Visa 10.4 Chargeback: The Complete Merchant Response Guide (2026)

Visa 10.4 is the most common chargeback code in e-commerce — and one of the hardest to win without the right preparation. This guide covers everything: what it means, how to win it, what evidence to build, and what to write in your rebuttal letter.

If you sell online, you will receive Visa 10.4 reason code disputes. The code covers all card-not-present fraud claims — online orders, phone orders, mail orders. The cardholder, or their issuing bank, is asserting that a CNP transaction was unauthorised.

The problem is the statistics. The average merchant win rate on 10.4 disputes without 3DS authentication is around 15%. With 3DS authentication, that flips to 80% or higher. The difference is almost entirely in how merchants prepare — both the evidence they collect and the systems they have in place before the dispute ever arrives.

This guide covers everything: what 10.4 means, how to win it, what evidence to build, what to write in the rebuttal letter, and what Compelling Evidence 3.0 changes for merchants who don't have 3DS. Whether you're looking at your first dispute or your five hundredth, the framework here is the same.

What Visa 10.4 Actually Means

Visa 10.4 — formally titled "Other Fraud: Card-Absent Environment" — is a card-absent fraud claim. The cardholder or their issuing bank is asserting that a transaction occurred without the cardholder's knowledge or authorisation, in a context where the physical card was not present at the point of sale. In practice, this means online purchases, telephone orders, and mail-order transactions. It is the broadest fraud code in the Visa system and the most frequently filed.

Two main scenarios generate 10.4 disputes. The first is true fraud: a criminal obtained the cardholder's card details — through a data breach, phishing, skimming, or purchase on the dark web — and used them to place an order with your store. The real cardholder never saw the charge coming and genuinely did not authorise it. The second scenario is what the industry calls "friendly fraud": the cardholder did authorise the purchase, received whatever they ordered, but is now disputing it anyway — because they don't recognise the billing descriptor, want to avoid paying, or simply found it easier to call their bank than to contact you for a refund. Both scenarios land under the same reason code.

This is what makes 10.4 the hardest type of dispute for merchants to win. Unlike goods-not-received disputes, where a delivery confirmation resolves the matter, or quality disputes, where photos and service records are sufficient, 10.4 requires you to prove that the cardholder themselves authorised or participated in the transaction. That is a far higher bar. You are not just proving a parcel was delivered — you are proving that the specific person whose card was charged was the one who initiated the purchase. Without specific technical signals pointing to that person (authentication records, device fingerprints, IP address matches), this is genuinely difficult to establish.

The Three Paths to Winning a Visa 10.4 Dispute

Path 1: Visa Secure / 3DS Authentication

The cleanest path to winning a Visa 10.4 dispute is a fully authenticated 3DS transaction. When Visa Secure (3DS) authentication succeeds, liability shifts from the merchant to the issuing bank. This is the core mechanic of the 3DS system: in exchange for the merchant passing the transaction through the authentication protocol, Visa contractually transfers the fraud liability to the issuer. Even if the transaction was fraudulent — even if a criminal used stolen card details to complete the 3DS challenge — the liability no longer rests with you. You cannot lose a 10.4 dispute on a fully authenticated 3DS transaction.

To present 3DS evidence in your dispute response, you need three data points from your payment processor: the ECI (Electronic Commerce Indicator) code, the CAVV or AAV value (the cryptographic authentication token), and the authentication timestamp. Ask your processor or gateway for the full authentication record — Stripe, Adyen, Braintree, and most major gateways expose this in their dashboard or via API.

One important nuance: the protection only applies to fully authenticated transactions. ECI code 05 (for Visa) signals a fully authenticated transaction — this is the full liability shift. ECI code 06 signals an "attempted" authentication, meaning the cardholder's bank does not support 3DS but the merchant sent the request. ECI 06 gives partial protection and is treated differently by issuers — in most cases you will still need to provide supporting evidence. ECI 07 offers no 3DS protection at all. When you pull your authentication records, check the ECI code first: only ECI 05 gives you the clean liability shift that wins most disputes outright.

