If you sell online and you accept Visa, reason code 10.4 is the dispute you'll see most. It's the cardholder telling their bank, "I didn't make this purchase." Some of those claims are real. Most are not. The win rate on 10.4 disputes hinges almost entirely on whether your response is built around the few pieces of evidence that actually address a fraud claim — and whether you avoid quietly handing the bank's reviewer reasons to side with the cardholder.
What Is Reason Code 10.4?
Visa 10.4 is the network's code for fraud in a "Card Absent Environment" — meaning the card wasn't physically swiped, dipped, or tapped. In practice, that's almost every ecommerce order. The cardholder is asserting that someone else used their card without authorization. It's the most common reason code for online merchants, and it's also the one most often filed as friendly fraud — the customer placed the order, received it, and then disputed the charge anyway. Maybe they forgot. Maybe a family member used the card. Maybe they're trying to keep the product without paying. From the bank's perspective, none of that matters until you give them evidence that says otherwise.
Why Merchants Lose 10.4 Disputes
Most lost 10.4 disputes don't lose because the merchant didn't have evidence. They lose because the response was aimed at the wrong target. The cardholder is claiming their credentials were used without permission. A reviewer reading your response is asking one question: did the actual cardholder authorize this purchase? Common ways merchants miss:
- Generic responses. A canned template that includes tracking, return policy, and product photos but never directly addresses the fraud claim. Tracking doesn't matter on a 10.4 — the customer isn't claiming the product never arrived. They're claiming they never bought it.
- No AVS or CVV data. These are the two strongest pieces of evidence on a fraud dispute, and merchants leave them out constantly because they're buried in the gateway logs rather than the order details.
- Missing the deadline. Visa moves fast — often a 7- to 14-day evidence window. Late submissions don't get reviewed; they auto-lose.
- Submitting evidence that helps the cardholder. A high fraud-risk score, an IP from a different country, a first-time customer with a freshly-created email — any of those, included in the response, can flip a winnable case into a clear loss.
The Evidence That Wins 10.4 Disputes
Each item below answers the question "did the real cardholder authorize this?" That's the lens for everything you submit.
- AVS match. Address Verification System confirms the billing address entered at checkout matches what the issuing bank has on file. A full AVS match is hard to fake — a stranger with a stolen card number usually doesn't know the cardholder's billing address.
- CVV match. The three-digit code on the back of the card was entered correctly. CVV isn't stored after authorization, so a CVV match means whoever placed the order had physical access to the card or a recent record of it.
- IP address and geolocation. The IP from checkout, with a geolocation that places it in or near the cardholder's billing region. An order placed from the cardholder's home city is consistent with the cardholder placing it.
- Customer purchase history. Prior successful, undisputed orders from the same email, name, or device fingerprint. A repeat customer disputing a single charge looks far less like fraud than a one-time order from a brand-new account.
- Device fingerprint or browser data. If the same device or browser session was used for previous successful orders, that's a strong signal of consistent authorized use.
- Order confirmation email. Sent to the email tied to the cardholder's account, delivered without bouncing, and ideally opened. If the cardholder opened the receipt at the time of purchase and didn't dispute for weeks, that undermines the "I didn't authorize this" claim.
- Shipping to the verified billing address. Fraudsters don't ship stolen-card purchases to the actual cardholder's home. A delivery address that matches AVS is one of the cleanest fraud-defense signals there is.
- Signed delivery confirmation. Not required for fraud cases, but a signature at the billing address is close to ironclad.
How to Write the Rebuttal
Keep the rebuttal letter under 500 words, factual, and built in this order:
- Open by stating you're contesting the fraud claim. One line: "We are contesting this dispute. The transaction was authorized by the cardholder, as demonstrated by the evidence below."
- Lead with AVS and CVV verification. These prove the cardholder's own credentials — billing address and security code — were used at checkout. Cite them by name and reference the gateway log attachment.
- Follow with IP geolocation. Show the order originated from the cardholder's region. "The IP address used at checkout (203.0.113.45) geolocates to [city, state], consistent with the cardholder's billing address."
- Include customer history if it helps. "The cardholder has placed [N] prior orders with the same email and shipping address, all successfully delivered and undisputed."
- Close by requesting resolution. "We respectfully request this dispute be resolved in our favor based on the verification data submitted."
No accusations, no exclamation points, no commentary about how often this customer "tries this." The reviewer is looking for verification data, not a story.
Common Mistakes to Avoid
The fastest way to lose a winnable 10.4 dispute is to volunteer evidence that supports the cardholder. A few traps:
- Don't include the fraud risk score if it was medium or high. You're handing the reviewer a reason to side with the cardholder.
- Don't mention "first-time customer" if the customer has no order history. Silence on that point is fine; volunteering it is not.
- Don't include IP data if it shows a different country from the billing address. Submit IP only when it supports your case.
- Don't submit shipping data when shipping went to a different address than billing. On a fraud dispute, a mismatched ship-to address looks like exactly what fraud looks like — a stranger redirecting the package. Stick to billing-side verification.
The principle: every piece of evidence is either helping you or helping the cardholder. If it's not helping you, leave it out.
Paidback automatically identifies which evidence helps and which could hurt your case for each reason code. For 10.4 disputes, it prioritizes AVS, CVV, and IP verification while filtering out anything that could weaken your response. Learn more at paidback.io.