Visa Reason Code 10.4: How to Fight Fraud Chargebacks and Actually Win

You spend 45 minutes building your dispute response. Delivery confirmation. Email chain. IP address logs. Screenshots of the order confirmation. You package it all up into a clean PDF and submit it through your payment processor's portal.

Thirty seconds later: denied.

No explanation. No feedback. Just a lost dispute and a $20 fee on top of the refund you already gave.

If that sounds familiar, you're not doing it wrong exactly. You're doing it incompletely. And the difference is worth understanding, because Visa reason code 10.4 is the most common fraud chargeback code in ecommerce, and most merchants are fighting it with the wrong tools.

I've spent years working dispute programs on both sides of the fence. Merchant-side, helping high-volume ecommerce operations build response strategies. And inside the systems that open and review these disputes on the issuer side (the customer's bank). What I saw from that second vantage point changed how I think about every aspect of chargeback response.

Here's what I know about Visa 10.4, what actually matters in a response, and why most submissions fail before a human ever reads them.

What Is Visa Reason Code 10.4?

Visa 10.4 is classified as "Other Fraud: Card Absent Environment." In plain English, it means the customer's bank is claiming that the cardholder did not authorize the transaction. It most commonly applies to online purchases where the card was not physically present.

When a bank files a 10.4 dispute, they are telling your payment processor (your acquirer) that their customer says they did not make this purchase. The bank has provisionally reversed the funds and is giving you an opportunity to prove they did.

Where 10.4 Fits in the Visa Reason Code System

Visa organizes its reason codes into categories. The 10.x codes cover fraud. The 11.x codes cover authorization issues. The 12.x and 13.x codes cover processing errors and customer disputes.

10.4 is distinct from 10.1 (EMV counterfeit fraud, which applies to in-person card chip transactions) and 10.2 (no card present for an in-store transaction). When you see 10.4, you are dealing with an online transaction where someone is claiming their card was used without their knowledge.

What the Customer's Bank Is Actually Claiming

This is important because merchants often misread the dispute. The bank is not saying your customer is lying. They are saying their customer reported the transaction as unauthorized, and under Visa rules, they are entitled to reverse the charge until you prove otherwise.

Sometimes it is genuine fraud, meaning someone actually stole the card. Sometimes it is friendly fraud, meaning the cardholder made the purchase and is disputing it anyway. Your response strategy is similar in both cases, but understanding the distinction matters when you decide whether a dispute is worth fighting.

Why Merchants Lose Visa 10.4 Disputes Most of the Time

The uncomfortable truth is that the majority of 10.4 disputes are decided before anyone reads your PDF.

The Auto-Adjudication Problem

At any meaningful volume, banks do not staff human reviewers to read every merchant dispute response. They run automated systems (software that scores and categorizes submissions based on predefined rules) that make the initial decision. If your response hits the required data fields in the expected format, it passes to the next stage. If it doesn't, it gets flagged as non-compelling and closed.

Your well-organized PDF with screenshots and delivery photos is not the problem. The problem is that the automated system may never have actually parsed it. It was looking for specific data strings, and if those weren't present and structured correctly, the rest of the submission didn't matter.

This is not a conspiracy. It is a scaling problem. Banks process millions of disputes. They cannot afford human review at that volume, so they built rules engines to handle the initial pass. Understanding this changes how you think about what to include in a response.

Submitting Evidence That Looks Good But Doesn't Work

The other common failure mode is submitting evidence that is compelling to a human but irrelevant to the system. Lengthy narrative letters. Detailed timelines. Customer service chat transcripts that show the buyer never complained. These are all reasonable things to include, but they are secondary. If you don't have the primary data fields covered, none of the supporting narrative will save you.

The evidence hierarchy for a 10.4 dispute is specific, and most merchants either don't know it or don't have access to all the pieces.

