Visa CE 3.0 Explained for Merchants (2026)
Feb 13, 2026
A chargeback for “First-party fraud” can feel like a rigged coin toss. These disputes often arise from a Card-not-present transaction. You shipped the product or delivered the service, but the issuer still sides with the cardholder.
In 2026, Visa CE 3.0 (Compelling Evidence 3.0) gives merchants a clearer path to Chargeback prevention for Reason code 10.4 disputes. It helps mitigate Merchant fraud loss by identifying Friendly fraud, as long as you can prove a pattern: the same person has bought from you before, and key identifiers match.
The catch is simple: if you do not collect the right data, or you miss the timing windows, you can lose automatically, even when the customer is wrong.
Visa Compelling Evidence 3.0 in 2026: what it is, and what changed from earlier rules
Visa Compelling Evidence 3.0 is Visa’s updated “compelling evidence” standard for fighting specific fraud disputes (often the ones that smell like friendly fraud). Instead of relying on a single detail, Visa lets you use a customer’s purchase history to show they are a known, returning buyer.
Two big changes matter for merchants.
First, Visa loosened what “matching” means. Under older approaches, merchants often had to match several specific data points. With Visa Compelling Evidence 3.0, you generally need at least two matching identifiers, and you can choose from a wider set (for example IP address, shipping address, device fingerprinting, account). That flexibility helps, but only if you actually store those identifiers consistently.
Second, Visa raised the bar on history. Visa Compelling Evidence 3.0 typically expects two or more prior, undisputed transactions to establish a pattern, not just one.
Timing matters too. Those prior transactions must fall inside Visa’s 120-day rule window, commonly between 120 and 365 days before the disputed transaction. That rule pushes merchants to retain usable logs for at least a year, not just for last month’s disputes.
Here is the simplest way to think about the shift. Tracking these metrics is vital for maintaining a healthy VAMP ratio and ensuring compliance:
| Topic | Before Visa Compelling Evidence 3.0 (simplified) | With Visa Compelling Evidence 3.0 (merchant impact) |
|---|---|---|
| What you prove | “This looks like the same buyer” | “This buyer has a repeat history with us” |
| How many past purchases | Often 1 was enough | Usually 2 or more, undisputed |
| What must match | More rigid set of fields | Pick from broader identifiers, meet the match count |
| Biggest reason merchants lose | Missing required fields | Missing history, missing identifiers, or wrong time window |
Visa has also tied Visa Compelling Evidence 3.0 readiness more closely to network security signals. Services like Verifi and Order Insight provide deeper data layers. If you run authentication programs such as 3D Secure and Visa Resolve Online (or send data-only authentication where it fits), your transaction data tends to be more complete, which can reduce friction when you need to defend a dispute. For a deeper, merchant-friendly explanation of the rule intent, see Checkout.com’s CE 3.0 overview.
If Visa Compelling Evidence 3.0 feels like “bring receipts,” that’s close, but it’s really “bring receipts plus consistent identifiers.”
What evidence wins under Visa CE 3.0 (and what usually fails)
CE 3.0 wins when your evidence tells one clear story: the same cardholder (or the same user behind that card) has bought from you before, from the same digital footprint.
In practice, “winning evidence” is less about one perfect screenshot and more about clean, consistent data across transactions. The strongest packages usually combine a historical footprint with device and account signals.
A quick guide to high-impact identifiers (not exhaustive):
| Identifier type | Why it helps in CE 3.0 |
|---|---|
| Device fingerprinting | Harder for a cardholder to explain away, strong continuity signal |
| Account login ID | Shows the buyer authenticated into an existing profile |
| IP address (with timestamp) | Supports repeat access patterns, useful when paired with device or account login |
| Shipping address | Helps for physical goods, less useful alone |
| Email or phone | Common, but easy to recycle, best as supporting evidence |
Device data deserves special attention. As of 2026, many merchants say they are using CE 3.0, yet fewer consistently attach device fingerprinting to their dispute workflow. That gap matters because device continuity is one of the hardest points to challenge.
On the other hand, CE 3.0 often fails for predictable reasons:
- Your prior orders are “too recent”: If the customer only purchased last week, you might not meet the 120-day lookback requirement.
- Your prior orders are “too old”: If the customer bought 18 months ago, you might fall outside the 365-day limit.
