The Importance of ECI Indicators: How to Interpret 3DS Transaction Responses
Is credit card authorization really that complicated? After all, a customer inserts or taps a card, and a sale is either approved or denied by the bank. Isn’t that all there is to it?
Well, not really.
The authorization response you receive can instruct you to proceed in a few different ways. Plus, if you deploy 3-D Secure (or “3DS”) during the transaction, you also have the ECI indicators to consider as well. As we’ll explore below these numeric indicators are just one of the many potential values that could assist or complicate the checkout process for your business.
Recommended reading
- What is Geolocation? A Key Anti-Fraud Tool for 2024
- The Top 10 Fraud Detection Tools You Need to Have in 2024
- What are Velocity Checks? How Do They Stop Fraud Attacks?
- Proxy Piercing: How Merchants Can Use it to Prevent Fraud
- Card Verification Values: What Are CVVs & How Do They Work?
- Payment Authentication: How to Verify Buyers Before a Sale
What is an ECI Indicator?
- Chargebacks
In simple terms, an Electronic Commerce Indicator (ECI) is basically a 3-D Secure response code. The ECI value tells you what to do next in a 3DS transaction — proceed, reject the purchase, or try again.
[noun]/ē • cē • ī • in • duh • kāy • tər/When a customer who's enrolled with 3-D Secure from their bank initiates a purchase, the tool will deploy during the checkout process. It prompts the cardholder to enter more information as a way to validate their identity.
The ECI indicator is a figure provided by the Directory Server and the Access Control System (ACS). It signifies the result of the authentication request made for 3DS transactions. This ECI value serves as a guide for merchants, helping them decide whether to move forward with a transaction.
Basically, standard credit card authorizations are accompanied by a string of numbers either approving or denying the transaction. ECI indicators are like an extra authorization step that incorporates 3DS technology into the checkout process.
ECI indicators appear as simple two-digit codes. However, the codes can vary from one card network to the next, as we’ll see below.
List of ECI Indicators
Next, let’s go over the more common ECI indicator responses, broken up by what the response in question means. We’ll illustrate what the codes look like, and give their uses and explanations for each card network.
Can you Charge a Credit Card Without an ECI Indicator?
Not anymore. Most processors now require an ECI indicator as part of the authentication process. So, without an ECI indicator to authorize the request, the transaction will be declined.
Violating this requirement and trying to bypass requirements to run transactions without an ECI indicator could result in fines. It could also result in your account being terminated, and you being blacklisted from accepting credit cards in the future.
It’s worth noting that the assignment of an ECI indicator happens within the point-of-sale system that the seller uses. Visa and Mastercard strictly mandate that online sellers should not employ any software or devices that fail to support the Electronic Commerce Indicator.
Finally, any credit card information sent over email is considered a transaction that necessitates the inclusion of the ECI when it's processed by the bank.
What if a Customer Isn't Enrolled in 3DS?
This is what those "Authentication Attempted" indicator codes are for.
You must still attempt 3DS with every card-not-present transaction. If you get this response, you may still proceed, as you have fulfilled your duty under 3DS requirements.
As of June 1, 2000, Visa USA brought into effect a system of penalties for acquirers failing to accurately identify electronic commerce transactions with the right electronic commerce indicators. Similarly, MasterCard International introduced its own penalty system for the same transgression, effective from August 1, 2000.
For card-not-present transactions, you’d likely be using software or a payment gateway to process transactions. However this is done, remember that Visa and Mastercard both require online merchants to use software or equipment that supports Electronic Commerce Indicators.
If your software sends an ECI with values of 5, 6, or 7, these transactions are marked as secure ECI transactions. However, if the ECI value sent is 8 or 9, it means you’re processing the card data in an insecure manner.
It’s important that you comply with 3DS requirements. Visa and MasterCard have hundreds of employees whose main role is to identify web merchants violating this policy. Infringements could lead to fines, termination of your account, or even landing you on a blacklist for credit card acceptance.
What About Brick-&-Mortar Purchases?
3-D Secure — and, as a result, ECI indicators — are only used in eCommerce. As a result, they have no relevance for brick-and-mortar retail.
The industry has other solutions in place to make it easier to validate card-present buyers. Examples include:
EMV “Chip & PIN” Cards
This system requires customers to enter a Personal Identification Number (PIN) to verify their identity. The chip within the card offers an extra layer of security because it's harder to clone than a magnetic stripe card.Biometric Authentication
Biometric data, like fingerprints, facial recognition, or retinal scans, can be used to verify a customer's identity at the point of sale. Biometric technologies are advancing rapidly, and we're beginning to see their introduction in more and more retail environments.Tokenization
Tokenization involves replacing sensitive data with unique identification symbols that won’t compromise data security. Many mobile payment systems use this technology, as do EMV chip cards.Of course, you’ll also need to deploy other solutions and practices yourself to stop fraud in this environment, like ensuring your card readers are EMV compliant. To illustrate, a few best practices we recommend include:
ID Verification
In some cases, particularly for large purchases, it might be appropriate to ask for additional identification (like a driving license or passport) to confirm a customer's identity.Machine Learning
AI-based point-of-sale systems can help in fraud detection. The tools can learn the patterns of purchase and highlighting the transactions that look suspicious based on previous data.Employee Training
One of the best defenses against fraud can be well-trained employees who know what to look for in terms of suspicious behavior, counterfeit currency, or fraudulent cards.All Part of a Broader Strategy
Remember: fraud and chargeback prevention requires a multi-faceted approach.
The best strategies often involve a combination of these and other measures. On the other hand, for online merchants, 3DS and ECI indicators can be valuable, useful tools. They just won’t be enough to keep your business safe on their own.
Your fraud prevention solutions must be augmented by other indicators, which often include additional verification steps and tools to tackle other threat sources. For instance, 3DS can’t predict or prevent an act of friendly fraud.
FAQs
What is an ECI indicator?
As briefly explained above, The Electronic Commerce Indicator (ECI) is a figure provided by the Directory Server and the Access Control System (ACS) that signifies the result of the authentication request made for EMV® 3-D Secure transactions. This ECI value serves as a guide for merchants, helping them decide whether to move forward with authorization.
What is the ECI indicator for Mastercard?
There are several ECI indicators for each card network. “02” means the authentication was successful; “01” means authentication was attempted; “00” means authentication either failed, or was not permitted.
What is the ECI indicator for Visa?
There are several ECI indicators for each card network. “05” means the authentication was successful; “06” means authentication was attempted; “07” means authentication either failed, or was not permitted.
Can you Charge a Credit Card Without an ECI Indicator?
Not anymore. Most processors now require an ECI indicator as part of the authentication process for all online transactions. Without an ECI indicator to authorize the request, the transaction will be declined. Violating could result in fines, your account being terminated, and/or you being blacklisted for accepting credit cards.
Additionally, Visa and MasterCard strictly mandate that online sellers should not employ any software or devices that fail to support the Electronic Commerce Indicator.