Part III: Cards: The Dominant Rail
Chapter 13 — Chargebacks, Fraud & Disputes
When things go wrong: the dispute lifecycle, reason codes, liability allocation, fraud patterns, and the economics of chargebacks.
It was 8:47 on a Tuesday morning when WhiteBottle Coffee's payments dashboard lit up like a Christmas tree.
Three dispute notifications, all within 12 minutes. Maria — WhiteBottle's payments lead, the same one who'd spent months tuning their 3DS strategy — opened each one and felt her stomach drop.
Dispute #1: Four gift card bundles, $847, shipped two weeks ago to an address in a different state. The cardholder says they never made the purchase. This one looked familiar — it was the exact same fraud pattern from their early days, except this time, the order had slipped through their 3DS rules because the card's issuer returned an "attempted" authentication rather than a full one. Liability shift? Unclear.
Dispute #2: A $32 bag of single-origin beans, ordered and delivered six days ago. Tracking shows it was left at the front door. The cardholder says it never arrived. Maria pulls up the delivery photo — package on the doorstep, house number clearly visible. But the cardholder's bank has already issued a provisional credit, and the clock is ticking.
Dispute #3: A monthly coffee subscription, $19.99, charged three days ago. The customer had called WhiteBottle's support line last month asking to cancel, but the agent marked the ticket as "resolved" without actually processing the cancellation. The customer went straight to their bank instead of calling back.
Three disputes. Three completely different causes. Three different outcomes waiting to unfold.
The gift card fraud will test whether WhiteBottle's 3DS evidence chain holds up through clearing. The missing-delivery claim will come down to whether a photo of a package on a porch counts as "compelling evidence." And the subscription dispute? That one's on WhiteBottle — they made a mistake, and paying up quickly is the smartest move.
This is the reality of selling online. Authentication can reduce fraud. Tokenization can protect credentials. But disputes never go to zero. Understanding how they work — the mechanics, the money, and the strategies for managing them — is what separates merchants who absorb losses from merchants who control them.

Refund ≠ Chargeback ≠ Dispute
Before we go any further, let's untangle three words that people use interchangeably but that mean very different things operationally.
A refund is something the merchant initiates voluntarily. WhiteBottle looks at that subscription dispute, realizes their support agent made a mistake, and processes a refund for $19.99 through their payment processor. The money flows back to the customer through the same rails it came in on. No third party is involved in the decision. The merchant chose to return the money.
A chargeback is something the issuing bank initiates on behalf of the cardholder. When the customer with the missing coffee beans called their bank and said "I never received this," the bank didn't ask WhiteBottle's permission. The issuer filed a chargeback, which pulled the $32 back from WhiteBottle's acquirer, who debited it from WhiteBottle's merchant account — plus a chargeback fee of $15. WhiteBottle had no say in the timing, the amount, or the decision to reverse the charge. That power belongs to the issuer.
A dispute is the umbrella term for the entire process — from the moment the cardholder contacts their bank to the final resolution. A dispute may result in a chargeback, or it may be resolved before one is filed (through alert services, which we'll cover later). Not every dispute becomes a chargeback, but every chargeback starts as a dispute.
Why does this distinction matter? Because the three paths have radically different consequences for the merchant.
| Dimension | Refund | Chargeback |
|---|---|---|
| Who initiates | Merchant (voluntary) | Issuing bank (on cardholder's behalf) |
| Merchant control | Full — merchant decides when and how much | None — funds are pulled without merchant consent |
| Timing | Merchant chooses when to process | Issuer files when cardholder disputes; merchant has 20–30 days to respond |
| Fees | No additional fees (standard processing cost only) | Chargeback fee: typically $15–$100 per dispute |
| Monitoring impact | No impact on chargeback ratio | Counts toward Visa VAMP / Mastercard ECP ratios |
| Governed by | Merchant's own refund policy | Card scheme rules (Visa, Mastercard) and consumer protection laws |
| Merchant can contest? | N/A — merchant chose to refund | Yes — through representment (re-presenting evidence) |
| Typical triggers | Customer complaint, return, service failure | Fraud, goods not received, not as described, processing error, friendly fraud |
Table 1: Refunds and chargebacks look similar from the cardholder's perspective — money comes back. But for the merchant, they're fundamentally different in cost, control, and consequences.
The key insight: a proactive refund is almost always cheaper than a chargeback. WhiteBottle's failed subscription cancellation will cost $19.99 if they refund it today. If they wait for the chargeback to land, it costs $19.99 plus $15 in fees, plus a ding on their chargeback ratio that inches them closer to Visa's monitoring thresholds. The math isn't close.
This is why experienced merchants build a "refund-first" culture for clear-cut cases. It's not about being generous — it's about being economically rational. Save the fight for disputes where you have evidence and the amount justifies the effort.
Now that we've established the vocabulary, let's follow a dispute from start to finish. The next section walks through the full lifecycle — from the moment a cardholder picks up the phone to the final resolution.
The Dispute Lifecycle: End to End
To understand how disputes work, it helps to remember how the money got there in the first place.
When a customer buys coffee from WhiteBottle's online store, the payment flows through the same four-party sequence we traced in Chapter 9: the cardholder's bank (issuer) authorizes the transaction, WhiteBottle's payment processor submits it for clearing through the card network, and settlement moves the actual money from the issuer to WhiteBottle's acquirer, who deposits it in WhiteBottle's merchant account. The whole process takes one to two business days.
Diagram 1: The normal payment flow — from authorization through settlement. Every step here can be reversed by the dispute process.
