Learn the domain· 8 min read
Evidence
Disputes are won and lost on evidence. "Compelling evidence" is a scheme-defined term with very specific data requirements that have tightened sharply since Visa shipped CE 3.0 in April 2023 and Mastercard rolled out First-Party Trust globally in 2025. The right evidence by reason category, in the right format, with timely submission — that's the win condition.
Last reviewed against primary sources on .
The two compelling-evidence programs
Both major schemes now offer formal programs that shift liability back to the issuer when the merchant can show the cardholder has a pattern of legitimate purchases consistent with the disputed transaction. These are structured, machine-readable evidence frameworks — not free-form submissions:
Visa
Compelling Evidence 3.0 (CE 3.0)
Effective 15 April 2023. Applies specifically to 10.4 (Card-Absent Environment Fraud) — the dominant ecommerce fraud code. To qualify, the merchant must supply two undisputed prior transactions on the same payment credential, dated between 120 and 365 days before the disputed transaction.
Across all three transactions, two of four data elements must match, and one of those two must be IP address or device ID:
- User ID (whatever account identifier you use)
- Shipping address
- IP address (captured at checkout)
- Device ID (device fingerprint at checkout)
Since 17 October 2025, Visa automatically qualifies eligible transactions for CE 3.0 protection when they pass through Visa Secure (the modern 3-DS flow) or Visa Data Only.
Mastercard
First-Party Trust (FPT)
Mastercard's equivalent, expanded globally in 2025. FPT matches the disputed transaction against two historical transactions across three categories; one element from each category must match:
- Cardholder identity (account ID, email, phone)
- Device / context (device fingerprint, IP)
- Order details (shipping, delivery, geo)
Merchants may submit the enhanced data either in the authorization message (preferred) or post-transaction during the dispute response. A validated FPT submission shifts liability to the issuer for first-party-misuse (friendly-fraud) disputes.
Evidence by category
Outside CE 3.0 / FPT, evidence requirements depend on what the issuer is claiming. The playbook differs by reason category:
Fraud (10.x, 4837/4863, F-codes)
The cardholder denies authorizing the transaction.
Evidence that tends to win
- 3-DS / Visa Secure / Mastercard Identity Check authentication record (best — usually a hard liability shift on its own).
- CE 3.0 / FPT qualifying data: 2 prior undisputed transactions on the same credential with matching device-ID or IP.
- Positive AVS (Address Verification Service) match + CVV match recorded at auth.
- Delivery confirmation matching cardholder address (especially courier signature for high-ticket).
- Cardholder communication confirming receipt or use (download logs, login activity, customer support thread).
Operator's note: True fraud (stolen card) is rarely winnable; the merchant's job is prevention. Friendly fraud where the cardholder actually did the buy is the addressable share — that's what CE 3.0 / FPT was built for.
Authorization (11.x, 4808/4812, A-codes)
The transaction lacked a valid authorization or was processed after a decline.
Evidence that tends to win
- Authorization approval code with timestamp matching the settlement.
- Evidence the auth was valid and not expired at the time of capture.
- For partial captures: documentation of the agreed installment / partial schedule.
Operator's note: These cases turn on processor records. If the merchant did capture without a clean auth, there's no winning the case. Fix the root cause in the order pipeline.
Processing errors (12.x, 4831/4842, P-codes)
Duplicate, late presentment, wrong amount or currency, incorrect account number.
Evidence that tends to win
- Original receipt + processor-side settlement record showing the disputed transaction is distinct from the alleged duplicate.
- Cardholder authorization for the contested amount (signed agreement, ToS acceptance, recurring-billing schedule).
- Evidence the second charge was for a different SKU / service / date.
Operator's note: Mostly defensible with clean processor records. The most common failure mode is poor descriptor / SKU hygiene that makes legitimate distinct transactions look like duplicates.
Consumer disputes (13.x, 4853, C-codes)
Goods not received, defective, refund not processed, subscription not cancelled.
Evidence that tends to win
- Delivery proof — carrier tracking with timestamp + signature, scaled to ticket value (recipient signature for $200+ items in many scheme rules).
- For digital goods: download / activation logs tied to the cardholder account, IP, device.
- For SaaS / subscriptions: ToS acceptance, login activity post-billing, cancellation policy and how it was surfaced.
- For "not as described": item photos at fulfilment, listing snapshot, return policy and any return communication.
- Refund-not-processed: timestamped credit memo + processor refund record.
Operator's note: The most evidence-heavy category. Win rates depend almost entirely on how clean the operational side (fulfilment + customer support records) is.
What 'evidence' looks like in practice
Card-network rules specify formats. Visa requires representment packets as PDFs; size limits are tight (typically ≤4 MB per file, ≤2 files per case for the core packet). Some processors enforce stricter limits.
Practical evidence pack for a high-conviction CNP defence (10.4 / 4863) typically includes:
- Order receipt with cardholder name, billing + shipping address, item list, total, transaction date.
- Authentication record (3-DS challenge result, or CE 3.0 prior-txn pair).
- Session telemetry — IP address + device fingerprint captured at checkout, with proof of consistency vs prior orders.
- Delivery confirmation — tracking number, carrier name, delivery date, signature image if available.
- Cardholder communication — order confirmation email, post-delivery follow-up, any support thread referencing the order.
- Refund policy + Terms of Service acceptance trail (timestamp + IP of acceptance).
Win rates: what to actually expect
Industry survey data is noisy, but useful directional figures: merchants with mature dispute operations recover ~30–40% of contested disputes net of fees; merchants without dedicated tooling recover well below 10%. CE 3.0 and FPT have noticeably raised the recovery ceiling for ecommerce friendly fraud — properly qualified CE 3.0 submissions report ~50–70% win rates in practitioner reports, though the program has only had ~3 years of data to draw from.
Two operational metrics matter more than raw win rate: response rate (% of disputes you respond to at all — should be ~100% on cases worth fighting; missing responses counts as a loss and often triggers fees) and net recovery(recovered $ minus chargeback fees and arbitration fees on lost cases). It's common for a merchant's headline win rate to look good but for net recovery to be negative once fees are netted out.
Sources
- Visa · Compelling Evidence 3.0 Merchant Readiness (March 2023) — Authoritative source for the CE 3.0 effective date, 10.4 scope, 2-prior-transactions / 120–365 day window, and the four data elements.
- Visa · Evolution of Compelling Evidence — Client FAQs (October 2022) — Visa-published Q&A clarifying how CE 3.0 qualification works and what counts as a matching data element.
- Mastercard · First-Party Trust developer guide — Authoritative source for FPT data-sharing requirements and the three-category match rule.
- Mastercard · Scaling efforts to combat friendly fraud (June 2025) — Mastercard-side announcement of FPT global expansion in 2025 and intent to shift liability on qualifying matches.
- Visa Core Rules and Visa Product and Service Rules (current public edition) — Authoritative source for representment packet format requirements (PDF, size limits) and per-code evidence requirements.