Visa Compelling Evidence 3.0 – Introduction of VFRMP

(VFDMP as of October 14, 2023)

Online purchase volumes are at an all-time high, leading to increased instances of first-party misuse (friendly fraud). On April 15, 2023, Visa released updated rules, called Compelling Evidence 3.0 or CE3.0 for short, to help card-not-present merchants mitigate the problem of friendly fraud.

Compelling Evidence 3.0 looks to evolve the Visa dispute program by ridding the ecosystem of friendly fraud through collaborative transaction data exchange between issuer, merchant, cardholder, and acquiring parties. If a merchant provides at least two of the following evidentiary data points, the liability for a dispute will shift from the merchant to the issuer for pre-arbitration responses. These same rules apply when a merchant is using Verifi’s Order Insight® to prevent disputes, when inquiries are raised at the pre-dispute phase.

Qualification Criteria

At least two of the core data elements match between prior transactions and the disputed transaction and one of the two must be either IP address, or Device ID or Device Fingerprint.

Core Data Elements:

  • User ID
  • IP Address
  • Shipping Address
  • Device ID or Device Fingerprint

Merchants must provide a minimum of two transactions on the same payment method that settled between 120 and 365 days prior to the dispute date to serve as the link that indicates a prior, established transactional relationship exists between the cardholder and the merchant.

Merchants have two options to take advantage of the updated Compelling Evidence 3.0 rules – in the pre-dispute and post-dispute phases of the dispute cycle. With pre-dispute, merchants can use Verifi’s Order Insight to deflect first-party misuse disputes at cardholder inquiry. At post-dispute, merchants can follow the traditional pre-arbitration process to respond to disputes through their acquirer.

Clarification of Data Elements for Compelling Evidence 3.0

When providing qualification data for Compelling Evidence 3.0, Visa expects acquirers and merchants provide data elements with the following attributes:

IP address:

  • Must be the cardholder’s public IP address.
  • Must be in clear text and must not be hashed.
  • Must meet prevalent industry formats, which are currently IPV4 and IPV6.

Device ID:

  • Must be a unique identifier of the cardholder’s device, such as a device serial number (e.g., International Mobile Equipment Identity [IMEI]).
  • Must be at least 15 characters.
  • Must be in clear text and not hashed.

Device fingerprint:

  • Must be a unique identifier of the cardholder’s device.
  • Must be at least 20 characters.
  • Can be derived from a combination of at least two hardware and software attributes such as the operating system and its version or device model (e.g., iPhone 14.5), etc.
  • May be hashed.

Account ID:

  • Must be a unique identifier that the cardholder uses to authenticate themselves on the merchant’s e-commerce site or application.
  • Must be a value that the cardholder recognizes.
  • Must contain only one value.
  • Must be in clear text and not hashed.

Shipping address:

  • Must be the cardholder’s full shipping address, including the street address, city, state / province / region (if applicable in the cardholder’s country), postal code and country.
  • Must be in clear text and must not be hashed.

Introduction of the Visa Fraud Remedy Monitoring Program (VFRMP)

To maintain the integrity and trust of the dispute flow, all parties’ provided data and their adherence to the program will be monitored for accuracy.

On April 27, 2023, Visa released details on support for CE3.0 monitoring via the new Visa Fraud Remedy Monitoring Program (VFRMP). This program is intended to validate that the criteria mentioned about is met for data elements provided in CE3.0 eligible merchant responses. If any of the above data elements provided in response to CE3.0 eligible disputes are found to contain invalid data, they will be flagged, and the response will be deemed invalid. These updates to the Visa dispute program through Compelling Evidence 3.0 only work if all parties work together in an honest and collaborative fashion. Data accuracy is a critical component to a merchant’s success in achieving liability shift for qualifying transactions.

As of May 1, 2023, should the VFRMP identify that data submitted by a merchant be invalid or falsified, the following will apply:

  • The merchant will no longer be able receive the CE3.0 protections offered through the Card-Absent Fraud Remedy rule until the acquirer, merchant, or their service provider confirms in writing to Visa that the underlying issues have been addressed.
  • The acquirer, merchant, or their service provider will be contacted and notified of the merchant’s violation of Visa’s rules.

As of October 14, 2023 some changes will be made to the Visa Fraud Monitoring program around CE3.0.

A recap of the changes can be found here:

  • Name of Visa Fraud Remedy Monitoring Program (VFRMP) changed to Visa Fraud Dispute Monitoring Program
  • Update to the Device ID data element – clarifying language added, “Must be in clear text and not hashed”
  • Update to the Device Fingerprint data element – clarifying language added, “May be hashed”
  • Updates to the Account ID data element – referencing new language:
    • “Must contain only one value”
    • “Must be in clear text and not hashed”

Verifi has implemented monitoring to support merchants and partners participating in Order Insight for CE3.0 Systematic Dispute Deflection, as well, to ensure success in the program. Monitoring at the pre-dispute phase will enable all players in the ecosystem to provide and review accurate data, while allowing for illegitimate disputes to be deflected. Pre-dispute support for CE3.0 through Order Insight was released in July 2023 for general availability. Additional details can be found here.

Updated August 3, 2023