ECI
What is Electronic Commerce Indicator?
Electronic Commerce Indicator (ECI) is a code that signifies the type of electronic commerce transaction during payment processing. It distinguishes between transaction categories, particularly in transactions where the and card are not physically present.
ECI values tell financial institutions about the nature of the transaction – whether it is a secure transaction or whether additional authentication was needed. This classification supports risk management and prevention, letting institutions apply security protocols based on the ECI value.
Key facts
- Also known as: ECI flag, ECI value
- Format: a two-digit numeric code returned in the authentication and authorization response
- Set by: the , based on the outcome of authentication
- Applies to: card-not-present and e-commerce transactions
- Affects: fraud between the and the merchant
ECI values and what they mean
The same ECI number means different things on different networks, so a value has to be read alongside the card brand. Visa and Mastercard use two separate numbering schemes.
| Network | ECI value | Meaning | Fraud liability |
| Visa | 05 | Cardholder fully authenticated via 3DS | Issuer (liability shift) |
| Visa | 06 | Authentication attempted; cardholder or issuer not enrolled | Issuer (liability shift) |
| Visa | 07 | No authentication performed | Merchant |
| Mastercard | 02 | Cardholder fully authenticated via 3DS | Issuer (liability shift) |
| Mastercard | 01 | Authentication attempted | Issuer (liability shift) |
| Mastercard | 00 | No authentication performed | Merchant |
A fully authenticated value (Visa 05, Mastercard 02) means the cardholder completed a 3DS challenge or was verified frictionlessly, and the issuer takes responsibility for fraud-related chargebacks. An attempted value (Visa 06, Mastercard 01) means the merchant tried to authenticate but the issuer or cardholder couldn't complete it; fraud liability still shifts to the issuer. A value showing no authentication (Visa 07, Mastercard 00) leaves the merchant liable for fraud chargebacks.
How an ECI value is assigned
- Authentication request – When a cardholder pays online, the merchant or gateway sends the transaction for authentication.
- Issuer check – The issuer decides whether the cardholder needs a challenge, such as a one-time code or , or can be verified frictionlessly.
- ECI assignment – Based on the authentication outcome, the card network assigns the ECI value and returns it with the authentication result.
- Authorization – The ECI travels with the authorization request, so the issuer and acquirer can see how the payment was verified before approving it.
Why it matters
The ECI value decides who absorbs the cost of a fraudulent chargeback. When a transaction carries a fully authenticated or attempted value, fraud-related chargebacks move to the issuer under the card network's rules. When it shows no authentication, the merchant keeps that liability.
Acquirers and risk systems also read the ECI to score transactions. A card-not-present payment with no authentication looks riskier than one the issuer verified, so it can draw extra scrutiny or a higher decline rate.
