Visa Compelling Evidence 3.0 – What’s Changing and How Does It Affect Your Business?

For online merchants, the worst kind of fraud is the friendly kind. 

Malicious fraudsters using scaled techniques to compromise accounts, exploit security vulnerabilities, and game affiliate advertising schemes are comparably easy to catch when you’re outfitted with a strong technological fraud solution, like SEON.

Friendly fraud, however, is generally executed by a single person, facilitated by their own lies.

Typical arbitration has little ability to submit suspected lies as a reason not to issue a chargeback – as evidence, it’s not compelling enough. However, as of April 2023, the Visa Compelling Evidence 3.0 rules have given merchants a data-driven approach to controlling losses to the chargeback process.

What are these approaches, and how do they impact your business workflows? SEON gives compelling answers. 

What Is Visa Compelling Evidence 3.0?

Visa’s new Compelling Evidence 3.0 (CE 3.0) initiative is the company’s most recent effort to curb the damage that friendly fraud and chargebacks have on merchants’ bottom lines. It is an update from CE 2.0. 

Compelling Evidence requirements establish a framework for disputing and resolving chargebacks. They denote a line between what qualifies as fraud, when a chargeback should be awarded, and where the liability for any damages lies. Furthermore, they stipulate what qualifies as evidence, how and when that evidence should be presented, and how the tenacity of that evidence is verified.

The changes from the previous policy reflect a new glove that better fits the hand of the modern chargeback. They target friendly fraudsters explicitly, informed by loopholes that were previously exploited with regularity.

As of April 2023, the rules for disputes shift to encompass the technology that has emerged as the most effective for generating confidence in user identification and transaction behavior. Underpinning the changes is the idea that a cardholder who has made previous purchases from a merchant is technically satisfied with their purchase, and disputes that occur after these instances cannot qualify for chargebacks.

This compelling evidence will still be submitted when the chargeback issuing bank contacts the merchant for their response. If all the evidence criteria are met, the merchant will win the chargeback dispute.

What Changed with the Adoption of Visa’s New Evidence Rules?

The new thresholds introduced by CE 3.0 consider modern merchant practices for transaction monitoring, as well as the changing face of chargebacks. 

The most significant new implementations in CE 3.0, working towards an overall higher merchant win rate for disputes, focus on the nature of data that can be submitted for evidence, establish a timeframe during which disputes must be initiated by the customer, and introduce a new way to stop chargebacks before they happen, provided that compliant evidence exists.

Changes in CE 3.0 Data Requirements

In terms of data, updated language in the framework takes into account the increasing prevalence – and increasing chargebacks – in verticals that deliver digital goods or services rather than physical, and thus don’t have a delivery address, per se. This is apparent in the new data metrics. 

Previously, the IP address, email address, physical address, and phone number were all requirements for merchants seeking to avoid chargebacks. Those data points were used to verify that the disputing cardholder had previously completed a transaction that was not disputed, which constituted compelling evidence to deny the chargeback request. This has changed to include at least two of the following:

• customer account or login ID
• delivery address
• device fingerprint
• IP address

Notably, a new addendum to CE 3.0 stipulates that of the two data points submitted as evidence, at least one of them must be either the IP address or device fingerprint.

Another change within this evidence requirement is that, where previously only one instance of a non-disputed transaction was required to deny the chargeback, now there must be two. Then the third, when disputed, can use the previous two as compelling evidence, provided the identifying data aligns.

Addition of a Resolved Dispute Timeframe in CE 3.0

The CE 3.0 initiative has targeted first-party chargeback fraudsters exploiting particular loopholes in company policies to cover the tracks of their crime. Until April 2023, first-party fraudsters familiar with Visa’s chargeback and compelling evidence rules had an easy workaround when a fraud representative would follow up on a chargeback initiation. 

Previously, at this stage, the fraud team member would cite the previous undisputed charge on the customer’s account. At the time, this counted as compelling evidence that the currently open chargeback was not legitimate, and the customer would be denied their claim. However, if the customer simply said the previous charge was also fraud and needed to have its own chargeback initiated, the compelling evidence would dissipate and the chargeback would progress.

The addition of a 120-day statute of limitations for chargebacks is crucial to filling this loophole. Charges that have gone undisputed for 120 days or more can no longer have a fraud claim opened on them and will count as compelling evidence moving forward. Again, the number of these undisputed customer transactions required for CE 3.0 goes from one to two, with the disputed charge constituting the third.

What Are the CE 3.0 Requirements?