A dispute reverses this entire flow. Money that took two days to arrive can be pulled back in hours, and the merchant has limited time and options to contest it.
How a Dispute Unfolds

Let's follow WhiteBottle's $32 missing-coffee-beans dispute step by step.
Step 1: The cardholder contacts their bank. The customer opens their banking app, taps the $32 charge from WhiteBottle, and selects "I didn't receive this item." Some banks ask for a brief explanation; others just need a reason code selection.
Step 2: The issuer evaluates and files a chargeback. The issuing bank reviews the claim against the card scheme's rules. The transaction is within the dispute window (typically 120 days from the transaction date for both Visa and Mastercard). The reason code fits — this is a "goods not received" claim. The issuer assigns a reason code (Visa 13.1: Merchandise/Services Not Received, or Mastercard 4855: Goods or Services Not Provided) and files a chargeback.
At the same time, the issuer issues a provisional credit to the cardholder — the $32 goes back on their statement immediately. From the cardholder's perspective, the problem is already solved. From WhiteBottle's perspective, it's just beginning.
Step 3: The network routes the chargeback to the acquirer. The chargeback flows through the card network to WhiteBottle's acquirer, following the reverse of the original payment path.
Step 4: The acquirer debits the merchant. WhiteBottle's acquirer pulls $32 from their merchant account — plus a chargeback fee (in this case, $15). Maria sees a debit notification in the dashboard: -$47 total. The acquirer also forwards the dispute details: reason code, cardholder's statement, and the deadline to respond.
Step 5: The merchant decides — accept or fight. This is where the paths diverge.
If the merchant accepts the chargeback, the story ends here. The cardholder keeps the provisional credit, WhiteBottle absorbs the $47 loss, and the dispute counts against their chargeback ratio.
If the merchant contests the chargeback, they enter the process of representment — literally "re-presenting" the transaction to the issuer with evidence that the charge was legitimate. WhiteBottle has the delivery photo, the tracking number showing "delivered," and the shipping confirmation email. Maria compiles this into an evidence package and submits it through their payment processor within the response window.
For Visa, the merchant typically has 30 days to respond to a first chargeback. For Mastercard, it's 45 days for second presentment. American Express gives merchants approximately 20 days to submit a challenge.
Step 6: The issuer reviews the evidence. The issuer receives WhiteBottle's representment package and evaluates it. If the evidence is compelling — the delivery photo clearly shows the package at the correct address, the tracking number confirms delivery — the issuer may reverse the chargeback. The $32 goes back to WhiteBottle, the provisional credit is removed from the cardholder's account, and the chargeback fee may or may not be refunded depending on the acquirer's policy.
If the issuer isn't convinced — maybe the delivery photo is blurry, or the tracking just says "delivered" without proof of the specific address — the chargeback stands.
Step 7: Escalation — pre-arbitration and arbitration. If the merchant loses representment but believes they have a strong case, there's one more level: pre-arbitration (or "pre-arb"). This is a final attempt at resolution between the issuer and acquirer before involving the network.
If pre-arbitration fails, either party can escalate to arbitration, where the card network itself — Visa or Mastercard — reviews all evidence and makes a binding decision. The losing party pays an arbitration fee that can run into the hundreds of dollars ($500 for Visa, up to $300 for Mastercard). For a $32 bag of coffee beans, arbitration would be absurd. For an $8,000 piece of electronics, it might be worth it.
Diagram 2: The full dispute lifecycle — from cardholder complaint to final resolution. Notice how the merchant's window for action narrows at each stage. By the time you reach arbitration, the cost of fighting may exceed the cost of the dispute itself.
The Clock Is Always Ticking
Every stage of this process has a deadline, and missing one is an automatic loss. The cardholder has 120 days to file. The merchant has 20 to 45 days to respond (depending on the scheme). Pre-arbitration has its own window. And arbitration filings must happen within a set number of days after pre-arb.
This is why dispute management is fundamentally a time-sensitive operations problem, not just a financial one. A merchant who gets the notification on a Friday afternoon and doesn't check their dashboard until Monday has already burned two of their precious response days. Merchants with high dispute volumes often automate this workflow — ingesting chargeback notifications, auto-routing them by reason code to the right team, and pre-populating evidence templates so the response can ship within hours, not days.
The dispute lifecycle is the same regardless of whether the claim is legitimate. A real fraud victim and a friendly fraudster both enter the process the same way — the issuer files a chargeback with a reason code, and the merchant has to decide whether to fight. What differs is the reason code, and that's what we'll unpack next.
Reason Codes: The Taxonomy of "Why"
When an issuer files a chargeback, it doesn't just say "the customer wants their money back." It assigns a reason code — a standardized label that categorizes why the dispute was filed. This matters more than you might think, because the reason code determines two things: the legal-operational basis for the reversal, and what evidence the merchant needs to provide to win.
Think of reason codes as the dispute system's language. When WhiteBottle receives a chargeback with Visa reason code 13.1, the code itself tells Maria exactly what happened (the cardholder claims they didn't receive the goods), what evidence she needs (delivery confirmation, tracking number, proof of delivery to the correct address), and how long she has to respond.
Each card scheme maintains its own taxonomy. The codes don't map one-to-one across schemes, but the categories are broadly similar. Here are the five families that cover the vast majority of disputes a merchant will encounter.
