worldline

Documentation

Clarifying Liability and Security Expectations for Digital Wallet Transactions (Apple Pay / Google Pay)

Since the introduction of wallets in ecommerce, there has been a perception that wallet-based payments are inherently secured and that liability for fraud or chargebacks rests with the issuer. This is not always the case. Both Visa and Mastercard define scenarios where token-based transactions may be unsecured, depending on token security levels.

How to determine if a wallet transaction is secured

  • In both Apple Pay and Google Pay integrations, the merchant/PSP receives:

    • The Card token

    • The Token cryptogram

    • ECI (Electronic Commerce Indicator), which signals the security level of the token

Security guidance by network

  • Visa: An ECI of 7 indicates merchant liability in case of a fraud-related chargeback.

  • Mastercard: An ECI of 0 or an empty ECI indicates merchant liability in case of a fraud-related chargeback.

What this means for you

  • Do not assume wallet transactions are secured by default. Evaluate each transaction’s ECI to determine who is liable (merchant or issuer).

  • If ECI indicates the token is not secured, proceed with appropriate risk controls and dispute/chargeback handling in line with your existing processes.
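The per-network ECI check described above, as an added Python example (not Worldline's code). The field names, the return labels, the acceptance of two-digit forms such as "07", and the choice to send cases this page gives no rule for to manual review are assumptions.

```python
# Added example: names and labels are assumptions, not a Worldline API.
MERCHANT = "merchant_liable"   # the page's guidance flags merchant liability
NOT_FLAGGED = "not_flagged"    # the page's guidance does not flag this ECI
REVIEW = "review"              # no rule on the page; do not assume secured


def normalize_eci(raw):
    """Return the ECI as an int, or None when it is absent or empty.

    Assumption: the value may arrive as "7", "07", 7, "" or None.
    Raises ValueError for anything non-numeric so it is never trusted silently.
    """
    if raw is None:
        return None
    text = str(raw).strip()
    if text == "":
        return None
    if not text.isdigit():
        raise ValueError(f"non-numeric ECI: {raw!r}")
    return int(text)


def wallet_liability(network, raw_eci):
    """Apply this page's per-network guidance to one wallet payment."""
    try:
        eci = normalize_eci(raw_eci)
    except ValueError:
        return REVIEW
    scheme = str(network).strip().lower()
    if scheme == "visa":
        if eci is None:
            return REVIEW      # the page states no rule for a missing Visa ECI
        return MERCHANT if eci == 7 else NOT_FLAGGED
    if scheme == "mastercard":
        # An ECI of 0 or an empty ECI indicates merchant liability.
        return MERCHANT if eci is None or eci == 0 else NOT_FLAGGED
    return REVIEW              # network not covered by this page


def triage(transactions):
    """Return the payments that need the merchant's own risk controls."""
    return [t for t in transactions
            if wallet_liability(t["network"], t["eci"]) != NOT_FLAGGED]


# Constructed sample payments (not real data).
SAMPLES = [
    {"id": "t1", "wallet": "applepay", "network": "VISA", "eci": "07"},
    {"id": "t2", "wallet": "googlepay", "network": "VISA", "eci": "05"},
    {"id": "t3", "wallet": "applepay", "network": "MASTERCARD", "eci": ""},
    {"id": "t4", "wallet": "googlepay", "network": "MASTERCARD", "eci": "02"},
]
```

`triage(SAMPLES)` returns the payments `t1` and `t3`, which are the ones to route through risk controls and chargeback handling.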

How to increase the liability shift for Google Pay with Visa cards

Merchants using the Google Pay Hosted Checkout integration can enable the liability shift in the Google Pay & Wallet Console. They need to follow the instructions here.

Note that some payments will still not be secured, but enabling this extends the coverage (more payments with liability shift).