Mastercard Reason Code 4837: No Cardholder Authorization

Q: Does a CVV match alone prove the cardholder authorized the transaction?

No. A CVV match proves the person who made the purchase had the security code from the physical card, but it does not conclusively prove they were the legitimate cardholder. CVV data can be obtained through card theft, phishing, or data breaches. It is strong supporting evidence but must be combined with other authentication factors.

Reason Code 4837 Mastercard Fraud

Time Limit 120 days from transaction date

Difficulty Hard fraud claims favor cardholder

Win Rate ~35% ~80% with 3DS2 in place

Premium Guide CNP Fraud Full defense playbook

What Mastercard Reason Code 4837 Means

Mastercard reason code 4837, titled No Cardholder Authorization, is filed when a cardholder claims they did not authorize or participate in a transaction charged to their account. It is Mastercard's primary code for unauthorized transaction disputes and one of the most challenging chargebacks for merchants to fight without proper authentication infrastructure.

Importantly, Mastercard does not distinguish between true fraud (stolen card data used by a criminal) and friendly fraud (the cardholder or a household member actually made the purchase but denies it) at the reason code level. Both scenarios are filed as 4837. Your evidence package must address both possibilities — proving either that the cardholder authorized the transaction, or that you performed sufficient authentication to shift liability regardless.

Key Distinction

Code 4837 means the cardholder denies any knowledge of the transaction. If they recognize the purchase but claim they cancelled or didn't receive it, those are different codes (4853 or 4841). Misidentifying the dispute type leads to the wrong evidence strategy.

Cross-Network Equivalent Codes

Network	Code	Title	Notes
Mastercard	4837	No Cardholder Authorization	This page
Visa	10.4	Other Fraud – Card Absent Environment	Direct Visa equivalent; same 3DS2 defense applies
Amex	F29	No Cardholder Authorization	Direct Amex equivalent; Amex SafeKey provides liability shift
Discover	UA02	Fraud – Card Not Present	Discover's CNP fraud equivalent

Common Trigger Scenarios

True card fraud. Card credentials were stolen via phishing, a data breach, or the dark web and used to make purchases. The legitimate cardholder sees unfamiliar charges and disputes immediately. Without 3DS2, these are very difficult to win.
Account takeover. A fraudster gained access to an existing customer account through credential stuffing or social engineering and used saved payment methods. The real customer disputes all purchases made during the takeover period.
Unrecognized billing descriptor. The cardholder made the purchase but your company name on their statement doesn't match what they remember. They call their bank rather than you, and the bank files a 4837 dispute before investigating.
Family member purchase. A spouse, child, or household member used the cardholder's card or saved credentials without explicit permission. The cardholder disputes claiming no authorization.
Deliberate friendly fraud. The cardholder received goods or services but disputes using the fraud code because it carries a higher burden of proof for merchants than consumer dispute codes.

Key Deadlines & Timeframes

Milestone	Timeframe	Notes
Cardholder Filing Window	120 days	From the transaction processing date
Merchant Response Window	45 days	From the chargeback date — Mastercard allows more time than Visa's 30 days
Second Presentment	45 days	If issuer escalates after representment, merchant has 45 days to respond
Arbitration	45 days	Either party may escalate to Mastercard arbitration within 45 days of second presentment decision

Evidence You Will Need

Mastercard Identity Check (3DS2) authentication record — the ECI value confirming the cardholder completed identity verification, triggering full liability shift to the issuer
AVS full match on both street address and ZIP code with the issuer's records
CVV/CVC match confirmation proving the buyer entered the card's security code correctly
IP address and geolocation data showing the transaction originated from a location consistent with the cardholder's profile
Device fingerprint records linking the purchase device to previous undisputed transactions by the same customer
Customer account history showing prior purchases, logins, and activity from the same account and device that were never disputed
Delivery confirmation to AVS-verified address for physical goods
Order confirmation email delivery receipt to the cardholder's verified contact

Learn Exactly How to Package and Present This Evidence

The CNP Fraud Defense Guide covers the exact evidence sequence for 4837 representments, how to present authentication data that Mastercard issuers respond to, and the 3DS2 implementation guide that shifts liability permanently off your business.

