HomeBlogMastercard 4837 vs Visa 10.4 — same CNP fraud, different rules
Reason codes

Mastercard 4837 vs Visa 10.4 — same CNP fraud, different rules

Mastercard 4837 and Visa 10.4 both cover card-not-present fraud — but the rules diverge in ways that matter. Deadlines differ. Liability shift works differently. And CE 3.0 doesn't cross networks.

Published July 14, 2026 · 6 min read
Start free — pay per win →

Visa 10.4 gives you 30 days; Mastercard 4837 gives you 45. Visa CE 3.0 doesn't apply to Mastercard cases. 3DS works on both but Mastercard SecureCode has slightly different liability triggers than Visa Secure. Multi-network merchants can't build one CNP-fraud defense and use it for both — the evidence stack overlaps 80%; the network-specific rules that determine wins live in the other 20%.

Deadline: 30 vs 45 days

Visa 10.4 gives merchants 30 calendar days from the chargeback date to submit representment. Mastercard 4837 gives 45 days. Same fraud, 15 more days on Mastercard. For merchants without automation, that extra 15 days can be the difference between meeting the deadline and losing by default.

Both clocks start from the network's chargeback date, not the acquirer's notification date. Stripe surfaces the acquirer date, so if you're eyeballing Stripe's `evidence_details.due_by`, you're already accounting for acquirer buffer. On PayPal Braintree the field is `replyByDate` — same semantics.

Some acquirers apply their own internal caps below the network limits. Chase Paymentech typically caps Visa at 20 days and Mastercard at 30. First Data and Adyen use the full network windows.

3DS liability shift differences

Both networks support 3-D Secure authentication with liability shift to the issuer when authentication is completed. But the ECI values and shift rules differ subtly.

Visa Secure (3DS): ECI 05 (fully authenticated) = full liability shift. ECI 06 (attempted, issuer signature) = full liability shift. ECI 07 (attempted, no issuer signature) = no shift.

Mastercard SecureCode (3DS): ECI 02 (fully authenticated) = full liability shift. ECI 01 (attempted) = full liability shift for Mastercard — this is different from Visa.

Mastercard is actually more merchant-friendly on attempted authentication. If you saw an attempted-but-not-completed 3DS on Mastercard, you probably still have liability shift — check the ECI value.

Why CE 3.0 doesn't cross over

Compelling Evidence 3.0 is a Visa Core Rules provision. It doesn't apply to Mastercard. Mastercard has its own compelling-evidence framework under the Mastercard Chargeback Guide, and the rules are similar but not identical.

Mastercard's version: two prior transactions from the same cardholder, no minimum time window (Visa requires 120 days), matched by any identifier. Slightly looser than CE 3.0 — but issuer acceptance is *not* mandatory the way it is under Visa CE 3.0. Mastercard issuers retain discretion.

Practical impact: if you have qualifying identity-continuity data, use it on both networks. On Visa, cite CE 3.0 explicitly for mandatory acceptance. On Mastercard, cite the equivalent rule but expect analyst discretion.

The shared evidence stack

80% of your evidence works for both networks. The core stack:

  • AVS + CVV match records
  • 3DS authentication result (with ECI value)
  • IP + device fingerprint
  • Delivery proof to AVS-verified address
  • Prior transaction history (identity continuity)
  • Customer communication history

Don't build two separate evidence packets. Build one comprehensive packet, then adjust the cover narrative per network. On Visa, reference §11.4 (CE 3.0). On Mastercard, reference the Chargeback Guide's compelling-evidence provision.

Multi-network playbook

Rules for a merchant fighting both:

  1. Always check the ECI value. Mastercard's shift on ECI 01 is often overlooked; merchants concede attempts they should have won.
  1. Use CE 3.0 on Visa, plain identity continuity on Mastercard. Same data, different narrative framing.
  1. Prioritize Visa deadlines. Visa gives you 15 fewer days. Missing Visa auto-loses; missing Mastercard auto-loses. Sort by earliest due date, not by network.
  1. Watch acquirer caps. Chase's 20/30 day caps effectively erase the 45-day Mastercard advantage. Know your acquirer's rules.

Frequently asked questions

What's the response deadline for Mastercard 4837?

45 calendar days from the chargeback date. Some acquirers apply an internal cap (typically 30 days).

Does CE 3.0 apply to Mastercard 4837?

No. CE 3.0 is Visa-specific. Mastercard has its own compelling-evidence framework, but issuer acceptance is not mandatory — analysts retain discretion.

Do 3DS ECI values mean the same thing on Visa and Mastercard?

No. Visa uses ECI 05/06/07; Mastercard uses ECI 01/02. Mastercard shifts liability on attempted authentication (ECI 01), which Visa often doesn't.

Post reflects public documentation, industry surveys, and Aurai's own book of disputes as of the publish date. Visa, Mastercard, American Express, Discover, Stripe, PayPal, and Shopify are trademarks of their respective owners; Aurai is independent and not endorsed by any of them. Network rules change — always verify current official rules before acting on any specific tactic.

Automate your chargeback response

Aurai reads every dispute, assembles the right evidence, and submits before the deadline. Pay 25% only on wins.

Start free →