Path 2: Compelling Evidence 3.0

Compelling Evidence 3.0 (CE 3.0) was introduced by Visa in April 2023, and it is the most significant rule change for merchants disputing 10.4 disputes in years. It creates a formal mechanism for merchants who do not have 3DS authentication to still shift the liability back to the issuer — provided they can demonstrate a pattern of prior undisputed transactions from the same device or user.

Here is how CE 3.0 works: instead of proving that this specific transaction was authenticated, you prove that the cardholder had a pre-existing relationship with your store. You do this by identifying two or more prior transactions from the same buyer — using the same device or IP address — that were never disputed. The logic is that a fraudster using stolen card details would not have placed multiple prior legitimate orders from the same device. The existence of those prior transactions is evidence that the cardholder is a repeat customer, not a fraud victim.

The five requirements for CE 3.0 in plain English are: (1) you must identify at least two prior transactions from the same buyer; (2) those prior transactions must fall within 120–365 days before the date of the disputed transaction — transactions from more than 365 days ago or fewer than 120 days ago do not qualify; (3) each prior transaction must share at least two matching data elements with the disputed transaction, chosen from this list: IP address, device ID, device fingerprint, email address, or shipping address; (4) none of the prior transactions can have been reported to Visa as fraudulent at any point; and (5) the disputed transaction itself must match at least one element from the prior transactions — you cannot use completely unrelated transaction records.

What this means in practice is that CE 3.0 only works if you have been collecting and retaining device fingerprints and IP addresses on every transaction for at least 400 days. If you are not logging this data, you cannot use CE 3.0 — and retroactively creating records is not possible. Implementing this data collection now protects you on future disputes, not past ones.

The benefit is substantial: if CE 3.0 is accepted by Visa, the chargeback is shifted to the issuer and removed from your VAMP ratio — the metric Visa uses to monitor your fraud performance. Qualifying CE 3.0 disputes do not count against your threshold. For merchants near the VAMP threshold, this can be the difference between staying in good standing and entering a monitoring programme.

Path 3: Non-Fraud Explanations

Sometimes a 10.4 dispute is not fraud at all — it is a cardholder who authorised the purchase but does not recognise the charge on their bank statement. This is the billing descriptor problem: if your payment processor is displaying your company legal name instead of your trading name, legitimate customers will dispute charges they actually made. In this case, the evidence is simple: show the billing descriptor exactly as it appears on statements alongside the customer's order confirmation email, proving they were informed of what the charge would look like. This is not a liability shift — it is a factual rebuttal.

A third non-fraud scenario covers cases where you have already issued a refund before the chargeback was filed. This happens when a customer calls their bank before contacting you, or when the refund is in transit. If you have already refunded the transaction, document it clearly: provide the refund transaction ID, the date it was processed, and the expected settlement date. Submit this with a polite request for the chargeback to be reversed on the grounds that the credit has already been issued. Most issuers will accept this — the cardholder should not receive both a refund and a successful chargeback.

The Exact Evidence Package for a Visa 10.4 Response

Every piece of evidence in your response should be purposeful. The reviewer processing your dispute has dozens of cases to assess — your job is to make their decision easy. Here is the complete evidence checklist, with an explanation of what each item proves and why it matters.