Learn exactly how to package and present this evidence →

How Merchants Lose This Dispute

No 3DS2 authentication infrastructure. Without Mastercard Identity Check in place, merchants are fighting 4837 disputes with one hand tied behind their back. The liability shift alone makes 3DS2 the single most impactful investment a CNP merchant can make.
Treating AVS/CVV match as conclusive proof. These are supporting evidence points, not definitive authorization proof. Mastercard evaluates the totality of authentication data — no single data point is sufficient alone.
Addressing delivery instead of authorization. A 4837 dispute is about whether the cardholder authorized the charge. Responding with delivery proof without addressing the authorization question misses the point entirely.
Missing the 45-day response window. Even with Mastercard's longer response window, many merchants miss it due to processor internal deadlines that are shorter. Confirm your processor's actual deadline the day you receive the dispute.

Get the Step-by-Step Winning Strategy

Our CNP Fraud Defense Guide includes copy-paste representment language for 4837 disputes, the complete 3DS2 implementation checklist, Ethoca alert integration guidance, and cross-network strategies for Visa 10.4 and Amex F29.

Get the step-by-step winning strategy →

Response Framework Overview

Lead with 3DS2 authentication data. If you have Mastercard Identity Check authentication, present the ECI value and authentication result first. This immediately triggers the liability shift argument.
Layer authentication evidence. Present AVS match, CVV match, device fingerprint, and IP/geolocation as a combined package demonstrating the transacting person matches the cardholder profile.
Show account history. Prior undisputed transactions from the same account, device, and address undermine the "no authorization" claim and suggest the cardholder was familiar with the merchant.
Reference Ethoca/RDR status. If you participate in Mastercard's Ethoca alert program or RDR, note this — it demonstrates your commitment to fraud prevention which can influence issuer review.

Prevention Tips

Implement Mastercard Identity Check (3DS2). The liability shift this provides is the most effective protection against 4837 chargebacks. Modern 3DS2 frictionless flow approves low-risk transactions without customer challenge steps, preserving conversion rates.
Use a clear, recognizable billing descriptor. Your company name on statements should match your brand exactly. Include a customer service phone number or URL so confused cardholders contact you instead of their bank.
Enroll in Mastercard's Ethoca program. Ethoca delivers near-real-time fraud alerts that allow you to refund transactions before they become chargebacks, reducing both fees and ratio impact.
Deploy velocity checks and behavioral analytics. Flagging unusual transaction patterns before they process is more cost-effective than fighting chargebacks after the fact.

Frequently Asked Questions

What is the difference between Mastercard 4837 and 4863?

Code 4837 is a fraud allegation — the cardholder says they did not authorize the transaction at all. Code 4863 (Cardholder Does Not Recognize) is softer — the cardholder sees an unfamiliar charge but may not be claiming outright fraud. In practice, 4863 is often a billing descriptor issue while 4837 is a more serious claim requiring stronger authentication evidence.

If I have 3DS2, can I still receive a 4837 chargeback?

Yes, you can still receive the chargeback notification. However, if the transaction was fully authenticated through Mastercard Identity Check, the liability shift means the issuer bears the financial responsibility. Your acquirer should automatically reverse the chargeback based on the authentication data.

Does a CVV match alone prove the cardholder authorized the transaction?

No. A CVV match proves the person had the security code from the physical card, but it does not conclusively prove they were the legitimate cardholder. It is strong supporting evidence but must be combined with other authentication factors.

How long do I have to respond to a Mastercard 4837 chargeback?

Mastercard allows 45 days from the chargeback date to submit a representment — slightly longer than Visa's 30-day window. However, your payment processor may enforce a shorter internal deadline. Confirm the exact deadline with your processor immediately upon receiving the dispute notification.