The table below maps the major codes across schemes; we'll walk through the most common families next.
| Category | Description | Visa Code | Mastercard Code | Amex Code | Typical Cause | Prevention Strategy |
|---|---|---|---|---|---|---|
| Fraud / No Cardholder Authorization | Transaction not authorized by cardholder | 10.4 | 4837 | F29 | Stolen card, card-not-present fraud | 3DS, AVS, CVV, device fingerprinting |
| Card absent fraud (CNP) | 10.4 | 4837 | F24 | Online fraud | Strong auth (3DS2), velocity checks | |
| Fraud – Card Present | 10.1 | 4837 | F10 | Skimming / counterfeit card | EMV chip enforcement | |
| Authorization Issues | No authorization obtained | 11.3 | 4808 | A01 | Merchant skipped auth | Always auth before capture |
| Expired card used | 11.1 | 4807 | A02 | Old card charged | Validate expiry | |
| Declined authorization | 11.2 | 4808 | A08 | Ignored issuer decline | Never override declines | |
| Processing Errors | Duplicate charge | 12.6 | 4834 | P08 | Charged twice | Idempotency keys |
| Incorrect amount | 12.5 | 4831 | P05 | Wrong amount charged | Validate order totals | |
| No-show / cancelled recurring error | 12.7 | 4841 | P02 | Improper billing logic | Clear cancellation flows | |
| Paid by other means | 12.4 | 4842 | P01 | Customer paid cash/bank transfer | Sync payment channels | |
| Consumer Disputes | Services not rendered | 13.3 | 4855 | C08 | Service never delivered | Proof of delivery |
| Goods not received | 13.3 | 4855 | C08 | Shipping failure | Tracking + confirmation | |
| Cancelled recurring | 13.2 | 4841 | C04 | Customer cancelled but billed | Proper subscription state mgmt | |
| Not as described / defective | 13.3 | 4855 | C05 | Product mismatch | Accurate product descriptions | |
| No refund processed | 13.6 | 4855 | C02 | Refund promised but not done | SLA on refunds | |
| Credit not processed | 13.6 | 4855 | C02 | Refund delay | Automate refund pipelines | |
| No Show / Cancellation | No-show dispute | 13.8 | 4841 | C03 | Hotel/airline no-show | Clear cancellation policy |
| Cardholder Disputes | No knowledge of transaction | 13.5 | 4837 | C01 | “Friendly fraud” | Descriptor clarity + receipts |
| Recurring without consent | 13.2 | 4841 | C04 | Subscription abuse | Explicit consent logs | |
| Compliance / Misc | Invalid card number | 12.1 | 4834 | P03 | Bad PAN captured | Input validation |
| Late presentment | 12.2 | 4842 | P07 | Settlement delay | Submit within SLA | |
| No show / fraud mix | 13.x | 48xx | Various | Hybrid issues | Policy + logs |
1. Fraud and Unauthorized Transactions
This is the big one. The cardholder says: "I didn't make this purchase." Either someone stole their card number (true fraud) or the cardholder is lying (friendly fraud). The merchant can't tell the difference from the reason code alone — both look the same in the chargeback notification.
For Visa, this falls under the 10.x family — specifically 10.4 (Card-Absent Environment) for online transactions, which is the most common code e-commerce merchants see. For Mastercard, it's 4837 (No Cardholder Authorization). These are the disputes where 3DS liability shift (from Chapter 11) can change who pays.
2. Goods Not Received
The cardholder says: "I paid, but nothing arrived." This is WhiteBottle's $32 coffee beans dispute. Visa codes this as 13.1 (Merchandise/Services Not Received). Mastercard uses 4855 (Goods or Services Not Provided). The winning evidence here is proof of delivery — tracking numbers with delivery confirmation, ideally with a signature or photo.
3. Not as Described or Defective
The cardholder says: "What I received isn't what I ordered" or "it's broken." Visa codes this as 13.3 (Not as Described or Defective Merchandise). Mastercard uses reason code 4853 (Cardholder Dispute — Defective/Not as Described). This is harder to fight because it often comes down to subjective judgment about product quality.

4. Processing Errors
Something went wrong technically. The cardholder was charged twice, the amount was wrong, or a cancelled recurring charge went through anyway. Visa's 12.x family covers these — 12.1 (Late Presentment), 12.2 (Incorrect Transaction Code), 12.4 (Incorrect Account Number), 12.5 (Incorrect Amount), 12.6 (Duplicate Processing). Mastercard groups these under 4834 (Point-of-Interaction Error). These disputes are often the merchant's fault, and the right move is usually to accept and fix the process.
5. Credit Not Processed
The cardholder says: "The merchant promised a refund, but I never got it." This is Visa 13.6 (Credit Not Processed) and Mastercard 4860 (Credit Not Processed). The winning evidence is proof that the refund was actually issued, or proof that the merchant's return policy doesn't entitle the customer to one.
