Fraud — Card Not Present Defense Playbook

The most common e-commerce chargeback type. Cardholder claims they never authorized the transaction. Here’s the evidence that wins — and the mistakes that lose.

  • Shortest Window: 20 Days (Amex F29)
  • Longest Window: 45 Days (Mastercard 4837)
  • Merchant Difficulty: High (liability defaults to merchant)
  • Networks: All 4 (Visa · MC · Amex · Discover)
  • Share of Disputes: ~40% of all e-commerce chargebacks

What This Dispute Means

A card-not-present (CNP) fraud chargeback is filed when a cardholder claims they did not authorize a transaction processed without the physical card being present — overwhelmingly e-commerce purchases. The cardholder is asserting that someone else placed the order using their card details, without their knowledge.

Unlike consumer dispute codes, there is no acknowledgment of a purchase relationship. The cardholder is not saying the item never arrived or wasn't what they expected — they are saying they had no involvement in the transaction at all. That makes it the most difficult dispute category to win, because the burden falls entirely on the merchant to prove the legitimate cardholder placed the order.

In a card-not-present environment, liability defaults to the merchant unless you can demonstrate that the legitimate cardholder was behind the transaction. If you processed with 3D Secure authentication and the cardholder authenticated, liability shifts to the issuer — and the chargeback should not be upheld. Without 3DS2, your defense relies on behavioral and technical evidence.

CNP fraud chargebacks are also the most common vehicle for friendly fraud — where the legitimate cardholder made the purchase, received the goods or service, and then disputed the charge to avoid paying. The evidence you need to defend against genuine third-party fraud is the same evidence that defeats friendly fraud claims: device fingerprints, IP geolocation, usage logs, and prior purchase history that proves the cardholder's identity was present at the transaction.

Network Coding

Each network uses a different code for this dispute type. The evidence requirements are similar across networks, but response windows, submission processes, and structural differences vary significantly. Our network-specific guides cover each one in detail.

| Network | Code | Official Name | Response Window |
|---|---|---|---|
| Visa | 10.4 | Other Fraud – Card Absent Environment | 30 days |
| Mastercard | 4837 | No Cardholder Authorization | 45 days |
| American Express | F29 | Card Not Present Fraud | 20 days |
| Discover | UA02 | Fraudulent Transaction – Card Absent | 30 days (+ inquiry phase) |

Required Evidence

Winning a CNP fraud chargeback is almost entirely a data exercise. These three categories apply across all four networks. Missing any one of them significantly reduces your probability of success, regardless of what else you submit.

#1 — Transaction authorization data

The technical record confirming the transaction was authorized — and that the cardholder's own security credentials were used.

| Data Point | What to Submit |
|---|---|
| Authorization Approval Code | The approval code issued by the cardholder's bank at the time of authorization. This is the first thing network arbitrators look for on Mastercard and Amex disputes — include it in every response. |
| CVV / CID Result | The card security code verification result. Visa and Mastercard call this CVV2; Amex and Discover use CID. A passing result is corroborating evidence the cardholder had the physical card or the security code. Include the raw result code. |
| AVS Result | Address Verification System result showing whether the billing address entered at checkout matched the card on file. A full match is supportive; always include the result code, not just a summary. |
| 3DS2 Authentication | If you used 3D Secure and the cardholder authenticated, include the authentication result. A successful 3DS2 authentication shifts liability to the issuer on Visa and Mastercard — this is your strongest possible defense and makes the chargeback non-viable. |

#2 — Device and identity evidence

Technical data linking the session that placed the order to the cardholder's known identity and device history. This is the core of every winning CNP fraud response.

| Evidence Type | What to Submit |
|---|---|
| IP Address & Geolocation | The IP address of the session that placed the order, with geolocation data showing city and region. Compare to the cardholder's billing address region and to prior authenticated sessions on the account. |
| Device Fingerprint | A browser or device fingerprint tied to the transaction session. If this matches prior authenticated sessions on the same account, include that history — it proves the same device has a legitimate relationship with the account. |
| Prior Purchase History | Records showing the same card, device, or account placed previous orders that were not disputed. A pattern of legitimate transactions from the same device directly undermines a total non-authorization claim. |

#3 — Account and behavioral evidence

| Evidence Type | What to Submit |
|---|---|
| Account Creation History | The date the account was created — must predate the disputed transaction. A long-standing account with consistent profile data is inconsistent with unauthorized third-party use. |
| Post-Transaction Activity | Account logins, product downloads, content access, or support contacts after the transaction date. Any meaningful engagement with the purchased product after the charge proves cardholder involvement. |
| Order Confirmation Engagement | Order confirmation email delivery and open records, including timestamp and IP where available. A cardholder who opened the confirmation email shortly after the purchase was aware of the transaction. |

Strongly Recommended Evidence

Required evidence establishes that the transaction was technically authorized. Strongly recommended evidence establishes that the cardholder's specific identity was present — making the dispute claim implausible regardless of what the cardholder asserts.

#4 — Usage logs and product access

| Product Type | Evidence to Submit |
|---|---|
| Software / SaaS | Login session logs with timestamps and IP addresses after the purchase date. Feature usage records showing meaningful platform engagement after the charge. |
| Digital Downloads | Download records with file size, date, download IP, and confirmation the same IP was used at checkout and download. |
| Content / Streaming | View counts, playback records, or reading history with timestamps after the transaction date. |
| Physical Goods | Carrier delivery confirmation, GPS coordinates, and signature records. Any post-delivery support contact, product review, or warranty registration. |

#5 — Checkout consent and signed terms

  • A screenshot or record of the checkout consent flow, showing the cardholder agreed to purchase terms at the time of the transaction.
  • Signed terms of service if your checkout requires explicit acceptance.
  • For subscription products: the original recurring billing authorization with full timestamp and IP address.

#6 — No pre-dispute fraud report

  • Export your support records, CRM, and email history showing no report of unauthorized card use was received from the cardholder before the dispute was filed.
  • A cardholder who "discovered fraud" but did not contact the merchant before filing the dispute is a consistent signal of friendly fraud.

Critical Insight

CNP fraud disputes are won or lost on device and IP data. If you cannot tie the transaction to a device fingerprint or IP that matches the cardholder's known location and account history, your chances of winning drop significantly. This data must be captured at checkout — it cannot be reconstructed after a dispute is filed.

Supporting Evidence

These items round out your case and become important if the dispute escalates to network arbitration.

#7 — Fraud tool outputs

  • Risk score or fraud assessment from any tool you use (Kount, Signifyd, Stripe Radar, etc.) showing the transaction was assessed as low-risk at authorization.
  • Any positive identity verification results — email verification, phone number verification, or knowledge-based authentication.
  • Evidence the shipping address was verified against a postal database before fulfillment.

#8 — Account profile stability

  • Evidence that the email address, phone number, and shipping address on the account had been there since account creation — not recently added before the disputed charge.
  • Billing address match between the account profile and the card on file, confirming the cardholder established this card at account setup.
  • Login history showing regular, prior engagement with the account from the same device and IP range as the disputed transaction.

Critical Mistakes

These mistakes appear in the majority of losing CNP fraud responses. They are avoidable — but only if you know what to look for before submitting.

Mistake #1: Submitting AVS and CVV as your primary defense

AVS confirms an address was entered correctly. CVV confirms the security code was entered. Neither proves the cardholder entered them — a fraudster with stolen card data that includes the billing address and security code will also pass both checks. Submitting AVS and CVV as your core evidence signals to arbitrators that you have nothing stronger.

What to do instead

Use AVS and CVV as corroborating signals alongside device fingerprint, IP geolocation, prior purchase history, and post-transaction activity. These are supporting data points, not a foundation.

Mistake #2: Missing network-specific deadlines

Amex gives you 20 days. Visa gives you 30. Mastercard gives you 45. Discover has an inquiry phase before the 30-day formal window. Missing any deadline is an automatic loss regardless of evidence strength. The variance across networks means you cannot apply a single mental deadline to all disputes.

What to do instead

Identify the network on every dispute notification immediately and set a deadline reminder the same day. Target your internal deadline 10 days before the network deadline to allow time for review. For Amex disputes, begin evidence collection the day you receive the notification.

Mistake #3: Submitting delivery evidence in an authorization dispute

A CNP fraud dispute is about authorization, not delivery. Submitting carrier tracking, shipping confirmations, and delivery photos does not address the cardholder's claim that they never placed the order. Delivery evidence is appropriate for "Item Not Received" disputes — not fraud codes.

What to do instead

Always read the dispute reason code before assembling your response. For CNP fraud codes, every piece of evidence should answer the question: did the legitimate cardholder authorize this transaction? Submit authorization evidence and identity evidence, not logistics documentation.

Mistake #4: Ignoring Discover's inquiry phase

Discover sends an inquiry before most formal chargebacks — giving you the opportunity to resolve the dispute before it becomes a chargeback with associated fees and dispute rate impact. Merchants who ignore inquiries consistently receive formal chargebacks that a timely inquiry response would have prevented.

What to do instead

Treat Discover inquiries with the same urgency as formal chargebacks. Build your complete evidence package immediately upon receiving an inquiry notification and submit it through Discover's inquiry portal. Do not wait to see whether it escalates.

Mistake #5: Not capturing device and IP data at checkout

This is a structural problem, not a response problem. If your checkout does not capture and archive device fingerprints, IP addresses, and geolocation at the moment of authorization, you have no device-level identity evidence to submit — ever. This data cannot be reconstructed after the fact.

What to do instead

Implement a fraud tool or payment processor feature that captures and archives device fingerprints, IP addresses, and geolocation with every transaction, linked to the order record. This is the single highest-impact operational improvement you can make to your CNP fraud dispute win rate.

Key Differences by Network

The evidence requirements for CNP fraud disputes are substantially similar across all four networks — device data, IP geolocation, prior purchase history, and post-transaction activity are relevant everywhere. But each network has structural differences that affect your timeline and submission process.

| Network | Response Window | Key Structural Difference | Priority Evidence |
|---|---|---|---|
| Visa 10.4 | 30 days | Four-party model; Visa arbitrates neutrally | Device fingerprint + IP geolocation |
| Mastercard 4837 | 45 days | $500 arbitration fee; two-message clearing system | Authorization approval code first |
| Amex F29 | 20 days | Amex acts as issuer and acquirer; internal adjudication | CID match + Amex rebuttal form compliance |
| Discover UA02 | 30 days (formal) | Pre-dispute inquiry phase before formal chargeback | Respond to inquiry immediately with full package |

Use the network-specific guides below for the complete response framework, real-world examples, before-you-submit checklists, and process walkthroughs for each network.

Winning Response Framework

This framework applies across all four networks. Adapt it to each network's specific form and submission process using the network-specific guides.

Step 1 — Identify the chargeback clearly

Template Language
Case Number [DISPUTE_REFERENCE_NUMBER]
We are responding to the [NETWORK CODE] chargeback against the [MM/DD/YYYY] transaction made by [CARDHOLDER_NAME] in the amount of [$AMOUNT]. Please find our response and supporting documentation attached.

Step 2 — Lead with authorization and identity evidence

Do not make the reviewer infer authorization from raw data. State the facts of the authorization and identity match in plain language, then reference your exhibits.

Template Language
This transaction was authorized by the cardholder's issuing bank [Authorization Code: XXXXXX] and was placed by the legitimate cardholder. The order was submitted from IP address [IP_ADDRESS], located in [CITY, STATE] — consistent with the cardholder's billing address region. The device fingerprint matches [NUMBER] prior authenticated sessions on this account over the past [TIMEFRAME]. The customer account was created on [DATE] — [X] months before this transaction. [NUMBER] prior orders have been placed on this account from the same device without dispute. Following this transaction, the cardholder [logged in / accessed the product / opened the order confirmation email] on [DATE] — [X] days after the charge. The cardholder did not contact us prior to this dispute to report any unauthorized account access.

Step 3 — Sequence your evidence by strength, not chronology

| Priority | Evidence Type |
|---|---|
| First | Authorization approval code + CVV/CID result. For Amex: CID match leads. For Mastercard: approval code leads. |
| Second | Device fingerprint and IP geolocation matched to prior authenticated sessions on the account. |
| Third | Post-transaction account activity — logins, product access, email engagement after the charge date. |
| Last | Account creation history, prior transaction records, AVS result, checkout consent records. |

Step 4 — Label and explain each exhibit

Every piece of documentation should be named, numbered, and given a one-sentence explanation. Context shapes how evidence is perceived — do not make reviewers guess what they are looking at.

Template Language
Exhibit A: IP Address and Device Fingerprint Report
IP 104.28.33.191 geolocates to [CITY, STATE] — within [X] miles of the cardholder's billing zip code. Device fingerprint D-29581 matches [NUMBER] prior authenticated sessions on this account, with the most recent prior session on [DATE].

Before You Submit

Run through this checklist before finalizing your response. Use the network-specific guides for additional process steps (Amex form compliance, Discover inquiry phase, Mastercard approval code requirements).

Authorization data

  • Authorization approval code from payment processor included
  • CVV / CID verification result included and explicitly labeled
  • AVS result code included
  • 3DS2 authentication result included if applicable

Device and identity evidence

  • IP address of checkout session recorded and included
  • Geolocation of IP address compared to cardholder's billing address
  • Device fingerprint or session ID from transaction
  • Prior sessions from the same device documented with dates

Account and behavioral evidence

  • Account creation date included — must predate the transaction
  • Prior orders without disputes documented
  • Post-transaction account activity documented
  • No pre-dispute fraud report confirmed from CRM or support records

Response structure

  • Opening statement addresses authorization — not delivery
  • Evidence organized by strength, not chronology
  • Each exhibit labeled with one-sentence explanation
  • Submitted through the correct network portal within the applicable deadline
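
The checklist above and the deadline advice under Mistake #2, combined into one automated pre-submission check. This is an added example, not part of the original guide: the `Evidence` record, its field names and the sample values are hypothetical, while the response windows, the 10-day internal buffer and the Visa/Mastercard 3DS2 liability shift are taken from the guide.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Response windows in days, from the guide's Network Coding table.
WINDOW_DAYS = {"10.4": 30, "4837": 45, "F29": 20, "UA02": 30}
INTERNAL_BUFFER_DAYS = 10                 # guide: aim 10 days ahead of the network
LIABILITY_SHIFT_CODES = {"10.4", "4837"}  # guide: 3DS2 shift on Visa and Mastercard

@dataclass
class Evidence:  # hypothetical record shape, not a network or processor format
    reason_code: str
    notified_on: date
    txn_date: date
    auth_code: str = ""
    cvv_result: str = ""
    avs_result: str = ""
    threeds_authenticated: bool = False
    checkout_ip: str = ""
    ip_region: str = ""
    billing_region: str = ""
    device_fingerprint: str = ""
    prior_device_sessions: list = field(default_factory=list)  # session dates
    account_created: Optional[date] = None
    post_txn_activity: list = field(default_factory=list)      # activity dates
    pre_dispute_fraud_report: bool = False

REQUIRED = {"auth_code": "authorization approval code",
            "cvv_result": "CVV/CID result code", "avs_result": "AVS result code",
            "checkout_ip": "checkout IP address", "ip_region": "IP geolocation",
            "device_fingerprint": "device fingerprint"}

def review(ev: Evidence, today: date) -> dict:  # deadlines, shift status, gaps
    network_due = ev.notified_on + timedelta(days=WINDOW_DAYS[ev.reason_code])
    internal_due = network_due - timedelta(days=INTERNAL_BUFFER_DAYS)
    gaps = [f"missing {label}" for attr, label in REQUIRED.items()
            if not getattr(ev, attr)]
    if ev.ip_region and ev.ip_region != ev.billing_region:
        gaps.append("IP geolocation does not match billing region")
    if not any(d < ev.txn_date for d in ev.prior_device_sessions):
        gaps.append("no prior sessions from this device")
    if ev.account_created is None or ev.account_created >= ev.txn_date:
        gaps.append("account creation does not predate transaction")
    if not any(d > ev.txn_date for d in ev.post_txn_activity):
        gaps.append("no post-transaction activity")
    if ev.pre_dispute_fraud_report:
        gaps.append("cardholder reported fraud before the dispute")
    if today > network_due:
        gaps.append("network deadline passed")
    elif today > internal_due:
        gaps.append("past internal deadline")
    shift = ev.threeds_authenticated and ev.reason_code in LIABILITY_SHIFT_CODES
    return {"network_due": network_due, "internal_due": internal_due,
            "liability_shift": shift, "gaps": gaps}

# Constructed sample: an Amex F29 dispute reviewed 12 days after notification.
SAMPLE = Evidence("F29", date(2026, 3, 2), date(2026, 2, 10), auth_code="A1B2C3",
                  cvv_result="M", checkout_ip="203.0.113.7", ip_region="TX",
                  billing_region="TX", device_fingerprint="fp-sample-01",
                  prior_device_sessions=[date(2025, 11, 4)], account_created=date(2025, 6, 1))
print(review(SAMPLE, date(2026, 3, 14))["gaps"])
```

An unknown reason code raises `KeyError` rather than defaulting to a window, so a mislabelled dispute fails loudly instead of inheriting the wrong deadline.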

Proactive Prevention

The most effective CNP fraud defense is the evidence you collect before a dispute is ever filed. These steps reduce your exposure and build the documentation trail that makes responses straightforward.

| Action | Why It Matters |
|---|---|
| Implement 3DS2 for high-risk transactions | A successful 3DS2 authentication shifts chargeback liability to the issuer for fraud codes on Visa and Mastercard. This is the single most effective structural protection against CNP fraud chargebacks. |
| Capture and archive device fingerprints at checkout | Device fingerprint data must be captured at the moment of transaction. It cannot be reconstructed after the fact. Use your payment processor or a fraud tool that captures and stores this automatically. |
| Log IP addresses with geolocation at every transaction | Store the full IP address plus resolved geolocation in your transaction records. Many merchants capture the IP but not the geolocation — both are needed for a credible fraud defense. |
| Enable usage tracking for all products | Log every login, download, and significant usage event with timestamp and IP address. For digital products, this data is automatically generated — you just need to retain it. It is among your strongest post-purchase evidence. |
| Build post-purchase email sequences with tracking | Order confirmations, shipping notifications, and follow-up emails create an engagement record. Track open events and clicks. Every email the cardholder interacts with is documented evidence of their awareness of the transaction. |
| Set up immediate dispute alerts by network | Amex gives you only 20 days. Disputes need to be identified, assigned, and actioned within hours — not days. Real-time dispute alerts ensure no network deadline is ever missed due to notification lag. |

About This Guide

This playbook is updated at least twice annually to reflect changes in network rules and issuer practices. Document Version: 2026.1 · Last Updated: March 2026 · Covers: Visa 10.4 / Mastercard 4837 / Amex F29 / Discover UA02

Network-Specific Guides

Each network has different response deadlines, submission processes, and priority evidence. Select your network for the complete playbook: