
Visa’s coming chargeback evidence changes are mostly good news for merchants


For ecommerce payments and risk intelligence professionals, Visa’s recent announcement that it would change the rules around fighting first-party fraud was nothing short of a disturbance in the force. 

The rules and processes for recovering losses from fraudulent online orders are long, detailed and long-standing. Anytime any of the chargeback rules change, merchants rightfully begin digging, looking for answers and the best way forward.

Let’s start with this: Visa’s coming change to the rules around the compelling evidence needed to dispute a first-party fraud chargeback is, on balance, a good thing for merchants.

What you need to know
  • Visa’s new rules for compelling evidence in first-party chargeback cases take effect April 15, 2023.
  • The rules, known as Visa CE 3.0, create a higher standard of proof but provide clear outcomes and a liability shift.
  • Rather than producing one benchmark transaction to demonstrate a legitimate cardholder was behind an order, merchants must produce two that are at least 120 days old, but no more than a year old.
  • If a merchant successfully produces the required orders with the required data elements and conditions, liability for the chargeback will shift to the issuer.

Granted, when a card brand makes noise about making life better for merchants, it does bring to mind that dark-humor chestnut: “I’m from the government and I’m here to help.” But Visa’s CE 3.0, which will come into play April 15 for disputes bearing reason code 10.4, improves the chargeback recovery process for merchants in two big ways:

  • It lays out clear guidelines on what evidence is needed to allow the merchant to dispute the chargeback in question, which removes the opacity from the current process.
  • Assuming that evidence can be produced, it shifts the liability for the cost of the chargeback from the merchant to the issuing bank, which can investigate the claim using the data the merchant provided.

So, what’s changing?

Under CE 3.0 merchants need to produce two transactions older than 120 days that can be connected to the disputed transaction and which have not been reported as fraud. To show the connection between the orders and the cardholder, Visa requires at least two of four bits of evidence:

  • IP address
  • Device ID or fingerprint
  • Shipping address
  • Account log-in ID (must match)

And while only two elements are required, it’s not just any two elements. One of the data elements submitted must be the IP address or device ID. 
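
The matching rule described above, written as a check a merchant could run over its own order history. This is an added example, not Visa's or Signifyd's code: the field names are hypothetical, order age is assumed to be measured from the disputed order's date, each prior order is compared to the disputed order on its own, and values are compared case-insensitively.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Field names are hypothetical; the four elements are the ones the article lists.
ELEMENTS = ("ip_address", "device_id", "shipping_address", "login_id")
REQUIRED_ONE_OF = {"ip_address", "device_id"}

@dataclass
class Order:
    order_id: str
    placed: date
    ip_address: Optional[str] = None
    device_id: Optional[str] = None
    shipping_address: Optional[str] = None
    login_id: Optional[str] = None
    reported_fraud: bool = False

def matching_elements(prior, disputed):
    """Names of elements present on both orders with equal values."""
    pairs = ((n, getattr(prior, n), getattr(disputed, n)) for n in ELEMENTS)
    return {n for n, a, b in pairs if a and b and a.strip().lower() == b.strip().lower()}

def qualifies(prior, disputed):
    # Assumption: age is measured from the disputed order's date.
    age = (disputed.placed - prior.placed).days
    if prior.reported_fraud or not 120 <= age <= 365:
        return False
    matched = matching_elements(prior, disputed)
    return len(matched) >= 2 and bool(matched & REQUIRED_ONE_OF)

def ce3_evidence(history, disputed):
    """Return two qualifying prior orders, or None when the bar is not met."""
    hits = [o for o in history if qualifies(o, disputed)]
    return hits[:2] if len(hits) >= 2 else None

# Constructed sample data (documentation-range IPs, made-up identifiers).
DISPUTED = Order("D-1", date(2023, 6, 1), "203.0.113.7", "dev-a1", "1 Main St", "pat@example.com")
HISTORY = [
    Order("A", date(2023, 1, 10), "203.0.113.7", "dev-a1", "9 Elm Rd", None),  # qualifies
    Order("B", date(2022, 12, 1), "198.51.100.9", "dev-zz", "1 Main St", "pat@example.com"),  # no IP/device
    Order("C", date(2023, 4, 20), "203.0.113.7", "dev-a1", "1 Main St", "pat@example.com"),  # too recent
    Order("D", date(2022, 9, 15), "198.51.100.9", "dev-a1", "1 main st", None),  # qualifies
    Order("E", date(2022, 8, 1), "203.0.113.7", None, None, "pat@example.com", True),  # reported fraud
]

if __name__ == "__main__":
    picked = ce3_evidence(HISTORY, DISPUTED)
    print([o.order_id for o in picked] if picked else "CE 3.0 bar not met")
```

Order B shows why the data inventory matters: a matching shipping address and log-in ID alone do not clear the bar unless the IP address or device ID was also captured and retained.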

Visa CE 3.0 offers merchants two paths to object to disputes and chargebacks. Merchants can provide their evidence “pre-dispute,” or at the time a consumer contacts their bank about an allegedly fraudulent charge. The issuing bank can contact the merchant for the required evidence, which if provided shifts the liability to the issuer. It also means the merchant’s chargeback rate is not affected, because the chargeback has yet to be filed. 

The second path seeks the compelling evidence after the chargeback has been filed. This scenario still reflects negatively on the chargeback rate, because the chargeback has already been filed. But again, the liability shifts once the evidence is provided. 

Visa’s CE 3.0 rules are more rigorous than Visa’s current standard for compelling evidence: one previous transaction that has not been reported as fraud that connects the cardholder to a disputed transaction. But the current system comes with no liability shift and the reality that producing compelling evidence today is no assurance that a merchant will win a chargeback dispute. If a consumer insists the disputed order is fraudulent and provides a reasonable explanation, an issuer might well accept the chargeback as valid.

Natalie England, Visa’s senior director, direct global risk lead, explained during a webinar co-hosted by the MRC that the four-month-old orders establish a benchmark of legitimate activity by the cardholder.

Visa CE 3.0 comes with a liability shift

Matching the required two elements with elements in the disputed transaction means the order “would be qualified for protection, meaning that the liability would sit with the issuer for that fraud dispute — and the issuer can utilize all the data that was supplied by the merchant to supplement their investigation into that transaction and potentially rebill the cardholder for the transaction.” 

That’s the good news. England acknowledged the not-so-good news, which is that the coming requirements set “a really high bar for the merchant to meet.” 

“We absolutely understand that,” England said. “It’s our first step at chipping away at this problem. And we do look to continue to partner with MRC and our clients to see how else we can drive more of this behavior out of the ecosystem.”

Why is this happening now?

The rapid and dramatic shift to ecommerce during the pandemic reshaped online commerce forever. It’s a far bigger piece of the retail pie. Whereas ecommerce sales made up less than 10% of retail sales in many verticals before COVID-19, some verticals today are seeing 20% and more of sales being conducted digitally. That’s made online a bigger target for professional fraudsters.

Meanwhile, more consumers, in general, are shopping online. Once-in-a-generation inflation and episodic consumer dissatisfaction with the online experience have inspired buyer’s remorse among some shoppers and an inclination to carry out ecommerce frontier justice among others. 

Visa CE 3.0 is a response to rampant consumer abuse

The challenge for retailers has been boiling for a while. In a 2020 survey, 40.3% of respondents admitted to falsely telling their bank that a charge they made was fraudulent, according to polling commissioned by Signifyd and conducted by PureSpectrum. A high percentage — 33.2% — in the same poll admitted to falsely claiming a package that did arrive did not or that a satisfactory product arrived in unsatisfactory condition. 

As recently as this Spring, consumer abuse — a measure of chargebacks deemed illegitimate and contested by Signifyd — is up 143% year-to-date compared to the same period last year, according to Signifyd data. 

“This issue is complex and costly; we’re talking billions of dollars a year,” MRC CEO Julie Ferguson said in a written statement. “To solve it, every stakeholder in the payments chain needs to work together.” 

So, what should merchants do to prepare for the change?

While Visa’s announcement is still fresh and there are months to go before the changes take effect, now is the time for merchants to begin preparing for what’s to come. Some first steps if you’re a merchant: 

Continue to be vigilant to avoid chargebacks in the first place. Future-focused commerce protection solutions, like Signifyd, rely on vast networks of merchants to build transaction intelligence that provides an understanding of the identity and intent behind every order. That sort of insight provides a proven way to decline fraudulent orders before they’re fulfilled.

Study up on the specifics of Visa’s changes. You can start with Visa’s FAQs. Share your thoughts and questions with your network. Chances are you have questions others have answers for and you have the answers to others’ questions. Don’t hesitate to reach out to trusted partners and vendors, including Signifyd, for more information. 

Take data inventory. Now that the rules are clear about what will be needed to clear the compelling evidence bar, merchants should determine where that data lives and how it can be quickly and easily accessed when needed. Visa is recommending its Order Insights as a way to present the compelling evidence.

Consider roles, responsibilities and organization. Do you need to reorganize any aspect of your risk and chargeback operation to make sure there are clear lines of communication and responsibility to execute on Visa’s new rules? Have you considered additional training for your risk intelligence teams?

How Signifyd can help

In addition to preventing fraud, Signifyd can help fight and win chargebacks that do occur. The vast data network that powers Signifyd’s Chargeback Recovery product has the transaction history and the data attributes that merchants will need to take advantage of the coming Visa CE 3.0 changes.

As the leading payment security and online fraud prevention provider to the largest retailers, Signifyd has established a chargeback win rate of more than 50%, better than the industry average. Signifyd’s data science and risk intelligence teams bring deep expertise to the world of chargebacks and disputes, and our customer success team is award-winning. Meanwhile, Signifyd’s experts navigate card scheme changes, like CE 3.0, so you don’t have to.

We’re here to help.


Mike Cassidy


Mike is the head of storytelling at Signifyd. A former journalist and a retail geek, he covers ecommerce and the way technology is transforming digital commerce. Contact him at [email protected].