| Dispute Category | Visa Code + Window | Mastercard Code + Window | Amex Code + Window |
|---|---|---|---|
| Fraud / Unauthorized | 10.4 (Card-Absent Fraud). Cardholder: 120 days from transaction. Merchant response: 30 days. | 4837 (No Cardholder Authorization). Cardholder: 120 days. Second presentment: 45 days. | Fraud code (F series). Cardholder: 120 days. Merchant challenge: 20 days. |
| Goods Not Received | 13.1 (Not Received). Cardholder: 120 days from expected delivery. Merchant: 30 days. Visa imposes 15-day waiting period before filing. | 4855 (Not Provided). Cardholder: 120 days from expected delivery. Second presentment: 45 days. | C08 (Goods Not Received). Cardholder: 120 days. Challenge: 20 days. |
| Not as Described / Defective | 13.3 (Not as Described). Cardholder: 120 days from discovery of defect. Merchant: 30 days. | 4853 (Defective/Not as Described). Cardholder: 120 days. Second presentment: 45 days. | C31 (Goods/Services Not as Described). Cardholder: 120 days. Challenge: 20 days. |
| Processing Errors | 12.1–12.6 (various). Cardholder: 120 days. Merchant: 30 days. 540-day outer cap for some error types. | 4834 (Point-of-Interaction Error). Cardholder: 120 days. Second presentment: 45 days. | P series (Processing errors). Cardholder: 120 days. Challenge: 20 days. |
| Credit Not Processed | 13.6 (Credit Not Processed). Cardholder: 120 days from expected credit. Merchant: 30 days. | 4860 (Credit Not Processed). Cardholder: 120 days. Second presentment: 45 days. | C02 (Credit Not Processed). Cardholder: 120 days. Challenge: 20 days. |
Table 2: Cross-scheme reason code comparison. Codes and windows are illustrative — schemes update these periodically, and your acquirer's documentation is the authoritative source for current codes in your region.
Why Reason Codes Matter Operationally
The reason code isn't just a label — it's an instruction manual. Each code comes with a specific list of "responsive evidence" that the merchant can submit during representment. Send the wrong evidence for the code, and your representment will fail even if you have a strong case.
Smart merchants route their disputes by reason code before deciding how to respond. A fraud dispute (10.4) gets routed to the fraud team with 3DS evidence and transaction history. A goods-not-received dispute (13.1) goes to fulfillment for delivery proof. A processing error (12.x) goes to the operations team for investigation. Different codes, different teams, different evidence, different win rates.
The reason code also tells you whether fighting is worthwhile. Processing errors where the merchant made a genuine mistake? Accept, refund, and fix the process. Fraud disputes with solid 3DS evidence? Fight and win. Friendly fraud claims on delivered goods with proof of delivery? Fight — these are winnable.
With the dispute lifecycle and reason codes in hand, the next question is: when things go wrong, who actually pays? That's the story of liability allocation — and it's more nuanced than "the merchant always loses."
Who Really Pays: Liability and Risk Allocation
The default rule in card payments is brutally simple: the merchant pays. When a chargeback lands, the acquirer debits the merchant's account. If the merchant can't cover it — because they've gone bankrupt, run off with the money, or disappeared — the acquirer eats the loss. The issuer is protected by the scheme's rules because they acted on the cardholder's behalf.
This is the liability waterfall: merchant first, acquirer second, issuer last. It's why acquirers care so much about the merchants they onboard — every merchant's chargeback is the acquirer's contingent liability.
How Liability Shift Changes the Equation
The waterfall has one major exception: liability shift. As we covered in Chapter 11, when a merchant successfully authenticates a transaction with 3DS and carries the authentication evidence — the ECI indicator and cryptographic proof (CAVV/AAV) — correctly through authorization and clearing, fraud liability shifts from the merchant to the issuer.
This means WhiteBottle's $847 gift card dispute could play out very differently depending on whether 3DS was used:
| Scenario | Merchant Pays? | Acquirer Pays? | Issuer Pays? | Key Factor |
|---|---|---|---|---|
| Card-not-present (CNP) fraud, no 3DS | Yes — full amount + fees | Only if merchant defaults | No | No authentication = merchant bears fraud risk |
| CNP fraud, 3DS fully authenticated | No | No | Yes — full amount | Successful 3DS shifts fraud liability to issuer |
| CNP fraud, 3DS "attempted" only | Possibly — weaker protection | Only if merchant defaults | Possibly — depends on scheme rules | Attempted auth offers limited, uncertain protection |
| Card-present, EMV chip used | No (for counterfeit fraud) | No | Yes | EMV chip liability shift (since 2015 in US) |
| Card-present, no chip — swiped | Yes (for counterfeit fraud) | Only if merchant defaults | No | Merchant chose not to use available chip technology |
| Goods not received (any auth method) | Yes | Only if merchant defaults | No | 3DS protects against fraud, not fulfillment disputes |
Table 3: Liability allocation by scenario. Notice that 3DS only shifts liability for fraud disputes — fulfillment problems always land on the merchant regardless of authentication.
The critical insight: liability shift is not a blanket shield. It only covers fraud chargebacks ("I didn't authorize this"). If the cardholder says "I never received my order" or "the product was defective," the merchant pays regardless of whether 3DS was used. WhiteBottle's missing-beans dispute ($32) lands on them even though the original transaction was authenticated.
Monitoring Programs: The Meta-Risk
Here's where the economics of chargebacks get truly dangerous. Individual chargebacks cost money — the reversal amount plus fees. But the aggregate chargeback rate can threaten the merchant's ability to accept cards at all.
Both Visa and Mastercard run monitoring programs that track merchants' dispute metrics. Breach the thresholds, and the consequences escalate from warnings to fines to account termination.
Visa's Acquirer Monitoring Program (VAMP) — effective April 2025, Visa consolidated its former dispute and fraud monitoring programs into a single framework. VAMP tracks a combined ratio: (reported fraudulent transactions + total disputes) ÷ total settled card-absent transactions.
