Chargeback Strategy · Feature

The Two Data Elements That Win a Visa Compelling Evidence 3.0 Dispute

One Visa rule can flip a card-absent fraud chargeback into a guaranteed reversal. Almost every merchant that misses it fails on the same small piece of data, and it is the piece your payment processor was never built to keep.

The gist

Visa Compelling Evidence 3.0 qualification turns a card-absent fraud chargeback (reason code 10.4) into a near-guaranteed reversal. You need two prior undisputed transactions from the same cardholder, 120–365 days old, and you must match two data elements, at least one being the IP address or device ID. Capture that on every order and you win. Miss it once and you cannot qualify at all.

Picture this. A chargeback lands on a Tuesday. The reason code is 10.4, other fraud in a card-absent environment, and the amount is $420. You know this customer. They have bought from you three times this year, same account, same city, nothing unusual. Yet under the ordinary dispute process you are about to lose, because “I recognize this buyer” is not evidence a bank will accept. What the bank will accept is a specific pattern of proof that Visa itself defined, and if you can produce it, the chargeback does not just get contested. It gets reversed, and your fraud ratio is left untouched.

That pattern is Visa Compelling Evidence 3.0. It has been live since April 2023, it is one of the few genuine liability shifts a merchant can trigger on its own, and most businesses that accept cards online either do not use it or cannot qualify when they try. The reason they cannot qualify almost always comes down to two small data elements. This is a guide to what those elements are, why your current stack probably is not keeping them, and how to fix that before the next 10.4 dispute arrives.

01

The one rule that pays for itself

Most chargeback tools help you write a better argument. Compelling Evidence 3.0 is different in kind. It is a remedy rule, which means meeting a defined checklist produces a defined result rather than a discretionary judgment call by an analyst. Satisfy the criteria for a 10.4 card-absent fraud dispute and the chargeback is reversed. You are not persuading anyone. You are meeting a specification.

The part that makes it worth real effort is what happens to your ratios. A validated CE 3.0 win reverses the disputed amount and keeps your fraud ratio flat. That matters because your fraud ratio is the number that governs your standing in Visa’s monitoring programs. If you have been watching the tightening thresholds, you already know how little room there is: we covered the newest limits in our breakdown of Visa lowering the chargeback threshold under VAMP. CE 3.0 is one of the only ways to claw back a fraud dispute without the reversal costing you ratio headroom.

10.4The only reason code CE 3.0 remedies
120–365Days old the prior transactions must be
~75%Of chargebacks Visa attributes to first-party fraud

Hold those numbers in mind, because the whole rule turns on them. Roughly three in four chargebacks are first-party, or friendly, fraud, where the buyer really did make the purchase. That is exactly the population CE 3.0 was built to resolve, and it is why authentication alone will not save you. Authentication proves a card was verified at the moment of sale. It does not prove the same person came back and bought again, which is the story CE 3.0 wants you to tell. We drew that distinction in detail in 3D Secure versus Evidora.

02

The qualification recipe

Here is the specification, plainly. To qualify a 10.4 dispute for the CE 3.0 remedy, you point Visa to two prior undisputed transactions from the same cardholder. Those transactions must be between 120 and 365 days old relative to the disputed order, and they must not themselves have been charged back as fraud. Then you match two data elements across those prior orders and the disputed one. And here is the clause that decides everything: at least one of the two matching elements must be the IP address or the device ID.

CE 3.0 qualification, at a glance
  • Dispute typeReason code 10.4, card-absent fraud
  • Prior ordersTwo, same cardholder, undisputed
  • Age window120–365 days before the disputed order
  • MatchTwo data elements across all three orders
  • Mandatory elementIP address or device ID
  • Other elementsShipping address, account or login ID
  • Result if metChargeback reversed, fraud ratio unaffected

Read that mandatory line again, because it is where the game is won or lost. Shipping address and login ID are useful, but on their own they are not enough. Visa is asking for a technical fingerprint of the session, the IP or the device, tying the disputed purchase to earlier ones the same person made. It is the single element hardest to fake and hardest to argue with, which is precisely why Visa made it the anchor of the whole remedy.

Worth knowing

The two prior transactions do not have to be large or recent. A pair of small orders from eight months ago qualifies just as well as big ones, as long as the IP or device ID matches. The value is in the continuity of the record, not the size of the sale.

03

Why most merchants cannot qualify

Now the uncomfortable part. When a 10.4 dispute arrives, you are looking backward. The qualifying orders happened 120 to 365 days ago, which means the deciding evidence had to be captured long before you knew there would be a dispute. You cannot go back and collect an IP address from a purchase last spring. Either it was recorded and stored in a way you can retrieve and match today, or it was not, and if it was not, you cannot qualify no matter how obviously legitimate the customer is.

This is the trap, and it is a data-retention trap rather than a strategy problem. Your payment processor was built to move money, authorize a card, settle a batch, and manage the dispute correspondence. It was not built to be a searchable, year-long archive of the session-level fingerprint of every buyer. Many processors capture an IP somewhere in a log, but capturing is not the same as retaining it in a form you can pull up a year later, line up against two other specific orders, and submit as matched evidence. The device ID is often not captured at all. So the exact element CE 3.0 treats as mandatory is the one most stacks quietly drop.

The dispute is decided by data you had to capture a year before you knew the dispute existed. That is the whole game, and it is why prevention and proof are not the same job.

