Chris W. Smith

Visa Enhanced Evidence (CE 3.0) Stripe Integration

A stack of Visa credit cards, with a single Mastercard in the middle of the stack.

Device Fingerprinting: Tackling Visa CE 3.0 Requirements

When you’re running an e-commerce platform, chargebacks are one of those things that can really eat into your profit margins. They’re annoying, time-consuming, and cost you both the revenue from the sale and additional processing fees. So when Visa announced their Enhanced Evidence (CE 3.0) requirements, it presented both a challenge and an opportunity for our team.

For those unfamiliar, Visa’s CE 3.0 program (launched in April 2023) is essentially a way to fight illegitimate chargebacks, what the industry calls “friendly fraud,” by providing stronger evidence that a transaction was legitimate. Under the new framework, if you can prove that certain elements of a disputed transaction match elements from previous undisputed transactions from the same card, you have a much better chance of winning the dispute and ensuring the fraud claim is overturned.

The catch? One of the required matching elements must be either an IP address or a device fingerprint and Visa will only accept prior transactions that are at least 120 days old but fewer than 365 days old. This created a technical hurdle for our platform since we weren’t consistently capturing device fingerprinting data.

Our payment processing was already integrated with Stripe, and we were already using their JavaScript library for checkout flows. But the problem was that we weren’t collecting device fingerprinting data systematically across all our user interfaces. Some were capturing IP addresses (though not consistently), but device fingerprinting was entirely missing.

Without this data, we were missing out on a key component of Visa’s CE 3.0 requirements, which meant we were likely losing disputes we could have won. And in the e-commerce world, every lost dispute impacts not just your bottom line but also your overall fraud ratios with card networks.

We knew we had to add device fingerprinting, but we wanted to do it in a way that wouldn’t disrupt the user experience or introduce performance issues. After evaluating various options, we decided to implement a third-party fingerprinting library that would work well with our existing Stripe integration.

The plan was straightforward in concept but needed careful execution across our platform: implement device fingerprinting everywhere, ensure consistent IP address capture, and update our backend to properly store and transmit this data to Stripe.

The implementation needed to work across all our various interfaces without requiring extensive reworking of each one. Since we already had Stripe’s JavaScript on our checkout pages, we added our third-party fingerprinting solution alongside it. The key was ensuring this happened early in the checkout process, so we could capture the fingerprint before any payment attempt.

For the backend (PHP), we modified our payment processing code to always include the required data when creating charges through Stripe’s API. This involved consistently passing along the IP address, customer email, shipping address, and most importantly, the device fingerprint with each transaction.

One tricky aspect was handling mobile applications, where device fingerprinting works differently than on the web. We had to implement a solution that would work consistently across platforms while still meeting Visa’s requirements.

The most elegant part of the solution was how we handled historical data. We couldn’t go back in time to collect fingerprints for past transactions, but we could ensure that from implementation forward, every transaction would have the necessary data for future dispute cases. This meant that over time, our dispute win rate would naturally improve as more transactions contained the required evidence.

After rolling out the implementation, we started seeing the benefits almost immediately. Stripe’s system was able to automatically identify qualifying previous transactions when disputes came in, reflecting this eligibility in dispute notifications. This made it much easier for our team to counter fraudulent disputes.

The impact on our dispute management process was significant: higher success rate in countering fraudulent disputes, reduced time spent gathering evidence, improved fraud ratios with card networks, and better data for overall fraud analysis and prevention.

The most satisfying part was seeing cases where a seemingly legitimate chargeback claim was denied because our system could prove the same device had been used for multiple undisputed purchases in the past. This is exactly what Visa’s CE 3.0 program was designed to do, protect merchants from friendly fraud while still allowing legitimate dispute claims to proceed.

Implementing this solution taught us several valuable lessons about payment processing and fraud prevention. First, seemingly minor technical details like device fingerprinting can have outsized impacts on your bottom line. Second, implementing industry-standard tools rather than building everything yourself can save enormous amounts of time and effort. Finally, fraud prevention is never “done,” it’s an ongoing process of adaptation as the rules and technologies change.

For anyone running an e-commerce platform, I strongly recommend reviewing your payment flows to ensure you’re capturing all the data needed for CE 3.0 eligibility. The upfront investment is minimal compared to the ongoing savings from reduced chargebacks. And remember, the best defense against chargebacks isn’t just winning disputes, but preventing fraud in the first place.