1. 1. Visa Secure / 3DS authentication result. This is the single most important document in any 10.4 response. Ask your payment processor for the full authentication record: ECI code, CAVV/AAV value, and the exact authentication timestamp. Most processors expose this in their dispute or transaction dashboard. If you have ECI 05, lead with this in your response — nothing else you submit comes close to its evidential weight. If you have ECI 06, include it but do not rely on it alone.
2. 2. Order confirmation with full metadata. Not just the order receipt the customer sees. You need the full back-end record: IP address at the time of checkout, email address used, shipping address entered, device type and browser string, and the exact timestamp of order placement. Most payment processors and e-commerce platforms log this automatically — check your Stripe dashboard under the payment intent, your Shopify admin under the order detail, or your PayPal transaction record. Export this as a structured document, not a screenshot of a shopping cart.
3. 3. AVS and CVV2 match results. The exact response codes returned at the time of authorization. AVS "Y" (full address match) and CVV "M" (CVV match) are the strongest signals — they show you performed verification and the cardholder's details matched at the point of entry. Even partial AVS matches (postcode only, for example) help establish that you ran verification checks. Include the raw response codes, not just a summary statement.
4. 4. Shipping tracking with delivery confirmation. The full carrier tracking URL showing "Delivered" status, with date, time, and destination address. For physical goods disputes, this is essential. It establishes that someone at the delivery address received the parcel — which, combined with the order metadata, strengthens the argument that the cardholder or someone in their household placed and received the order. For digital products, provide the access log showing when and from which IP the content was accessed.
5. 5. Prior non-disputed transactions from the same device or IP (CE 3.0). This is the core CE 3.0 evidence. Pull your transaction logs and find two or more orders from the same IP address or device fingerprint, placed within 365 days before the dispute and no more recent than 120 days before it, that were never disputed. Export these as a structured report showing the transaction date, amount, IP, device fingerprint, email, and shipping address for each qualifying transaction. The more matching data elements you can show, the stronger the case.
6. 6. Your billing descriptor. A screenshot showing exactly how your charge appears on a consumer bank statement. This directly addresses the "I don't recognise this charge" variant of 10.4. If your descriptor says your full trading name clearly, this defuses the argument that the cardholder genuinely had no idea what the charge was. Many issuers will close the dispute when shown a clear descriptor match.
7. 7. Customer email correspondence. Any pre-dispute communications relating to the order. An order confirmation email that the customer opened — email open tracking from your ESP is admissible — is particularly powerful. It demonstrates the customer received and engaged with the order confirmation, making it harder to argue they had no knowledge of the transaction. Chat transcripts, support ticket logs, and delivery notification emails all fall into this category.
8. 8. Device fingerprint and IP geolocation. If available, a map or structured report showing the device IP at time of order matches the shipping city or region. Third-party fraud tools like MaxMind, Sift, or Kount can generate geolocation reports for specific IP addresses. A match between the IP's physical location and the shipping destination significantly reduces the plausibility of the "stolen card details" scenario, since true card-not-present fraud often involves orders shipped to a different country or city than where the card was issued.
9. 9. Account login history. If the customer placed their order while logged into a registered account, your login history for that account is powerful supporting evidence. Show the login log: timestamps, IP addresses, and device identifiers. Multiple prior logins from the same device as the disputed transaction establish a relationship pattern that is inconsistent with a stranger using stolen card details for a one-time order.

How to Write the Rebuttal Letter for Visa 10.4

The rebuttal letter is the cover document that frames your evidence. It is read by a human reviewer — often a junior analyst at the acquirer or card scheme — who is assessing dozens of disputes at once. Your goal is to make their decision as easy as possible: state your position clearly, reference your evidence explicitly, and keep the letter short and factual. A well-written rebuttal letter takes under five minutes to read and leaves no ambiguity about what you are claiming and why.

Open by stating your position in the first sentence. Do not start with company history, a customer service apology, or background context. The reviewer does not need to know when your company was founded. The first sentence should be: "We dispute this chargeback under Visa reason code 10.4." From there, move immediately to your strongest evidence.

Lead with your strongest piece of evidence first. If you have 3DS authentication, it goes in paragraph two. If you are using CE 3.0, your prior transaction summary goes in paragraph two. Name every attached document and explain what it proves — do not assume the reviewer will read each attachment and independently connect it to your argument. If Exhibit A is your 3DS authentication record, say so: "Exhibit A is the full Visa Secure authentication record, showing ECI code 05 and CAVV value, confirming full authentication and liability shift." Every attachment should be named and explained.

