Visa Dispute Rules Updates

The Covid Pandemic has catalyzed a sizeable shift in the digital movement of money – from a significant increase in electronic commerce to brick-and-mortar businesses switching to cashless payments; every aspect of commerce has seen a rise in the demand for electronic payment options as well as an increase in disputes/chargebacks. According to Visa, e-commerce growth was 20% per year, and person-to-person payments grew to $378 billion in 2021.

In the exchange between a merchant and an issuing bank, the request for authorization to identify trusted customers is vital to safeguarding payments in our electronic commerce environment. A few effective options are available to secure the communication between a merchant and issuing bank, including 3-D Secure (3DS), which is compulsory by statute for merchants with a merchant account issued by a European acquirer. Digital wallets and tokenization of Payment Account Numbers (PAN) on the gateway are two other options that work to safeguard cardholder data and maintain the integrity of the payments network.

Visa has made enhancements to the data exchange to support and promote the security of the authorization request message. These enhancements include modifying the dispute rules and creating a card-not-present (CNP) dispute remedy.

Effective April 15, 2023, disputes that are processed on or after this date, Dispute Condition 10.4 – Other Fraud – Card-Absent Environment and Dispute Condition 13.2 – Cancelled Recurring Transaction will include the following remedies:

10.4. These disputes can be remedied by providing evidence of all the following: A description of the merchandise or services provided, history of the same PAN listed in the dispute being used in at least two previous transactions that have not been reported as fraud, and were processed more than 120 days before the dispute processing date, the device ID, device fingerprint, or the IP address and an additional one or more of the following for both the disputed transaction and undisputed transaction for more than 120 days before the date of the dispute in question: customer account/login ID, delivery address (for physical products), device ID or device fingerprint, and IP address.

If you can provide any of the combinations of the items listed above, the issuing bank will not be allowed to continue the dispute.

For example, let’s say you run a membership site, and you have a member who signed up in June 2022, and now it’s December 2022, and he just noticed that he’d been charged $24.95 per month for the last seven months. He forgot to cancel his membership, and instead of calling you, he calls his credit card company and tells them, “It wasn’t me.” The credit card company will issue a dispute under dispute condition 10.4, and you will receive a chargeback.

From here, effective April 15, all you’ll need to do is log into your customer relationship manager (CRM) software and pull the device ID, device fingerprint or the IP address, and at least one of the following: customer account/login ID, delivery address, device ID/device fingerprint (if you didn’t already include it), or the IP address (if you didn’t already include it). Of course, the more information you provide, the better – especially if the information from the older transaction is identical to the information on the disputed transaction.

If you can prove that this cardholder signed up with you at least four months before the date of the dispute in question and has not disputed the older transactions, the issuing bank cannot proceed with the dispute.

Dispute Condition 13.2 – Cancelled Recurring Transaction. This is when a cardholder calls their bank instead of the service he subscribed to and notifies his bank that he attempted or requested to cancel his subscription but was billed the following month anyway. We’ve all seen those, and mysteriously, there is no e-mail chain, support ticket, or incoming phone call for this cardholder anywhere to be found. Visa has seen an increase in this practice over the last two years, too.

Effective April 15, the issuer will be required to provide the details of when and how the cardholder contacted the subscription service to cancel his membership. This requirement will help tremendously with the misuse of Dispute Condition 13.2 and align it closer to its original intention when it was created.

Disputes that are processed on or after April 15 under Condition Code 13.2 must include the following information from the issuing bank: certification that the cardholder withdrew permission for membership renewals to be charged to this card, the date the cardholder withdrew authorization, and the specific method the cardholder used to contact the merchant such as an e-mail address, telephone number, or physical address.

The dispute must stop if the cardholder or issuing bank cannot provide this information.

It’s not often that the card brands do something in favor of the merchants, but this is a step in the right direction. However, just because the rules have changed in the merchant’s favor doesn’t mean we should be less vigilant or relax our standards. The data retention timeframe is defined as 120 days. Still, I recommend holding on to all the specifics of a transaction, such as IP address, device ID, username and password, etc., for a minimum of 180 days. When it comes to dispute responses, the more information you can provide in support of the validity of your sale, the better chance you have of winning that dispute.

Another excellent tool is a suite of chargeback prevention systems that are easily integrated and operate in the background of your business. Order Insight, for example, provides a real-time description of what was purchased to the issuing bank and cardholder. This API-driven system can stop a dispute before it even gets started, and we’ve seen tremendous success with it, and the other dispute prevention services we offer. Drop us a line if you want to learn more about stopping chargebacks before they happen. We’re always happy to help.