What Evidence Actually Matters for Visa 10.4

Authentication Data: The Most Important Thing in Your Response

For a card-absent fraud dispute, the single most powerful piece of evidence is payer authentication data. Specifically: whether 3D Secure (the system Visa uses to verify that the actual cardholder approved the transaction, often appearing as "Verified by Visa" prompts) completed successfully, what the outcome code was, and whether a cryptographic token was generated confirming cardholder authentication.

When 3D Secure completes successfully, liability for the transaction shifts from you to the bank. That is a Visa rule. If you have a completed 3D Secure authentication record on a 10.4 dispute, you have a very strong case and in many circumstances the dispute should not have been filed in the first place.

The problem is that most merchants do not know how to retrieve this data or where it lives. It does not automatically appear in your dispute portal. You have to request it from your payment processor specifically. Here is what to ask for:

Request your payment processor provide the 3D Secure authentication results for the transaction, including the ECI (Electronic Commerce Indicator) value, the CAVV (Cardholder Authentication Verification Value), and the transaction ID. If your processor cannot provide this, escalate. This data exists in the transaction record and you are entitled to it for dispute response purposes.

Device and Behavioral Signals

After authentication data, the next most useful evidence is device and behavioral information. This includes:

The IP address used during checkout, matched against the cardholder's known location. The device fingerprint. Whether the billing address matched the address on file with the bank (AVS match). Whether the CVV matched. Browser and session data if you have it.

None of these individually are decisive. Together they build a picture of a legitimate, authorized transaction. The key is presenting them in a structured format, not buried in a paragraph.

Order History and Delivery Confirmation

For physical goods, delivery confirmation from the carrier with the matching delivery address matters. For digital goods or services, proof that the product was accessed from a matching device or IP address is the equivalent.

Order history matters particularly if the same customer has ordered from you before without disputing. This connects directly to the next section.

Compelling Evidence 3.0: The 2023 Rule Change That Changed Everything

In April 2023, Visa introduced a significant update to how merchants can fight 10.4 disputes. It is called Compelling Evidence 3.0 (often shortened to CE3.0), and most small merchants have never heard of it.

What It Is and Who Qualifies

CE3.0 allows a merchant to dispute a 10.4 fraud chargeback by demonstrating that the same customer made at least two prior transactions with you that were not disputed. If you can show prior undisputed order history from the same cardholder, device, or IP address, Visa considers this compelling evidence that the current transaction was authorized by the same person who shopped with you before.

The qualifying conditions include: at least two prior undisputed transactions with the same device ID or IP address, at least one of which must be more than 120 days before the disputed transaction. There are specific field requirements for how this evidence must be submitted.

How to Use Prior Order History

If the customer who filed the 10.4 dispute against you has ordered from your store before, pull those transaction records immediately. Document the matching device ID, IP address, or cardholder information across the prior orders and the disputed order. Present this in your response alongside the authentication data.

CE3.0 does not guarantee a win. But it shifts the burden significantly. A bank claiming their customer did not authorize a transaction has a harder argument when you can show that the same device, from the same IP address, bought from you three times before without a complaint.

How to Structure Your Response

Step-by-Step Dispute Process

Step one: Pull the transaction record immediately and confirm the reason code is 10.4. Check your response deadline, which is typically 20 to 30 days from the date the dispute was filed. Do not wait.

Step two: Request your 3D Secure authentication data from your payment processor. Do this the same day you receive the dispute notification. Processors have their own timelines for responding to these requests and you cannot afford to lose days.

Step three: Pull your order data for the transaction. Device ID, IP address, AVS result, CVV result, billing address, delivery address, and carrier tracking.

Step four: Check for prior order history from the same customer. If CE3.0 applies, document the qualifying prior transactions.

Step five: Write a brief, structured rebuttal letter. Not a narrative. A structured summary of the data you are submitting and what each piece demonstrates. One to two pages maximum. Let the data do the work.

Step six: Compile everything into a single PDF in the order your rebuttal letter references it. Submit through your processor's dispute portal before the deadline.