Mastercard's Excessive Chargeback Program (ECP) tracks both the number of chargebacks and the chargeback-to-transaction ratio.
| Program | Level | Count Trigger | Ratio Trigger | Consequences |
|---|---|---|---|---|
| Visa VAMP | Standard | — | < 0.9% | No action |
| Visa VAMP | Excessive | — | ≥ 0.9% (merchant: ≥ 2.2%, dropping to 1.5% in April 2026) | Fines ($25,000+/month), remediation plan required, potential termination |
| Mastercard ECP | ECM (Excessive) | 100–299 chargebacks/month | 1.50%–2.99% | Issuer recovery assessment fees; acquirer must file remediation plan |
| Mastercard ECP | HECM (High Excessive) | 300+ chargebacks/month | ≥ 3.00% | Higher fines ($50,000–$200,000/month), mandatory review, potential termination |
Table 4: Scheme monitoring program thresholds. These are simplified — actual thresholds vary by region and enforcement period. Your acquirer is the authoritative source for current thresholds.
Why does this matter? Because a merchant can be profitable on every individual transaction and still get terminated. If WhiteBottle processes 10,000 card-absent transactions per month and receives 100 chargebacks, their dispute rate is 1.0% — above Visa's VAMP threshold. Even if they win 60% of those disputes through representment, the filed count still hits the ratio. And once you're in a monitoring program, the fines alone can be devastating: $25,000 per month at the Visa Excessive level, escalating from there.
This is also why Visa's Compelling Evidence 3.0 matters beyond the individual dispute. CE 3.0 wins on fraud chargebacks are excluded from the VAMP fraud ratio calculation. So fighting and winning with CE 3.0 doesn't just recover the transaction amount — it protects the merchant's monitoring status.
The monitoring programs create a harsh reality: chargeback management isn't optional for any merchant with meaningful volume. Even if you can afford to eat individual losses, you can't afford to lose the ability to accept cards. That makes understanding fraud patterns — and the tools to fight them — essential. That's next.
Fraud Patterns and the Rules That Catch Them
WhiteBottle's $847 gift card dispute and the $19.99 subscription cancellation look identical in the chargeback notification — both arrive with a reason code and a deadline. But the fraud behind them is fundamentally different, and treating them the same is one of the most expensive mistakes a merchant can make.
Two Buckets of Fraud
Every dispute driven by fraud falls into one of two categories, and the distinction changes everything about how you prevent and fight it.
- Unauthorized fraud (third-party fraud). Someone who isn't the cardholder uses the card to make a purchase. A stolen card number used to buy gift cards from WhiteBottle's online store. A data breach that leaks thousands of card numbers (PANs) into a dark web marketplace. A phishing email that tricks a customer into entering their credentials on a fake checkout page. The cardholder genuinely didn't authorize the transaction, and the dispute is legitimate. This is the fraud that 3DS (Chapter 11) is designed to prevent. When WhiteBottle's $847 gift card order slipped through because the issuer returned an "attempted" rather than a full authentication, the system didn't fail entirely — it just didn't provide the strongest possible protection. Strong Customer Authentication, device fingerprinting, and network-level fraud scoring all target this bucket.
- First-party fraud (friendly fraud). This is the fraud that blindsides merchants. The cardholder actually made the purchase — used their own card, received the goods or service — and then disputes it anyway. Sometimes it's buyer's remorse. Sometimes the cardholder forgot about the charge and doesn't recognize it on their statement. Sometimes it's deliberate: a "refund hack" where the customer gets both the product and their money back.
WhiteBottle's subscription dispute sits in a gray zone. The customer genuinely tried to cancel but WhiteBottle's support agent didn't process it. That's a merchant error, not fraud. But many subscription disputes are friendly fraud — the cardholder enjoyed the service, decided they didn't want to pay, and went straight to their bank instead of requesting a cancellation. From the reason code alone, you can't tell the difference.
Friendly fraud is harder to prevent because the transaction itself looks perfectly legitimate.
The cardholder passed authentication, the card wasn't stolen, and the goods were delivered. The only defense is evidence — proof that the cardholder authorized the purchase and received what they paid for.
This is where Visa's Compelling Evidence 3.0 becomes valuable: by matching the disputed transaction's device fingerprint or IP address against two prior undisputed purchases, the merchant can demonstrate that the same person has been happily buying from them for months.

Card Testing: The Bot-Driven Prelude to Fraud
Before stolen cards are used for big purchases, fraudsters need to know which ones still work. Card testing (also called enumeration attacks) is the process of running small transactions — often $1 or $2 — against a merchant's checkout to validate stolen card numbers in bulk.
The mechanics are straightforward. A bot hammers a merchant's payment page with hundreds or thousands of authorization requests, each using a different card number from a stolen batch. The ones that return "approved" are confirmed as active cards with available credit. Those validated cards then get sold or used for larger fraudulent purchases elsewhere.
For WhiteBottle, a card testing attack might look like 300 authorization attempts for $1 coffees in 10 minutes, all from the same IP address or device. Most will decline — but the 30 that approve just confirmed 30 live card numbers. Even the declines cause problems: they inflate WhiteBottle's decline rate, which processors monitor, and the approved micro-transactions may later generate chargebacks when cardholders notice charges they didn't make.
Prevention: Rules, Signals, and Layers
No single tool stops fraud. Effective prevention stacks multiple signals, each catching what the others miss.
- Velocity rules are the first line of defense. Too many authorization attempts from the same card, IP address, device, or email address in a short window? That's a pattern that almost never reflects legitimate shopping. WhiteBottle might set a rule: no more than three authorization attempts per card number per hour, and no more than 10 per IP address per minute. The card testing bot that fires 300 requests in 10 minutes gets shut down after the first handful.
- AVS and CVV checks catch a different signal. The Address Verification System compares the billing address the customer enters against what the issuer has on file. A CVV mismatch means the person doesn't have the physical card (or a good enough image of it). Neither is foolproof — fraudsters can buy addresses alongside card numbers — but a billing-address mismatch combined with other signals is a strong indicator of risk.