- Identifiers are inconsistent: A new checkout flow, a new fraud tool, or a changed formatting rule can break matching.
- You can’t tie the buyer to an account: Guest checkouts are not bad, but they can reduce the strength of repeat evidence.
- You submit the wrong kind of proof: Refund policies, support emails, and “we shipped it” can still matter, but CE 3.0 is mainly about identity continuity, not fulfillment.
One more nuance trips teams up: even if you win with CE 3.0 via the representment process—leading to a liability shift back to the issuer for reason code 10.4 cases—the dispute can still count in your chargeback rate reporting. Visa uses TC40 fraud reports and TC15 chargebacks to monitor merchant health, although it may not count the same way for fraud metrics. That means CE 3.0 protects revenue and liability, but first-party fraud still impacts the bottom line, so you still want prevention upstream.
For a detailed checklist-style breakdown of CE 3.0 requirements and examples, see Corepay’s CE 3.0 guide.
Gotcha: Keep at least 13 months of dispute-ready logs. You need enough history to cover the 120 to 365-day window plus processing time.
How to avoid CE 3.0 auto-losses: build a dispute workflow that starts before the dispute
Chargeback prevention requires a pre-dispute phase strategy. Auto-losses from cyber-shoplifting rarely happen because a merchant “had no case.” They happen because the case was not formatted for the rule, or the data was not captured when the customer checked out.
Start with three practical moves.
1) Treat evidence collection like a checkout requirement, not a dispute task.
Capture and retain IP address, device fingerprinting, account login ID, timestamps, and delivery details in a consistent schema. If you swap payment providers, fraud tools, or analytics tags, confirm you are not breaking identifier continuity.
2) Reduce the number of disputes that ever become chargebacks.
Alerts and pre-dispute tools can stop many cases before they hit your ratios. This is where Chargebase fits well for e-commerce and SaaS teams that want fewer disputes without adding headcount. Chargebase connects to your payment provider with a no-code setup, then uses networks and programs like Ethoca alerts, Verifi’s CDRN alerts, Rapid Dispute Resolution (RDR), and Order Insight to flag disputes early in an automated dispute deflection workflow. Verifi and Order Insight are crucial for stopping disputes before they escalate. You can set automation rules (for example when to refund), and you pay per alert rather than signing up for a big fixed contract. In Chargebase’s current model, alert pricing varies by program (for example around $25 per Ethoca alert and around $15 for CDRN or RDR), so costs track with the volume you actually prevent.
3) Put speed controls around refunds and responses.
When an alert arrives, the “save” is often a fast refund within the program window. After that window, your next chance may be representment, where missed deadlines or incomplete data can end in an instant loss.
This table captures common auto-loss triggers and the clean fix:
| Auto-loss trigger | What to change this week |
|---|---|
| No 2 prior undisputed transactions available | Improve retention and customer accounts, reduce guest-only flows where possible |
| Missing IP address, device or account login ID data | Add IP address capture, device fingerprinting and persist account login ID |
| Prior orders outside the 120-day rule to 365-day window | Keep longer logs and segment who qualifies for CE 3.0 before submitting |
| Unclear billing descriptors | Standardize billing descriptors for clear transactions |
| Duplicate refunds (refund plus alert refund) | Add checks to block a second refund on the same order or dispute |
| Evidence scattered across tools | Centralize dispute artifacts and standardize exports |
If chargeback ratios are also a concern, pair CE 3.0 readiness with ongoing chargeback prevention basics like clear billing descriptors, instant order confirmations, and faster support responses. Chargebase’s docs include practical guidance on how to keep chargeback rates low, which complements CE 3.0 by lowering the volume you need to fight in the first place.
Conclusion
Visa Compelling Evidence 3.0 rewards merchants who can prove repeat behavior with consistent identifiers inside strict time windows. Collecting the right data at checkout, then acting quickly on alerts, prevents the “we could’ve won” losses that sting the most while reducing merchant fraud loss and boosting chargeback prevention performance. Proactive data management also helps protect against first-party fraud and friendly fraud. If you want fewer disputes while you improve your evidence stack, tools like Chargebase can help stop many cases before they turn into chargebacks. The best outcome is still the one you never have to fight.
You might also want to read
Uncategorized
Feb 23, 2026
Uncategorized
Feb 22, 2026
Uncategorized
Feb 21, 2026
Uncategorized
Feb 20, 2026