Visa Compelling Evidence 3.0 – Introduction of VFRMP

Online purchase volumes are at an all-time high, leading to increased instances of first-party misuse (friendly fraud). On April 15, 2023, Visa released updated rules, called Compelling Evidence 3.0 or CE3.0 for short, to help card-not-present merchants mitigate the problem of friendly fraud.

Compelling Evidence 3.0 looks to evolve the Visa dispute program by ridding the ecosystem of friendly fraud through collaborative transaction data exchange between issuer, merchant, cardholder, and acquiring parties. If a merchant provides at least two of the following evidentiary data points, the liability for a dispute will shift from the merchant to the issuer for pre-arbitration responses. These same rules apply when a merchant is using Verifi’s Order Insight® to prevent disputes, when inquiries are raised at the pre-dispute phase.

Qualification Criteria

At least two of the core data elements must match between the prior transactions and the disputed transaction, and one of the two must be either the IP address or the Device ID / Device Fingerprint.

Core Data Elements:

  • User ID
  • IP Address
  • Shipping Address
  • Device ID or Device Fingerprint

Merchants must provide a minimum of two transactions on the same payment method that settled between 120 and 365 days prior to the dispute date to serve as the link that indicates a prior, established transactional relationship exists between the cardholder and the merchant.

Merchants have two options to take advantage of the updated Compelling Evidence 3.0 rules – in the pre-dispute and post-dispute phases of the dispute cycle. With pre-dispute, merchants can use Verifi’s Order Insight to deflect first-party misuse disputes at cardholder inquiry. At post-dispute, merchants can follow the traditional pre-arbitration process to respond to disputes through their acquirer.

Clarification of Data Elements for Compelling Evidence 3.0

When providing qualification data for Compelling Evidence 3.0, Visa expects acquirers and merchants to provide data elements with the following attributes:

IP address:

  • Must be the cardholder’s public IP address.
  • Must be in clear text and must not be hashed.
  • Must meet prevalent industry formats, which are currently IPv4 and IPv6.

Device ID:

  • Must be a unique identifier of the cardholder’s device, such as a device serial number (e.g., International Mobile Equipment Identity [IMEI]).
  • Must be at least 15 characters.

Device fingerprint:

  • Must be a unique identifier of the cardholder’s device.
  • Must be at least 20 characters.
  • Can be derived from a combination of at least two hardware and software attributes such as the operating system and its version or device model (e.g., iPhone 14.5), etc.

Account ID:

  • Must be a unique identifier that the cardholder uses to authenticate themselves on the merchant’s e-commerce site or application.
  • Must be a value that the cardholder recognizes.

Shipping address:

  • Must be the cardholder’s full shipping address, including the street address, city, state / province / region (if applicable in the cardholder’s country), postal code and country.
  • Must be in clear text and must not be hashed.
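A pre-submission check for the qualification criteria and data-element rules above, as an added example (not Visa's, Verifi's or the article's code). The `Txn` class and its field names are hypothetical, the prior transactions are assumed to be already filtered to the same payment method, and requiring each prior transaction to meet the two-element rule on its own is this example's reading of the criteria. All sample values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

@dataclass
class Txn:
    settled: date
    user_id: str = ""
    ip: str = ""
    shipping: str = ""
    device: str = ""                  # device ID or device fingerprint
    device_is_fingerprint: bool = False

def valid_ip(value):
    # Clear text, IPv4/IPv6, public: a hash or a private-range address fails.
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False

def valid_device(txn):
    # Minimum length: 15 for a device ID, 20 for a device fingerprint.
    return len(txn.device) >= (20 if txn.device_is_fingerprint else 15)

def matched_elements(prior, disputed):
    """Core elements that are well-formed and identical on both transactions."""
    checks = {
        "user_id": bool(prior.user_id) and prior.user_id == disputed.user_id,
        "ip": valid_ip(prior.ip) and prior.ip == disputed.ip,
        "shipping": bool(prior.shipping) and prior.shipping == disputed.shipping,
        "device": valid_device(prior) and prior.device == disputed.device,
    }
    return {name for name, ok in checks.items() if ok}

def qualifies(priors, disputed, dispute_date):
    """True when at least two in-window prior transactions each match."""
    def ok(p):
        hits = matched_elements(p, disputed)
        return (120 <= (dispute_date - p.settled).days <= 365
                and len(hits) >= 2 and bool(hits & {"ip", "device"}))
    return sum(ok(p) for p in priors) >= 2

# Constructed sample data (not from the page).
DISPUTED = Txn(date(2024, 6, 1), "alice@example.com", "8.8.8.8", "", "356938035643809")
PRIORS = [Txn(date(2023, 12, 1), "alice@example.com", "8.8.8.8"),
          Txn(date(2023, 9, 15), "", "8.8.8.8", "", "356938035643809")]
DISPUTE_DATE = date(2024, 6, 10)
```

Running such a check before responding catches hashed or private IP addresses and too-short device identifiers, the kinds of invalid data the monitoring program described below flags.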

Introduction of the Visa Fraud Remedy Monitoring Program (VFRMP)

To maintain the integrity and trust of the dispute flow, all parties’ provided data and their adherence to the program will be monitored for accuracy.

On April 27, 2023, Visa released details on support for CE3.0 monitoring via the new Visa Fraud Remedy Monitoring Program (VFRMP). This program is intended to validate that the criteria mentioned above are met for data elements provided in CE3.0-eligible merchant responses. If any of the above data elements provided in response to CE3.0-eligible disputes are found to contain invalid data, they will be flagged, and the response will be deemed invalid. These updates to the Visa dispute program through Compelling Evidence 3.0 only work if all parties work together in an honest and collaborative fashion. Data accuracy is a critical component of a merchant’s success in achieving liability shift for qualifying transactions.

As of May 1, 2023, should the VFRMP identify that data submitted by a merchant is invalid or falsified, the following will apply:

  • The merchant will no longer be able to receive the CE3.0 protections offered through the Card-Absent Fraud Remedy rule until the acquirer, merchant, or their service provider confirms in writing to Visa that the underlying issues have been addressed.
  • The acquirer, merchant, or their service provider will be contacted and notified of the merchant’s violation of Visa’s rules.

Verifi is also implementing monitoring to support merchants and partners participating in Order Insight for CE3.0 Systematic Dispute Deflection, to ensure success in the program. Monitoring at the pre-dispute phase will enable all players in the ecosystem to provide and review accurate data, while allowing illegitimate disputes to be deflected. Additional details about data monitoring will be shared in May 2023, in anticipation of pre-dispute CE3.0 support through Order Insight.