On 17 October 2025, Visa began automatically qualifying card-not-present transactions for Compelling Evidence 3.0 (CE 3.0) when authentication runs through Visa Secure (3-D Secure 2) or Visa Data Only across all major regions. cside, the browser-layer security platform, helps merchants produce the deterministic device ID and real client IP that strengthen an auto-qualified case into a winnable representment. Auto-qualification shifts the paperwork burden upstream but does not guarantee a reversal; evidence quality still decides the outcome.
Visa quietly changed the Compelling Evidence 3.0 workflow on 17 October 2025. Transactions secured via Visa Secure or Visa Data Only across all major regions are now automatically qualified for CE 3.0 evidence submission. Merchants no longer need to manually assemble the two-prior-transaction packet for every eligible dispute.
That sounds like a win, and for some merchants it is. It is also a signal about where Visa thinks the evidence chain is going. Auto-qualification shifts the burden from representment paperwork to upstream authentication quality. The merchants who benefit most are the ones whose checkout session captures the evidence Visa now expects to read automatically.
This piece covers what changed, who benefits, and where the browser-layer evidence gap still sits after auto-qualification.
What changed on 17 October 2025?
Visa began auto-qualifying card-not-present transactions for CE 3.0 when authentication runs through Visa Secure (3-D Secure 2) or Visa Data Only. The change applies across all major regions. Qualifying transactions inherit CE 3.0 eligibility without the merchant having to construct the two-prior-transaction evidence packet manually.
Before the change, CE 3.0 eligibility required the merchant or their acquirer to identify two prior undisputed transactions between 120 and 365 days old and match at least two of four data elements (User ID, shipping address, IP address, device ID) between prior and disputed transactions. That lookup and match work sat inside the representment process.
After the change, transactions authenticated via Visa Secure or Visa Data Only carry the authentication metadata directly into the CE 3.0 evaluation. When a dispute lands on those transactions under reason code 10.4, the case enters representment pre-qualified. The merchant still submits the rebuttal packet, but the data elements needed for qualification are already attached.
Who actually benefits
Merchants running high 3-D Secure adoption on their checkout, with stable billing descriptors and clean device identity, benefit immediately. Merchants who skip 3DS on mobile flows, use inconsistent descriptors, or cannot produce device-level session data at representment time benefit less than the headline suggests.
Three conditions stack to decide the real value.
3DS penetration
Visa Secure is the Visa brand for 3-D Secure 2, so auto-qualification only attaches to transactions that actually route through 3DS authentication. Merchants in regions where 3DS is mandatory (for example, PSD2 markets) benefit most. Merchants who exempt most traffic from 3DS for conversion reasons see less benefit.
For subscription merchants, stored-credential charges typically bypass 3DS step-up, so the auto-qualification benefit is limited on renewal volume.
Data cleanliness
Auto-qualification attaches the evidence, but it does not overwrite merchant-side data quality. Mismatched descriptor first-six across billing cycles still breaks qualification at the representment stage. Inconsistent cardholder identity across guest and authenticated flows still leaves the acquirer without a clean match.
Authenticity of the device match
Visa Data Only uses the 3DS data exchange without the cardholder authentication step. That gives the issuer a data packet, but it does not guarantee that the device which completed the prior transaction is the same device now completing the disputed one. If the merchant does not capture device-level session data at checkout via browser-layer capture, the auto-qualified case can still be decided against you if the issuer wants a deeper look.
What auto-qualification does not do
Auto-qualification does not produce the evidence itself. It attaches authentication metadata that qualifies the case for CE 3.0 evaluation. If the underlying evidence is thin (inconsistent device match, drifted descriptors, missing session context), the case is still weak on its merits.
CE 3.0's qualification rules have not changed. Two prior undisputed transactions, 120 to 365 days old, with at least two of four data elements matching including either IP or device ID. What changed is who does the lookup. Auto-qualification lets Visa's infrastructure do it in line with the authentication record. It does not change the quality bar an issuer applies when they evaluate the evidence.
This is where merchants get surprised. A case can be auto-qualified and still lose. Issuers look at device continuity across the prior and disputed transactions. If the device ID on the prior transaction came from a JavaScript fingerprint that was captured opportunistically and the device ID on the disputed transaction came from a different source, the match may fail evidentially even if the qualification box ticks.
The browser-layer evidence gap after auto-qualification
Auto-qualification raises the value of consistent, cross-session device identity captured at the browser layer. Merchants who can produce a replayable checkout session for both prior and disputed transactions turn an auto-qualified case into an auto-win. Merchants who cannot still lose the cases they should have won.
From cside data: cside analysis shows that auto-qualified CE 3.0 cases still lose at a meaningful rate when the underlying device ID match is from an inconsistent or opportunistic capture source. cside measures this by comparing case outcomes for auto-qualified disputes where browser-layer device ID was and was not deterministically captured at checkout.
cside captures browser-layer evidence at checkout: device-level session data, network fingerprint, script-verified transaction context. The same device identity runs across every session on the same merchant, which means the match that CE 3.0 now auto-qualifies is also deterministically producible by the merchant when the issuer asks. For a representment case, the practical effect is simple: the auto-qualified packet plus a matching browser-layer session artefact gives the issuer a strong basis to reverse the chargeback in one pass. Without the browser layer, the auto-qualified packet is a ticket to the next queue, not a guaranteed outcome.
For a full breakdown of the four core data points Visa evaluates, see the CE 3.0 requirements guide. For the VAMP ratio context that makes winning those cases urgent, see the VAMP 2026 merchant playbook.
What to do this week
Confirm 3DS / Visa Secure penetration on your Visa card-not-present traffic. Audit descriptor first-six consistency. Instrument browser-layer evidence on checkout. Re-test the last 30 days of reason code 10.4 disputes under the new auto-qualification rules to see which cases became winnable.
For a Head of Payments, the operational action is a three-step check:
- Pull the current Visa Secure authentication rate across your CNP volume. If it is below what your acquirer considers adequate for auto-qualification benefit, there is room to lift the share of auto-qualified cases by routing more traffic through 3DS at low-friction points.
- Confirm that the first six characters of your billing descriptor are identical across every payment method and every billing cycle. This is the cheapest fix in the entire CE 3.0 pipeline and it is the most common reason qualified cases fail at representment.
- Verify that your chargeback stack captures device-level session data at checkout, not just server-side order data; if it does not, the auto-qualification value is capped.
For iGaming operators, note that deposit flows on stored credentials generally do not trigger auto-qualification and manual CE 3.0 representment remains the primary route.
Further reading on cside
- cside Chargeback Evidence product page
- VAMP 2026 Merchant Playbook
- Device Fingerprinting in CE 3.0
- CE 3.0 Requirements: The Ten Data Points
- How to Remove a TC40 via CE 3.0
This article reflects cside's analysis of VAMP and friendly-fraud regulations as of 2026-05-01. Threshold values, deadlines, and programme rules are subject to change by Visa, Mastercard, and acquirer-specific contracts. Verify with primary sources before operational decisions.
About the author
Mike Kutlu is Head of GTM at cside, where he works with Heads of Payments, Risk, and Finance on instrumenting browser-layer chargeback evidence for Compelling Evidence 3.0 representment. He writes about VAMP, friendly fraud, and the mechanics of dispute evidence for enterprise merchants.
