The chargeback system was built for a world where the main threat was a stolen card. In that world the cardholder is the victim, so the dispute process gives the cardholder the benefit of the doubt at every step. Most disputes today do not come from that world. The majority are filed by real cardholders against transactions they themselves made, which means the process now mostly adjudicates claims where its core assumption is wrong. For a merchant, surviving this requires two separate capabilities: preventing the disputes that are preventable, and producing evidence that wins the rest.

This is the dispute-side companion to payment fraud detection, which covers stopping fraud before authorization, and ecommerce fraud prevention, which covers the full abuse taxonomy.

How a chargeback works

A cardholder disputes a transaction with their issuing bank. The issuer assigns a reason code (fraud, item not received, not as described, duplicate, and so on), reverses the funds, and passes the dispute to the merchant’s acquirer. The merchant can accept the loss or fight it by submitting evidence, a process called representment. The issuer rules on the evidence, and further appeals escalate to arbitration at the card network.

Three costs stack on the merchant side. The transaction amount is reversed. A dispute fee of roughly $20 to $100 applies regardless of outcome. And the dispute counts toward the merchant’s ratio. Card networks run monitoring programs that move high-ratio merchants into remediation, with fines and, eventually, loss of processing. Visa folded its separate dispute and fraud programs into one Acquirer Monitoring Program (VAMP) on April 1, 2025, which scores merchants on a combined fraud-plus-dispute ratio rather than disputes alone; the “excessive” threshold tightens to 1.5% across the US, Canada, and Europe in 2026, and merchants under 1,500 fraud-or-dispute transactions are exempt (Visa). The ratio pressure matters as much as the dollar losses, because it means a merchant cannot simply absorb disputes as a cost of doing business past a fairly low ceiling.

The taxonomy: most disputes are not stolen cards

Disputes break into three populations.

True fraud. A stolen card or a taken-over account was used by someone other than the cardholder, who then disputes correctly. The dispute is legitimate; the failure happened earlier, at checkout-time detection.

Friendly fraud (first-party misuse). The cardholder made the purchase and disputes it anyway. Industry data puts this at roughly 61% of disputes, and it splits into two motives. The intentional version is theft with a customer-service interface: claiming non-delivery on goods that arrived, disputing digital purchases after consuming them, or “cyber-shoplifting” a refund the merchant would not grant. The unintentional version is confusion: an unrecognized billing descriptor, a family member’s purchase, a forgotten subscription renewal. Both arrive with the same reason codes, which is part of what makes the category hard.

Merchant error. Duplicate charges, wrong amounts, undelivered orders. Real operational failures that belong in fulfillment and billing hygiene rather than fraud strategy.

The friendly-fraud majority is what breaks the traditional toolkit. 3-D Secure shifts liability for unauthorized use, and it does nothing when the cardholder is the person who clicked buy. The issuer’s fraud models key on the cardholder being victimized, and here the cardholder is the claimant. Every standard control points the wrong way.

Prevention: removing the disputes that should never happen

A meaningful share of friendly fraud is preventable upstream, and prevention is cheaper than the best representment:

  • Descriptor clarity. A billing descriptor that matches the brand the customer remembers buying from eliminates the largest accidental category. Test what your charge actually looks like in a banking app.
  • Subscription hygiene. Renewal reminders before the charge, one-click cancellation, and immediate prorated refunds on first complaint. A customer who can cancel easily files fewer disputes than one who has to fight.
  • Refund-before-dispute routing. Make the refund path faster and easier than the dispute path for the gray cases. A refund costs the transaction; a dispute costs the transaction, the fee, and the ratio.
  • Delivery evidence on physical goods. Signature or photo confirmation where item-not-received claims concentrate.

What prevention cannot remove is the intentional population, who know exactly what they bought and dispute it anyway. For them the questions become evidence and recognition.

Evidence: what wins representment now

Representment historically had poor odds on fraud-coded disputes because merchants had no way to prove the cardholder was present. That is the specific thing device intelligence changes.

Visa’s Compelling Evidence 3.0 rules, in force since April 2023, make the mechanism explicit. To overturn a card-absent fraud dispute (dispute condition 10.4), a merchant matches the disputed order against at least two prior undisputed transactions on the same account that are 120 to 365 days old, sharing at least two identifiers from the set of customer account or login ID, delivery address, device ID or device fingerprint, and IP address, where at least one of the two must be the device ID, the device fingerprint, or the IP address (Visa Compelling Evidence 3.0 merchant readiness). The rule effectively elevates device and network identity above the other evidence: the network now recognizes “this is the same device that has been buying from you for a year” as proof against an unauthorized-use claim.

Operationally this means the evidence has to be collected and durable before any dispute exists. A stable device identity attached to each order, retained with the transaction record, turns representment from a letter-writing exercise into a database join: the disputed order, the device that placed it, the account login from the same device three days later, the download or service usage that followed. Post-purchase signals carry weight here too. A “not received” claim is hard to sustain against logs showing the disputing account consuming the product.
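The rule and the "database join" described above, as an added example that is not code from Visa, Foil, or the original page. The record field names and the `asOf` parameter are hypothetical, and two readings are assumptions: the 120 to 365 day age is measured from a date the caller supplies, and the same two identifiers must match on both prior orders.

```javascript
// Added example; record field names (paymentAccount, loginId, ...) are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const IDENTIFIERS = ["loginId", "deliveryAddress", "deviceId", "ip"];
const STRONG = new Set(["deviceId", "ip"]); // one shared identifier must be one of these

// Identifiers on which a prior order matches the disputed one; empty values never match.
function sharedIdentifiers(disputed, prior) {
  return IDENTIFIERS.filter((f) => disputed[f] && disputed[f] === prior[f]);
}

// asOf: the date the 120-365 day age is measured from (assumption: caller decides).
function ce3Evidence(disputed, history, asOf) {
  const candidates = history
    .filter((t) => t.id !== disputed.id && !t.disputed)
    .filter((t) => t.paymentAccount === disputed.paymentAccount)
    .filter((t) => {
      const ageDays = (asOf - t.placedAt) / DAY_MS;
      return ageDays >= 120 && ageDays <= 365;
    })
    .map((t) => ({ id: t.id, shared: sharedIdentifiers(disputed, t) }));

  // Find two priors that match on the same two-plus identifiers, one of them strong.
  for (let i = 0; i < candidates.length; i++) {
    for (let j = i + 1; j < candidates.length; j++) {
      const common = candidates[i].shared.filter((f) => candidates[j].shared.includes(f));
      if (common.length >= 2 && common.some((f) => STRONG.has(f))) {
        return { qualifies: true, priors: [candidates[i].id, candidates[j].id], identifiers: common };
      }
    }
  }
  return { qualifies: false, priors: [], identifiers: [] };
}

// Constructed sample data: one disputed order and the history kept with each order record.
const asOf = new Date("2025-06-01T00:00:00Z");
const base = { paymentAccount: "card-1", loginId: "u-17", deliveryAddress: "1 Example St" };
const disputedOrder = { ...base, id: "o-900", deviceId: "vf-abc", ip: "203.0.113.7",
  placedAt: new Date("2025-05-20T00:00:00Z") };
const orderHistory = [
  { ...base, id: "o-100", deviceId: "vf-abc", ip: "198.51.100.4", placedAt: new Date("2024-10-01T00:00:00Z") },
  { ...base, id: "o-200", deliveryAddress: "9 Other Rd", deviceId: "vf-abc", ip: "203.0.113.7",
    placedAt: new Date("2025-01-15T00:00:00Z") },
  { ...base, id: "o-300", deviceId: "vf-abc", ip: "203.0.113.7", placedAt: new Date("2025-04-01T00:00:00Z") }, // too recent
  { ...base, id: "o-400", deviceId: "vf-abc", ip: "203.0.113.7", disputed: true,
    placedAt: new Date("2024-12-01T00:00:00Z") }, // itself disputed
  { ...base, id: "o-500", deviceId: "vf-zzz", ip: "192.0.2.9", placedAt: new Date("2024-11-01T00:00:00Z") },
];

console.log(ce3Evidence(disputedOrder, orderHistory, asOf));
```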

Recognition: serial disputers come back

First-party fraud recurs. Professional refunders and habitual disputers rotate cards, emails, and accounts, and the operations that sell “refund-as-a-service” rotate identities deliberately. What rotates least is the device and the operational cluster behind it, which is the same structural fact that anchors fake account prevention.

The working pattern: when a dispute resolves against an account, tag the device cluster, not just the account. A “new” customer whose session matches a cluster with two prior chargebacks deserves different checkout treatment, such as a 3DS challenge to move liability, a hold on high-risk SKUs, or prepayment for delivery claims. This is where dispute defense connects back to checkout-time scoring rather than living as a separate back-office function.

How Foil supports it

Foil’s visitor fingerprint (visitor_fingerprint.id) gives each order a durable device identity that survives cookie clearing and account rotation, which serves both halves of the problem. For representment, transaction history keyed by the visitor fingerprint produces exactly the matched-device evidence CE 3.0 asks for: the disputed order and the prior undisputed orders carry the same visitor_fingerprint.id, which is the device-fingerprint identifier the rule elevates. For recognition, dispute outcomes fed back against the visitor fingerprint let the checkout flow treat repeat disputers as known risk regardless of which identity they present:

import { Foil, safeVerifyFoilToken } from "@abxy/foil-server";

const client = new Foil({ secretKey: process.env.FOIL_SECRET_KEY });

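// Runs inside an async checkout route handler with (req, res) in scope.
// The browser SDK produced a sealed token; verify it at checkout.
const result = safeVerifyFoilToken(sealedToken, process.env.FOIL_SECRET_KEY);
if (!result.ok) return res.status(400).json({ error: "invalid_token" });

const visitorId = result.data.visitor_fingerprint?.id;
// No device identity in the token: there is nothing to look up or attach as
// evidence, so fall back to a 3DS challenge instead of querying with undefined.
if (!visitorId) return require3DS(req, res);

// disputes, orders and require3DS are application helpers, not imported from the SDK above.
const history = await disputes.byVisitor(visitorId);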
if (history.lostDisputes >= 2) {
  return require3DS(req, res); // shift liability for a known disputer device
}

const fingerprint = await client.fingerprints.get(visitorId);
await orders.attachEvidence(order.id, {
  visitorFingerprintId: visitorId,
  firstSeenAt: fingerprint.lifecycle.first_seen_at,
  seenCount: fingerprint.lifecycle.seen_count,
});

The evidence write costs nothing at order time and is the difference between a winnable and an unwinnable dispute six weeks later. For the surrounding architecture, see fraud detection API.

Further reading