
Mastercard First Party Trust: Improve EFM and ECP Ratios with Device Fingerprinting

Mastercard's First Party Trust program uses device fingerprinting to deflect friendly fraud disputes before they inflate your EFM and ECP ratios.

May 08, 2026 4 min read
Mike Kutlu

What you need to know

  • EFM and ECP can both run simultaneously. EFM targets fraud-coded chargebacks; ECP captures all chargebacks. Exit from either requires three consecutive clean months.
  • Visa estimates that friendly fraud accounted for up to 75% of all chargebacks in 2022. These disputes file under fraud reason codes and inflate both your EFM and ECP ratios.
  • First-Party Trust deflects friendly fraud before it files as a formal chargeback, using device, delivery, and identity evidence you already hold.
  • Device fingerprinting is the most persistent of the three Category 1 FPT signal options: it identifies the same cardholder across sessions more reliably than an IP address or basic device ID.
  • The same evidence capture that wins Visa CE 3.0 cases provides the Category 1 signal for Mastercard FPT. Data captured by fingerprinting tools like cside integrates into both networks' submission pathways.

If your fraud-to-sales ratio crosses 0.50% on Mastercard card-not-present transactions, the Excessive Fraud Merchant (EFM) program will start fining you $500 in month two. By month 19, that fine reaches $100,000 per month.

The Excessive Chargeback Program (ECP) tracks all chargebacks, not just fraud. At the highest tier, ECP fines reach $200,000 per month. The only exit from either program is three consecutive months below threshold.

The friendly fraud connection

The source of most EFM ratio pressure is friendly fraud: cardholders disputing legitimate transactions under fraud reason code 4837 (No Cardholder Authorization). Mastercard retired reason code 4863 (Cardholder Does Not Recognize) and consolidated those disputes into updated fraud categories, but the pattern is the same.

Mastercard's answer is First-Party Trust (FPT), a structured dispute-deflection program that uses device fingerprinting and other transaction signals to resolve these disputes before they become formal chargebacks.

What EFM and ECP actually penalize

EFM and ECP parallel monitoring programs: side-by-side comparison of Mastercard's Excessive Fraud Merchant and Excessive Chargeback Program thresholds

EFM targets card-not-present fraud chargebacks. ECP tracks all chargebacks regardless of reason code. Both escalate fines from the second month of non-compliance onwards. (Full program rules are in Chapter 8 of Mastercard's Security Rules and Procedures Merchant Edition.)

| Program | Tier | Monthly trigger | Ratio threshold | Additional condition |
|---|---|---|---|---|
| EFM | n/a | 1,000+ e-commerce transactions | 0.50%+ fraud-to-sales | $50k+ fraud CBs; 3DS <50% in regulated markets |
| ECP | ECM | 100-299 chargebacks | 1.50%-2.99% | n/a |
| ECP | HECM | 300+ chargebacks | 3.00%+ | n/a |

EFM enrollment conditions

All four thresholds must be crossed simultaneously in the same month:

  • 1,000 or more Mastercard e-commerce transactions
  • $50,000 or more in fraud chargebacks
  • A fraud-to-sales ratio of 0.50% or above
  • 3DS utilization below 50% in regulated markets

Your non-fraud activity does not offer protection because friendly fraud chargebacks file under fraud reason codes.

ECP tiers

The Excessive Chargeback Merchant (ECM) tier triggers at 100-299 monthly chargebacks and a 1.5%-2.99% ratio. The High Excessive Chargeback Merchant (HECM) tier triggers at 300+ chargebacks and a 3%+ ratio. Unlike EFM, ECP captures every chargeback: service disputes, non-receipt claims, and friendly fraud alike.

Exiting the programs

Both programs require three consecutive months below threshold. Fines are not forgiven on exit unless you qualify for the one-time extension option and meet threshold requirements by the extension deadline.

The 3DS threshold most teams miss

The threshold that surprises most Heads of Payments I work with is the 3DS utilization floor. Many teams focus on the fraud ratio and miss that all four EFM conditions must trigger simultaneously. Your 3DS authentication coverage decision directly affects whether you enter the program, not just how quickly you exit it.

Dual enrollment risk

A merchant can be enrolled in both EFM and ECP simultaneously. Fines are calculated independently. At HECM tier, ECP fines alone reach $200,000 per month, separate from any EFM fine running in parallel.

Addressing friendly fraud through FPT reduces exposure in both programs: deflected disputes reduce the fraud-coded chargebacks that drive EFM and the total chargeback count that drives ECP.

Why device fingerprinting is the strongest Category 1 signal

The problem with IPs and device IDs

IP addresses change between networks, mask behind VPNs, and vary by location. Basic device IDs (IMEI numbers, cookie-based identifiers) can be reset or are simply unavailable across platforms.

How fingerprinting solves it

Device fingerprinting combines 50 or more hardware and software browser signals into a persistent hash: screen resolution, timezone, language settings, installed fonts, browser plugins, and hardware identifiers, among others. The resulting hash holds even when the IP address, network, or browser version changes.

Mastercard's AI is answering one question: is the cardholder who filed this dispute the same person who completed the original transaction? A device fingerprint answers that more reliably than an IP or a cookie.

Already running Visa CE 3.0?

If you are already using cside's browser-layer evidence for Visa Compelling Evidence 3.0 cases, the same device fingerprinting data that satisfies the CE 3.0 data element requirement is the Category 1 signal for Mastercard FPT. One evidence capture. Both card networks covered, with each network's submission pathway mapped independently.

Example breakdown of a merchant using FPT to exit EFM

A mid-size online retailer processing $5,000,000/month in Mastercard e-commerce volume gets an EFM notification. Their fraud-to-sales ratio has hit 0.54%, driven by reason code 4837 chargebacks, and their 3DS utilization is at 42% in a regulated market. All four EFM conditions are met.

Capture and submit

The merchant integrates browser-layer fingerprinting into their checkout flow, collecting 50+ signals per session (screen resolution, timezone, installed fonts, hardware identifiers, canvas hashes) and combining them into a persistent device hash stored with each transaction.

At checkout, the device fingerprint, email, and billing address are submitted via the 3DS Identity Check Insights payload. When a cardholder later files a dispute, the stored fingerprint, shipping confirmation, and login history are automatically submitted to the Ethoca Consumer Clarity API.

Deflection

The issuer presents the evidence to the cardholder. The device fingerprint matches their prior undisputed purchases, the shipping address matches their account, and login history confirms activity at the time of the transaction. The cardholder recognizes the purchase and withdraws the dispute. Because it was withdrawn before becoming a formal chargeback, it does not count toward EFM or ECP ratios.

The result

Over 60 days, the merchant's FPT deflection rate reaches 3.8%. Combined with lifting 3DS utilization from 42% to 55%, their fraud ratio drops to 0.47% and they break the 3DS condition of the four-part EFM trigger. After three consecutive clean months, they exit the program.

The same fingerprinting data simultaneously feeds into their Visa CE 3.0 evidence workflow, protecting their VAMP ratio with no additional instrumentation.

Why friendly fraud inflates your Mastercard ratios

Visa estimates that friendly fraud accounted for up to 75% of all chargebacks in 2022. Because EFM specifically tracks fraud reason code 4837, you cannot reduce your EFM ratio without directly addressing the friendly fraud generating those codes.

Mastercard and Stripe's joint 2025 conference research puts it more starkly: one in eight Americans admit to filing a fraudulent chargeback dispute. This is not an edge case. It is a structural pattern in the payment dispute system.

Why representment is not enough

Traditional dispute management responds to chargebacks after they are filed. At that point, the dispute has already registered in your EFM calculation window. Representment may recover the funds, but the ratio damage is done.

You reduce your EFM ratio by deflecting friendly fraud before it becomes a formal chargeback. That is precisely what Mastercard built First-Party Trust to do.

What Mastercard First-Party Trust is

First-Party Trust is Mastercard's program for deflecting friendly fraud disputes using transaction-time evidence. You share device, delivery, and identity data at checkout or at the point of dispute. Mastercard's AI matches that evidence against prior undisputed transactions and, when the match is strong, resolves the dispute before it becomes a formal chargeback.

Program timeline

  • 2023: Pilot launch in the US, Canada, and Brazil
  • October 2024: Full US availability
  • June 2025: Global expansion (Latin America, the Caribbean, Asia Pacific)

FPT operates through two technical paths: an authorization-time path via Mastercard's 3DS Identity Check Insights interface, and a post-dispute path via the Ethoca Consumer Clarity Merchant Transactions API.

How FPT compares to Visa CE 3.0

The program is Mastercard's direct equivalent to Visa's Compelling Evidence 3.0. Where Visa CE 3.0 requires you to match two prior undisputed transactions using device ID, IP address, account data, and transaction details, FPT applies Mastercard's AI to a three-category evidence set to reach the same outcome.

| | Visa CE 3.0 | Mastercard First-Party Trust |
|---|---|---|
| Purpose | Post-dispute representment defense | Pre-auth deflection + post-dispute review |
| Evidence structure | 4 elements from 2 prior undisputed transactions | 1 element from each of 3 categories (Device, Delivery, Identity) |
| Prior transaction history | Required (120-365 days prior) | Required for post-dispute path; not required for pre-auth path |
| Device signal | Device ID + IP address (2 of 4 required elements) | IP address, device ID, or device fingerprint (choose one) |
| Outcome | Win shifts liability to issuer | Deflected dispute: no formal chargeback filed |
| Monitoring program | VAMP | EFM + ECP |
| Network tool | Visa Resolve Online | 3DS Identity Check Insights + Ethoca Consumer Clarity |

When FPT triggers a liability shift

When the evidence meets FPT standards, liability shifts from you to the issuing bank. A deflected dispute does not become a formal chargeback. It does not count in your EFM or ECP ratios.

The three-category evidence framework

First-Party Trust evidence framework: Device, Delivery, and Identity categories required for Mastercard FPT dispute deflection

FPT requires one data element from each of three categories. You need all three covered at transaction time to qualify for FPT protection on that transaction.

Category 1 - Device. One of: IP address, device ID, or device fingerprint. Ties the disputed transaction to the cardholder's actual hardware and software environment.

Category 2 - Delivery. One of: shipping address, email address, or telephone number. Ties the transaction to the cardholder's known delivery identity on their issuer account.

Category 3 - Identity. One of: account ID or login history, device name, device location, or billing address. Ties the transaction to the cardholder's account-level identity rather than just the payment credential.

Where most merchants fall short

You likely have Category 2 and Category 3 covered through standard transaction and account data. The gap is typically Category 1.

IP addresses and basic device IDs appear in many transaction records, but neither provides the cross-session identity durability that Mastercard's AI needs to make a strong match against prior undisputed transactions.
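The fingerprint persistence described earlier and the three-category check above, as an added Node.js example that is not cside's or Mastercard's code. It hashes only signals expected to survive a network or browser-version change, then checks a stored transaction record for one element per FPT category; the signal names, record field names and sample data are assumptions made for illustration.

```javascript
// Added example (Node.js). Signal and field names are hypothetical; all sample data is constructed.
const { createHash } = require("node:crypto");

// Only signals expected to survive a network change or a browser update are hashed.
// IP address and user-agent version are deliberately left out.
const STABLE_SIGNALS = ["screen", "timezone", "languages", "fonts", "plugins", "hardware", "canvasHash"];

// Normalize so that list order, case and stray whitespace do not change the hash.
function canonical(value) {
  if (Array.isArray(value)) return value.map(canonical).sort();
  return String(value ?? "").trim().toLowerCase();
}

function deviceFingerprint(signals) {
  const ordered = STABLE_SIGNALS.map((key) => [key, canonical(signals[key])]);
  return createHash("sha256").update(JSON.stringify(ordered)).digest("hex");
}

// The three FPT evidence categories and their accepted elements, as listed in the article.
const FPT_CATEGORIES = {
  device: ["ipAddress", "deviceId", "deviceFingerprint"],
  delivery: ["shippingAddress", "email", "phone"],
  identity: ["accountId", "loginHistory", "deviceName", "deviceLocation", "billingAddress"],
};

const isPresent = (v) => (Array.isArray(v) ? v.length > 0 : v !== undefined && v !== null && v !== "");

// Report which categories a stored transaction record covers and which are missing.
function fptCoverage(txn) {
  const covered = {};
  for (const [category, fields] of Object.entries(FPT_CATEGORIES)) {
    covered[category] = fields.filter((f) => isPresent(txn[f]));
  }
  const missing = Object.keys(covered).filter((c) => covered[c].length === 0);
  return { qualifies: missing.length === 0, covered, missing };
}

// Merchant-side pre-check: how many prior undisputed orders share the disputed order's fingerprint.
function priorDeviceMatches(disputed, history) {
  return history.filter((t) => !t.disputed && t.deviceFingerprint === disputed.deviceFingerprint).length;
}

// Constructed sessions: same device on two networks and browser versions, then a different device.
const home = { ip: "203.0.113.10", uaVersion: "124", screen: "2560x1440", timezone: "America/Chicago",
  languages: ["en-US", "en"], fonts: ["Arial", "Helvetica", "Menlo"], plugins: ["PDF Viewer"],
  hardware: "8 cores / 16 GB", canvasHash: "c0ffee01" };
const cafe = { ...home, ip: "198.51.100.7", uaVersion: "125", fonts: ["Menlo", "Arial", "Helvetica"] };
const other = { ...home, screen: "1920x1080", canvasHash: "deadbeef" };

const history = [
  { orderId: "A-1", disputed: false, deviceFingerprint: deviceFingerprint(home) },
  { orderId: "A-2", disputed: false, deviceFingerprint: deviceFingerprint(cafe) },
  { orderId: "A-3", disputed: false, deviceFingerprint: deviceFingerprint(other) },
];
const disputedOrder = { orderId: "A-4", deviceFingerprint: deviceFingerprint(cafe),
  email: "buyer@example.com", billingAddress: "1 Example St" };

console.log(fptCoverage(disputedOrder), priorDeviceMatches(disputedOrder, history));
```

An exact hash changes whenever any included signal changes, so the choice of which signals go into `STABLE_SIGNALS` determines how persistent the identifier is.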

How FPT prevents disputes from counting in your ratios

FPT dual-path dispute deflection: pre-authorization via 3DS Identity Check Insights and post-dispute via Ethoca Consumer Clarity

When FPT intercepts a dispute before it becomes a formal chargeback, the dispute does not register in your EFM or ECP ratio calculations. Consumer Clarity data from 2025 shows a 1-4% dispute rate reduction on this pathway, which at EFM threshold levels represents meaningful ratio headroom.

Pre-authorization path: 3DS Identity Check Insights

You submit FPT data at checkout via Mastercard's 3DS Identity Check Insights flow. The device fingerprint, email address, and billing address travel with the transaction in the 3DS data payload.

Mastercard's AI assesses the risk profile in real time. Higher-confidence legitimate transactions receive a lighter dispute touch from issuers, making the cardholder less likely to receive the dispute prompt that precedes a fraudulent filing. A dispute that is never filed does not touch your EFM or ECP ratios.

Post-dispute path: Ethoca Consumer Clarity

When a dispute is filed, the Ethoca Consumer Clarity Merchant Transactions API lets you submit transaction evidence the issuer uses to re-evaluate before processing the formal chargeback cycle. If the cardholder recognizes the transaction and withdraws, the dispute does not become a formal chargeback.

This is the Mastercard equivalent of what TC40 removal via CE 3.0 does on the Visa network: resolving the dispute at the program level so it does not count against your monitoring ratio.

What the numbers look like at threshold

Consider a merchant with $4,000,000 in Mastercard e-commerce GMV per month and a 0.52% fraud-to-sales ratio. They have crossed the EFM trigger.

| Deflection rate | Fraud CBs deflected | New fraud ratio | EFM outcome |
|---|---|---|---|
| 0% (no FPT) | n/a | 0.52% | Warning, month 1 fine incoming |
| 2% (Consumer Clarity floor) | $416 | 0.510% | Still over trigger |
| 4% (Consumer Clarity ceiling) | $832 | 0.499% | Below 0.50% trigger, no fine |

At higher starting ratios (0.55% and above), FPT alone may not be sufficient. The fastest exit combines dispute deflection with lifting 3DS utilization above 50%: because all four EFM conditions must be met in the same month, clearing the 3DS condition breaks the trigger.

FPT's pre-authorization path via 3DS Identity Check Insights does both: it improves your 3DS coverage rate and provides the device signal that deflects disputes before they file.
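The four-condition trigger, the deflection arithmetic and the three-clean-month exit rule, combined in an added example that is not Mastercard's or cside's code. Thresholds are the ones quoted in this article; the record field names, the sample month, and the reading of a "clean" month as one where the trigger does not fire are assumptions.

```javascript
// Added example. Thresholds are the ones quoted in this article; field names are hypothetical.
const EFM = { minTxns: 1000, minFraudUsd: 50000, minRatio: 0.005, min3dsRate: 0.5 };

// Evaluate each of the four EFM conditions for one month of Mastercard e-commerce data.
function efmConditions(m) {
  return {
    volume: m.txns >= EFM.minTxns,
    fraudAmount: m.fraudCbUsd >= EFM.minFraudUsd,
    fraudRatio: m.fraudCbUsd / m.salesUsd >= EFM.minRatio,
    low3ds: m.threeDsRate < EFM.min3dsRate, // regulated-market floor
  };
}

// The trigger fires only when all four conditions hold in the same month.
const efmTriggered = (m) => Object.values(efmConditions(m)).every(Boolean);

// Deflected disputes never become chargebacks, so they drop out of the fraud total.
const withDeflection = (m, rate) => ({ ...m, fraudCbUsd: m.fraudCbUsd * (1 - rate) });

// Deflection rate that must be exceeded to bring the fraud ratio under 0.50%.
function deflectionNeeded(m) {
  const ratio = m.fraudCbUsd / m.salesUsd;
  return ratio < EFM.minRatio ? 0 : 1 - EFM.minRatio / ratio;
}

// Walk months in order. Assumption: a "clean" month is one where the trigger does not fire.
function efmStatus(months) {
  let enrolled = false;
  let cleanStreak = 0;
  for (const m of months) {
    if (efmTriggered(m)) {
      enrolled = true;
      cleanStreak = 0;
    } else if (enrolled && ++cleanStreak === 3) {
      enrolled = false; // three consecutive clean months
      cleanStreak = 0;
    }
  }
  return { enrolled, cleanStreak };
}

// Constructed month: $10M sales, 0.52% fraud ratio, 42% 3DS utilization.
const flagged = { txns: 120000, salesUsd: 10000000, fraudCbUsd: 52000, threeDsRate: 0.42 };
const floor = withDeflection(flagged, 0.02);   // ratio 0.5096%, still triggers
const ceiling = withDeflection(flagged, 0.04); // ratio 0.4992%, trigger broken
const more3ds = { ...flagged, threeDsRate: 0.55 }; // ratio unchanged, trigger broken

console.log(efmTriggered(floor), efmTriggered(ceiling), efmTriggered(more3ds));
console.log(efmStatus([flagged, ceiling, ceiling, flagged, more3ds, more3ds, more3ds]));
```

For a 0.55% starting ratio `deflectionNeeded` returns about 9.1%, above the 1-4% range quoted for Consumer Clarity, which is why deflection alone may not clear the ratio at that level.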

How cside provides the browser-layer evidence FPT requires

cside fingerprinting dashboard

What cside captures

cside captures device fingerprints at the browser layer, the same environment where card-not-present transactions originate. Every session on your site generates a persistent device hash.

That hash feeds into both FPT's pre-authorization path (via 3DS / Identity Check Insights) and its post-dispute evidence path (via Ethoca Consumer Clarity). The same evidence that wins Visa CE 3.0 cases also powers Mastercard FPT.

What most chargeback and anti-fraud tools miss

Many chargeback and anti-fraud solutions focus on transaction-level data: the order record, payment confirmation, and shipping address. What they often lack is deep visibility into the device environment the cardholder used to complete the transaction.

Even when a fraud suite includes device fingerprinting, it is frequently a secondary feature rather than a purpose-built evidence layer. The signal may not be persistent or detailed enough for dispute evidence matching. cside captures that layer as its core function.

One evidence layer, both networks

For Visa, cside's data satisfies the device element in CE 3.0's four-point evidence requirement. For Mastercard, it satisfies Category 1 of FPT's three-category framework. The evidence standard is different in structure; the underlying data is the same.

The Chargebacks911 partnership

cside works with Chargebacks911 in a partnership that combines browser-layer evidence capture with specialist dispute representment operations. When you integrate cside's evidence into your FPT workflow, you gain device fingerprint data that enriches both the pre-authorization Mastercard signal and the post-dispute Ethoca Consumer Clarity submission.

Fastest path to FPT

In my experience working with merchants across e-commerce, subscriptions, and travel, the teams that onboard fastest are the ones already running browser-layer evidence for Visa CE 3.0. The device fingerprint is already captured. Mapping it to FPT's Category 1 requirement is a configuration step, not a new implementation.

The same evidence capture that protects your Visa VAMP ratio also protects your Mastercard EFM and ECP ratios. One evidence layer. Both card networks covered.


Note on sources

EFM and ECP threshold and fine data: sourced from Mastercard program documentation and corroborated across Chargebacks911, Braintree/PayPal developer documentation, and ChargebackStop. All four EFM trigger conditions and fine escalation schedule ($500 month 2 through $100,000 month 19+) are consistent across sources.

Dispute rate reduction (1-4%): Mastercard and Stripe joint presentation, Stripe Sessions 2025: "Mastercard: Strategies for Reducing Chargebacks". Figure represents the range observed across Consumer Clarity deployments; merchants in digital goods verticals with higher first-party misuse concentration typically see results toward the upper end of the range.

First-party misuse prevalence (up to 75% of chargebacks): Visa's "Fraud as a Service Trends" knowledge hub. The figure refers to friendly fraud as a share of all chargebacks in 2022, not exclusively fraud-coded chargebacks. Industry reporting from multiple sources is consistent with this estimate.

FPT program timeline: 2023 pilot in the US, Canada, and Brazil; October 2024 US full availability; June 2025 global expansion (Latin America, Caribbean, Asia Pacific). Sourced from Mastercard developer documentation, Mastercard Newsroom, and corroborating merchant acquirer communications.

One in eight Americans (first-party fraud admission): Mastercard and Stripe joint research, cited in Stripe Sessions 2025.


About the author

Mike Kutlu is Head of GTM at cside. He works directly with Heads of Payments, Risk, and Finance at e-commerce, subscription, and digital goods merchants on implementing browser-layer chargeback evidence for Visa Compelling Evidence 3.0 and Mastercard First-Party Trust. He covers VAMP, EFM, ECP, TC40 mechanics, and dispute evidence strategy for enterprise merchants. His focus is the operational gap between how card networks define dispute evidence and what most chargeback tools actually capture.


Client-side security consultant at cside. 10+ years of experience implementing technology solutions for enterprises (previously at Oracle, Cloudflare, and Splunk). Now helping teams use client-side intelligence to catch & reduce fraud.

Frequently Asked Questions

First-Party Trust is Mastercard's program for deflecting friendly fraud disputes before they become formal chargebacks. Merchants submit device, delivery, and identity evidence at checkout or at the point of dispute. Mastercard's AI uses that evidence to resolve disputes through issuer-cardholder engagement rather than the formal chargeback cycle.

Both programs use device and identity evidence to prove a disputed transaction was authorized. Visa CE 3.0 requires two prior undisputed transactions with four specific data elements. Mastercard FPT uses a three-category evidence framework and applies AI risk modeling, with some merchants enrolling without a prior transaction history requirement via the pre-authorization path.

EFM enrollment requires four conditions in the same month: 1,000 or more Mastercard e-commerce transactions, $50,000 or more in fraud chargebacks, a fraud-to-sales ratio of 0.50% or above, and 3DS utilization below 50% in regulated markets. All four must be present simultaneously. Fines begin in month two and escalate to $100,000 per month by month 19.

The post-dispute FPT path works similarly to CE 3.0 and benefits from prior undisputed transaction matching. The pre-authorization path (submitting FPT data via Mastercard's 3DS Identity Check Insights at checkout) does not require prior transaction history. It applies Mastercard's AI to the real-time transaction signals provided by the merchant.

Yes. The device fingerprint captured by cside's browser-layer instrumentation satisfies the device data element in Visa CE 3.0 and the Category 1 Device requirement in Mastercard FPT. One evidence capture covers both card networks.
