Fraud Liability Shift for PSPs: What the 2025 Rule Changes Mean

New Visa and Mastercard liability frameworks put more fraud cost on PSPs who lack real-time scoring. We break down the thresholds and what risk ops should prepare.

The liability shift conversation in payments has been running for years, mostly centered on EMV chip adoption. What changed in 2025 is that both major card networks updated their merchant and acquirer programs in ways that specifically tighten the screws on payment service providers who route transactions without real-time fraud controls. The updates are not a sudden cliff — they are a ratchet, and PSPs who have been coasting on rule-based checks are finding the cost of that choice showing up in their monthly statements.

This piece is not a comprehensive reading of the Visa Core Rules or the Mastercard Security Rules and Procedures. Those documents are dense and apply differently depending on your program type, region, and volume tier. What we can offer is practitioner framing: what the threshold mechanics look like, where liability lands, and what the gap is between "we have a rules engine" and "we have real-time behavioral scoring."

The Monitoring Program Trigger Points

Both networks operate tiered monitoring programs for merchants and, increasingly, for acquirers and PSPs. The terminology differs — Visa has the Visa Fraud Monitoring Program (VFMP) and Mastercard has the Excessive Fraud Merchant (EFM) program — but the structure is similar: you cross a threshold, you enter a monitoring window, you pay fines if you don't remediate, and at the outer limit you risk losing card acceptance.

The 2025 updates shifted several of those thresholds downward and, critically, changed how liability is calculated for card-not-present fraud in scenarios where the PSP has not deployed 3DS2 or an equivalent authenticated-transaction mechanism. Under the updated Visa rules, if a CNP transaction is processed without authentication and results in a fraud chargeback, and the issuer has deployed 3DS2 on their side, the liability defaults to the acquirer — meaning the PSP absorbs the loss, not the issuer.

That sounds straightforward, but the operational nuance is where PSPs get caught. The authentication requirement is not just "run 3DS2 occasionally." Issuers can challenge liability based on whether the PSP's integration demonstrated a good-faith attempt at real-time risk assessment. If you're routing transactions through a static rule set that hasn't been updated in three months, that's hard to defend as real-time risk assessment.

Where the Liability Gap Actually Lives

The most common misconception we encounter is that having 3DS2 deployed means liability is covered. It doesn't. 3DS2 is an authentication protocol — it passes risk signals to issuers who then make their own authentication decision. If your risk assessment upstream of 3DS2 is poor, you're sending weak signals to the issuer, who may still approve and then dispute liability later if fraud occurs.

The real liability gap lives in what happens between transaction initiation and the point where you submit for authorization. That gap is where behavioral scoring matters. A PSP with strong behavioral signals — device velocity, session timing anomalies, cross-merchant fingerprinting, typing cadence — can identify high-risk transactions before they hit authentication. Those transactions get stepped up to 3DS2 frictionless flow or full challenge depending on the risk score. Low-risk transactions go through with minimal friction.

A PSP without real-time behavioral scoring routes everything through the same path, relying on issuer-side fraud controls as the backstop. That's an expensive strategy now that liability-shift rules no longer treat all transactions the same based on authentication outcome alone.

The Threshold Mechanics in Practice

Consider a mid-size PSP processing roughly 2 million CNP transactions per month across their merchant base. At a 0.15% fraud rate — which feels low and is below most monitoring thresholds — that's about 3,000 fraudulent transactions per month. At an average ticket size of $85, that's $255,000 in monthly fraud exposure. Under older liability frameworks, a large portion of that would land on issuers. Under updated liability-shift rules, the portion that lacks documented authentication signals can now land back on the PSP.

The monitoring programs work on a rolling basis. Visa's VFMP standard tier triggers at $75,000 in fraud volume combined with a 0.65% fraud-to-sales ratio. The high-risk tier triggers at $250,000 at the same ratio. Mastercard's EFM has its own thresholds and a separate Merchant Fraud Liability (MFL) designation for persistent violators. The point is that the thresholds are not academic — a PSP at the scale described can hit them in a bad month, and the fine structure that follows is not small: monthly non-compliance fees can range from $25,000 to over $200,000 depending on the program and duration.

We're not saying these thresholds apply uniformly to every PSP in every region — network rules have significant carve-outs by geography, program type, and merchant category code. What we are saying is that the direction of travel is clear: more fraud cost is moving onto PSPs who lack documented, real-time risk assessment infrastructure.

What "Real-Time Scoring" Means to Network Compliance

Network compliance teams are not checking whether you use a specific vendor. They're asking whether you can demonstrate that fraud decisions are being made at transaction time using current signals. "We use a rules engine" is a defensible answer only if you can show that the rules are based on recent fraud patterns and are updated as those patterns shift — not rules written in 2022 and left alone.

What satisfies the spirit of the updated requirements is a scoring system that:

  • Runs synchronously at authorization request time, not in a batch job after the fact
  • Incorporates behavioral signals beyond static card and device checks — session velocity, typing cadence, navigation patterns, cross-merchant behavioral consistency
  • Produces a risk score that informs 3DS2 step-up decisions in real time
  • Has a feedback loop from chargeback outcomes that updates signal weights over time

That last point matters more than most PSPs realize. A scoring system that doesn't learn from its own chargebacks will slowly drift as fraud patterns evolve, and that drift will show up in rising monitoring program flags before it shows up as an obvious model failure. The feedback loop is what separates a scoring system from a risk posture.

What Risk Ops Should Do Now

If you're running risk ops at a PSP and you haven't audited your fraud liability exposure under the updated network rules, start with the data you already have. Pull your CNP fraud-to-sales ratio by merchant category. Identify which merchant verticals are generating the most chargeback volume. Then map those against your current authentication rates — specifically, what percentage of high-risk CNP transactions from those verticals are going through 3DS2 frictionless vs. full challenge vs. unauthenticated.

The gap between unauthenticated high-risk transactions and your current monitoring program headroom is your actual liability exposure. For most PSPs, that calculation is more uncomfortable than expected — not because fraud rates are unusually high, but because the new liability-shift rules mean that the unauthenticated CNP fraud that used to land on issuers now has a path back to the acquirer stack.
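The audit described above, worked through as an added example (not code from this post or from Txnworks): it takes per-vertical CNP figures, tiers each vertical and the whole portfolio against the VFMP triggers the post quotes, and totals the unauthenticated fraud dollars. The sample figures are constructed to match the post's 2M transactions at $85 and 0.15% fraud; the MCC labels are only labels.

```python
from dataclasses import dataclass

# Visa VFMP triggers as quoted in this post. Both the dollar condition and the
# ratio condition must hold for a tier to be hit.
VFMP_RATIO = 0.0065          # 0.65% fraud-to-sales, both tiers
VFMP_STANDARD_USD = 75_000   # standard tier dollar trigger
VFMP_HIGH_RISK_USD = 250_000 # high-risk tier dollar trigger

@dataclass
class Vertical:
    """One merchant category's monthly CNP figures (constructed sample input)."""
    mcc: str
    sales_usd: float
    fraud_usd: float
    fraud_by_auth: dict  # fraud dollars by path: frictionless / challenge / unauthenticated

def vfmp_tier(fraud_usd, ratio):
    """Crossing the dollar trigger alone does not enter the program."""
    if ratio < VFMP_RATIO:
        return "none"
    if fraud_usd >= VFMP_HIGH_RISK_USD:
        return "high-risk"
    return "standard" if fraud_usd >= VFMP_STANDARD_USD else "none"

def audit(verticals):
    """Rank verticals by fraud dollars, tier each one, and total the unauthenticated
    fraud dollars: the portion the post says can now land back on the acquirer stack."""
    rows = []
    for v in sorted(verticals, key=lambda v: v.fraud_usd, reverse=True):
        ratio = v.fraud_usd / v.sales_usd
        rows.append({"mcc": v.mcc, "ratio": round(ratio, 4),
                     "tier": vfmp_tier(v.fraud_usd, ratio),
                     "unauth_share": round(v.fraud_by_auth["unauthenticated"] / v.fraud_usd, 2)})
    sales = sum(v.sales_usd for v in verticals)
    fraud = sum(v.fraud_usd for v in verticals)
    ratio = fraud / sales
    return {"verticals": rows,
            "portfolio_ratio": ratio,
            "portfolio_tier": vfmp_tier(fraud, ratio),
            "ratio_headroom": VFMP_RATIO - ratio,   # distance to the VFMP ratio trigger
            "unauth_exposure_usd": sum(v.fraud_by_auth["unauthenticated"] for v in verticals)}

# Constructed sample: $170M sales and $255,000 fraud in aggregate, i.e. the post's numbers.
SAMPLE = [
    Vertical("5816", 12_000_000, 90_000, {"frictionless": 20_000, "challenge": 10_000, "unauthenticated": 60_000}),
    Vertical("5732", 58_000_000, 105_000, {"frictionless": 45_000, "challenge": 20_000, "unauthenticated": 40_000}),
    Vertical("5411", 100_000_000, 60_000, {"frictionless": 35_000, "challenge": 10_000, "unauthenticated": 15_000}),
]
```

Note that the portfolio clears the $250,000 high-risk dollar trigger yet sits in no tier because its ratio is 0.15%, while the small digital-goods vertical on its own is already at the standard tier.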

The practical remediation path is real-time transaction scoring that feeds directly into 3DS2 exemption and step-up logic. Score every transaction. Route low-risk transactions with a Transaction Risk Analysis (TRA) exemption claim where regulation permits. Step up anything above your risk threshold to 3DS2 challenge. Document the signal basis for every decision.
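The remediation path above, and the four properties listed under the real-time scoring section, as an added example (not Txnworks' scoring model or any network's code): a synchronous weighted score, a route decision into TRA exemption, frictionless or challenge, a hashed decision record carrying the signal basis, and a chargeback feedback loop that moves weight between signals. The signal names, weights, cutoffs and the `tra_permitted` flag standing in for "where regulation permits" are all assumptions; signal values are assumed pre-normalised to [0, 1].

```python
from dataclasses import dataclass
import hashlib, json

# Illustrative signal weights (placeholders, not a calibrated model). Each signal
# value is assumed normalised to [0, 1], where 1 means "most anomalous".
WEIGHTS = {"device_velocity_1h": 0.25, "session_timing_anomaly": 0.20,
           "cross_merchant_mismatch": 0.30, "typing_cadence_anomaly": 0.25}
LEARNING_RATE = 0.1

@dataclass
class Decision:
    txn_id: str
    score: float
    route: str          # "tra_exemption" | "frictionless" | "challenge"
    signal_basis: dict  # signals, weights and cutoffs actually used: the audit trail
    record_hash: str    # sha256 over the record so the trail can be shown unaltered

def score_transaction(signals, weights):
    """Synchronous weighted score in [0, 1], computed at authorization request time."""
    return sum(weights[k] * signals.get(k, 0.0) for k in weights) / sum(weights.values())

def route_transaction(txn, weights=WEIGHTS, tra_cutoff=0.2, challenge_cutoff=0.6):
    """Score every transaction, then choose the 3DS2 path. TRA exemption is claimed
    only below the low-risk cutoff and only when the caller says regulation permits it."""
    score = score_transaction(txn["signals"], weights)
    if score >= challenge_cutoff:
        route = "challenge"
    elif score < tra_cutoff and txn.get("tra_permitted", False):
        route = "tra_exemption"
    else:
        route = "frictionless"
    basis = {"signals": dict(txn["signals"]), "weights": dict(weights),
             "cutoffs": {"tra": tra_cutoff, "challenge": challenge_cutoff}}
    record = json.dumps({"txn_id": txn["id"], "score": round(score, 4),
                         "route": route, "basis": basis}, sort_keys=True)
    return Decision(txn["id"], score, route, basis,
                    hashlib.sha256(record.encode()).hexdigest())

def chargeback_feedback(weights, decision, confirmed_fraud):
    """Feedback loop: a fraud chargeback on a non-challenged route pushes weight onto
    the signals that were elevated; a clean outcome on a challenge pulls weight off them."""
    if confirmed_fraud and decision.route != "challenge":
        direction = 1
    elif not confirmed_fraud and decision.route == "challenge":
        direction = -1
    else:
        return weights  # outcome agreed with the decision: nothing to learn here
    fired = decision.signal_basis["signals"]
    new = {k: max(0.01, w + direction * LEARNING_RATE * fired.get(k, 0.0))
           for k, w in weights.items()}
    total = sum(new.values())
    return {k: w / total for k, w in new.items()}  # renormalise so weights sum to 1
```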

We built Txnworks for exactly this operational model — PSPs and risk teams that need per-transaction scores in under 50ms, with enough signal depth to justify TRA exemption claims and produce defensible audit trails. The 140+ behavioral signals we evaluate per transaction are specifically designed to satisfy the "real-time risk assessment" documentation requirement that the updated liability frameworks are pushing toward.

The Deeper Shift

The liability-shift rule updates are really a formalization of something the networks have been nudging toward for several years: PSPs are expected to be active participants in fraud prevention, not just routing infrastructure. The era of passing transactions through and letting issuers absorb fraud cost is ending at the policy level.

That's not only a compliance challenge — it's a competitive differentiation moment. PSPs with real-time behavioral scoring can offer merchants lower fraud rates and fewer false positives simultaneously. PSPs without it are competing on price while absorbing more regulatory and financial risk. The 2025 liability updates accelerated that gap, but they didn't create it. The gap was already there, and now it has a dollar figure attached.