
Prevention

Every dispute the merchant wins still costs the chargeback fee and the operational time to fight it. Prevention is structurally cheaper than defence — by an order of magnitude in most operations. There are six layers that compound; running just one of them well captures most of the benefit, but the strongest programs run all six.

Last reviewed against primary sources on .

Layer 1 — 3-D Secure 2 and Strong Customer Authentication

3-D Secure (3DS) is the EMVCo-developed authentication protocol that lets the issuer verify the cardholder for a card-not-present transaction. 3-D Secure 2 (3DS2) — the current generation — uses biometrics, device intelligence, and risk scoring to deliver a mostly-frictionless flow with a step-up challenge only when the issuer is uncertain.

The key prize is liability shift. When a transaction successfully completes a 3DS2 challenge (or qualifies for a frictionless flow under issuer rules), liability for any subsequent fraud chargeback shifts to the issuer. For Visa 10.4 / Mastercard 4863 CNP fraud cases — the largest category in ecommerce disputes — this is the single highest-impact prevention layer.

Caveat: a frictionless flow obtained because the acquirer requested an SCA exemption (e.g. low risk, low value, MIT) does not carry the same liability shift. The exemption mechanism trades fraud liability for a smoother UX — useful but deliberate.

Layer 2 — Pre-dispute alerts (RDR, CDRN, Ethoca)

When a cardholder calls their issuer to dispute a charge, the issuer's system can — if the merchant is enrolled — fire a real-time alert to the merchant before the formal chargeback is raised. Three networks dominate:

Visa RDR (Rapid Dispute Resolution)

  • Coverage: ~97% of Visa CNP volume.
  • How it works: Merchant defines deterministic rules. If a dispute matches a rule, RDR auto-issues a refund and the formal chargeback is cancelled before it’s ever raised.
  • Effect on the chargeback: Resolved RDR cases don’t hit VAMP ratio or incur the chargeback fee. Important caveat: the issuer can still send a TC40 fraud report, which Visa now counts in VAMP regardless of refund.

Verifi CDRN (Cardholder Dispute Resolution Network)

  • Coverage: Cross-network; ~75% Visa, plus Mastercard / Discover / Amex coverage.
  • How it works: Merchant gets a real-time alert and has 24–72h to manually refund. If the refund posts in time, the dispute is closed at the issuer.
  • Effect on the chargeback: Successful CDRN resolution prevents the chargeback from formally posting.

Ethoca (Mastercard Ethoca Alerts)

  • Coverage: Cross-network, but ~60% Mastercard.
  • How it works: Same shape as CDRN: alert plus a window to manually refund.
  • Effect on the chargeback: Same outcome as CDRN: prevents formal chargeback if resolved in window.

Most mature operations run RDR + Ethoca + CDRN together, with RDR covering the Visa happy path and Ethoca / CDRN catching the cases RDR doesn't reach. Per-alert costs vary by network and processor — typical pricing is in the $5–$20 range, paid only when an alert fires and is actioned, so the math closes against a $20+ chargeback fee plus ratio impact.

Layer 3 — Descriptor and customer-service hygiene

A surprisingly large share of disputes (industry estimates put the figure at 20–40% of friendly fraud) are triggered by the cardholder simply not recognising the descriptor on their statement. Three operational fixes have outsized impact:

  • Descriptor matches the customer-facing brand name (not a parent legal entity the customer has never heard of).
  • Descriptor includes a recognisable city OR phone number — Verifi and Ethoca both prefer descriptors that include a service phone number, and use it for matching.
  • Customer support contact is one click from the order confirmation email and the receipt PDF — friction here turns "is this charge legit?" calls into chargebacks.

Layer 4 — Fraud rules at the gateway

Stopping the fraud transaction before it settles is cheaper than fighting the chargeback after. Most modern processors expose a rule engine that can decline or step-up authentication based on:

  • AVS / CVV mismatch.
  • High-velocity card-on-file usage (same card hitting many merchants in short windows).
  • Geographic mismatch between IP and billing address (or shipping).
  • Device fingerprint reuse across many cardholders.
  • Disposable / temporary email domains.
  • New cardholder + high-ticket purchase + rush shipping (common synthetic-fraud pattern).

The trade-off is always false-positive rate. A merchant who declines aggressively will lower their fraud rate but lose legitimate revenue and frustrate good customers. The win is to route high-risk transactions through 3DS2 step-up rather than declining them — let the issuer make the call, keep the liability shift.
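
The step-up-instead-of-decline policy described above, as an added example that is not from the original page or any processor's rule engine. Field names, thresholds and the sample transactions are assumptions constructed for illustration; it compares how many legitimate orders are lost under a decline-on-any-signal policy versus a step-up-first policy.

```python
# Thresholds and field names are illustrative assumptions, not a processor's rule syntax.
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}  # constructed list

def risk_signals(t: dict) -> list:
    """Names of the Layer 4 signals that fire for one transaction."""
    checks = {
        "avs_cvv_mismatch": not (t["avs_match"] and t["cvv_match"]),
        "card_velocity": t["card_uses_last_hour"] >= 5,
        "geo_mismatch": t["ip_country"] != t["billing_country"],
        "device_reuse": t["cardholders_on_device"] >= 3,
        "disposable_email": t["email"].rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS,
        "new_high_ticket_rush": (t["account_age_days"] < 1 and t["amount"] >= 500
                                 and t["rush_shipping"]),
    }
    return [name for name, fired in checks.items() if fired]

def route(t: dict, decline_at: int = 4) -> str:
    """'allow' with no signals, 'decline' at decline_at signals, else 3DS2 step-up."""
    n = len(risk_signals(t))
    if n == 0:
        return "allow"
    return "decline" if n >= decline_at else "step_up_3ds"

def legit_orders_lost(txns: list, decline_at: int) -> int:
    """False-positive cost: legitimate orders the policy declines outright."""
    return sum(1 for t in txns if not t["is_fraud"] and route(t, decline_at) == "decline")

def make_txn(**overrides) -> dict:
    """Build a constructed transaction; defaults describe a clean repeat customer."""
    base = dict(amount=80.0, avs_match=True, cvv_match=True, ip_country="US",
                billing_country="US", email="pat@shop.example", card_uses_last_hour=1,
                cardholders_on_device=1, account_age_days=400, rush_shipping=False,
                is_fraud=False)
    return {**base, **overrides}

# Constructed sample data, not real transactions.
SAMPLE = [
    make_txn(),                                                       # clean order
    make_txn(ip_country="FR"),                                        # legit, travelling
    make_txn(account_age_days=0, amount=900.0, rush_shipping=True),   # legit rush gift
    make_txn(avs_match=False, ip_country="BR", card_uses_last_hour=9,
             cardholders_on_device=6, email="x@tempmail.example", is_fraud=True),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(route(t), risk_signals(t))
    print("legit orders lost, decline on any signal:", legit_orders_lost(SAMPLE, 1))
    print("legit orders lost, step-up first:", legit_orders_lost(SAMPLE, 4))
```
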

Layer 5 — Subscription & refund policy hygiene

Recurring-billing disputes (Visa 13.2, Mastercard 4853 when subscription-related) are a high-volume dispute category for any business that bills repeatedly:

  • Send a renewal-reminder email at least 3–7 days before billing for annual / long-term plans.
  • Make 'cancel subscription' as easy as 'start subscription' — the FTC's Click-to-Cancel rule formalises this for US merchants and many other jurisdictions follow.
  • Confirm cancellation by email, and make the email findable later — cardholders often dispute because they "thought" they cancelled.
  • Publish a clear refund policy on the checkout page and include it in the order confirmation; require explicit acceptance for high-risk SKU categories.

Layer 6 — Fulfilment evidence captured by default

Once a CNP dispute reaches Stage 1, the merchant's ability to win it is largely a function of what evidence was captured at purchase + fulfilment. By the time the chargeback arrives, you can't go back and add it. Capture by default:

  • IP address and device fingerprint at every checkout, persisted on the order record (the CE 3.0 entry ticket).
  • AVS / CVV result codes (preserved in processor records — many merchants forget these can be retrieved years later).
  • Cardholder-account creation date, order count, prior order IDs (the prior undisputed transactions that CE 3.0 and FPT need).
  • Carrier tracking number stored with the order, plus delivery confirmation event when available (signature image for $200+ orders).
  • For digital goods: download / first-login / first-use logs tied to the cardholder account.
  • For SaaS: usage activity post-billing — proof the cardholder actually consumed the service.
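
One way to check that the capture-by-default list above is actually being persisted, as an added example that is not from the original page. The field names, order kinds and sample records are hypothetical and constructed; the audit reports which evidence each order would lack if it were disputed today.

```python
from collections import Counter

# Field names are hypothetical; map them onto your own order schema.
BASE = ["ip_address", "device_fingerprint", "avs_result", "cvv_result",
        "account_created_at", "prior_order_ids"]
BY_KIND = {
    "physical": ["tracking_number", "delivery_confirmed_at"],
    "digital": ["first_use_log_id"],
    "saas": ["post_billing_usage_log_id"],
}
SIGNATURE_THRESHOLD = 200  # the text asks for a signature image on $200+ orders

def missing_evidence(order: dict) -> list:
    """Evidence fields from the Layer 6 list that this order record does not carry."""
    required = BASE + BY_KIND.get(order["kind"], [])
    if order["kind"] == "physical" and order["amount"] >= SIGNATURE_THRESHOLD:
        required = required + ["signature_image_ref"]
    # None or "" means not captured; an empty prior_order_ids list is valid (first order).
    return [f for f in required if order.get(f) in (None, "")]

def audit(orders: list) -> Counter:
    """Per field, how many orders would reach a dispute without that evidence."""
    gaps = Counter()
    for o in orders:
        gaps.update(missing_evidence(o))
    return gaps

# Constructed order records (203.0.113.0/24 is a documentation address range).
COMMON = dict(ip_address="203.0.113.7", device_fingerprint="dev-a1", avs_result="Y",
              cvv_result="M", account_created_at="2023-01-05", prior_order_ids=["o-17"])
ORDERS = [
    {**COMMON, "id": "o-101", "kind": "physical", "amount": 250.0,
     "tracking_number": "TRK123", "delivery_confirmed_at": "2024-03-02"},   # no signature
    {**COMMON, "id": "o-102", "kind": "digital", "amount": 30.0,
     "device_fingerprint": None, "first_use_log_id": "log-9"},              # no device ID
    {**COMMON, "id": "o-103", "kind": "saas", "amount": 49.0,
     "prior_order_ids": [], "post_billing_usage_log_id": ""},               # no usage proof
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o["id"], missing_evidence(o))
    print(dict(audit(ORDERS)))
```

Running the audit on a sample of recent orders shows schema gaps while they can still be fixed, rather than when the chargeback arrives.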

A defensible defaults stack

A pragmatic prevention stack for a mid-sized CNP merchant looks roughly like:

  1. 3DS2 on every transaction over a risk threshold; mandatory in EU/UK.
  2. RDR with a Visa-fraud rule (auto-refund on incoming fraud claim) + Ethoca / CDRN for Mastercard / cross-network reach.
  3. Descriptor that includes the brand name, city, and a customer-service phone number.
  4. Gateway-side fraud rules with 3DS step-up (not decline) on high-risk signals.
  5. Subscription dunning + reminder email + one-click cancel.
  6. Order-record schema that persists IP, device ID, AVS/CVV results, tracking, and delivery confirmation by default.

Each layer multiplies into the next — a 50% reduction at each of three layers is an 87.5% combined reduction. Most well-run merchants run a stack like the above and keep their dispute ratio well under the Above-Standard 0.5% floor — far from any monitoring-program threshold.

Sources