To encourage widespread implementation of an electronic commerce card authentication system by the numerous different card issuers and merchants, the card association assigns liability for fraudulent transaction based upon a party's compliance with the authentication system. To enable this feature, an embodiment of the card processing system includes the ability to track and record attempts by merchants to initiate authentications, even in circumstances where the card issuer does not support authentication or can not authenticate the card information its receives. A directory server determines whether a card account is capable of being authenticated. If the card issuer cannot authenticate the card account, the directory server instructs the merchant system to attempt authentication with an alternate access control server. The alternate access control server is adapted to communicate an authentication response message with the merchant system indicating that the merchant system attempted an authentication.