Professional discussion — dispute resolution and collaboration
Policy update

Card Network Policy Shifts: CE 3.0, Mastercard's Dispute Revisions, and What Shopify Payments Changed

Visa CE 3.0, Mastercard's dispute rule updates, and Shopify Payments policy changes have quietly moved the goalposts on evidence requirements. Here's what changed, when, and what it costs you to miss.

DE

DisputeDesk Editorial

Jun 1, 2026
9 min read
English

The rules changed. Most merchants found out when they lost.

Three overlapping policy shifts — Visa's Compelling Evidence 3.0, Mastercard's dispute resolution rule revisions, and Shopify Payments' own submission requirements — have collectively tightened what counts as a valid fraud dispute response. None of them were announced loudly. All of them have operational consequences that show up in loss rates before merchants realize the framework shifted.

This is not a summary of chargeback basics. It's a breakdown of what specifically changed, when it took effect, and where the gaps are showing up in Shopify Admin under Payments → Disputes.

Visa Compelling Evidence 3.0 (CE 3.0)

Formal name: Visa Compelling Evidence 3.0
Effective date: April 15, 2023
Applies to: Visa disputes globally, reason code 10.4 (Other Fraud — Card Absent Environment). Does not apply to 10.5, 13.x, or non-fraud codes.

CE 3.0 created a new dispute response pathway specifically for 10.4 fraud claims. Before CE 3.0, a merchant responding to a 10.4 dispute needed to show that the transaction was authorized — delivery confirmation, AVS match, device fingerprint, IP address. CE 3.0 flips the frame: instead of proving the disputed transaction was legitimate, you prove the cardholder previously completed undisputed transactions with matching device or customer data.

The specific requirement: The merchant must produce at least two prior undisputed Visa transactions from the same cardholder that share at least two matching data elements with the disputed transaction. Matching elements include: IP address, device ID, shipping address, and email address. The prior transactions must have occurred between 120 and 365 days before the disputed transaction. Transactions within 120 days do not qualify.

That date window is where most CE 3.0 attempts fail. A merchant with a 90-day order history can't satisfy it. A merchant whose customer created a new account for the disputed order can't satisfy it. CE 3.0 is structurally unavailable to a large share of the disputes it nominally covers.

When CE 3.0 applies and is properly documented, it shifts liability back to the issuer — meaning the issuer cannot re-present the chargeback. That's the actual value. But the documentation burden is precise: the two prior transactions must be clearly identified, the matching data elements explicitly labeled, and the evidence formatted so the issuer reviewer can verify the match without inference.

Merchants using Shopify Payments submit CE 3.0 responses through the standard dispute interface. Shopify does not automatically flag CE 3.0 eligibility — that determination is on the merchant or their dispute management workflow. Third-party gateway users should confirm with their processor whether CE 3.0 submissions are supported in their dispute portal, as not all acquirer interfaces handle the structured data requirements the same way.

What CE 3.0 does not do: It does not apply retroactively to disputes filed before April 15, 2023. It does not cover Mastercard disputes. It does not help with INR or SNAD codes. Merchants who have been submitting CE 3.0-style evidence for non-10.4 codes are wasting response space.

Mastercard's Dispute Resolution Rule Revisions

Formal name: Mastercard Dispute Resolution Initiative (MDRI) and subsequent rule updates
Key effective dates: MDRI phased in from 2018 onward; the most operationally significant recent changes to pre-arbitration timelines and excessive dispute monitoring thresholds took effect in 2023. Confirm specific current thresholds with your processor — Mastercard has revised these figures across multiple bulletins and the operative version depends on your acquirer's implementation date.

Applies to: All Mastercard transactions globally. Merchant category and region affect monitoring program thresholds but not core dispute timelines.

What changed operationally:

  • Pre-arbitration timing: Mastercard compressed the pre-arbitration window. Issuers can now move to pre-arbitration faster after a merchant's first chargeback response. The practical effect: a merchant who submits a response close to the deadline has less buffer before the case escalates. Confirm the exact pre-arbitration window with your processor — it varies by reason code category.
  • Excessive Dispute Monitoring Program (EDMP): Mastercard's EDMP thresholds were revised. Merchants who exceed the dispute-to-transaction ratio trigger monitoring status, which carries monthly fees and can escalate to program termination. The specific ratio and transaction volume thresholds should be confirmed with your acquirer — Mastercard has adjusted these and the operative numbers depend on your program enrollment date.
  • Reason code consolidation: Mastercard has continued consolidating reason codes under its current framework. The codes most Shopify merchants see — 4837 (No Cardholder Authorization), 4853 (Cardholder Dispute), 4855 (Goods or Services Not Provided) — remain active, but the evidence requirements mapped to each have been updated in Mastercard's chargeback guide. If your response templates were built before 2022, the evidence mapping may be stale.
  • First chargeback vs. second presentment: Mastercard's framework distinguishes between the first chargeback (issuer-initiated) and second presentment (merchant re-presentment). The evidence required at second presentment is more specific than at first response — a common failure point is submitting the same evidence package twice instead of addressing the issuer's specific objection at second presentment.