When a cardholder initiates a chargeback with their bank, the Compelling Evidence 3.0 initiative requires a fraud investigation software solution that monitors certain data points. Those data points must fall within the correct parameters.

As mentioned previously, CE 3.0 first stipulates that at least two transactions must have been completed with the same payment method at least 120 days prior to the current transaction. Those two transactions cannot have had fraud claims against them in order to qualify.

Additionally, CE 3.0 has clear guidelines about how to establish that the user currently submitting the chargeback request has completed those two transactions. Now, of the following four data points, two data points must stay consistent across all three transactions in question to establish a consistent identity for the purposes of CE 3.0. Of those two consistent points, one must be either:

• IP address
• device fingerprint

The other two points, user ID and delivery address, can help establish identity, but legislators have deemed the first two more steadfast as compelling evidence.

Notably, it is still wise to gather all four of the data points that can be used for compelling evidence, as some users will inevitably have inconsistent connection data across them. Upon submission of compelling evidence during a chargeback dispute, having all of the data points, outside of just the two required, will always be a boon for merchants hoping to avoid a costly chargeback.

Advantages of CE 3.0

Though chargebacks will always be a headache for revenue teams, CE 3.0 offers some new safeguards against increasing volumes of friendly fraudsters. Adapting workflows to the new Compelling Evidence initiative could result in advantages such as:

• Fewer chargebacks: The new CE 3.0 framework is designed to catch fraudsters who were previously abusing the unlimited window to file a chargeback on a historical transaction, and are also targeting services that have purely digital delivery methods without a physical delivery address attached. 
• Broader scope: Verticals that focus on purely digital deliveries (and thus don’t necessarily collect a physical delivery address) are considered with the new rules. Companies that provide ridesharing, dating apps, and other digital marketplaces have more relevant options when it comes to evidence submission.

Once a CE 3.0 framework is integrated, any remaining friendly fraud pain points that are still leaking revenue can be addressed at a more granular level, perhaps by amending internal policies, external communications, and language on the site itself.

Disadvantages of CE 3.0

The metrics for assessing the veracity of Compelling Evidence have become slightly more complicated with the onset of CE 3.0. Not only have the required data points changed in such a way that an in-depth chargeback management tool is crucial, but the addition of a time window also introduces a new parameter when submitting a chargeback defense. Inevitably, this will create an increased workload and an increase of human resources invested.

Additionally, the new 120-day window may, in some cases, lead to a chargeback progressing when previously it could have been stopped. It remains to be seen how efficacious CE 3.0 is in curbing rising chargeback rates, and if the increased resources it requires are worth it for your bottom line.

How Can SEON Help with CE 3.0?

SEON is best-in-class for gathering the required information for CE 3.0, particularly for in-depth device fingerprints and tracking a friendly fraudster across IDs in the case of multi-accounting.

After a recent internal analysis of our customer data, SEON discovered that scaled fraudsters rarely, if ever, have the bandwidth to consistently work around our device fingerprinting technology. Doing so requires enough time and resources that fraud is difficult, or at least unprofitable. 

While friendly fraudsters initiating chargebacks under false pretenses may not be looking to scale their efforts, SEON’s ability to track a unique device fingerprint remains invaluable.

In terms of the required data points – user ID, device hash, IP address, and delivery address – SEON offers tools to dive into each point, which can then be submitted as Compelling Evidence.

• Device fingerprint: Our device hash is a highly unique identifier of a single user, based on dozens of granular points within a user’s particular device and browser setup.
• IP address: SEON keeps records of the connecting IP address, an important part of CE 3.0, but also keeps tabs on IP reputation scores, and knows if a user is connecting via a location-spoofing service like a virtual private network (VPN). 
• Delivery address: Customers using SEON’s real-time fraud monitoring platform not only have access to all a customer’s individual transaction data, including their address, but fraud teams can also investigate the address in the platform, to check if it seems legit or has signs of potential fraud, such as the listed delivery address being an industrial park.
• User ID: One of SEON’s fraud targets is multi-accounting abuse, a common problem across many online business verticals. If a customer is attempting to bypass CE 3.0 rules by changing accounts and initiating a chargeback, their connection with another user ID can be unearthed through SEON’s other ID confidence tools, such as the browser fingerprinting, connection data, or device fingerprint.

Chargebacks will continue to be a problem for the foreseeable future, just as shoppers of the pre-digital revolution will remember the “just keep the receipt” mentality. While complete automation may never be possible in the fight against fraudulent chargebacks, SEON gives security teams all the tools they need to reduce the damage that friendly fraudsters do to your bottom line.