What to Request From Your Processor

Many processors do not surface all available dispute data automatically. If your portal does not show 3D Secure results, contact your processor's disputes team directly and request: the full transaction authentication record, ECI value, CAVV, and any fraud screening results. If your processor cannot provide this data, that is worth escalating. Processors are required to maintain these records and they are relevant to your dispute rights.

Common Mistakes Merchants Make

Submitting the dispute response without requesting processor authentication data first. This is the biggest one. Many merchants respond with what they have in their portal rather than pulling the full transaction record.

Writing long narrative letters instead of structured data submissions. A bank reviewer, whether human or automated, is not reading your story. They are checking fields.

Missing the response deadline. Twenty days goes faster than you think. Set a calendar alert the day you receive a dispute notification.

Treating every 10.4 the same. A dispute for a $15 order from a first-time customer with no authentication data is a different calculation than a $300 order from a repeat customer with a completed 3D Secure. Know which disputes are worth fighting before you spend the time.

Not keeping records of undisputed transactions by device and IP. If you are not capturing this data today, CE3.0 is not available to you when you need it. Talk to your developer or platform about enabling device fingerprinting.

How the Bank Actually Evaluates Your Submission

When your response lands on the bank's side, here is roughly what happens. An automated system does an initial pass. It checks whether the required data fields are present, whether the format matches expected inputs, and whether the core liability question (authentication) has been addressed. If those boxes are checked, the case may pass to a human reviewer. If not, it is likely closed as non-compelling.

The human reviewer, if your case reaches one, is looking at the totality of the evidence against the Visa dispute rules. They are not judging the quality of your customer service. They are asking: does this merchant have evidence that the cardholder authorized this transaction? Authentication data answers that question directly. Everything else is supporting context.

Timelines matter too. Banks have their own internal SLAs (service level agreements, the time windows they set for reviewing and responding to cases). A response that arrives clean and complete moves faster than one that requires follow-up. Incomplete submissions are often the ones that time out against you.

Want to Skip the Guesswork?

The process above works, but it requires knowing what to request, how to format it, and what language to use when your processor pushes back on providing data.

I put together a complete chargeback playbook for merchants who want to stop losing disputes they should win. It includes step-by-step response templates for Visa 10.4 and 14 other common dispute codes, a tiered evidence checklist for each dispute type, and exact language to use when requesting authentication data from processors who don't surface it automatically.

It is available on Gumroad. If you have made it this far in this article, it was written for you.

Get the Chargeback Defense Bundle at WinTheChargeback.com

Frequently Asked Questions

What is Visa reason code 10.4? Visa 10.4 is a fraud chargeback code used when a cardholder claims they did not authorize an online transaction. It stands for "Other Fraud: Card Absent Environment" and is the most common fraud dispute code for ecommerce merchants.

How long do I have to respond to a Visa 10.4 chargeback? Typically 20 to 30 days from the date the dispute was filed, though this can vary by processor. Check your dispute notification for the exact deadline and do not wait until the last few days.

What is Compelling Evidence 3.0? Compelling Evidence 3.0 is a Visa rule introduced in April 2023 that allows merchants to fight a 10.4 fraud dispute by presenting prior undisputed transaction history from the same customer. If the same device or IP address made at least two prior undisputed purchases, that history can be used to argue the disputed transaction was also authorized.

What is the most important evidence for a Visa 10.4 response? 3D Secure authentication data. If the transaction completed with a successful authentication record, that shifts liability to the bank under Visa rules. This data must be requested from your payment processor separately and is not always available in the standard dispute portal.

Can I win a fraud chargeback if I don't have 3D Secure data? Yes, but it is harder. Without authentication data, you are relying on device signals, delivery confirmation, and order history to build your case. CE3.0 may apply if you have qualifying prior transaction history. The strength of your case depends on what data you have available.

Why do banks deny dispute responses so quickly? Most banks use automated systems to handle the initial review of dispute responses at volume. These systems check for specific data fields and formats. If the primary evidence is missing or not structured correctly, the submission may be closed automatically without human review.