What Mastercard Reason Code 4840 Means
Mastercard reason code 4840 falls under the Fraud category and is titled Fraudulent Processing of Transactions. It is filed when multiple unauthorized transactions are processed on a cardholder's account — typically by the same merchant or at the same location — after the account was compromised. The code implies either that the merchant's operations are implicated in the original card compromise, or that the merchant continued processing transactions after receiving signals that the account was being used fraudulently.
Unlike code 4837 (No Cardholder Authorization), which covers a single unauthorized transaction, 4840 carries the additional allegation of a fraudulent pattern. This makes it one of the more serious fraud codes for merchant risk scoring and account standing.
Code 4840 is about pattern and merchant conduct, not just a single unauthorized charge. If you receive multiple 4840 chargebacks from different cardholders, Mastercard will scrutinize your operations for signs of a data breach, collusion, or systemic fraud enablement. Elevated 4840 volumes trigger acquirer-level reviews and can jeopardize your ability to accept Mastercard.
Cross-Network Equivalent Codes
| Network | Code | Title | Notes |
|---|---|---|---|
| Mastercard | 4840 | Fraudulent Processing of Transactions | This page |
| Mastercard | 4837 | No Cardholder Authorization | Single unauthorized transaction; related but distinct |
| Visa | 10.4 | Other Fraud – Card Absent Environment | Visa's primary CNP fraud code; partial equivalent |
Common Trigger Scenarios
- Card testing attacks on your checkout. Fraudsters use scripts to test stolen card numbers on your payment page with small transactions. Each successful test generates a real charge on a real cardholder's account. When those cardholders notice and dispute, the pattern triggers 4840 coding.
- Merchant data breach leading to fraud. If cardholder data was stolen from your systems and used at your location or by connected parties, 4840 chargebacks will cluster from cardholders whose data was compromised in your breach.
- Continued processing after fraud notification. Processing additional transactions on an account after the cardholder has already flagged fraud or after the issuer has blocked the card is a direct trigger for 4840.
- Collusion or internal fraud. Staff or insiders copying card data and processing unauthorized additional transactions is a severe form of 4840 violation with criminal liability beyond the chargebacks.
- Recurring billing on compromised stored credentials. If stored payment credentials are compromised and used to process recurring charges after the cardholder has reported fraud, each charge becomes a 4840 dispute.
Key Deadlines & Timeframes
| Milestone | Timeframe | Notes |
|---|---|---|
| Cardholder Filing Window | 120 days | From the transaction date |
| Merchant Response Window | 45 days | From acquirer receipt of first chargeback; processor deadline may be shorter |
| Second Presentment | 45 days | After chargeback reversal if issuer re-disputes |
Evidence You Will Need
- 3D Secure / EMV 3DS authentication records showing the cardholder completed step-up authentication for the disputed transaction
- Device fingerprint and IP geolocation data showing the transaction originated from a device and location consistent with the legitimate cardholder's history
- Order history and account behavior data showing prior successful orders by this cardholder using the same credentials, delivery address, and device
- Delivery confirmation to the cardholder's verified address — if goods were delivered, this demonstrates the legitimate cardholder benefited from the transaction
- Fraud screening tool results from your risk system at the time of authorization, showing the transaction scored within acceptable risk thresholds
- Response to card testing allegation — if the dispute involves a card testing pattern, provide documentation of your velocity controls, CAPTCHA implementation, and bot detection measures
How Merchants Lose This Dispute
- No 3DS authentication. For CNP transactions, the absence of 3D Secure shifts liability entirely to you. Against a pattern fraud code like 4840, no authentication is nearly always a losing position.
- Card testing transactions. If the disputed charge was a small-dollar test transaction, the cardholder clearly did not authorize it. There is no delivery to show, no legitimate order to document. Accept these and fix your checkout fraud controls.
- Multiple 4840s from different cardholders. A cluster of 4840 chargebacks pointing at your merchant ID is a serious signal. Defending individual disputes while ignoring the systemic issue leads to account-level consequences that dwarf the individual chargeback losses.
- Ignoring the pattern allegation. Responding to a 4840 with the same evidence package you use for a 4837 misses the fraud pattern component. Address the pattern explicitly in your representment.
Response Framework Overview
- Determine if the transaction was genuinely authorized. Pull 3DS results, device data, IP history, and order records to assess whether the legitimate cardholder was actually the buyer.
- Address the pattern allegation. If you are receiving multiple 4840s, document your fraud controls — what you have in place to detect and stop fraudulent transaction patterns.
- Lead with authentication evidence. 3DS authentication that passed the cardholder through the issuer's authentication system is the strongest available defense.
- Document delivery to legitimate address. Shipment to the cardholder's billing address with delivery confirmation is supporting evidence that a legitimate transaction occurred.
- Acknowledge any systemic issues and remediation. If you have identified a card testing attack or other fraud pattern and have taken corrective action, documenting this demonstrates good-faith merchant conduct.
Prevention Tips
- Implement 3D Secure 2 on all card-not-present transactions. 3DS2 liability shift is the single most effective protection against 4840 chargebacks. With successful authentication, the issuer cannot file a fraud chargeback against you.
- Deploy velocity controls on your checkout. Limit the number of card attempts from a single IP or device per hour. Card testing attacks rely on the ability to test hundreds of cards rapidly — velocity limits break the attack.
- Monitor for small-dollar transaction clusters. Card testing transactions are typically small ($1–$10). An unusual spike in low-value authorizations from new or unrecognized accounts is a card testing signal.
- Stop processing immediately when fraud is reported. When a cardholder reports a fraudulent transaction, immediately review all other transactions linked to the same stored credentials and cancel any pending orders. Continuing to ship after a fraud report generates additional 4840 chargebacks.
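The velocity and small-dollar monitoring tips above, sketched as an added example (not code from this page or from Mastercard). The thresholds, field names and sample log are assumptions made for illustration. The per-source limit stops a single IP or device, while the small-dollar counter catches testing that is spread across many sources.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # the page's "per hour" window
MAX_PER_SOURCE = 5            # assumed limit on attempts per IP/device
SMALL_AMOUNT = 10.00          # page: test charges are typically $1-$10
SMALL_SPIKE = 6               # assumed: small auths from new accounts per window

def _evict(q, now):
    """Drop timestamps that have left the sliding window."""
    while q and now - q[0] >= WINDOW:
        q.popleft()

def screen(attempts):
    """attempts: time-ordered dicts (ts, source, amount, new_account).
    Returns (decisions, alerts): one allow/block per attempt, plus alerts."""
    per_source = defaultdict(deque)  # source -> recent attempt times
    small_new = deque()              # recent small auths from new accounts
    decisions, alerts = [], []
    for a in attempts:
        now = datetime.fromisoformat(a["ts"])
        q = per_source[a["source"]]
        _evict(q, now)
        q.append(now)                # blocked attempts still count
        if len(q) > MAX_PER_SOURCE:
            decisions.append("block")
            if len(q) == MAX_PER_SOURCE + 1:   # alert once per burst
                alerts.append(("velocity", a["source"]))
            continue
        decisions.append("allow")
        if a["amount"] <= SMALL_AMOUNT and a["new_account"]:
            _evict(small_new, now)
            small_new.append(now)
            if len(small_new) == SMALL_SPIKE:
                alerts.append(("small_dollar_cluster", a["ts"]))
    return decisions, alerts

def sample_attempts():
    """Constructed authorization log (documentation IPs, no real data)."""
    t0 = datetime(2024, 1, 1, 12, 0)
    row = lambda dt, src, amt, new: dict(ts=(t0 + dt).isoformat(), source=src, amount=amt, new_account=new)
    rows = [row(timedelta(minutes=i), "203.0.113.7", 1.00, True) for i in range(8)]
    rows += [row(timedelta(hours=3, minutes=5 * i), f"198.51.100.{i + 1}", 2.00, True) for i in range(6)]
    rows.append(row(timedelta(hours=3, minutes=12), "192.0.2.10", 84.50, False))
    return sorted(rows, key=lambda r: r["ts"])

if __name__ == "__main__":
    decisions, alerts = screen(sample_attempts())
    print(decisions.count("block"), "blocked;", alerts)
```

In the sample, the second wave uses one attempt per IP, so the per-source limit never fires and only the small-dollar counter raises it.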
Frequently Asked Questions
What makes 4840 different from Mastercard 4837 (No Cardholder Authorization)?
Code 4837 covers a single unauthorized transaction. Code 4840 is specifically about a pattern — multiple fraudulent transactions processed on a compromised account, often by the same merchant or a connected set of merchants. Code 4840 implies the merchant knew or should have known about the fraud and continued processing, or that the merchant's systems are implicated in the card compromise itself.
Can a merchant receive a 4840 chargeback for a transaction that was authorized?
Yes. An authorization approval does not protect you from a 4840 chargeback. The issuer is asserting that the authorized transaction was part of a fraudulent pattern. Authorization confirms the card was valid and funds were available at that moment — it does not confirm the cardholder authorized the transaction or that the transaction was legitimate.
What is the time limit for a Mastercard 4840 chargeback?
The cardholder has 120 days from the transaction date to file a Mastercard 4840 dispute. Your acquirer will notify you and you typically have 45 days to respond to a first chargeback, though your processor may impose a shorter internal deadline.
If my business was the victim of card testing, will I still get 4840 chargebacks?
Yes. If fraudsters used your checkout to test stolen card numbers (card testing attacks), the legitimate cardholders whose numbers were tested will file chargebacks. These can be coded as 4840 when a pattern is identified. Even though you were also a victim, the chargebacks still stand unless you can prove cardholder authorization. The best response is to demonstrate you have implemented fraud controls (velocity checks, CAPTCHA, bot detection) to prevent recurrence.