
Visa Compelling Evidence 3.0, Explained: Winning Friendly-Fraud Disputes in 2026

Samuel Bengisu, Founder | May 27, 2026 | 9 min read

Friendly fraud rewrote the rules — so Visa rewrote them back

For most of e-commerce history, fraud defense meant one thing: stop the stolen card before the transaction clears. But the fastest-growing threat in digital payments isn't the criminal with someone else's card — it's the legitimate cardholder who buys something, receives it, and then disputes the charge with their bank anyway. This is first-party misuse, better known as friendly fraud, and industry research now puts its cost at more than $100 billion annually [Source: FIS Global / Ethoca]. By some estimates it accounts for up to 70% of all card fraud [Source: FIS Global / Ethoca].

Some of it is honest confusion — an unfamiliar billing descriptor, or a family member's purchase the cardholder doesn't recognize. Some of it is deliberate: disputing a charge is now a few taps in a banking app, easier than requesting a refund. Either way, the merchant absorbs the loss, the fee, and a mark against their dispute ratio.

The problem is that traditional dispute evidence — a tracking screenshot, a copy of your refund policy — is subjective. The issuing bank decides who wins, and the bank is motivated to side with its own cardholder. Visa's answer is Compelling Evidence 3.0 (CE 3.0): a structured, data-driven framework that, when its requirements are met exactly, mandates a liability shift back to the issuer and overturns the dispute. This article covers what CE 3.0 is, which disputes it applies to, the data you need to qualify, and why winning under CE 3.0 protects your account in a way a normal win does not.

What is Visa Compelling Evidence 3.0?

CE 3.0 is Visa's framework for resolving certain fraud disputes using a cardholder's own transaction history as proof. The logic is simple: if a customer has a documented pattern of legitimate, undisputed purchases from your store on the same payment credential — from the same device or IP address — then a later "I don't recognize this charge" claim on that same profile is almost certainly false [Source: Visa Compelling Evidence 3.0 Merchant Readiness, usa.visa.com].

Unlike legacy representment, where you assemble a qualitative argument and hope the issuer agrees, CE 3.0 is deterministic. Supply two qualifying prior transactions that match the disputed one on the right data elements, and Visa's rules require the remedy. The subjectivity is removed — which is what makes it the most valuable tool a card-not-present merchant has in 2026.

Why CE 3.0 matters more than ever in 2026

On April 1, 2026, Visa's Acquirer Monitoring Program (VAMP) tightens the merchant "excessive" dispute threshold from the legacy 2.2% down to 1.5% [Source: Visa Acquirer Monitoring Program Fact Sheet, 2025]. That 0.7-point contraction sounds small, but in high-volume commerce it is the line between compliant and penalized. A merchant running a 2.0% combined fraud-and-dispute ratio was safe under the old rules; the same performance now breaches the limit and triggers fines of $8 per dispute and fraud event in any month the threshold is exceeded [Source: Visa Acquirer Monitoring Program Fact Sheet, 2025].

Here is why that makes CE 3.0 urgent: every dispute counts against your VAMP ratio — even ones you eventually win through normal representment. CE 3.0 is the one mechanism that removes the event from the ratio entirely (more on that below). The timing side of survival — how the VAMP math works and why your processor may enforce a stricter limit than Visa's — is covered in our companion article, Why Rushing Chargeback Evidence Loses Disputes.

Which dispute reason codes qualify (10.4 only)

CE 3.0 is a precision instrument, not a universal remedy. It applies to exactly one dispute category: Visa Reason Code 10.4 — Other Fraud, Card-Absent Environment [Source: Visa Compelling Evidence 3.0 Merchant Readiness, usa.visa.com]. This is the code issuers use when a cardholder claims they didn't authorize or don't recognize an online purchase — the signature of friendly fraud.

If a dispute is filed under any other reason — "merchandise not as described," "canceled recurring transaction," "services not rendered" — CE 3.0 does not apply, and standard evidence rules govern instead. Identifying the reason code is the first step, because it determines whether the data-matching path below is even available to you.

The core data elements

CE 3.0 sorts the data points it accepts into two tiers. Main (primary) elements are hardware and network identifiers that are hard to spoof:

  • Customer purchase IP address
  • Customer device ID / device fingerprint

Secondary elements are account- and logistics-level identifiers:

  • Shipping / delivery address
  • Customer account ID or login ID
  • Customer email address

Visa weights IP and device ID as "main" for a defensive reason: a fraudster can compromise an account login or reroute a shipping address, but reproducing the true cardholder's historical IP range or device fingerprint from months earlier is far harder [Source: Visa Compelling Evidence 3.0 Merchant Readiness, usa.visa.com].

The two-element matching requirement

To trigger the liability shift, you must prove that at least two of these elements match across all three transactions — the disputed charge plus two qualifying prior ones. But there is a structural rule that trips up most merchants:

At least one of the two matching elements must be a Main element — an IP address or a device ID.

Matching a customer account ID and a shipping address is not enough, because both are secondary. A valid combination is either two main elements (IP + device ID) or one main plus one secondary — for example, IP address + customer account ID [Source: Visa Compelling Evidence 3.0 Merchant Readiness, usa.visa.com]. If your checkout never captured the customer's IP or a device fingerprint, you structurally cannot qualify a 10.4 dispute for CE 3.0, no matter how much other data you have.

The 120-to-365-day window

The two prior transactions you use as your baseline can't be just any past orders. Each must have settled at least 120 days before the dispute was filed, and no more than 365 days before [Source: Visa Compelling Evidence 3.0 Merchant Readiness, usa.visa.com]. The 120-day floor is deliberate: because consumers generally have 120 days to file a fraud dispute, requiring the baseline transactions to be older than that guarantees the window to dispute them has already closed — which is what certifies them as legitimately undisputed.

Same payment method, and a clean record

Two more conditions complete the eligibility test. First, the prior transactions must have used the same payment credential (the same account number or token) as the disputed charge. Second, neither prior transaction may carry its own fraud report or dispute — the baseline must be immaculate [Source: Visa Compelling Evidence 3.0 Merchant Readiness, usa.visa.com]. A transaction the customer once disputed cannot be used to prove a later one was legitimate.
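
The eligibility test described above (reason code, two-element match with at least one main element, 120-to-365-day window, same credential, clean record), written out as an added example; it is not code from Visa or ChargePilot. The field names (credential, disputed_or_fraud and so on), the order() helper and all sample orders are constructed assumptions, and ages are counted in whole days between settlement and dispute filing.

```python
from datetime import date
from itertools import combinations

MAIN = ("ip", "device_id")                       # main elements per the article
SECONDARY = ("shipping_address", "account_id", "email")

def matching_elements(disputed, a, b):
    """Elements holding the same non-empty value on all three transactions."""
    return [k for k in MAIN + SECONDARY
            if disputed.get(k) and disputed[k] == a.get(k) == b.get(k)]

def is_clean_baseline(txn, disputed, filed):
    """Same credential, settled 120-365 days before filing, never disputed."""
    age_days = (filed - txn["settled"]).days
    return (txn["credential"] == disputed["credential"]
            and 120 <= age_days <= 365
            and not txn.get("disputed_or_fraud", False))

def find_ce3_match(disputed, history, filed, reason_code):
    """Return (prior_id, prior_id, matched_elements), or None if ineligible."""
    if reason_code != "10.4":                    # CE 3.0 covers 10.4 only
        return None
    baseline = [t for t in history if is_clean_baseline(t, disputed, filed)]
    for a, b in combinations(baseline, 2):
        matched = matching_elements(disputed, a, b)
        # Two matches are required and at least one must be IP or device ID.
        if len(matched) >= 2 and any(k in MAIN for k in matched):
            return a["id"], b["id"], matched
    return None

# Constructed sample data (documentation IP ranges, made-up IDs and token).
def order(oid, settled, ip, **extra):
    return {"id": oid, "settled": settled, "ip": ip, "credential": "tok_sample",
            "account_id": "acct-42", "email": "pat@example.com", **extra}

FILED = date(2026, 6, 1)
DISPUTED = order("D1", date(2026, 5, 20), "203.0.113.7", device_id="dev-a1")
HISTORY = [
    order("T1", date(2025, 9, 10), "203.0.113.7"),                      # 264 days old
    order("T2", date(2026, 1, 15), "203.0.113.7", device_id="dev-a1"),  # 137 days old
    order("T3", date(2026, 3, 20), "203.0.113.7", device_id="dev-a1"),  # 73 days: too recent
    order("T4", date(2025, 11, 2), "203.0.113.7", disputed_or_fraud=True),
    order("T5", date(2025, 12, 1), "198.51.100.9"),                     # secondary-only match
]

if __name__ == "__main__":
    print(find_ce3_match(DISPUTED, HISTORY, FILED, "10.4"))
```

T1 and T2 qualify on IP plus account ID and email; T3 is inside the 120-day floor, T4 carries its own dispute, and T5 matches only on secondary elements, so none of those can serve as a baseline pair on their own.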

Two ways CE 3.0 gets applied

The same data can work at two points in the dispute lifecycle. In a pre-dispute flow, integrated merchants respond to the issuer in real time through Visa's Order Insight (via Verifi): Visa surfaces the candidate prior transactions, the merchant's system returns the matching elements, and if the data validates, the dispute is deflected before it is ever formally created — never coded as a fraud chargeback at all [Source: Visa Compelling Evidence 3.0 Merchant Readiness, usa.visa.com].

In a post-dispute (pre-arbitration) flow, the 10.4 chargeback has already hit and you've been debited. Here you locate the prior transactions yourself, package the CE 3.0 elements, and submit them back through your acquirer; on successful validation the rule still mandates the remedy and returns the funds. Both paths use the same data — the difference is whether you stop the dispute before it forms or overturn it after.

The VAMP-exclusion benefit — the real payoff

This is the part most merchants miss. Winning a chargeback through ordinary representment gets your money back, but the dispute event stays on your ledger and keeps dragging your VAMP ratio toward the 1.5% cliff. A dispute won under CE 3.0 is different: Visa's rules exclude that event from your VAMP ratio entirely [Source: Visa Acquirer Monitoring Program Fact Sheet, 2025].

So CE 3.0 doesn't just recover revenue — it expunges the event from the risk metric that decides whether you keep the ability to process. In a 1.5%-threshold world where your acquirer may cut you off well before you reach Visa's official limit, that exclusion can be the difference between a clean ratio and a frozen account.

How to qualify your transactions for CE 3.0

  1. Capture the right data at checkout. Log the customer's purchase IP address and a device ID or fingerprint on every order — not just the shipping address and account ID. Without a main element, you can't qualify.
  2. Retain it for at least 365 days. The lookback reaches back a full year, so transaction metadata must be stored that long to be usable.
  3. Keep the identifiers queryable. You need to find two prior transactions on the same credential, inside the 120-365 day window, and compare their IP, device, account, address, and email against the disputed order — quickly, across whatever systems hold that data.
  4. Confirm the reason code is 10.4 before attempting a CE 3.0 response; other codes need a different approach.

How ChargePilot automates CE 3.0 assembly

Doing this by hand for every fraud dispute is impractical: you're searching a year of payment history for two qualifying transactions, then matching data elements across three orders, under a tight deadline. ChargePilot automates that assembly. When a 10.4 dispute arrives, it locates the qualifying prior transactions inside the 120-365 day window, verifies the same-credential and clean-record conditions, and assembles the matching elements — anchored on the customer IP address — into a CE 3.0 payload submitted through Stripe. Because the historical identifiers required for the lookback are sensitive, that data is encrypted with AES-256-GCM at rest and TLS 1.2+ in transit, and the platform never stores raw card numbers; the full security posture is documented at chargepilot.ai/security.

The framing matters: no tool can guarantee a dispute outcome — issuers remain the arbiter — so the honest description is that the system submits evidence that competes for the dispute on Visa's own terms. What it removes is the manual archaeology that makes CE 3.0 impractical at volume.

The bottom line

CE 3.0 is the strongest answer merchants have to the friendly-fraud surge — but only if your checkout captures IP and device data, you retain it for a year, and you can match it on demand. Get those fundamentals right and you don't just win 10.4 disputes; you keep them off the VAMP ratio that now governs your standing on the network. The other half of the equation is when you submit — covered in Why Rushing Chargeback Evidence Loses Disputes.
