The Liability-Shift Playbook
How to tell which chargebacks are liability-shift eligible under Visa Compelling Evidence 3.0 and Mastercard First-Party Trust — and stop losing the ones you should win.
You're sending evidence to a rulebook that retired.
Most Shopify merchants fight chargebacks the same way they did in 2018: attach the tracking number, paste the customer's order confirmation, write a paragraph explaining the product was delivered, and hope. That's the legacy representment model — and for first-party fraud (the "I don't recognize this charge" disputes), it loses far more than it wins.
Here's the part nobody tells you: the card networks built entirely new programs to handle exactly these disputes — and those programs don't reward a good paragraph. They reward specific, structured evidence that matches a precise rulebook. Send the right data and liability legally shifts to the issuer. Send a tracking number, and you're playing a game that no longer exists.
Fightable means you're allowed to respond. Liability-shift eligible means the network's own rules force the issuer to eat the loss if you supply the qualifying evidence. Every merchant fights. Almost none check eligibility first — so they fight disputes they can't win and fumble the ones they could.
Why this is getting worse, not better
First-party fraud — friendly fraud, where a real customer disputes a charge they actually made — is the fastest-growing category of chargebacks. The networks know it. That's why Visa and Mastercard each shipped a dedicated program to let merchants push back with hard evidence. The merchants who learn the rules win. The merchants who keep attaching tracking numbers subsidize everyone else.
This playbook gives you the two rulebooks in plain language, plus a five-minute test you can run on your next dispute to know — before you spend an hour writing — whether it's winnable, and how.
Don't argue the dispute. Disqualify it.
A normal representment argues: "we believe this charge was legitimate, here's why." A liability-shift submission does something colder and more effective — it demonstrates that, under the network's published criteria, this transaction no longer qualifies as fraud at all. The issuer isn't being persuaded; they're being shown a rule.
Both Visa and Mastercard built this around one insight: a genuine fraudster doesn't have a history with you. If the same person who's disputing this charge has bought from you before, from the same device, same IP, shipping to the same address — that's not card-absent fraud. It's a customer with buyer's remorse, a forgotten subscription, or a family member's purchase. The evidence of relationship is what shifts liability.
The two programs you need to know
They solve the same problem on different networks, with different rules. The single most valuable habit you can build is a 30-second triage at the top of every dispute: which network, which reason code, which program — if any? Get that right and everything downstream gets easier. The next two pages give you each rulebook; the page after that turns them into a test.
No tool — including DisputeDesk — can guarantee a liability shift. The issuer makes the final call. What you can control is whether your evidence actually meets the criteria before you submit. That's the entire game, and it's almost entirely winnable with discipline.
CE 3.0 vs. First-Party Trust
Tape this to your wall. Before you write a single word of evidence, find your dispute in this table.
| Visa CE 3.0 | Mastercard FPT | |
|---|---|---|
| Network | Visa only | Mastercard only |
| Trigger reason code | 10.4 — Other Fraud, Card-Absent | 4837 / 4863 — first-party fraud |
| Needs prior transactions? | Yes — at least 2 undisputed priors | No — a brand-new customer can qualify |
| The time window | Priors must fall 120–365 days before the disputed order | Not prior-dependent |
| The core test | 2+ matching data points across orders, with at least one being IP or device | Evidence across all three categories: Device, Delivery, Identity |
| Region | Global | US (2024) · rolling out to more markets (2025+) |
| Shortcut | 3DS / Visa Secure authenticated orders are auto-qualified | Strong device + identity signals can carry a new customer |
Notice the asymmetry: CE 3.0 wins disputes from returning customers (it needs the prior orders), while FPT can win disputes from brand-new ones (it doesn't). Run both checks and between them you cover most friendly-fraud disputes that land in your queue.
Compelling Evidence 3.0, in plain English
CE 3.0 applies to exactly one reason code: Visa 10.4 (Other Fraud — Card-Absent Environment), the most common card-not-present fraud code. If your dispute isn't Visa 10.4, CE 3.0 is off the table — go check FPT instead. If it is, here is the test, in order.
Find two prior undisputed orders from the same cardholder
The same customer must have bought from you at least twice before, and those orders must not themselves have been disputed.
Confirm those priors fall in the 120–365 day window
The qualifying prior orders must be at least 120 days old but no more than 365 days before the disputed transaction. Too recent or too old and they don't count.
Match at least two data points — one of them an anchor
Across the disputed order and the priors, at least two of {IP address, device fingerprint, shipping address, customer account ID} must match — and at least one must be IP or device. That's the anchor requirement, and it's where most "obvious" cases quietly fail.