Keep the letter under 400 words. Long rebuttal letters are not more persuasive — they are harder to process and increase the chance that the key evidence gets buried. Concise, factual, professional. One paragraph per evidence category, then a closing sentence requesting the chargeback be reversed in your favour.

Template: 3DS Variant

"We are writing to contest chargeback [reference] filed under Visa reason code 10.4. The transaction was authenticated via Visa Secure (3DS) on [date] at [time], with ECI code [05] and CAVV value [XXXX]. Authentication was fully successful, and under Visa's rules, liability for this transaction transferred to the issuing bank at the time of authentication. We have attached the complete Visa Secure authentication record (Exhibit A), the full order confirmation including IP address and device details (Exhibit B), and the shipping delivery confirmation (Exhibit C). We respectfully request that this chargeback be reversed in the merchant's favour on the basis of the liability shift established by the 3DS authentication."

Template: Compelling Evidence 3.0 Variant

"We are writing to contest chargeback [reference] filed under Visa reason code 10.4 using Compelling Evidence 3.0. We have identified [X] prior undisputed transactions from the same [IP address / device fingerprint] within the qualifying window of 120–365 days prior to the dispute date. These transactions share [IP address / email / shipping address] with the disputed transaction, meeting the CE 3.0 requirements under Visa's dispute resolution procedures. We request that Visa shift this chargeback to the issuing bank. Full prior transaction records are attached as Exhibit A. The disputed transaction order details and matching data elements are attached as Exhibit B."

What NOT to Write in Your Response

Poorly written rebuttal letters lose disputes that should have been won. Here are the five most common mistakes and why they undermine otherwise solid cases.

• 1. Emotional language. Phrases like "This customer is a fraud artist," "This is completely unfair," or "We cannot believe this is happening" are invisible to dispute reviewers. They are not adjudicating on fairness — they are applying a rule set. Emotional language reads as unprofessional and has no evidential value.
• 2. Irrelevant information. Pages of company history, generic return policies, mission statements, or testimonials from other customers add length without adding weight. Keep the letter focused on the specific facts of this specific dispute. Irrelevant content buries your key evidence.
• 3. Unsupported claims. Assertions like "Our customers always authorise their purchases," "We have never had a fraud case," or "This customer is a regular buyer" — without documents to back them up — are worthless in a dispute context. Every claim needs an attached exhibit. If you say the customer has purchased before, show the prior transaction records.
• 4. Missing evidence references. Attaching five documents without naming them in the letter means the reviewer has to guess what each attachment proves. Name every exhibit in the letter body: "Exhibit A is the Visa Secure authentication record. Exhibit B is the order confirmation including IP address." Do not leave this to inference.
• 5. Typos and formatting errors. They signal a rushed, unprofessional response. A dispute rebuttal with spelling mistakes and inconsistent formatting does not inspire confidence in the accuracy of the supporting evidence. Proofread before you submit. The reviewer notices — and it influences how carefully they read the rest of your case.

When to Accept a 10.4 Chargeback Instead of Fighting

Not every 10.4 dispute is worth responding to. If you have no 3DS authentication record and no CE 3.0 evidence — no prior transactions from the same device, no device fingerprint, no matching IP — your win rate on a 10.4 dispute is less than 15%. At those odds, you need to calculate whether the dispute fee and the internal cost of building a response justifies the fight.

The typical chargeback dispute fee is $15–25 (this is charged regardless of outcome). Building and submitting a thorough dispute response — pulling evidence, writing the letter, uploading documents through your processor portal — takes 2–4 hours of internal time. At $25 per hour, that is $50–100 in staff cost before you even consider win rates. On a $60 transaction with no authentication records, the economics rarely work in your favour.

