
Mastercard 4837: No Cardholder Authorization Defense Playbook

Cardholder claims they never authorized the transaction. Here's how to build a response that proves they did — and what changes with Mastercard's 45-day window.

Response Window: 45 days — longer than Visa
Network: Mastercard (all card types)
Category: Fraud (unauthorized transaction)
Threshold: $0 (no minimum)
Arbitration Fee: $500 if you escalate and lose

What This Dispute Means

Mastercard 4837 is Mastercard's primary fraud code for unauthorized card-not-present transactions. The cardholder denies placing the order and asserts that someone else — or no one — made the purchase using their account. This is not a quality complaint or a delivery dispute — it is a direct claim that the cardholder had no knowledge of or involvement in the transaction.

The issuer's default posture is to believe the cardholder, which means your response must proactively disprove their claim rather than simply denying it. A generic "the transaction was valid" statement carries no weight. You need layered technical evidence that ties the order session to the cardholder's known identity.

4837 disputes are common in card-not-present environments: e-commerce, software subscriptions, digital goods, and phone orders. They are also frequently filed as a form of friendly fraud — where the cardholder made the purchase but later disputes it to avoid paying. The evidence requirements are the same either way — your job is to prove the legitimate cardholder placed the order.

How 4837 Differs From Visa 10.4

While both codes address unauthorized card-not-present transactions, the procedural differences matter for how you manage your response:

Feature | Mastercard 4837 | Visa 10.4
Response Window | 45 days | 30 days
Authorization System | Two-message clearing | Single-message
Arbitration Fee | $500 | Varies by tier
Card Tiers | World / World Elite rules | Standard tiers
Evidence Core | Approval code + device data | Device data + IP

Required Evidence

A winning 4837 response is built on layered proof of authorization. No single piece of evidence is sufficient on its own. These three categories form the foundation of every response — missing any one of them weakens your position significantly.

#1 — Authorization record

The authorization approval code is the anchor of every 4837 response. It proves that the cardholder's issuing bank approved the transaction in real time.

Data Point | What to Submit
Approval Code | The authorization approval code issued by the cardholder's issuing bank at the time of the transaction. This is in your payment processor dashboard — locate it first, before building the rest of your response.
AVS Result | The Address Verification System result code. A full match (billing address matched exactly) is strongest; a partial match is still useful. Include the raw result code.
CVV2 Result | Confirmation that the card security code was correctly entered at checkout. A passing CVV2 result is corroborating evidence the cardholder had the physical card.

Key Insight

The authorization approval code is your anchor. Every response to 4837 must begin with the approval code issued by the cardholder's bank. This code proves the issuer authorized the charge at the time of transaction. Without it, the issuer can claim there was an authorization failure — and your entire response collapses. Locate this code in your payment processor dashboard before doing anything else.

#2 — Device and identity evidence

Technical data linking the session that placed the order to the cardholder's known identity. This is what separates a strong response from a generic denial.

Evidence Type | What to Submit
Device Fingerprint | A browser or device fingerprint tied to the transaction session. If this matches prior authenticated sessions on the same account, include that session history — it is among your strongest evidence.
IP Address & Geolocation | The IP address of the session that placed the order, with geolocation showing city and region. Compare to the cardholder's billing address region and to prior authenticated sessions.
Prior Purchase History | Records showing the same card, device, or account was used for prior orders that were not disputed. A pattern of legitimate transactions undermines a claim of total unauthorized use.

#3 — Account and behavioral evidence

Evidence Type | What to Submit
Account Creation Date | The date the account was created — must predate the disputed transaction. An account created months before the dispute, with the same email and shipping address, is inconsistent with unauthorized use.
Order Confirmation Engagement | Order confirmation email delivery and open records. Any reply from the cardholder — even about an unrelated topic — proves account awareness.
Post-Transaction Activity | Account logins, product usage, download logs, or support contacts after the transaction date. Any engagement with the purchased product undermines a claim of non-authorization.

Strongly Recommended Evidence

Required evidence establishes that the transaction was technically authorized. Strongly recommended evidence establishes that the cardholder's specific identity was present at the transaction session. Both layers are needed for a compelling response.

#4 — Account history and profile consistency

Evidence Type | What to Submit
Profile Longevity | Show that the email address, phone number, and shipping address on the account had been there since account creation — not added immediately before the disputed charge. Stable profile data is consistent with a real customer; new address additions before a large charge warrant scrutiny.
Purchase Pattern | Transaction history showing similar purchases on the same account over time. A history of buying comparable products from you is strong counter-evidence to a claim of total unfamiliarity with the merchant.

#5 — Customer communications

  • Order confirmation email open and click records — timestamp and IP where available.
  • Shipping notification emails that were opened, including tracking link clicks.
  • Any support contact after the purchase referencing the order or product by name or order number — a cardholder who "never authorized" an order would not follow up about it.
  • No pre-dispute fraud report: confirm from your records that the cardholder never contacted you to report unauthorized access before the chargeback was filed.

#6 — Two-message clearing system data

  • For Mastercard transactions, request both the authorization message and the clearing message from your processor. Mastercard uses a two-message clearing system for most card types — authorization data is captured separately from settlement. Having both messages provides a more complete authorization record.
  • If the card involved is a World or World Elite tier Mastercard, note this in your response — different liability rules may apply in some international markets.

Supporting Evidence

These items round out your case and become critical if the dispute escalates to Mastercard arbitration.

#7 — Product and delivery documentation

  • Order confirmation showing exactly what was purchased, when, and at what price.
  • For physical goods: carrier tracking and delivery confirmation to the address provided at checkout.
  • For digital goods: access logs and usage data showing the product was downloaded or actively used.
  • Signed terms of service or checkout consent record showing the cardholder agreed to purchase terms.

#8 — Fraud tool and risk signal outputs

  • Output from any fraud scoring tool showing a low-risk assessment for this transaction at the time of authorization.
  • Any positive identity verification results — email verification, phone number verification, or knowledge-based authentication.
  • Evidence the shipping address was verified before fulfillment — USPS address validation or similar.
  • For subscription transactions: the original signup authorization with full timestamp confirming the cardholder consented to recurring billing.

Critical Mistakes

These mistakes appear consistently in losing responses to Mastercard 4837 disputes. Audit your response against each one before submitting.

Mistake #1: Not including the authorization approval code

This single omission can doom an otherwise strong response. The approval code proves the cardholder's bank authorized the transaction in real time. Without it, the issuer can claim there was an authorization failure — and the rest of your evidence becomes irrelevant. It is the first thing an arbitrator looks for.

What to do instead

Pull the authorization approval code from your payment processor dashboard immediately when you receive the dispute notification. Log in to your processor, find the transaction, and copy the approval code verbatim. It is typically a 6-character alphanumeric string. Include it on the first page of your response.

Mistake #2: Relying solely on AVS results

AVS confirms that an address was entered correctly — it does not prove the cardholder entered it. A fraudster with stolen card data that includes the billing address will also pass AVS. Submitting AVS as your primary defense signals that you have nothing stronger, and issuers know this.

What to do instead

Use AVS as a corroborating signal alongside device fingerprint, IP geolocation, and prior purchase history. AVS is one data point in a layered case — it cannot carry the case alone.

Mistake #3: Letting the 45-day window create a false sense of security

The extended window compared to Visa creates a false sense of security. Merchants who receive 4837 notifications and think "I have 45 days, I'll get to it" frequently miss the deadline or scramble to assemble evidence in the final week. Suboptimal responses are the result.

What to do instead

Begin building your response within 48 hours of receiving the dispute notification. Set a hard internal deadline of Day 30 for submission. Use the extra 15 days as a buffer for review, not for evidence collection.

Mistake #4: Submitting evidence that addresses the wrong dispute

A 4837 dispute is about authorization, not delivery. Submitting carrier tracking, delivery photos, and shipping policies does not respond to "I never authorized this charge." If you send delivery evidence to an authorization dispute, the reviewer will either reject it as non-responsive or read it as a deflection.

What to do instead

Read the dispute reason code carefully before assembling evidence. For 4837, everything in your response should speak to the question: did the legitimate cardholder authorize this transaction? Delivery evidence belongs in 4853 disputes, not 4837.

Mistake #5: Failing to document account creation history

An account that was created alongside the disputed charge — same day as the transaction, or recently — looks very different from an account that has been active for months or years. Account creation history that predates the transaction is powerful counter-evidence, because an unauthorized user would not have that history.

What to do instead

Include the account creation date, the date the current payment method was added, and the date the current shipping address was added. If these all predate the disputed transaction by a significant margin, include prior orders from the account to establish a history of legitimate use.

Winning Response Framework

Lead with the approval code and layer evidence from most to least conclusive. Mastercard arbitrators work through responses methodically — a clear, well-organized rebuttal reaches the decision-maker exactly as you submit it.

Step 1 — Identify the chargeback clearly

Template Language
Case Number [DISPUTE_REFERENCE_NUMBER]

We are submitting this representment in response to Mastercard 4837 chargeback claim against the [MM/DD/YYYY] transaction in the amount of [$AMOUNT] by [CARDHOLDER_NAME]. Please find our response and supporting documentation attached.

Step 2 — Summarize your case explicitly

State the facts of the authorization in plain language — lead with the approval code and identity evidence, not with logistics or policies.

Template Language
We respectfully dispute this chargeback. The transaction was authorized by the cardholder's issuing bank and was placed by the authorized cardholder. We submit the following evidence:

1. AUTHORIZATION
Approval Code: [APPROVAL CODE]
Issued by the cardholder's bank at [TIME] on [DATE], confirming real-time authorization of the $[AMOUNT] charge.

2. DEVICE AND IDENTITY VERIFICATION
IP Address: [IP_ADDRESS] — Geolocation: [CITY, STATE]
Device ID: [DEVICE_ID]
The order was placed from a device and IP consistent with [NUMBER] prior authenticated sessions on this account.

3. ACCOUNT HISTORY
Account created: [DATE — predates transaction by X months]
Prior transactions: [DATE_1], [DATE_2] — no disputes filed.

4. AVS / CVV2
AVS Result: [FULL/PARTIAL MATCH]
CVV2 Result: [MATCH]

5. POST-TRANSACTION ACTIVITY
[DATE]: Customer logged into account after order was placed.
[DATE]: Order confirmation email opened.

The cardholder did not contact us prior to filing this dispute to report any unauthorized account access.

Based on the above, we respectfully request that this chargeback be reversed.

Step 3 — Sequence your evidence by strength, not chronology

Priority | Evidence Type
First | Authorization approval code — the foundation of every 4837 response.
Second | Device fingerprint and IP geolocation, linked to prior authenticated sessions.
Third | Post-transaction account activity — logins, product use, email engagement after the charge date.
Last | AVS/CVV2 results, account creation history, order confirmation details.

Step 4 — Label and explain each exhibit

Attach all referenced documents as clearly labeled exhibits. Reference each exhibit by letter in the body of your response. Do not include irrelevant material — Mastercard arbitrators may discard submissions that are difficult to navigate.

Template Language
Exhibit A: Authorization Record
Payment processor transaction log showing authorization approval code [CODE] issued at [TIME] on [DATE] by the cardholder's issuing bank. Full authorization record included on page 2.

Real-World Examples

Winning Example — Digital Marketplace

The situation: $225 purchase of digital design assets. Cardholder filed a 4837 dispute 30 days after purchase claiming "I never made this purchase."

Opening statement submitted:

Opening Statement
"The transaction was authorized by the cardholder's issuing bank under approval code 847291. The order was placed from device ID D-4782k, which matches 8 prior authenticated sessions on this account going back 6 months. The account was created 11 months before this transaction. The cardholder's IP at checkout — 104.28.33.191 — geolocates to Chicago, IL, consistent with their billing zip code. The purchased assets were downloaded on the same day of purchase from IP 104.28.33.195 — same /24 subnet as the purchase IP. The customer has not contacted us prior to filing this dispute."

Evidence provided (in order submitted):

Page | Evidence
1 | Payment processor record showing authorization approval code 847291, issued at 3:14 PM on purchase date, by the cardholder's issuing bank. AVS: full match. CVV2: match.
2 | Device session history showing device ID D-4782k with 8 authenticated sessions across 6 months, including a session 4 days before and the disputed purchase session. IP geolocation report showing 104.28.33.191 in Chicago, IL.
3 | Download log showing the purchased assets were downloaded at 4:02 PM on the same day as purchase — within 48 minutes of the charge — from IP 104.28.33.195. File sizes and asset names match the purchased bundle.
4 | Account creation record dated 11 months before disputed transaction. Prior order history: 4 purchases on the same account with no disputes. CRM export: zero support contacts related to this order.

Result: Chargeback successfully represented. Claim withdrawn.

Why it won:

  • Authorization approval code anchored the response and proved the issuer itself approved the charge in real time
  • Device fingerprint matching 8 prior sessions over 6 months directly contradicts "I never made this purchase" — the device had an established account history
  • Same-day download within 48 minutes of purchase proves the cardholder immediately used the purchased assets
  • IP geolocation consistent with billing address removes any suggestion of unauthorized use from a different location
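
The correlation checks behind the winning example above, sketched as an added example (not part of the original guide and not any processor's API): it counts prior authenticated sessions for the order's device, measures the purchase-to-download delay, tests whether the download IP shares a /24 with the checkout IP, and lists checklist gaps. The record layout, field names, dates and the second device are constructed assumptions; the approval code, device ID and IPs are the ones quoted in the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def same_subnet(ip_a, ip_b, prefix=24):
    """True when ip_b lies in the /prefix IPv4 network that contains ip_a."""
    return ip_address(ip_b) in ip_network(f"{ip_a}/{prefix}", strict=False)


def build_evidence(order, sessions):
    """Correlate one order with session logs into the facts a 4837 response cites."""
    charged = order["charged_at"]
    prior = [s for s in sessions
             if s["device_id"] == order["device_id"]
             and s["authenticated"] and s["at"] < charged]
    after = [s for s in sessions if s["at"] > charged]
    downloads = sorted((s for s in after if s["event"] == "download"),
                       key=lambda s: s["at"])
    facts = {
        "approval_code": order.get("approval_code"),
        "prior_authenticated_sessions": len(prior),
        "account_age_days": (charged - order["account_created"]).days,
        "post_transaction_events": len(after),
        "download_delay_minutes": None,
        "download_ip_same_subnet": None,
    }
    if downloads:
        first = downloads[0]
        facts["download_delay_minutes"] = int(
            (first["at"] - charged).total_seconds() // 60)
        facts["download_ip_same_subnet"] = same_subnet(order["ip"], first["ip"])

    # Gaps mirror the guide's checklist; AVS/CVV2 results alone never clear them.
    gaps = []
    if not facts["approval_code"]:
        gaps.append("approval code missing")
    if not prior:
        gaps.append("no prior authenticated sessions on this device")
    if facts["account_age_days"] <= 0:
        gaps.append("account does not predate the transaction")
    if not after:
        gaps.append("no post-transaction activity")
    facts["gaps"] = gaps
    return facts


# Constructed sample data. Approval code, device ID and IPs are the ones quoted
# in the guide's winning example; every date and the second device are invented.
CHARGED = datetime(2026, 3, 10, 15, 14)
ORDER = {"approval_code": "847291", "device_id": "D-4782k",
         "ip": "104.28.33.191", "charged_at": CHARGED,
         "account_created": datetime(2025, 4, 10)}


def _session(device, ip, at, event, authenticated=True):
    return {"device_id": device, "ip": ip, "at": at,
            "event": event, "authenticated": authenticated}


SESSIONS = [_session("D-4782k", "104.28.33.191", CHARGED - timedelta(days=d), "login")
            for d in (4, 20, 45, 70, 95, 120, 150, 175)]
SESSIONS += [
    _session("D-0000x", "198.51.100.7", CHARGED - timedelta(days=2), "login", False),
    _session("D-4782k", "104.28.33.191", CHARGED, "purchase"),
    _session("D-4782k", "104.28.33.195", CHARGED.replace(hour=16, minute=2), "download"),
]

if __name__ == "__main__":
    for key, value in build_evidence(ORDER, SESSIONS).items():
        print(f"{key}: {value}")
```

An order with no stored approval code or session history comes back with every gap listed, which is the state the losing example below was in.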

Losing Example — E-commerce Retailer

The situation: $380 clothing purchase. Cardholder filed 4837 dispute claiming "I did not authorize this transaction."

What they submitted:

Response Submitted
"We dispute this chargeback. The order passed address verification and the CVV code matched. We shipped the order to the billing address and it was confirmed delivered. Our fraud system approved this transaction. Please find the tracking number and shipping confirmation attached. We have been processing payments for 8 years without issues."

Result: Dispute ruled in cardholder's favor.

Why it lost:

Mistake | Explanation
No authorization approval code | The most critical piece of evidence was absent. "The fraud system approved it" is not a substitute for the actual approval code from the issuing bank.
Delivery evidence in an authorization dispute | Tracking and shipping confirmation do not address whether the cardholder authorized the purchase. They address delivery — a completely different dispute type.
No device or IP data | AVS and CVV were cited but no device fingerprint, IP address, or session data was included — the actual evidence arbitrators look for.
8 years of experience cited | Merchant history is irrelevant to whether this specific cardholder authorized this specific transaction. It reads as deflection.

What they should have submitted:

  • Authorization approval code from the payment processor dashboard
  • IP address of the order session with geolocation data
  • Device fingerprint matched to prior account sessions
  • Account creation date and prior order history without disputes
  • Post-transaction account activity — any login or email engagement after the charge

Before You Submit

Run through this checklist before finalizing your Mastercard 4837 response.

Authorization record

  • Authorization approval code located and included — first item in your response
  • AVS result code included
  • CVV2 result included
  • Both authorization and clearing messages requested from processor if needed for arbitration

Device and identity evidence

  • IP address of order session recorded and included
  • Geolocation of IP compared to cardholder billing address
  • Device fingerprint or session ID from transaction
  • Prior sessions from the same device documented with dates

Account and behavioral evidence

  • Account creation date included — must predate the transaction
  • Prior orders without disputes documented
  • Post-transaction account activity documented (logins, downloads, support contacts)
  • Confirmation that no pre-dispute fraud report was received from the cardholder

Response structure

  • Opening paragraph explicitly addresses authorization — not delivery
  • Evidence organized by strength: approval code first, then device data, then behavioral
  • All exhibits labeled with one-sentence explanation
  • No irrelevant documents included
  • Response submitted within 45 days — target Day 30 internally to build in review time

Proactive Prevention

These steps reduce your 4837 exposure and ensure the evidence you need is captured before a dispute ever arrives.

Action | Why It Matters
Archive authorization approval codes with every transaction | Your payment processor generates an approval code for every authorized transaction. Store it linked to the order record — it is the single most important piece of evidence in a 4837 response and the most commonly missing.
Capture device fingerprints at checkout | Device fingerprint data must be captured at the moment of transaction. Use your payment processor or a dedicated fraud tool that captures and archives device data linked to each order record.
Implement 3DS2 for high-risk transactions | For Mastercard, EMV 3-D Secure authentication shifts dispute liability to the issuer for fraud codes including 4837. This is the most effective structural protection for high-risk CNP transactions.
Log IP and geolocation at every transaction | Store the full IP address and resolved geolocation in your transaction records alongside the device fingerprint. These two data points together are the core of a strong 4837 defense.
Build post-purchase engagement sequences | Order confirmation, shipping notification, and post-delivery follow-up emails create an engagement record. Track opens and clicks. Every touchpoint that the cardholder engages with is documented evidence of awareness and authorization.

About This Guide

This playbook is updated at least twice annually to reflect changes in Mastercard's dispute rules and issuer practices. Document Version: 2026.1 · Last Updated: March 2026 · Covers: Mastercard 4837 / No Cardholder Authorization

What Happens at Arbitration

If you submit a representment and the issuer upholds the dispute — rejecting your evidence and maintaining the chargeback — you have one further option before accepting the loss: Mastercard arbitration.

In arbitration, Mastercard's dispute resolution team reviews the full case file, including your representment evidence and the issuer's rebuttal. Mastercard renders a binding decision. The losing party pays a $500 arbitration filing fee. This fee structure means arbitration is typically only worth pursuing for disputes above a minimum dollar threshold.

Before filing for arbitration, consider:

  • Is your evidence genuinely strong? Arbitration with weak evidence results in a fee on top of the original loss.
  • Is the dispute amount large enough? For small transactions, the $500 fee can exceed the disputed amount.
  • Did the issuer violate any Mastercard rules in handling the dispute? If so, your arbitration case is significantly stronger.

Mastercard's pre-arbitration filing deadline is strict: 30 days from the issuer's response to your representment. Miss that window and you permanently forfeit the right to escalate.