A merchant processing $40,000/month in Mastercard volume, with a dispute rate that crossed the EDMP threshold in Q3, received a monitoring notification and a per-dispute fee schedule — retroactive to the month the threshold was crossed. The merchant had been submitting responses consistently but hadn't tracked the ratio. The fees were not waived.

Shopify Payments Policy Changes

Shopify Payments operates as a payment facilitator, which means its dispute policies layer on top of network rules — and those policies have their own update cadence that doesn't always align with Visa or Mastercard announcement cycles.

Evidence submission interface: Shopify updated the dispute response interface in Shopify Admin under Payments → Disputes → [dispute ID] → Respond. The structured fields — shipping carrier, tracking number, customer communication — are now more granular. Merchants who copy-paste a single evidence block into the free-text field without populating the structured fields are submitting incomplete responses by Shopify Payments' own formatting standards, regardless of what the evidence says.

File size and format limits: Shopify Payments enforces file size caps on uploaded evidence. PDFs over the limit are silently truncated or rejected in some configurations — confirm the current limit in your Shopify Admin before uploading multi-page evidence packages. Merchants have lost disputes because the issuer received a partial document.

Shopify Protect eligibility: Shopify Protect (fraud protection for eligible Shop Pay orders) has specific eligibility criteria that have been updated. Not all orders processed through Shop Pay qualify. Merchants who assume Protect coverage without verifying eligibility per order are building dispute responses for cases that were never covered. Check eligibility at the order level in Shopify Admin under Orders → [order] → Fraud analysis.

Payout holds during disputes: Shopify Payments holds the disputed amount from payouts when a chargeback is filed. The hold policy has not changed materially, but the interaction with high-volume dispute periods — where multiple holds stack — has caught merchants off guard on cash flow. This is not a new rule, but it's operationally relevant when dispute volume spikes.

What Changed for Merchants: Concrete Operational Impacts

  • CE 3.0 eligibility screening is now a required pre-submission step for every Visa 10.4 dispute. If you're not checking whether the cardholder has two qualifying prior transactions before building the response, you're either missing a liability shift opportunity or wasting time on a pathway that isn't available.
  • Mastercard response templates built before 2022 are likely misaligned with current evidence requirements. The reason code consolidation and updated chargeback guide changed what issuers expect to see at first chargeback and second presentment. Stale templates produce technically complete but substantively weak responses.
  • Shopify Payments' structured evidence fields are not optional. Populating only the free-text narrative and skipping the carrier/tracking fields produces a submission that fails Shopify's own formatting standards before the issuer evaluates it.
  • The CE 3.0 date window (120–365 days prior) eliminates eligibility for new customers and thin order histories. Merchants with high new-customer acquisition rates will find CE 3.0 structurally unavailable for a significant share of their 10.4 disputes.
  • Mastercard's pre-arbitration compression means late first responses leave almost no time to react to escalation. Submitting on day 19 of a 20-day window is operationally riskier than it was under the prior timeline.
  • Dispute ratio monitoring is cumulative and retroactive in its fee application. Crossing the EDMP threshold in one month doesn't give you a grace period — fees apply from the month of breach.

The Case That Exposed the Gap

A merchant selling consumer electronics processed a $620 Visa transaction in June 2023. The cardholder filed a 10.4 dispute in August. The merchant had delivery confirmation, AVS match, and a signed carrier receipt. Under the pre-CE 3.0 framework, that evidence stack would have been competitive. Under CE 3.0, the issuer evaluated whether the merchant had submitted qualifying prior transaction data — they hadn't, because the customer was a first-time buyer. The delivery confirmation didn't matter. The dispute resolved in the cardholder's favor.

The merchant's response was built on the old framework. The evidence was real. The loss was structural — CE 3.0 changed what the issuer was looking for, and the merchant didn't know the question had changed.

This is the pattern: merchants lose not because the evidence is fabricated or weak, but because the evidentiary standard shifted and the response workflow didn't.