- Device fingerprinting builds a profile of the customer's device — browser type, screen resolution, installed fonts, time zone, behavioral patterns like typing speed and mouse movement. When WhiteBottle sees a transaction from a device that's been associated with five different cards in the past week, that's a red flag that no single data point would reveal.
- Bot mitigation targets the automated nature of card testing and enumeration attacks. CAPTCHAs, invisible challenge scripts, and behavioral analysis can distinguish a human browsing a coffee menu from a bot cycling through card numbers at machine speed.
The key insight is that these tools work best in combination. A single failed AVS check on a $30 order might be a customer who moved recently. A failed AVS check plus a new device fingerprint plus three other cards tried from the same IP in the last hour? That's almost certainly fraud.
Reason Codes as a Feedback Loop
Here's something that surprises merchants who treat disputes as purely a cost-of-business problem: reason codes are analytics gold.
Each code maps back to a specific operational breakdown, and tracking them over time reveals patterns that prevention tools alone can't surface.
For example, a spike in Visa 10.4 (fraud) chargebacks from a specific product category might mean stolen cards are targeting gift cards or high-resale items — time to add 3DS challenge flows for those product categories.
A cluster of 13.1 (not received) disputes from a specific shipping carrier or region suggests a fulfillment problem, not a fraud problem.
A wave of 13.6 (credit not processed) disputes means the refund process is broken or too slow — customers are going to their bank because the merchant isn't responding fast enough.
Smart merchants build dashboards that segment disputes by reason code, product category, fulfillment channel, and time period. The reason code tells you not just what happened but what to fix — and fixing the upstream process is always cheaper than fighting the downstream dispute.
The Decision Flowchart: What to Do When a Dispute Lands
When a dispute notification arrives, the first 24 hours matter most. Here's the decision tree that experienced merchants follow:
Diagram 3: The merchant's decision flowchart for incoming disputes. The first question — is this our fault? — is the most important. If yes, accept fast and save the chargeback fee. If no, the reason code determines what evidence to assemble.
The flowchart captures a simple but powerful principle: Triage before you fight.
A merchant error that costs $20 to refund will cost $35+ to lose as a chargeback (the amount plus fees plus ratio damage). A fraud dispute with strong 3DS evidence (Chapter 11) is worth fighting — the win rate on fully authenticated transactions is significantly higher than on unauthenticated ones.
And a consumer dispute over a $15 item? Accept it, log the reason code, and fix whatever caused it. The economics of representment only work when the amount justifies the effort.
With fraud patterns and prevention tools covered, the next question is concrete: what does all of this actually cost? The next section walks through two WhiteBottle scenarios with real numbers — line by line.
The Money: Two Scenarios, Line by Line
Everything we've covered so far — reason codes, liability shifts, monitoring thresholds — becomes concrete when you see the actual numbers. Let's walk through two WhiteBottle disputes and trace every dollar.
Scenario A: CNP Fraud, No 3DS — Merchant Loses

A fraudster uses a stolen card to buy a $100 gift card bundle from WhiteBottle's online store. The transaction wasn't authenticated with 3DS — WhiteBottle's rules engine exempted gift card orders under $150 to reduce checkout friction. The order ships. Two weeks later, the real cardholder notices the charge and disputes it.
| Line Item | Amount | Running Total |
|---|---|---|
| Original sale | +$100.00 | +$100.00 |
| Processing fees (merchant discount rate, ~3%) | –$3.00 | +$97.00 |
| Settlement received | $97.00 deposited | +$97.00 |
| Cost of goods shipped | –$40.00 | +$57.00 |
| Chargeback filed (full sale amount debited) | –$100.00 | –$43.00 |
| Chargeback fee | –$25.00 | –$68.00 |
| Net merchant impact | –$68.00 |
Table 5: Scenario A — CNP fraud with no 3DS. The merchant loses more than the sale amount because they've already shipped the goods and paid processing fees before the chargeback reverses the full $100.
The math is brutal. WhiteBottle didn't just lose the $100 sale — they lost $168 in total value ($100 revenue + $40 in goods + $3 in fees + $25 chargeback fee), netting out to a $68 cash loss after accounting for the $100 they'd already received.
And that $68 doesn't include the operational time Maria spent reviewing the dispute, the ratio damage that inches them toward VAMP thresholds, or the shipping cost to send the gift cards in the first place.
Now imagine WhiteBottle had used 3DS on this transaction and received a full authentication (ECI 05). The liability shift would have moved the fraud chargeback to the issuer. WhiteBottle keeps the $97, keeps the goods cost as a sunk expense, and pays no chargeback fee. The difference between –$68 and $0 is the entire economic case for 3DS on high-risk orders.
Scenario B: Duplicate Processing Error — Merchant Wins

A WhiteBottle barista accidentally processes a $45 in-store order twice. The customer sees two identical charges on their statement and disputes the duplicate with their bank. The issuer files a chargeback with reason code 12.6 (Duplicate Processing).
