the Fraud Liability Protection for Visa Device Tokens toggle.
 
Enable Visa liability shift for Google Pay API hosted checkout
PSPs and platform partners need to enable Visa liability shift in their Google Pay & Wallet Console.
Liability shift status
The liability shift status isn't visible to merchants that use gateway integration. Contact your PSP to check whether they can provide a liability shift report.
  Merchants with a direct integration (Android, Web) can see liability shift status through the ECI
  values that are returned in the encrypted message, eciIndicator (Android, Web).