How to Prevent Visa 10.4 Chargebacks Long-Term

Winning individual disputes is important, but the merchants with the lowest 10.4 chargeback rates are not winning by being great at dispute response — they are winning by not generating the disputes in the first place. Here are the five prevention strategies with the biggest impact.

1. Implement Visa Secure (3DS2)

This is not optional for serious e-commerce merchants. 3DS2 is the modern version of 3DS authentication — it is far less friction than the original 3DS, which required customers to enter a password in a pop-up window. In 3DS2, most authentications happen silently through the "frictionless flow": the issuer authenticates the transaction using device, behavioural, and contextual data without any customer interaction at all. The customer never sees a challenge screen. Only high-risk transactions trigger the "challenge flow," which prompts a one-time code via SMS or banking app. The liability shift applies in both cases. The implementation effort pays for itself on your first significant dispute — talk to your payment processor or gateway about enabling it this week.

2. Fix Your Billing Descriptor Today

Log into your payment processor and check what your charge looks like on a consumer bank statement. It should display your recognisable trading name — the name your customers know you by. A descriptor like "FINCORO LTD" when your store is called "TechGadgets" will generate disputes from entirely legitimate customers who genuinely do not recognise the charge. This is the easiest 10.4 prevention step available and it costs nothing to fix. Most processors allow you to update the descriptor within their dashboard. Add your website domain or phone number to the descriptor if character limits allow — a URL in the statement description dramatically reduces "I don't recognise this" disputes.

3. Start Collecting CE 3.0 Data on Every Transaction

Device fingerprint, IP address, email, and shipping address should be logged and retained for at least 400 days on every single transaction. Many e-commerce platforms do this by default — Shopify logs device fingerprints; Stripe logs IP addresses on every payment intent. The question is whether you can access this data for dispute evidence when you need it. Check your platform now: can you export a list of prior transactions by IP address or device fingerprint? If not, this is a data retention gap. Third-party fraud tools like Sift, Kount, or Signifyd integrate with your checkout and capture richer device signals than most platforms store natively — and they generate exportable dispute evidence packages.

4. Use Fraud Detection Before Authorisation

The cheapest chargeback is the one you never process. Tools like Stripe Radar, Shopify's built-in fraud analysis, or dedicated third-party solutions like Signifyd or Sift score orders for fraud risk before the card is charged. High-risk orders can be blocked automatically, flagged for manual review, or routed to a 3DS challenge without affecting low-risk orders. The false positive rate on modern fraud detection is low enough that the conversion cost is small relative to the chargeback savings. If you are not running any pre-authorisation fraud scoring, you are taking on preventable disputes every day.

5. Send a Clear Post-Purchase Email Immediately

Send an order confirmation email the moment the purchase completes. That email should include: the exact item name and description, the total amount charged, the shipping address on the order, an estimated delivery date, and — critically — exactly how the charge will appear on their bank statement. Many 10.4 disputes come from customers who genuinely authorised the purchase but, two weeks later when their statement arrives, cannot connect the charge back to your store. A clear, detailed order confirmation email closes that gap entirely. Track opens using your email service provider — if the customer opened the confirmation email, that is additional evidence that they received and acknowledged the charge. Several merchants have won 10.4 disputes on email open records alone, combined with matching metadata.

Conclusion

Visa 10.4 is hard to win retroactively but relatively straightforward to prevent prospectively. The merchants who win the majority of their 10.4 disputes are not doing anything unusually clever — they implemented 3DS2, fixed their billing descriptor, log their device and IP data on every order, and built a documentation process that captures useful evidence before disputes arrive. If you have a dispute to respond to right now, use the evidence checklist and rebuttal templates in this guide. If you are looking ahead, the prevention steps in the final section are where the real leverage is. A 3DS2 implementation today eliminates a category of dispute permanently — every future 10.4 on an authenticated transaction is automatically a win.

For a full reference on what Visa looks at when adjudicating these cases, see the full chargeback reason codes library. And if you would rather have the response written for you — or have a whole backlog to clear — see the options below.