Required Actions Before Your Next Submission

  1. For every Visa 10.4 dispute: Before building the response, check whether the cardholder has two prior undisputed Visa transactions in your system from 120–365 days before the disputed transaction, with at least two matching data elements. If yes, build a CE 3.0 response. If no, build a standard fraud response — and don't waste space on CE 3.0 language that doesn't apply.
  2. Audit your Mastercard response templates. Pull the current Mastercard Chargeback Guide (available through your acquirer or Mastercard's published resources) and verify that your evidence mapping for 4837, 4853, and 4855 matches the current requirements. If your templates predate 2022, assume they need revision.
  3. Check Shopify Payments structured fields on every submission. In Shopify Admin under Payments → Disputes → [dispute ID] → Respond, confirm that carrier name, tracking number, and customer communication fields are populated — not just the narrative block.
  4. Verify Shopify Protect eligibility at the order level, not the account level. Protect coverage is per-order. Check Fraud analysis on each disputed order before assuming coverage.
  5. Track your Mastercard dispute ratio monthly. If you're approaching the EDMP threshold, confirm the current operative numbers with your acquirer — don't rely on published figures that may reflect an earlier bulletin version.
  6. Build internal deadlines two business days before network deadlines. Mastercard's compressed pre-arbitration window makes late first responses materially riskier than before.

Where Processor and Acquirer Variation Matters

CE 3.0 is a Visa network rule, but how it's implemented in your dispute portal depends on your acquirer. Some acquirer interfaces have CE 3.0-specific submission fields; others require merchants to structure the evidence manually within a generic upload. If your processor hasn't communicated how CE 3.0 submissions are handled in their system, ask explicitly — the network rule exists, but the submission mechanics vary.

Mastercard's EDMP thresholds, pre-arbitration timelines, and fee schedules are published by Mastercard but administered by acquirers. The operative numbers in your agreement may differ from the most recently published bulletin. Confirm with your processor before assuming any specific threshold applies to your account.

Shopify Payments merchants operate within Shopify's payment facilitator agreement, which means Shopify's dispute policies are the immediate operational layer — not the network rules directly. Where Shopify's policies are more restrictive than network minimums, Shopify's policies govern. Where they're silent, network rules apply. That distinction matters when you're trying to determine whether a submission format issue is a Shopify problem or a Visa problem.

Key Takeaways

CE 3.0 applies only to Visa 10.4 disputes and requires two prior undisputed transactions from 120–365 days before the disputed transaction — first-time buyers structurally disqualify most merchants from using it.
Mastercard's pre-arbitration compression means a late first response leaves almost no time to react before escalation; submitting on the last day is operationally riskier than it was under the prior framework.
Shopify Payments' structured evidence fields — carrier, tracking, customer communication — are not optional formatting; skipping them produces an incomplete submission before the issuer evaluates anything.
Mastercard EDMP fees apply retroactively from the month the threshold is crossed — there is no grace period, and the operative thresholds vary by acquirer and enrollment date.
Merchants who built Mastercard response templates before 2022 are likely submitting evidence that's misaligned with current reason code requirements — audit before the next submission, not after the next loss.

FAQ

Does CE 3.0 apply to all Visa chargebacks?
No. CE 3.0 applies only to Visa reason code 10.4 (Other Fraud — Card Absent Environment). It does not apply to 10.5, 13.x series codes, or any Mastercard disputes. Submitting CE 3.0-style evidence for other reason codes wastes response space and doesn't affect the outcome.
What are the two prior transactions CE 3.0 requires?
Two prior undisputed Visa transactions from the same cardholder, each sharing at least two data elements with the disputed transaction — from IP address, device ID, shipping address, or email address. Both transactions must have occurred between 120 and 365 days before the disputed transaction. Transactions within 120 days don't qualify.
Where do I find the Mastercard EDMP thresholds that apply to my account?
Confirm with your acquirer. Mastercard publishes thresholds in its rules bulletins, but the operative numbers in your agreement may reflect an earlier version. Don't rely on third-party summaries — get the current figures directly from your processor.
Does Shopify Protect cover all Shop Pay orders?
No. Shopify Protect has specific eligibility criteria that apply at the order level. Check the Fraud analysis section on each disputed order in Shopify Admin to verify coverage — account-level assumptions about Protect eligibility are a common source of response errors.
If my acquirer's CE 3.0 submission interface doesn't have dedicated fields, how do I submit?
Structure the CE 3.0 evidence manually within your evidence upload — clearly label the two prior transactions, identify the matching data elements explicitly, and format it so the issuer reviewer can verify the match without inference. Ask your processor how they handle CE 3.0 submissions before your next 10.4 response.

Disclaimer

This content is for informational purposes only and does not constitute legal advice.

Automate Your Chargeback Responses

DisputeDesk automatically tracks deadlines, collects evidence, and generates winning responses so you never miss a deadline again.