But WhiteBottle's system caught the error first. Their reconciliation process flagged the duplicate that same evening, and they issued a refund for the second charge before the chargeback even arrived. When the dispute notification lands, Maria has everything she needs.
| Line Item | Amount | Running Total |
|---|---|---|
| Original sale (correct charge) | +$45.00 | +$45.00 |
| Duplicate charge (error) | +$45.00 | +$90.00 |
| Refund issued (same day, linked to duplicate via Trace ID) | –$45.00 | +$45.00 |
| Chargeback filed on duplicate | –$45.00 | $0.00 |
| Chargeback fee | –$15.00 | –$15.00 |
| Representment: refund evidence submitted | — | –$15.00 |
| Chargeback reversed (merchant already refunded) | +$45.00 | +$30.00 |
| Chargeback fee refunded (acquirer policy) | +$15.00 | +$45.00 |
| Net merchant impact | +$45.00 (original sale retained) |
Table 6: Scenario B — Duplicate processing error with successful representment. Because WhiteBottle caught the error, issued a refund proactively, and linked it to the original transaction via Trace ID, they had airtight evidence for representment.
The key to Scenario B isn't just that WhiteBottle won — it's why they won.
Three things made the difference.
- First, their reconciliation process caught the duplicate before the customer even noticed.
- Second, they issued the refund immediately and linked it to the original transaction using the payment processor's Trace ID, creating an evidence trail.
- Third, when the chargeback arrived anyway (because the customer had already contacted their bank), Maria could submit the refund confirmation as representment evidence — proving the issue was already resolved.
If WhiteBottle had waited for the chargeback to arrive before acting, the outcome might have been the same — but the process would have been slower, more stressful, and the dispute would have counted against their chargeback ratio for longer.
The Takeaway
Scenario A shows why prevention matters: a $100 sale becomes a $68 loss when fraud succeeds. Scenario B shows why operational hygiene matters: catching errors fast, issuing refunds proactively, and maintaining evidence trails turns a potential loss into a non-event.
The merchants who manage chargebacks well aren't the ones who win every dispute. They're the ones who make the right call on:
- Which disputes to fight
- Which to accept
- Which to prevent from happening in the first place.
The next section puts numbers around what "good" looks like across the industry.
Benchmarks and Best-Practice Mitigations
So what does "good" actually look like? Chargeback rates vary dramatically by industry, and understanding where you sit relative to your peers is the first step toward knowing whether you have a problem — or just normal operating friction.
| Industry Vertical | Approximate Chargeback Rate | Why |
|---|---|---|
| Education / Online Learning | ~1.02% | High subscription churn, buyer's remorse on courses |
| Travel & Hospitality | ~0.89% | Long delivery windows, cancellation disputes, booking confusion |
| Gaming & Digital Goods | ~0.83% | In-app purchases by minors, friendly fraud on virtual goods |
| SaaS / Software | ~0.66% | Forgotten subscriptions, unclear cancellation flows |
| Retail / E-commerce | ~0.52% | Shipping disputes, product quality, return friction |
| Restaurants / Food Service | ~0.12% | Low ticket values, card-present transactions, immediate fulfillment |
Table 7: Industry benchmark chargeback rates. These are approximate and vary by source. Note that rates can be calculated by count (number of chargebacks ÷ number of transactions) or by amount (chargeback dollars ÷ sales dollars) — the two methods produce different numbers, so make sure you're comparing apples to apples.
WhiteBottle, as a coffee company selling both in-store (card-present, low ticket) and online (subscriptions, gift cards), will see a blended rate. Their in-store transactions will look like the restaurant benchmark. Their online gift card and subscription business will trend higher — closer to retail or SaaS.
The Three-Layer Defense

So what can merchants do to stay out of trouble? Build a layered defense:
- Layer 1: Prevention
Prevention stops disputes from ever happening.
- Use clear billing descriptors ("WHITEBOTTLE COFFEE" instead of a cryptic merchant code)
- Implement proactive shipping notifications
- Have easy-to-find cancellation flows
- Offer responsive customer service
These all reduce the number of customers who feel their only option is to call their bank.
- Layer 2: Deflection
Deflection intercepts disputes before they become chargebacks.
This is where alert services earn their keep.
Ethoca (owned by Mastercard) and Verifi (owned by Visa, via its Cardholder Dispute Resolution Network and Rapid Dispute Resolution products) notify merchants when a cardholder contacts their bank, giving the merchant a window to issue a refund before the chargeback is filed.
- Ethoca gives merchants 24 hours to respond; Verifi CDRN gives 72 hours.
- Verifi's Rapid Dispute Resolution goes further — it uses merchant-defined rules to automatically refund eligible disputes without any manual intervention, and Visa reports an average 34% drop in chargebacks for businesses using RDR.
The cost of an alert (typically $30–50) is almost always less than the cost of a chargeback ($15–100 in fees, plus lost merchandise, plus ratio damage). Most serious merchants run both Ethoca and Verifi to cover both Mastercard and Visa disputes.
- Layer 3: Representment
Representment means assembling evidence and fighting back.
The key to effective defense is evidence hygiene:
- keeping detailed records of every transaction, linking refunds to original purchases via Trace IDs, saving delivery confirmations and customer communications, and maintaining 3DS authentication data.
- Visa's Compelling Evidence 3.0 deserves special mention here.
- For fraud chargebacks (reason code 10.4), CE 3.0 allows merchants to submit evidence of two prior undisputed transactions from the same customer — matching on at least two data elements (device ID, IP address, customer login, or delivery address), with at least one being the device ID or IP.
Successful CE 3.0 representments are excluded from VAMP's fraud ratio calculation, making them doubly valuable: they recover revenue and protect monitoring status.
Merchants with high dispute volumes should use dispute management platforms like Chargeflow, Chargebacks911, or Kount to automate evidence compilation and submission.
Don't Forget the Basics
One prevention measure is so fundamental it's easy to overlook: Don't store sensitive authentication data after authorization. PCI DSS explicitly prohibits storing CVV2/CVC2 values after the transaction is complete.
