
Unauthorized Purchase Chargebacks on Shopify: What to Check Before You Submit

Most unauthorized purchase chargebacks are lost before the issuer evaluates the evidence. Here's what Visa 10.4 and Mastercard 4837 actually require, how to read the authorization-evidence stack, and when to concede instead of fight.

DisputeDesk Editorial

May 9, 2026

You can lose before the issuer ever reads your evidence

Unauthorized purchase chargebacks are more often lost to operational failures than to missing evidence. The merchant who shipped a $500 order with AVS Y, CVV match, and delivery confirmation — and still lost — didn't lose because the evidence was missing. They lost because the evidence didn't close the gaps the issuer was actually looking at.

Before you touch the response form in Shopify Admin, pull up the order and check four things: the fraud analysis flags, the AVS/CVV results stored under Payment Details, the fulfillment record including the shipping address used, and any customer communication logged in the order notes. If any of those are thin or missing, the evidence package you're about to submit has a structural problem that no cover letter fixes. Shopify Protect status — PROTECTED, ACTIVE, or absent — should also be confirmed before you decide whether to fight or accept. If the order is PROTECTED, Shopify absorbs the loss and a response isn't required from you.

Visa 10.4 and Mastercard 4837: what each network actually requires

Both reason codes mean the cardholder claims they didn't authorize the transaction. The network rules diverge on what you need to rebut them.

Visa reason code 10.4 — Card Not Present Fraud — requires you to show that the transaction was authorized and that you followed Visa's card-not-present acceptance procedures. In practice, Visa's rules give significant weight to 3D Secure authentication. If you have a fully authenticated 3DS result (ECI 05 for Visa), liability shifts to the issuer and the chargeback should not survive — Visa's rules prohibit the issuer from filing 10.4 on a fully authenticated transaction. If you have an attempted authentication (ECI 06), you have partial protection but the issuer can still file. No 3DS at all, and you're arguing on evidence alone. Visa also expects you to show that AVS was checked and that you acted on the result — shipping to an address that didn't match AVS without documentation of why you proceeded is a liability, not a neutral fact.

Mastercard reason code 4837 — No Cardholder Authorization — operates similarly but with different documentation expectations. Mastercard places more explicit weight on whether the transaction was processed with a valid authorization code and whether you can show the card data was entered by someone with access to the account. A fully authenticated 3DS result (ECI 02 for Mastercard) also shifts liability. Without 3DS, Mastercard expects you to demonstrate that the transaction data matched the cardholder's profile — billing address, device, behavioral history — and that you had reasonable grounds to believe the cardholder authorized it. Mastercard's rules also allow issuers to file 4837 even when AVS matched, so don't treat AVS Y as a network-level defense on its own.

The practical difference: on Visa 10.4, your strongest single defense is a fully authenticated 3DS result. On Mastercard 4837, the bar is slightly more holistic — Mastercard wants to see a pattern of authorization signals, not one silver bullet. In both cases, if you don't have 3DS, you're building a case from layered circumstantial evidence, and every gap in that layer is a point the issuer can use against you.

The authorization-evidence stack: what each signal proves and where it fails

Six signals appear most often in unauthorized purchase responses. None of them proves authorization alone. Here's what each one actually does and doesn't establish.

AVS (Address Verification Service). AVS Y confirms the billing address the cardholder provided at checkout matched the address on file with the issuer. It does not prove the cardholder typed that address — a fraudster with access to billing information passes AVS Y cleanly. Use AVS Y as a corroborating signal, not a standalone defense. AVS mismatch is worse than neutral: if AVS returned a partial match or no match and you shipped anyway without documentation, the issuer will treat that as evidence you ignored a fraud signal.

CVV/CVC match. CVV confirms the person at checkout had physical or digital access to the three- or four-digit security code. It's a meaningful signal because CVV is not stored on the magnetic stripe and shouldn't be in data breaches — but card-not-present fraud increasingly involves phishing and account compromise where the fraudster has the full card number, expiry, and CVV. CVV match is useful as part of a stack; alone it proves very little to an issuer who knows how card data is stolen.

3D Secure authentication. This is the strongest single signal in the stack. A fully authenticated 3DS result (ECI 05 Visa / ECI 02 Mastercard) shifts liability to the issuer and blocks the chargeback at the network level. An attempted authentication (ECI 06 Visa / ECI 01 Mastercard) provides partial protection. No 3DS means you're arguing on everything else. If you're not running 3DS on high-AOV transactions, you're absorbing liability that the network would otherwise transfer to the issuer.

IP address. IP address match suggests the transaction originated from a location associated with the cardholder. Issuers dismiss this when proxies or VPNs are plausible — and they're always plausible in card-not-present fraud. IP is useful as supporting context when it's consistent with prior purchase behavior from the same account. A single IP match on a first-time order proves almost nothing.

Device fingerprint. Device fingerprinting captures browser, OS, screen resolution, and other attributes to create a consistent identifier across sessions. If the disputed transaction came from the same device fingerprint as five previous orders on the same account, that's meaningful behavioral evidence. If it came from a device fingerprint that had never touched the account before, that's a red flag you should have caught pre-fulfillment. Device fingerprint data needs to be captured and stored at transaction time — it's not retroactively available from Shopify Admin.

Behavioral signals. Behavioral signals include the time between account creation and purchase, the number of items added to and removed from the cart, typing cadence on checkout fields, and whether the session followed a normal browsing path. These are typically captured by fraud platforms layered on top of Shopify (Signifyd, NoFraud, Kount) rather than by Shopify natively. If you have a fraud platform generating a transaction score and a recommendation, include that output in your evidence package — it shows the issuer you ran a documented risk assessment before fulfilling.

The pattern: each signal proves something adjacent to authorization. Stack them to build a picture of a cardholder who was present, consistent, and engaged — not just a transaction that passed basic checks.
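The weighting described above can be made mechanical. The following is an added example written for this article, not DisputeDesk's or Shopify's code: it takes a constructed order record (the field names such as `eci`, `avs`, `avs_override_note`, `device_seen_on_prior_orders` and `fraud_platform_score` are assumptions for the example, not Shopify Admin's schema) and applies the caveats from each signal: 3DS is the only signal that shifts liability, an AVS mismatch shipped without a written reason is counted against you rather than ignored, IP and device only count when they match the account's prior orders, and a new device on an established account is recorded as a gap. The two sample orders mirror the $500 apparel case and the $180 accessory case discussed below, with constructed values.

```python
from dataclasses import dataclass, field

# Fully authenticated and attempted ECI values per network, as stated in the article.
FULL_AUTH_ECI = {"visa": "05", "mastercard": "02"}
ATTEMPTED_ECI = {"visa": "06", "mastercard": "01"}


@dataclass
class StackResult:
    liability_shift: bool                               # full 3DS: chargeback blocked at network level
    corroborating: list = field(default_factory=list)   # signals that support authorization
    gaps: list = field(default_factory=list)            # points the issuer can use against you


def evaluate_stack(order: dict, network: str) -> StackResult:
    """Weigh the six evidence signals; none proves authorization alone.
    `order` is a constructed record whose field names are assumptions for this example."""
    network = network.lower()
    eci = order.get("eci")
    res = StackResult(liability_shift=False)

    # 3D Secure: the only signal that shifts liability outright. Attempted auth is partial.
    if eci == FULL_AUTH_ECI.get(network):
        res.liability_shift = True
        res.corroborating.append(f"3ds_full_auth (ECI {eci})")
    elif eci == ATTEMPTED_ECI.get(network):
        res.corroborating.append(f"3ds_attempted (ECI {eci}); issuer can still file")
    else:
        res.gaps.append("no_3ds: case rests on circumstantial evidence")

    # AVS: Y corroborates; a partial/no match shipped without a written reason is a liability.
    avs = (order.get("avs") or "").upper()
    if avs == "Y":
        res.corroborating.append("avs_match (corroborating only)")
    elif order.get("avs_override_note"):
        res.corroborating.append(f"avs_{avs or 'missing'} documented: {order['avs_override_note']}")
    else:
        res.gaps.append(f"avs_{avs or 'missing'} shipped without documentation")

    # CVV: meaningful in the stack, proves little alone.
    if order.get("cvv_match"):
        res.corroborating.append("cvv_match (weak alone)")
    else:
        res.gaps.append("cvv_not_matched_or_not_checked")

    # IP: supporting context only when it matches this account's prior orders;
    # a lone IP match on a first-time order is deliberately not counted.
    if order.get("ip_seen_on_prior_orders"):
        res.corroborating.append("ip_consistent_with_prior_orders")

    # Device fingerprint: behavioural evidence when it matches prior orders,
    # a red flag when an established account suddenly appears on a new device.
    if order.get("device_seen_on_prior_orders"):
        res.corroborating.append("device_consistent_with_prior_orders")
    elif order.get("prior_order_count", 0) > 0 and order.get("device_fingerprint"):
        res.gaps.append("new_device_on_established_account (should have been caught pre-fulfillment)")

    # Fraud-platform output documents that a risk assessment was run before fulfilment.
    if order.get("fraud_platform_score") is not None:
        res.corroborating.append(f"documented_risk_assessment (score {order['fraud_platform_score']})")

    return res


# Constructed sample orders (values are illustrative, not real transaction data).
APPAREL_ORDER = {
    "amount": 500, "eci": None, "avs": "Y", "cvv_match": True,
    "prior_order_count": 0, "device_fingerprint": "fp-constructed-1",
    "ip_seen_on_prior_orders": False, "device_seen_on_prior_orders": False,
    "fraud_platform_score": None,
}
ACCESSORY_ORDER = {
    "amount": 180, "eci": None, "avs": "Z",  # ZIP matched, street did not
    "avs_override_note": "ZIP matched; shipping address used on prior order",
    "cvv_match": True, "prior_order_count": 3, "device_fingerprint": "fp-constructed-2",
    "ip_seen_on_prior_orders": False, "device_seen_on_prior_orders": True,
    "fraud_platform_score": 0.91,
}

if __name__ == "__main__":
    for name, order, net in (("apparel", APPAREL_ORDER, "visa"), ("accessory", ACCESSORY_ORDER, "mastercard")):
        r = evaluate_stack(order, net)
        print(name, net, "liability_shift:", r.liability_shift)
        print("  corroborating:", r.corroborating)
        print("  gaps:", r.gaps)
```

Run as a script, the apparel order comes back with two corroborating signals and a single gap (no 3DS), which is exactly the shape of the losing package described below; the accessory order has the same gap but four corroborating signals, including the documented AVS override. Swapping `eci` to `"05"` on the apparel order flips `liability_shift` for Visa but not for Mastercard, where the fully authenticated value is `"02"`.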

The $500 apparel order that had everything and still lost

An apparel merchant with a $250 average order value received a $500 order on January 5th. AVS returned Y. CVV matched. The order shipped January 6th. Delivery confirmation came back January 8th. The customer had received an order confirmation email. On paper, this looked like a clean transaction.

The chargeback arrived January 15th — unauthorized purchase. The merchant pulled the evidence: AVS result, CVV match, delivery confirmation, the order confirmation email. Response submitted January 20th. Dispute decision came February 10th. Cardholder won.

The loss wasn't about missing documents. The merchant had documents. The problem was that nothing in the evidence package proved the cardholder authorized the transaction or physically received the goods. The order confirmation email proved the email address received a notification — not that the account holder placed the order. Delivery confirmation proved the package arrived at the address — not that the cardholder was there. AVS Y proved the billing address matched — not that the cardholder used the card.

The fraud analysis in Shopify Admin had flagged the order as medium risk. The merchant had shipped anyway without logging a manual review decision or documenting why the risk flags were acceptable. That gap — no documented manual review, no explanation for why a medium-risk order was fulfilled without additional verification — left the issuer with no reason to override the cardholder's claim.

A stronger response would have included: the fraud analysis output with a written explanation of why the risk signals were reviewed and accepted; documented customer communication beyond the auto-generated confirmation email (a reply, a support interaction, anything showing the account holder engaged with the order); and evidence of consistent purchase behavior from this customer — prior orders, same shipping address, same device. None of that was in the file.

Decision lesson: A case with AVS Y, CVV match, and delivery confirmation is fightable if you can show the cardholder engaged with the order beyond the transaction itself. Without that — a reply email, a prior order, a support ticket — the evidence proves fulfillment, not authorization. Issuers know the difference.

The $180 electronics accessory order that won on behavioral evidence alone

A consumer electronics accessories merchant — average order value $90 — received a $180 order for two items. AVS returned a partial match (ZIP matched, street address didn't). CVV matched. No 3DS. Shopify's fraud analysis flagged the order as high risk. The merchant's fraud platform (Signifyd) returned a guarantee on the order, meaning Signifyd had assessed the behavioral signals and accepted liability. The merchant shipped.

Chargeback arrived 22 days later — Mastercard 4837. The merchant's response included: the Signifyd guarantee letter with the transaction score and the behavioral signals that drove the guarantee decision (device fingerprint consistent with three prior orders on the same account, session behavior consistent with a returning customer, shipping address used on a previous order six weeks earlier); the prior order history showing the same shipping address; a customer service email exchange from the prior order where the cardholder had replied from the same email address; and the partial AVS result with a written note explaining that the ZIP match combined with the prior order history was the basis for fulfillment despite the street address mismatch.

Dispute decision: merchant won. The issuer had a documented risk assessment, behavioral evidence of a returning customer, and a prior communication showing the account holder was real and engaged. The partial AVS result — which looked like a liability — was neutralized by the prior order history showing the same address had been used successfully before.

Decision lesson: A fraud platform guarantee doesn't win disputes by itself, but the behavioral data behind the guarantee decision does. If you're using Signifyd, NoFraud, or a similar platform, the transaction score and the signals driving it are evidence — include them. And prior order history from the same account is one of the strongest signals you can put in front of an issuer on an unauthorized claim.

Friendly fraud vs. true fraud: reading the signal pattern

Not every unauthorized purchase claim is a stranger using a stolen card. A meaningful share — estimates vary, but industry data consistently puts it above 40% of unauthorized claims — is friendly fraud: the cardholder authorized the transaction and is now denying it. The evidence pattern is different, and so is the right response strategy.

True fraud signals: first-time customer with no prior account history; shipping address different from billing address with no prior use of that shipping address; device fingerprint not previously associated with the account; transaction placed at an unusual hour with no browsing history preceding checkout; multiple high-value items in a single order; expedited shipping selected. When you see this cluster, the cardholder's claim is probably legitimate. The question is whether your pre-fulfillment controls should have caught it.

Friendly fraud signals: established customer with multiple prior orders; shipping address matches billing address or a previously used address; device fingerprint consistent with prior sessions; customer contacted support after the order (tracking inquiry, delivery question); order placed during normal hours with a browsing session preceding checkout; single item at or near the customer's typical spend level. When you see this cluster, fight the dispute. The cardholder's behavior pattern contradicts the claim of no authorization.

The mixed case — a returning customer whose account was compromised — is the hardest to read. An account-takeover (ATO) attack will show a returning customer's history but a new device fingerprint, a new shipping address, and often a higher-than-typical order value. If you see a returning customer with a sudden change in device, address, and spend level, treat it as probable ATO and consider whether the order should have been held for verification. If you already shipped, the dispute is likely legitimate — concede it and focus on tightening your ATO detection.

When to concede instead of fight

Not every unauthorized purchase chargeback is worth the response time. Three situations where conceding is the right call:

Low-AOV unauthorized claims with thin evidence. If the disputed amount is under $50 and you don't have 3DS authentication or prior customer history, the cost of assembling and submitting a response often exceeds the recovery value — especially when win probability is low. Set a floor: if the order is below your response-cost threshold and the evidence stack is weak, accept the chargeback and move on.

Repeat-customer unauthorized claims with a new device and new address. This is the ATO pattern. The cardholder's account was compromised, a fraudster placed the order, and the real cardholder is now disputing it. Your prior order history with this customer doesn't help you here — it helps the cardholder prove their account was targeted. Concede, flag the account for review, and check whether other recent orders from the same account need to be proactively refunded before more chargebacks arrive.

Orders where Shopify's fraud analysis flagged high risk and you shipped without documentation. If the fraud analysis returned high risk, you fulfilled anyway, and you have no documented manual review decision explaining why — you have no credible story for the issuer. Submitting a response without that documentation often makes the case worse, not better, because it draws attention to the gap. Concede, document the fulfillment decision gap internally, and fix the pre-fulfillment review process.
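The signal clusters from the previous section and the three concede rules above fit together into one decision routine. The code below is an added example for this article, not DisputeDesk's or Shopify's code. The `Claim` fields, the 1.5x spend multiplier used for "higher than typical", and the $50 floor (taken from the article's own example threshold) are assumptions for the example; a real deployment would set them from its own order history and response cost. `classify_pattern` reads the cluster as true fraud, friendly fraud, or probable account takeover, and `recommend` applies the concede rules before deciding whether the pattern is worth fighting.

```python
from dataclasses import dataclass

# The article's example floor; tune to your own response cost.
RESPONSE_COST_FLOOR = 50.0
# "Higher than typical" spend for the ATO pattern; multiplier is an assumption for this example.
ATYPICAL_SPEND_MULTIPLIER = 1.5


@dataclass
class Claim:
    """One unauthorized-purchase claim as a constructed record.
    Field names are assumptions for this example, not Shopify or DisputeDesk schema."""
    amount: float
    prior_orders: int               # completed orders on this account before the disputed one
    typical_spend: float            # this customer's usual order value (0 if no history)
    ship_to_known_address: bool     # shipping address matches billing or a previously used address
    device_known: bool              # device fingerprint seen on prior sessions of this account
    post_order_contact: bool        # tracking inquiry, support ticket or reply email after the order
    has_3ds: bool                   # fully authenticated 3DS result on file
    fraud_risk: str                 # Shopify fraud analysis: "low" | "medium" | "high"
    manual_review_logged: bool      # written decision for why a flagged order was fulfilled


def classify_pattern(c: Claim) -> str:
    """Read the signal cluster: 'true_fraud', 'friendly_fraud' or 'probable_ato'."""
    if c.prior_orders == 0:
        # First-time customer: stranger-with-a-stolen-card unless the address lines up
        # and the account holder engaged with the order afterwards.
        if c.ship_to_known_address and c.post_order_contact:
            return "friendly_fraud"
        return "true_fraud"
    # Returning customer: a sudden change of device, address AND spend is the ATO pattern.
    atypical_spend = c.typical_spend > 0 and c.amount > ATYPICAL_SPEND_MULTIPLIER * c.typical_spend
    if not c.device_known and not c.ship_to_known_address and atypical_spend:
        return "probable_ato"
    return "friendly_fraud"


def recommend(c: Claim, floor: float = RESPONSE_COST_FLOOR) -> tuple:
    """Return ('fight' | 'concede', reason), applying the three concede rules first."""
    pattern = classify_pattern(c)
    if c.amount < floor and not c.has_3ds and c.prior_orders == 0:
        return "concede", "low-AOV claim with thin evidence: response cost exceeds recovery value"
    if pattern == "probable_ato":
        return "concede", "ATO pattern: prior history helps the cardholder, not you; review the account"
    if c.fraud_risk == "high" and not c.manual_review_logged:
        return "concede", "high-risk flag fulfilled without a documented review: no credible story"
    if pattern == "friendly_fraud":
        return "fight", "behaviour pattern contradicts the no-authorization claim"
    if c.has_3ds:
        return "fight", "fully authenticated 3DS shifts liability to the issuer"
    return "concede", "true-fraud pattern without 3DS: claim is probably legitimate"


# Constructed claims shaped like the article's two cases plus an ATO example.
ACCESSORY_CLAIM = Claim(180, 3, 90, True, True, True, False, "high", True)
APPAREL_CLAIM = Claim(500, 0, 0, False, False, False, False, "medium", False)
ATO_CLAIM = Claim(400, 6, 80, False, False, False, False, "medium", False)

if __name__ == "__main__":
    for name, claim in (("accessory", ACCESSORY_CLAIM), ("apparel", APPAREL_CLAIM), ("ato", ATO_CLAIM)):
        print(name, classify_pattern(claim), recommend(claim))
```

The accessory claim is classified as friendly fraud and recommended as a fight: the high-risk flag is neutralised by the logged review, and the returning-customer signals contradict the claim. The apparel claim (first-time customer, no contact, no 3DS) is a concede, and the ATO claim is a concede even though the account has six prior orders, for the reason the section gives: that history supports the cardholder's story, not yours.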

The retrieval-window trap: data that disappears before you need it

Chargeback responses are assembled weeks or months after the transaction. Several categories of evidence have expiration windows that most merchants don't account for until the data is already gone.

Carrier signature scans are the most common casualty. Many carriers retain proof-of-delivery signature images for 30 to 90 days before archiving or deleting them. If the chargeback arrives at day 45 and you request the signature scan at day 60, it may no longer exist. Pull and save carrier signature scans for any high-AOV order at the time of delivery confirmation — not when the dispute arrives.

Customer service message threads get archived or deleted when support platforms rotate storage. If a customer replied to an order confirmation, asked a tracking question, or contacted support about the order, that communication is evidence of account-holder engagement. Export and attach it to the order record in Shopify Admin or your CRM at the time of the interaction, not retroactively.

Fraud platform transaction scores and behavioral data are sometimes only accessible for a limited window through the platform's dashboard. If you're using Signifyd, NoFraud, or Kount, check the data retention policy and export the transaction detail for high-AOV orders at fulfillment time.

Device fingerprint session data from your analytics or fraud platform may roll off after 60 to 90 days depending on your data retention settings. If a chargeback arrives at day 75, the session data that would have shown consistent device behavior across orders may already be gone.

The fix is procedural: for any order above your chargeback-response threshold, capture and store the full evidence package at fulfillment — carrier confirmation, customer communications, fraud platform output, device and session data. Don't wait for a dispute to trigger the collection process.

Pre-fulfillment controls that stop the dispute from arriving

The best unauthorized purchase chargeback response is the one you never have to write. Most of the evidence gaps that kill dispute responses are created at fulfillment, not at the response stage.

Enable 3DS on high-AOV transactions. If your payment processor supports 3DS2, configure it to trigger on orders above your average chargeback threshold. A fully authenticated 3DS result eliminates Visa 10.4 and Mastercard 4837 liability at the network level. The friction cost on legitimate customers is real but manageable; the liability shift is absolute.

Build a documented manual review step for medium- and high-risk orders. Shopify's fraud analysis flags are a starting point, not a decision. If an order is flagged medium or high risk, the fulfillment decision should be logged — who reviewed it, what signals were evaluated, why the order was approved or held. That log is evidence in a dispute response. Without it, you have no story.

Match shipping and billing addresses before fulfillment on first-time customers. A mismatch on a first-time order with no prior account history is a meaningful fraud signal. Either hold the order for verification or document why you proceeded. Shipping to a mismatched address without documentation is a liability you're creating for yourself.

Require phone or email verification on high-value first-time orders. A verification step — even a simple confirmation reply — creates a communication record showing the account holder engaged with the order. That record is worth more in a dispute response than AVS Y and CVV combined.

Flag and hold orders that show ATO patterns: returning customer account, new device fingerprint, new shipping address, higher-than-typical order value. ATO attacks on established accounts are harder to catch than new-account fraud, but the signal cluster is recognizable. A 24-hour hold with an email confirmation to the account's registered address catches a meaningful share of ATO attempts before fulfillment.
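The five controls above can be run as one gate at fulfilment time. The code below is an added example for this article, not DisputeDesk's or Shopify's code. The thresholds (`THREEDS_THRESHOLD`, `VERIFY_FIRST_TIME_ABOVE`, `ATO_SPEND_MULTIPLIER`) and the order field names are assumptions for the example; the point it demonstrates is that every flagged order produces a review-log entry with the reviewer, the signals and the decision, so the documentation the dispute response will later need exists before the order ships rather than being reconstructed afterwards.

```python
from dataclasses import dataclass, field

# Thresholds are assumptions for this example; set them from your own AOV and chargeback history.
THREEDS_THRESHOLD = 250.0        # orders at or above this need a 3DS2 challenge before fulfilment
VERIFY_FIRST_TIME_ABOVE = 150.0  # first-time orders above this need a confirmation reply
ATO_SPEND_MULTIPLIER = 1.5       # "higher than typical" = this many times the customer's usual spend


@dataclass
class Decision:
    action: str                                     # "fulfill" | "hold"
    controls: list = field(default_factory=list)    # steps that must happen before shipping
    review_log: dict = field(default_factory=dict)  # what you will be able to show an issuer later


def pre_fulfillment_decision(order: dict, reviewer: str) -> Decision:
    """Apply the article's five pre-fulfilment controls to a constructed order record.
    Field names are assumptions for this example, not Shopify Admin's schema."""
    d = Decision(action="fulfill")
    first_time = order.get("prior_order_count", 0) == 0
    amount = order["amount"]
    risk = order.get("fraud_risk", "low")

    # 1. 3DS on high-AOV orders: a full authentication is the only network-level liability shift.
    if amount >= THREEDS_THRESHOLD and not order.get("three_ds_authenticated"):
        d.action = "hold"
        d.controls.append("run 3DS2 challenge before fulfilment")

    # 2. Medium/high fraud-analysis flags get a logged review decision, never a silent ship.
    if risk in ("medium", "high"):
        d.controls.append(f"log manual review of {risk}-risk flags: {order.get('risk_flags', [])}")

    # 3. First-time customer shipping away from the billing address: hold, or document why you proceed.
    if first_time and order.get("ship_address") != order.get("bill_address"):
        d.action = "hold"
        d.controls.append("verify shipping/billing mismatch on first-time order")

    # 4. High-value first-time orders need a communication record the account holder creates.
    if first_time and amount > VERIFY_FIRST_TIME_ABOVE and not order.get("customer_confirmed"):
        d.action = "hold"
        d.controls.append("request email/phone confirmation reply")

    # 5. ATO pattern on an established account: new device + new address + atypical spend.
    typical = order.get("typical_spend", 0)
    if (not first_time and not order.get("device_known") and not order.get("ship_address_known")
            and typical and amount > ATO_SPEND_MULTIPLIER * typical):
        d.action = "hold"
        d.controls.append("probable ATO: 24-hour hold, confirm via the account's registered email")

    # The log entry is the evidence a dispute response needs; write it whether you ship or hold.
    d.review_log = {
        "order": order["id"], "reviewer": reviewer, "risk": risk, "decision": d.action,
        "signals": {"first_time": first_time, "amount": amount,
                    "device_known": order.get("device_known"),
                    "ship_address_known": order.get("ship_address_known")},
        "controls": list(d.controls),
    }
    return d


# Constructed orders (illustrative values only).
ATO_ORDER = {"id": "ord-c1", "amount": 400, "prior_order_count": 6, "typical_spend": 80,
             "device_known": False, "ship_address_known": False, "fraud_risk": "medium",
             "risk_flags": ["new device", "new shipping address"],
             "bill_address": "1 Main St", "ship_address": "99 Other Rd"}
CLEAN_RETURNING = {"id": "ord-c2", "amount": 120, "prior_order_count": 3, "typical_spend": 90,
                   "device_known": True, "ship_address_known": True, "fraud_risk": "low",
                   "bill_address": "1 Main St", "ship_address": "1 Main St"}
FIRST_TIME_MISMATCH = {"id": "ord-c3", "amount": 200, "prior_order_count": 0, "fraud_risk": "low",
                       "bill_address": "1 Main St", "ship_address": "5 Elm Ave"}

if __name__ == "__main__":
    for o in (ATO_ORDER, CLEAN_RETURNING, FIRST_TIME_MISMATCH):
        d = pre_fulfillment_decision(o, reviewer="ops-reviewer")
        print(o["id"], d.action, d.controls)
```

The ATO-shaped order is held with three controls (3DS challenge, logged review of the medium-risk flags, and the 24-hour ATO hold), the clean returning order ships with an empty control list, and the first-time mismatch is held for address verification and a confirmation reply. In each case `review_log` is the record you would attach to the order notes.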

DisputeDesk's automation handles evidence assembly, deadline tracking, and response formatting — but the controls above determine whether you have anything worth assembling. Build the pre-fulfillment process first; the dispute response is what you do when that process misses something.

What to check before you submit

Work through this before you open the response form. Shopify Admin > Orders > [the disputed order] is your starting point for all of it.

First, confirm the dispute deadline. Shopify surfaces this in the Disputes section — missing it means automatic loss regardless of evidence quality.
Second, check Shopify Protect status. If the order shows PROTECTED, stop — Shopify covers the dispute and no response is needed from you.
Third, pull the fraud analysis output. Note any risk flags and decide now whether you have a documented explanation for why the order was fulfilled. If you don't, that's a gap in your response.
Fourth, verify the AVS and CVV results under Payment Details. If either check was incomplete or returned a mismatch, your evidence package needs to address that directly — don't bury it.
Fifth, check the shipping address against the billing address. A discrepancy that wasn't resolved before fulfillment is a liability in the response; issuers cite it as evidence of potential fraud.
Sixth, review every customer communication logged in the order notes. If the only communication is the auto-generated confirmation email, assess whether that's enough to show the account holder engaged with the order — usually it isn't.
Seventh, check whether you have 3DS authentication data. If you have an ECI 05 (Visa) or ECI 02 (Mastercard) result, lead with it — that's your strongest single piece of evidence.
Eighth, match your evidence package to the unauthorized purchase reason code specifically. Generic evidence bundles — tracking number, order summary, terms of service — rarely move issuers on unauthorized claims. The package needs to address authorization and possession, not just fulfillment.

Once you've confirmed the evidence addresses what the issuer is actually evaluating — not just what you have available — submit the response.

Key Takeaways

Visa 10.4 and Mastercard 4837 have different documentation expectations — a fully authenticated 3DS result is the only signal that shifts liability at the network level and blocks the chargeback outright.
AVS Y, CVV match, and delivery confirmation prove fulfillment, not cardholder authorization or possession — stack behavioral signals and prior customer history to close the actual gap issuers are evaluating.
Friendly fraud and true fraud produce different evidence patterns; read the signal cluster before deciding whether to fight or concede.
Carrier signature scans, customer service threads, and fraud platform session data expire — capture and store the full evidence package at fulfillment, not when the dispute arrives.
Pre-fulfillment controls — 3DS on high-AOV orders, documented manual review decisions, ATO pattern detection — prevent the dispute from landing in the first place.

FAQ

What does Shopify show me when an unauthorized purchase chargeback comes in?
Shopify surfaces the dispute under Admin > Payments > Disputes (or within the order itself). You'll see the reason code, the response deadline, and the Shopify Protect status. Check the Protect status first — if it shows PROTECTED, Shopify covers the chargeback and you don't need to respond.
Does AVS Y help me win an unauthorized purchase dispute?
It helps, but not as much as merchants expect. AVS Y confirms the billing address matched — it doesn't prove the cardholder authorized the transaction or received the goods. Issuers know fraudsters can access billing information. Use AVS Y as one signal in a broader pattern of legitimate transaction behavior, not as standalone authorization proof.
My tracking shows delivered — why would I still lose?
Delivery confirmation proves the package reached the address, not that the cardholder received it. Issuers regularly argue the shipping address was compromised or redirected. Pair delivery confirmation with customer communication logs — a reply email, a support interaction — to show the account holder was engaged with the order.
Shopify's fraud analysis flagged the order as medium risk and I shipped anyway — does that hurt me?
It can. If you fulfilled a flagged order without logging a manual review decision or documenting why the risk was acceptable, the issuer has no evidence you exercised due diligence. Before submitting a response, check Admin > Orders > Fraud Analysis and decide whether you can explain the fulfillment decision in writing. If you can't, consider whether the case is worth fighting.
What evidence actually moves issuers on unauthorized purchase claims?
Evidence that shows the cardholder engaged with the order beyond the transaction itself: reply emails, support interactions, prior orders from the same account, consistent device or IP behavior across sessions, and 3DS authentication data. Tracking numbers and order summaries prove fulfillment — issuers on unauthorized claims are looking for authorization and possession, not shipping accuracy.
What's the difference between Visa 10.4 and Mastercard 4837?
Both mean the cardholder claims they didn't authorize the transaction. Visa 10.4 gives significant weight to 3DS authentication — a fully authenticated result (ECI 05) shifts liability to the issuer and should block the chargeback at the network level. Mastercard 4837 takes a more holistic view, expecting a pattern of authorization signals rather than a single defense. On both networks, no 3DS means you're arguing on layered circumstantial evidence.
How do I tell if an unauthorized claim is friendly fraud or true fraud?
Look at the signal cluster. True fraud typically shows a first-time customer, mismatched addresses, a new device fingerprint, and no prior account history. Friendly fraud typically shows an established customer with prior orders, consistent device behavior, and post-order customer service contact. A returning customer with a new device, new address, and higher-than-typical spend is probably an account takeover — concede it and review other recent orders from that account.
When should I just concede an unauthorized purchase chargeback?
Three situations: low-AOV orders where response cost exceeds recovery value and evidence is thin; returning-customer disputes that show account-takeover patterns (new device, new address, atypical spend); and orders where Shopify flagged high risk and you shipped without a documented manual review decision. Submitting a weak response on a case with an obvious evidence gap often draws attention to the gap rather than overcoming it.

Disclaimer

This content is for informational purposes only and does not constitute legal advice.
