Visa, Mastercard, and Every Card-Processing App + Evidora. There’s Love In The Air!
Card networks reward merchants with strong dispute evidence. The catch is PCI compliance. Here is why Evidora is built to give them what they want without breaking a single rule.
Visa, Mastercard, and the payment apps that ride on top of them have a friendly-fraud problem. Their published programs (Compelling Evidence 3.0, First-Party Trust, VAMP) explicitly reward merchants with strong, structured evidence. The one rule they will not bend on is PCI. Evidora is engineered to deliver the evidence the networks want without ever touching the cardholder data PCI prohibits.
A merchant friend pings you with a worried message. “Someone told me Visa has a rule against recording order pages. Are we exposed if we use an evidence tool?”
It is a fair question. The answer is more interesting, and more useful, than a yes or no. There is a rule layer your friend is gesturing at, and it matters. It is just not the rule they think it is.
“Wait, isn’t this against Visa’s rules?”
“Visa has a rule against recording order or checkout pages.”
This claim circulates in merchant forums, payments Slack groups, and the occasional sales call. It is not accurate.
Visa enforces PCI DSS, which prohibits capturing cardholder data, not user behavior.
There is no Visa “no recording” rule. The constraint is what your vendor can see, not whether it can run.
So the real question is not “is recording allowed?” The real question is “is your recording vendor architected to stay on the right side of PCI?” Most generic session-replay tools stumble here. Evidora was designed to clear the bar from day one.
Why card networks want more evidence, not less
If you read the networks’ own publications, they are not subtle about wanting merchants to capture more. They have a friendly-fraud problem and they need help.
[Stat cards: chargebacks in 2026; friendly fraud; VAMP threshold (April 2026)]
Three live programs all push in the same direction:
Compelling Evidence 3.0 (rewards evidence)
Liability shifts away from merchants who can produce structured evidence (device ID, IP, prior matched transactions) before a chargeback is filed.
First-Party Trust Program (rewards evidence)
Liability shift for merchants submitting enhanced data at authorization or during dispute response. More evidence, fewer disputes, healthier ecosystem.
VAMP Threshold Drop (penalizes weak evidence)
“Excessive” threshold cut from 2.2% to 1.5%. The fastest way to stay below the new line is defeating or deflecting disputes with strong checkout evidence.
For the operational impact of the VAMP change in particular, see our VAMP breakdown.
Read the network programs end-to-end and the message is unmistakable. They want merchants to bring more proof, not less. The constraint is what kind.
The PCI rule everyone misunderstands
The single rule that creates the confusion is in PCI DSS Requirement 3. In plain language:
- Sensitive Authentication Data (full track data, CVV, PIN) can never be stored after authorization. Ever. Even encrypted.
- The full PAN must be masked when displayed. Maximum is the first six digits and the last four.
- Anyone who stores, processes, or transmits cardholder data is in PCI scope, including third-party tools you embed on the page.
This is where most generic session-replay tools get themselves into trouble. If their script can see the card number, expiration, or CVV (even briefly), the merchant has just transmitted cardholder data, and in the CVV’s case Sensitive Authentication Data, to a third party. That is a serious PCI problem, and the acquirer will eventually pass the consequences down to the merchant.
The good news: the rule does not say “no recording.” It says “no capturing cardholder data.” Those are very different lines.
Permitted (user behavior, not cardholder data):
- Scrolls, hovers, clicks on the merchant page
- Form interactions on the Terms / Agreement checkbox
- Time on page, navigation through the funnel
- Click events on “Place Order” / “Submit”
- Capture of the rendered consent and disclosure language
- Checkout flows where the card field is in a processor-hosted iframe
Prohibited (cardholder data and Sensitive Authentication Data):
- Keystrokes inside the card number, CVV, or expiration fields
- The DOM contents of an unmasked PAN
- Storing track data, CVV, or PIN under any circumstance
- Third-party scripts that can read into the payment iframe
- Vendors who cannot produce an Attestation of Compliance
How Evidora sits next to the payment iframe
On the merchant page, captured by Evidora:
- Scrolls & hovers
- Terms checkbox
- “Place Order” click
- Rendered page state
- Time on page
- Bot-detection score
Inside the processor’s hosted iframe, never seen:
- Card number
- CVV
- Expiration
- PIN / track data
The high-value evidence (proof the consumer agreed and ordered) does not actually need the card field contents. It lives on the merchant page, before and around the payment iframe. That is the territory Evidora was built for.
How Evidora is built to comply, not skirt
Most evidence vendors retrofit PCI safety on top of a generic session-replay engine. Evidora was architected the other way around: PCI-safe by default, before the first line of capture.
Zero. Sensitive. Data. Captured.
- Full PAN (Primary Account Number): not seen, not stored, not transmitted
- CVV / CVC / CID: not seen, not stored, not transmitted
- Card expiration: not seen, not stored, not transmitted
- PIN data & track data: not seen, not stored, not transmitted
- Any Sensitive Authentication Data under PCI DSS Requirement 3: architecturally excluded
100% aligned with Visa-enforced PCI DSS. The Evidora script is structurally unable to read the contents of the processor’s hosted card iframe.
The four design choices that make this true
- Card fields stay inside the processor-hosted iframe: Stripe Elements, Braintree Hosted Fields, Adyen secured fields, and similar. Because those frames are served from the processor’s origin, the browser’s same-origin policy blocks any script on the merchant page from reading their DOM, so Evidora is structurally unable to read into them.
- Input recording is opt-in only: by default, no input fields are recorded. Only the fields your team explicitly opts in are captured, and only then.
- Consent evidence comes from the merchant page: Terms checkbox, “I agree” click, scroll position over disclosures, time on page, the rendered page the consumer saw.
- Attestation of Compliance on request: when your processor or compliance team asks for an Attestation of Compliance from your evidence vendor, Evidora is positioned to provide one.
The result: adding Evidora to a checkout that already uses a processor-hosted iframe does not push your PCI scope from SAQ A to a heavier assessment. You get the dispute-defense benefits without the compliance penalty. Like any third-party script on a payment page, it still belongs in your script inventory and should be loaded with Subresource Integrity and a Content Security Policy, which is what an assessor will ask about under PCI DSS v4’s payment-page script requirements.
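As an added example (not Evidora’s code, and not a description of its implementation), here is a default-deny capture policy in JavaScript that encodes the permitted/prohibited split above: cross-origin iframes are opaque, inputs are dropped unless opted in, and a Luhn-checked PAN mask catches a card number that leaks into free text. The field names agree_terms and delivery_note are assumptions.

```javascript
// Added example, not Evidora's code: a default-deny capture policy for a
// merchant-page evidence recorder. Events are plain objects describing the
// target, so it runs without a DOM. Field names below are assumptions.
const OPTED_IN_FIELDS = new Set(["agree_terms", "delivery_note"]);

// Luhn check, used to spot a card number that leaked into free text.
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// Defence in depth: mask any 13-19 digit Luhn-valid run to first six + last
// four, the maximum PCI DSS Requirement 3 allows to be displayed.
function scrubPan(text) {
  return text.replace(/\d[\d -]{11,21}\d/g, (run) => {
    const digits = run.replace(/[ -]/g, "");
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) return run;
    return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
  });
}

// Decide what, if anything, to record for one event. null means "do not record".
function recordEvent(ev) {
  const t = ev.target;
  // A processor-hosted card iframe is cross-origin: the browser's same-origin
  // policy blocks DOM access, so only the fact of a click in the frame is kept.
  if (t.tag === "iframe" && t.crossOrigin) {
    return { type: ev.type, target: "iframe", note: "contents not accessible" };
  }
  if (t.tag === "input" || t.tag === "textarea" || t.tag === "select") {
    // Default deny: no input value leaves the page unless explicitly opted in.
    if (!OPTED_IN_FIELDS.has(t.name)) return null;
    // Checkboxes record only their state; opted-in text is still PAN-scrubbed.
    const value = t.type === "checkbox" ? Boolean(t.checked) : scrubPan(String(t.value ?? ""));
    return { type: ev.type, target: t.tag, name: t.name, value };
  }
  // Scrolls, hovers and "Place Order" clicks are behaviour, not cardholder data.
  return { type: ev.type, target: t.tag, text: scrubPan(t.text ?? ""), at: ev.timestamp };
}
```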
Why payment apps and processors benefit too
Visa’s VAMP enforcement does not stop at the merchant. Acquirers are now in the program too. A new “Above Standard” acquirer threshold of 0.5% kicked in January 1, 2026. When their merchants run high dispute ratios, the acquirer is fined and faces program scrutiny.
That changes the math for payment apps and processors. Stripe, Shopify, Square, PayPal, Adyen, and every other player whose business is essentially a portfolio of merchant accounts now has a direct interest in their merchants having strong dispute evidence.
Merchant: refund requests deflected, representments won, dispute ratio drops below the VAMP threshold.
Acquirer / payment app: healthier merchant book, reduced VAMP exposure, faster liability shifts under CE 3.0 and FPT, less chargeback support burden.
Card network: cleaner ecosystem, fewer disputes processed, more legitimate transactions protected, friendly fraud trend reversed.
The chain works in one direction: better merchant evidence leads to better acquirer health, which leads to a better network ecosystem. Evidora sits at the start of that chain.
If you build, run, or rely on a payment app, an Evidora-enabled merchant book is a healthier one. We covered a related angle in our piece on 3D Secure versus evidence-based defense and in our deep dive on what actually wins chargeback disputes.
A quick note on the love
The headline is playful on purpose. Evidora has no formal endorsement, partnership, or testimonial from Visa or Mastercard, and this article does not claim one. The case rests on the networks’ own published programs and rules: Compelling Evidence 3.0, First-Party Trust, VAMP, and PCI DSS. Read those documents and the alignment is obvious. Evidora is built to deliver the evidence the networks reward, in a way the networks’ compliance regime permits. That is where the “love” comes from. It is not from a press release.
Most merchants and payment apps assume the choice is “skip evidence to stay PCI safe” or “capture evidence and risk PCI scope.” That is a false choice. Architected correctly, an evidence platform sits entirely on the merchant page around the processor’s hosted card field, captures exactly what the networks reward, and never touches what PCI prohibits. That is the lane Evidora was built in.
Frequently asked questions
Does Visa prohibit recording order or checkout pages?
No. Visa does not publish a rule that bans session recording on order pages. What Visa enforces is PCI DSS, which prohibits capturing or storing Sensitive Authentication Data such as the full PAN, CVV, or PIN. Capturing user behavior like scrolls, clicks, terms-checkbox events, and consent actions is industry-standard and permitted, as long as the script never sees cardholder data.
Why do card networks want merchants capturing more evidence?
Friendly fraud is now the largest category of chargeback dispute, and it costs the entire payments ecosystem trust and operational expense. Networks have responded with programs that explicitly reward merchants who can produce structured, verifiable evidence: Visa Compelling Evidence 3.0, Mastercard First-Party Trust, and VAMP threshold enforcement. Strong merchant evidence reduces dispute volume, helps issuers resolve faster, and protects legitimate transactions.
Is Evidora PCI compliant?
Yes. Evidora is architected to follow every Visa-enforced PCI DSS rule. The Evidora script never sees, stores, transmits, or shares cardholder data, Sensitive Authentication Data, or any payment field contents. Card capture stays inside the payment processor’s hosted iframe (Stripe Elements, Braintree Hosted Fields, and similar), which Evidora is structurally unable to read into.
Does adding Evidora expand my PCI scope?
No. Because Evidora cannot see cardholder data by design, adding it to a checkout that already uses a processor-hosted iframe does not push you from SAQ A to a heavier assessment. Evidora’s role is limited to capturing the merchant-page interactions that PCI explicitly permits: consent actions, scroll behavior, time on page, agreement checkboxes, and submission events.
What about California CIPA wiretapping lawsuits?
CIPA exposure is real and growing, with about 1,500 lawsuits filed in the 18 months before mid-2025. The risk is highest for merchants who run undisclosed third-party recording, chat, or pixel tools. Evidence capture done with proper consent and disclosure is defensible. Evidora is designed for the disclosed-and-consented use case, not the silent third-party-pixel use case that drives most CIPA complaints.
Has Visa or Mastercard endorsed Evidora?
No. Evidora has no formal endorsement, partnership, or testimonial from Visa or Mastercard, and this article does not claim one. The case is built on the networks’ own published programs and rules. Visa’s Compelling Evidence 3.0, Mastercard’s First-Party Trust, and the VAMP threshold change all explicitly reward merchants who can produce structured, verifiable, PCI-compliant evidence. Evidora delivers exactly that.
Why should payment apps and processors care about this?
VAMP enforcement now reaches acquirers. When their merchants run high dispute ratios, the acquirer is fined by Visa and faces program scrutiny. Payment apps and processors whose merchants run Evidora carry less risk, defend more disputes successfully, stay below VAMP thresholds, and qualify for liability-shift programs faster. Healthier merchant book equals healthier acquirer.
Give the networks the evidence they reward, without the PCI risk they punish
Evidora captures court-ready evidence on the merchant side of the checkout, in a way that aligns with Visa, Mastercard, and PCI DSS. One line of code. Free to start. Pay only when you retain a record.