Beyond compliance, this is practical dispute prevention — data you don't store can't be breached, and breaches feed the stolen-card fraud that drives the most expensive chargebacks.
Scheme rules and operational best practices form the merchant's playbook. But they operate within a broader legal framework that varies by jurisdiction — and in some cases, the law gives consumers more protection than the schemes do.
Legal and Regulatory Overlay
Everything we've discussed so far — reason codes, representment, monitoring programs — operates under the card schemes' rules.
Visa and Mastercard set the timelines, define the evidence requirements, and enforce the thresholds. But scheme rules aren't the only rules.
In many jurisdictions, consumer protection laws create a separate layer of dispute rights that can override or supplement what the schemes provide.
1. United States: FCBA and Regulation Z
The Fair Credit Billing Act (FCBA), implemented through the Federal Reserve's Regulation Z, gives US cardholders statutory rights for billing disputes. A cardholder must send a written notice to their card issuer within 60 days of the billing statement containing the error.
The issuer must acknowledge the notice within 30 days and resolve the dispute within two billing cycles (maximum 90 days). During the investigation, the issuer cannot report the disputed amount as delinquent.
For most practical purposes, scheme rules are more generous than FCBA — Visa and Mastercard give cardholders 120 days to dispute, versus FCBA's 60. But FCBA creates a legal floor: even if a scheme tightened its dispute windows, the statutory right would still apply.
2. European Union: PSD2
The Payment Services Directive 2 (PSD2) establishes statutory rules for unauthorized payment transactions across the EU.
Under PSD2, a payment service user who notifies their provider of an unauthorized transaction is entitled to a refund by the end of the next business day — significantly faster than scheme timelines.
The maximum liability for an unauthorized transaction is capped at €50 if the customer didn't act negligently (and €0 if the provider didn't require Strong Customer Authentication).
PSD2's interaction with 3DS is notable: when a merchant triggers a 3DS exemption and the transaction turns out to be fraudulent, the liability framework gets complex. The statutory and scheme rules can point in different directions.
3. United Kingdom: Section 75
The UK's Consumer Credit Act, specifically Section 75, creates a unique protection for credit card purchases between £100 and £30,000.
Under Section 75, the credit card issuer is jointly and severally liable with the merchant for breach of contract or misrepresentation. This means the cardholder can claim against their card issuer even if the merchant has gone bankrupt or disappeared.
Section 75 is powerful because it goes beyond dispute resolution — it creates actual liability for the issuer based on the underlying commercial transaction, not just the payment instruction.
| Jurisdiction | Law / Regulation | Key Right | Time Limit |
|---|---|---|---|
| United States | FCBA / Regulation Z | Dispute billing errors; provisional credit during investigation; issuer must resolve within 2 billing cycles | 60 days from billing statement |
| European Union | PSD2 | Refund for unauthorized transactions by next business day; max €50 liability (or €0 without SCA) | 13 months from transaction date |
| United Kingdom | Consumer Credit Act, Section 75 | Joint issuer/merchant liability for breach of contract on credit card purchases £100–£30,000 | 6 years from breach (standard limitation period) |
Table 8: Regulatory framework comparison. Scheme rules (Visa, Mastercard) govern the operational dispute process, but statutory rights can be broader and sometimes more favorable to the consumer.
The practical takeaway for merchants: don't assume that scheme rules are the only rules governing disputes. A customer in London buying with a credit card has both Visa/Mastercard dispute rights and Section 75 rights. A customer in Berlin has both scheme rights and PSD2 protections. When these frameworks conflict, the more consumer-friendly rule generally prevails. If you sell internationally, your dispute strategy needs to account for the regulatory landscape in each market you serve.
What Comes Next
This chapter covered what happens when card payments go wrong — from the moment a cardholder picks up the phone to the final resolution of a dispute. We've walked through the lifecycle, the reason codes, the liability rules, the fraud patterns, and the economics.
But we've been talking about one-time purchases. What about recurring payments — the subscription that charges your card every month, the membership that auto-renews every year? Subscription billing introduces an entirely different category of disputes. "I cancelled but was still charged" is one of the most common chargeback reasons in e-commerce, and it plays by subtly different rules than the one-time fraud and fulfillment disputes we've covered here. We'll return to subscription billing in Part IV.
But before we leave card rails behind, there's one more dimension to explore. Everything we've covered so far assumes the customer walks in with someone else's card.
What happens when the merchant issues the card — or when the marketing offer is wired directly into the payment stream? That's next.
Sources
- Visa, Visa Core Rules and Visa Product and Service Rules — dispute rights, timeframes, and the 10.x/12.x/13.x reason-code families under Visa Claims Resolution
- Visa, Compelling Evidence 3.0 program documentation — qualifying evidence rules and VAMP fraud-ratio exclusion
- Visa, Visa Acquirer Monitoring Program (VAMP) announcements — the consolidated fraud-plus-dispute ratio framework effective April 2025
- Mastercard, Chargeback Guide — reason codes 4834, 4837, 4853, 4855, 4860 and representment procedures
- Mastercard, Excessive Chargeback Program (ECP) documentation — merchant monitoring thresholds
- US Fair Credit Billing Act and Regulation Z — statutory billing-error dispute rights (60-day window, two-billing-cycle resolution)
- EU Second Payment Services Directive (PSD2) — unauthorized-transaction refund rights and the 13-month notification window
- UK Consumer Credit Act 1974, Section 75 — joint issuer liability on credit purchases between £100 and £30,000