Since October 17, 2025, any transaction authenticated with Visa Secure (3DS2) or Visa Data Only is automatically pre-qualified for CE 3.0 — no priors, no matching packet required. The catch: from April 17, 2026, Visa charges a per-qualification fee on successful auto-qualifications. Net: turning on 3DS is still one of the highest-leverage things you can do, but know the fee exists.
First-Party Trust, in plain English
FPT covers Mastercard first-party-fraud disputes — most commonly reason codes 4837 (No Cardholder Authorization) and 4863 (Cardholder Does Not Recognize). Unlike CE 3.0, it does not require prior transactions, which means it can win disputes for brand-new customers. The trade-off: you must show evidence across all three categories.
The three categories — you need strength in each
- Device — the signals that identify the machine and connection used: device fingerprint, IP address, user agent, login state at checkout.
- Delivery — proof the goods or services reached the cardholder: tracking with delivery confirmation, delivery address consistency, access logs for digital goods.
- Identity — proof the buyer is who the account says: account age, login history, AVS / CVV match, email and phone on file, purchase history.
An empty category sinks the submission — strong Device and Delivery won't save you if Identity is blank. FPT rewards breadth, where CE 3.0 rewards matched priors.
FPT went live in the US in Oct 2024 and has been rolling out to additional markets since 2025 (Canada, parts of LATAM and APAC); it is not yet available in the EU. A perfect evidence package in an ineligible region still loses — region is a gate, not a tiebreaker, so confirm your market first.
The five-minute eligibility test
Before you write anything, walk these five gates in order. The first "no" tells you exactly where you stand — and saves you from fighting a dispute you can't win.
Which network?
Visa → check CE 3.0 (gate B). Mastercard → check FPT (gate D). Amex / other → liability shift doesn't apply; fall back to a strong standard representment.
Visa: is the reason code 10.4?
Yes → continue to C. No → CE 3.0 is out; build the best standard rebuttal you can, speaking the specific reason code's language (e.g. 13.1 Merchandise Not Received needs delivery proof).
Visa 10.4: priors + match + anchor?
2 undisputed priors in the 120–365 day window, 2+ matching data points, at least one IP or device? Yes → CE 3.0 eligible. Authenticated via 3DS? Auto-qualified — skip the priors entirely.
Mastercard: eligible code + region?
Reason code 4837 / 4863 and your market is FPT-live (US plus expanding markets)? Yes → continue to E. No → standard representment.
FPT: evidence in all three categories?
Non-trivial Device and Delivery and Identity evidence? Yes → FPT eligible. Any category empty → gather it first, or fall back to standard.
An eligible dispute submitted with qualifying evidence isn't a coin flip — it's the issuer being shown their own rule. That's the difference between a ~stable single-digit win rate on friendly fraud and a materially higher one. Eligibility is the leverage.
The evidence you should be capturing today
Here's the catch with both programs: you can't go back and collect IP, device, and session data for an order that already happened. Eligibility for future disputes is built by what you capture now. The merchants with high qualification rates didn't get lucky — they started logging the right signals before the disputes arrived.
- IP address per order — the most common anchor for CE 3.0 matching.
- Device fingerprint & user agent — the second anchor, and an FPT Device signal.
- Login state & account ID at checkout — ties the order to a known customer.
- Delivery confirmation, not just tracking — "shipped" isn't "delivered."
- AVS / CVV results & account age — the backbone of FPT Identity.
Five mistakes that cost merchants winnable disputes
- Fighting everything. Submitting on ineligible disputes burns time and can hurt your win-rate metrics. Triage first.
- Missing the anchor. Two matching data points that are both address fail CE 3.0 — you need IP or device.
- Treating "shipped" as "delivered." A tracking number without delivery confirmation is a weak Delivery signal.
- Generic reason-code language. "The customer claims they didn't receive it" is weaker than citing the exact code and proof.
- Leaving an FPT category empty. Breadth wins FPT; one blank category sinks an otherwise strong case.
You now know more about liability shift than most merchants — and most agencies.
The hard part isn't understanding the rules. It's running the five-minute test on every dispute, every time, while you're also running a business. That's the part worth automating.
DisputeDesk is the only Shopify-native tool that checks each dispute against the CE 3.0 and FPT rulebooks automatically — it tells you, per dispute, whether it qualifies and exactly why, then builds the formatted evidence package. We're transparent about what we send and honest about what we can't: you submit the finished pack via Shopify Admin, the issuer still decides, and we don't claim otherwise.
Run this on your real disputes — automatically.
DisputeDesk checks every Shopify dispute against the CE 3.0 and FPT rulebooks for you, tells you which ones qualify and why, then builds the evidence pack. Free to install. No credit card to start.
Free plan available · install in ~10 minutes · the issuer always decides — we're honest about that.