This is the same lesson that shows up across every dispute type. Winning is less about the letter you write at dispute time and more about what you were quietly recording all along. We made that case in the five things that actually win chargeback disputes, and CE 3.0 is the sharpest example of it. The rule practically names the evidence for you. The only question is whether you kept it.

04

Capturing it next to your processor

The fix is not to replace your payment processor. It is to sit an evidence layer beside it that captures and retains exactly what CE 3.0 asks for, on every transaction, whether or not that transaction ever gets disputed. This is where Evidora fits. A single line of code on your checkout captures the session as it is rendered to that specific buyer, and it records the elements the remedy rule turns on.

Processor alone

  • Authorizes and settles the payment
  • IP address buried in logs, if kept at all
  • Device ID typically not captured
  • No easy way to match three specific orders a year apart
  • You learn what you were missing at dispute time

Processor plus Evidora

  • Payment flow untouched, runs as it does today
  • IP and device ID captured on every order
  • Rendered page, timestamp, and buyer details retained together
  • Pull two qualifying prior orders on demand
  • The CE 3.0 packet is assembled, not reconstructed

Because Evidora captures alongside the payment flow rather than inside it, the integration is seamless and processor-agnostic. Your checkout does not change, your authorization path does not change, and the buyer notices nothing. What changes is that every completed purchase now carries a retained, matchable record: the IP, the device ID, the rendered confirmation the customer actually saw, a tamper-evident timestamp, and the order and customer details around it. That is not only the CE 3.0 fingerprint. It is also the cardholder purchase history the rule wants you to point back to, building quietly with every sale.

When the 10.4 dispute lands on that Tuesday, the work is already done. You are not hunting through processor logs hoping an IP survived. You are selecting two prior orders whose device ID matches the disputed one and producing the packet. The same capture approach underpins the Mastercard side of the house too, which we walk through in the Mastercard First-Party Trust guide, and it starts from the same idea we introduced in recording your checkout page: capture now, produce later.

05

What changes on October 24

CE 3.0 is not static, and a meaningful expansion is dated. Effective October 24, 2026, Visa widens the application of the 10.4 remedy rule and, importantly, adds support for multi-merchant transactions as qualifying evidence. In plain terms, a cardholder’s purchase pattern across more than one merchant can help establish that a disputed transaction is legitimate, not only their history with you alone.

That broadens who can win, but it does not change the underlying currency. The evidence is still the session fingerprint, the IP and device ID, tied to real rendered purchases with reliable timestamps. A wider rule rewards the merchants who have been capturing that record consistently and does nothing for the ones who have not been keeping it. If anything, the October change raises the payoff for having a clean, retained evidence trail in place before the rule expands. You can read the mechanics directly in Visa’s Compelling Evidence 3.0 merchant readiness guide and in the current Visa Core Rules.

The missing piece

Most merchants treat CE 3.0 as a dispute-time tactic, something the chargeback team reaches for after the fact. It is not. It is a data-capture decision you make at checkout, months before any dispute, on transactions you have no reason to think will ever be questioned. The business capturing the IP, the device ID, and the rendered purchase on every order is quietly building qualifying evidence with each sale. The business that waits until a 10.4 arrives has already lost, because the two prior transactions it needs were never recorded in a form it can use.

Frequently asked questions

What is Visa Compelling Evidence 3.0?

Compelling Evidence 3.0 is a Visa remedy rule for card-absent fraud disputes under reason code 10.4. If a merchant can show two prior undisputed transactions from the same cardholder and match two data elements between them and the disputed order, the chargeback is reversed and the merchant’s fraud ratio is not affected.

What are the two data elements CE 3.0 requires?

You must match two data elements between the two prior transactions and the disputed one, and at least one of the two must be the IP address or the device ID. The other qualifying elements are the shipping address and the account or login ID. Because IP or device ID is effectively mandatory, capturing it on every order is the deciding factor.

How old do the prior transactions need to be for CE 3.0?

The two prior undisputed transactions must be between 120 and 365 days old, measured against the disputed transaction date, and they must belong to the same cardholder. They also must not themselves have been disputed as fraud.

Does winning a CE 3.0 dispute affect my chargeback ratios?

A validated CE 3.0 win reverses the chargeback and keeps your fraud ratio flat, which protects your standing under Visa monitoring programs like VAMP. Your dispute ratio is still affected, so CE 3.0 is a remedy for individual fraud disputes rather than a substitute for prevention.

What changes with CE 3.0 on October 24, 2026?

Effective October 24, 2026, Visa widens the application of the 10.4 remedy rule and adds support for multi-merchant transactions as qualifying evidence, so a cardholder’s purchase pattern across more than one merchant can help establish that a disputed transaction is legitimate.

How does Evidora help a merchant qualify for CE 3.0?

Evidora runs alongside your checkout and payment processor and captures the IP address, device ID, rendered page, timestamp, and buyer details on every transaction, then retains them in a matchable form. When a 10.4 dispute lands, you can pull two prior orders with matching data elements and assemble the CE 3.0 packet instead of discovering the qualifying data was never stored.

Turn every checkout into CE 3.0 evidence

Evidora captures the IP, device ID, rendered page, and buyer details on every order, then retains what matters and expires what does not. One line of code, alongside any payment processor, so the qualifying record is ready before the dispute is.

See how it works →
Compelling Evidence
Scroll to top