Visa 10.4 / MC 4837 · spec §3.1

card-absent fraud chargebacks (Visa 10.4): evidence that wins

Visa 10.4 (and Mastercard 4837) is the card-absent “fraudulent transaction” code: the cardholder’s bank asserts the cardholder did not authorize an online or phone purchase. Because 10.4 is a Visa allocation-workflow dispute, the response is a structured pre-arbitration challenge, not a free-form letter — and for a 10.4 with Compelling Evidence 3.0 you get exactly one attempt, so an incomplete submission is simply declined.

What actually wins it

The evidence that carries a Visa 10.4.

The network rules that decide this code, in plain language — each claim named to its source and flagged where the source is less than primary.

The 3-D Secure liability shift (lead with it)

If the transaction was authenticated, the dispute is invalid on the network rules alone.

  • A completed 3-D Secure authentication (Visa Secure / Mastercard Identity Check / Amex SafeKey ECI 5 or 6) shifts fraud liability to the issuer, making the dispute invalid — lead with the ECI value, CAVV/AAV, and DS transaction ID as Exhibit A.Visa Core Rules — 3-D Secure liability shift

Visa Compelling Evidence 3.0 (10.4 only)

No 3DS? CE3.0 flips liability to the issuer when a prior-transaction pattern qualifies.

  • CE3.0 qualifies on two or more prior undisputed transactions on the same card and merchant descriptor, with at least two matching elements from {account login, IP, shipping address, device ID} — and at least one of those matches must be IP or device ID — plus an item description for all three transactions.Visa Compelling Evidence 3.0
  • A CE3.0-qualified case is excluded from the VAMP fraud numerator, so it protects your monitoring ratio in a way a merely-won representment does not.Visa — VAMP program rules
  • The priors reportedly need to be aged 120–365 days; because Visa’s text and Stripe’s API anchor that window to different dates, we satisfy both rather than assume one.Visa CE3.0 window (Stripe anchors to transaction date) inferred — verify
  • Since 17 October 2025 Visa is reported to auto-qualify CE3.0 from Visa Secure / Data Only authentication data, but we still supply the full element set rather than rely on it.Visa Secure / Data Only auto-qualification secondary source

Legacy compelling evidence (non-qualifying cases)

When neither 3DS nor CE3.0 applies, the older Visa compelling-evidence set can still win.

  • For physical goods, delivery to the AVS-confirmed (Y/M) address carries legacy compelling evidence with no signature required; for digital goods, the download timestamp plus two of {IP+geo, device ID, name+email match, prior same-device order}.Visa legacy compelling evidence
  • On the Mastercard side, an AVS X/Y match combined with shipment to that confirmed address is a valid 4837 second presentment on its own.Mastercard — AVS-match second presentment

The fatal mistakes

What loses a Visa 10.4 on sight.

  • Fighting genuine third-party fraud with no 3DS and no CE3.0/FPT qualification: the true-fraud win rate is 9–17%, so this burns your response effort and standing — refund fast instead.Spec §3.1 / §4 triage
  • Claiming Mastercard compelling evidence on a guest-checkout order: guest checkout has no Mastercard compelling-evidence right, so the argument is dead on arrival.Mastercard compelling-evidence eligibility
  • Submitting an incomplete CE3.0 questionnaire: 10.4 with CE3.0 is one structured attempt through VROL — a missing element is not a second chance, it is a decline.Visa §3.0 allocation workflow

Proof, published

A real Visa 10.4 packet, redacted.

This is the same structure, exhibits, and citations a live Visa 10.4 dispute gets — with every figure fabricated.

Sample
Rebuttal · Visa 10.4 / MC 4837 · Card-absent fraud1 / 2

SAMPLE — illustrative data

The cardholder claims this card-absent transaction was unauthorized. The grounded authentication, transaction and history evidence below places the cardholder at the purchase and defeats this Visa 10.4 / MC 4837 fraud claim.

Primary argument: 3-D Secure liability shift (§3.1): the transaction authenticated under ECI 05 with a valid CAVV and DS transaction ID; under network liability-shift rules the dispute is invalid and liability rests with the issuer.

AmountUSD 249.00
Transaction date2026-05-02
Transaction IDch_SAMPLE_fraud3ds01
ECI05
CAVVSAMPLEcavvAAABBWcSNIAAAAABgJI3dA=
DS transaction IDSAMPLE-ds-0f38e6948-5388-41a6
  • Exhibit A — 3-D Secure authentication data (ECI / CAVV / DS transaction ID).
  • Exhibit B — Authorization and AVS record tied to the authenticated session.
  • Exhibit C — Order confirmation and prior undisputed account history.

Fabricated sample data — the only merchant is the fictional Example Threads Co.. Read the complete packet: full letter (HTML) · download PDF.

Honest triage

Should you even fight it?

Be honest with yourself first. If this is genuine third-party fraud with no 3-D Secure authentication and no CE3.0 pattern, the win rate is 9–17% — you should refund it fast (pre-dispute if you were alerted) to keep your VAMP ratio clean, not fight it. But the moment you have a 3DS liability shift or a qualifying CE3.0 pattern, the economics invert: the dispute is invalid on the rules and worth every packet. This is exactly the case where “friendly fraud” (~44% win rate) hides inside a fraud code.

  • ~20% of contested disputes overall (Mastercard 2025 issuer-side data)
  • 9–17% on true third-party fraud
  • ~44% on friendly fraud
  • ~47% on sub-$30 items vs ~28% on $300+
  • Stripe's $15 dispute fee plus a $15 'countered' fee (US, since June 2025)

Questions

Straight answers on Visa 10.4.

Does a 3-D Secure authentication really make a Visa 10.4 dispute invalid?

Yes. A completed 3-D Secure authentication (ECI 5 or 6 with a valid CAVV and DS transaction ID) shifts fraud liability to the issuer under the Visa Core Rules. The cardholder’s own bank verified them at checkout, so the 10.4 claim fails on the network rules before your other evidence is even read.

What is Visa Compelling Evidence 3.0 and when does it qualify?

CE3.0 lets you defeat a 10.4 by showing two or more prior undisputed transactions on the same card and descriptor that share at least two connection elements (account login, IP, shipping address, or device ID) with the disputed one — at least one being IP or device ID — with item descriptions for all three. It flips liability to the issuer and is excluded from your VAMP fraud count.

Can I fight a Mastercard 4837 on a guest-checkout order?

Not with compelling evidence — guest checkout has no Mastercard compelling-evidence right. You can still win on a 3-D Secure liability shift, First-Party Trust qualification, or an AVS X/Y match with shipment to that confirmed address.

How many attempts do I get on a Visa 10.4 with CE3.0?

One. A 10.4 is a Visa allocation-workflow dispute answered through a structured VROL questionnaire, and an incomplete CE3.0 submission is declined rather than returned for a second try. Completeness is the whole game.

When should I just refund a fraud chargeback instead of fighting?

When it is true third-party fraud with no 3DS authentication and no CE3.0, First-Party Trust, or Amex-CE qualification. The 9–17% win rate makes fighting net-negative, and a fast pre-dispute refund keeps your VAMP ratio clean where a won representment would not.

More reason-code guides

Every code gets its own playbook.

Counterproof publishes one guide and one real packet per reason-code family. Browse the others, or see the full sample-packet library.

Get this for every dispute

Counterproof drafts this packet for you — and shows it before it's sent.

Flat fee, no success cut. Deterministic evidence selection cited to the network rule, with the letter you can edit and a triage verdict when a case isn't worth fighting.