Premium / Case Studies / E-commerce Fraud: $2,400
Outcome: WON — Dispute Reversed
CASE STUDY

E-commerce Fraud: $2,400 Digital Goods

A software company defeats a “not authorized” dispute using IP matching, device fingerprints, and usage logs.

Outcome WON dispute reversed
Network + Code Visa 10.4 card-not-present fraud
Dispute Amount $2,400 annual subscription
Industry Digital/SaaS software
Resolution Time 28 days

The Dispute

A software-as-a-service company received a Visa 10.4 dispute for a $2,400 annual subscription. The cardholder claimed they had no knowledge of the charge and denied authorizing the transaction.

The company had no history of previous disputes with this customer, but the customer had been an active user for 11 months before filing the chargeback. The timing was telling: the dispute arrived just weeks after the annual renewal billing cycle, rather than at the time of the original sign-up charge.

Visa 10.4 is the single most common Visa dispute code, accounting for roughly 40% of all Visa chargebacks. Without a strong response grounded in behavioral and technical evidence, merchants lose the majority of these disputes by default. This merchant won — here is how.

Case Timeline

Day 1 $2,400 annual renewal charged. Customer’s card billed for the annual subscription renewal per the original agreement.
Day 3 Chargeback filed. Cardholder contacts bank claiming unauthorized transaction — states no knowledge of the charge.
Day 7 Dispute received by merchant. Merchant’s payment processor forwards the Visa 10.4 dispute notification.
Day 14 Response compiled and submitted. Full evidence package assembled and submitted well within the 30-day window.
Day 28 Dispute resolved in merchant’s favor. Issuer reviewed the evidence and sided with the merchant. Funds returned.

The Evidence

The merchant had been logging behavioral and technical data throughout the customer’s 11-month subscription. That discipline paid off. The evidence package included:

  • IP address at purchase matched the IP used for 47 previous logins over 11 months
  • Device fingerprint confirmed same browser and device used consistently throughout the subscription period
  • AVS full match on billing address at the time of the renewal charge
  • CVV match at authorization
  • 23 separate login sessions in the 30 days immediately before the renewal charge
  • Feature usage logs showing active use of premium features throughout the subscription
  • Automated renewal reminder email opened 3 days before the charge (email tracking confirmed open event with timestamp)
  • No cancellation request found in customer support logs at any point during the 11-month subscription

The Response Strategy

The merchant’s response led with the IP and device consistency data, not the AVS result. This was a deliberate choice: AVS matching alone is weak evidence. A pattern of 47 logins from the same IP and device over 11 months is almost impossible to explain as coincidence. The response structured its argument as follows:

  1. IP and device consistency as the centerpiece. Opened with the 47-login history from the same IP and device, presenting it as a clear pattern of authorized account use.
  2. Email open tracking as the awareness proof. Demonstrated that the cardholder received and opened the renewal reminder email three days before the charge — establishing actual knowledge of the upcoming billing.
  3. Usage logs as corroboration. Showed 23 logins and active feature use in the month preceding renewal, making “no knowledge of this account” implausible.
  4. AVS and CVV as supporting signals only. Included as corroboration, not as the primary argument.

The response opened with the following statement:

RE: Visa Chargeback — Reason Code 10.4 Dispute Reference: [REFERENCE_NUMBER] Transaction Date: [DATE] Transaction Amount: $2,400.00 Cardholder: [NAME] --- We are formally disputing this chargeback. The cardholder has been an active user of this account for 11 months. The transaction was authorized by the legitimate account holder. We submit the following evidence: 1. IP ADDRESS CONSISTENCY (47 SESSIONS OVER 11 MONTHS) Transaction IP: [IP_ADDRESS] This IP appears in 47 of 47 authenticated login sessions over the 11-month subscription period. No other IP has ever been used to access this account. 2. DEVICE FINGERPRINT CONSISTENCY Same browser and device fingerprint across all 47 sessions. No access from any other device has ever been recorded. 3. RENEWAL EMAIL OPEN EVENT Date: [DATE] — 3 days before the charge The renewal notification email was opened by the cardholder. Open event confirmed by email tracking (timestamp attached). 4. ACTIVE USAGE (PRIOR 30 DAYS) 23 login sessions in the 30 days before the renewal charge. Feature usage logs attached showing active product use. 5. AVS + CVV RESULTS AVS: Full match | CVV: Match 6. NO CANCELLATION REQUEST Zero cancellation requests found in support records for this account at any point in the 11-month subscription period. Based on this evidence, we respectfully request that this chargeback be reversed. [MERCHANT NAME] [CONTACT INFORMATION]

Why It Won

Why It Won

The combination of consistent device and IP data over 11 months, plus email open tracking proving the cardholder was aware of the renewal, gave the issuer no credible path to rule in the cardholder’s favor. The cardholder’s claim of “never authorized” was contradicted directly by their own usage history. Forty-seven logins from the same device. An opened renewal email. Twenty-three sessions in the preceding month. The issuer reversed the dispute.

The fundamental principle at work here: a Visa 10.4 dispute is a claim that the cardholder was not the person who placed the order. When a merchant can demonstrate that the “unauthorized” account was actively used for 11 months from the same device, from the same IP, and that the cardholder received and opened a renewal notice — the claim is not credible. Issuers are not required to side with a cardholder whose behavior contradicts their own dispute narrative.

Key Takeaways

Lessons From This Case
  1. Usage logs are evidence — log everything. Every login, feature activation, and session should be recorded with timestamps and IP addresses. This data becomes your defense when a dispute arrives.
  2. Open tracking on automated emails creates an awareness record. When a cardholder claims they had “no knowledge” of a charge, a tracked email open event on the renewal notice directly contradicts that claim.
  3. Lead with your most powerful evidence — IP and device consistency — not the boilerplate. AVS is a checkbox. A 47-session history from the same device is a story. Issuers respond to stories.

Related Content

Reason Code Guide · Visa Visa 10.4: Other Fraud – Card Absent Case Study · WON Subscription Cancellation: $890 SaaS Industry Guide Digital Goods & SaaS: Chargeback Defense