Fraud Prevention and Chargebacks: Guide for UK Merchants (2026) - Business Expert

Fraud Prevention and Chargebacks: A Guide for UK Businesses

How UK businesses prevent payment fraud and win chargebacks: CNP fraud controls, 3DS2, dispute evidence, and what acquirers expect from your risk setup.


For most UK businesses, fraud and chargebacks become real problems at the same time — usually when the first dispute arrives. By then, the controls that would have prevented it, or the evidence that would have won it, are already missing.

In this guide, we cover how payment fraud works, what the fraud prevention toolkit actually does, how chargebacks are processed, what evidence wins disputes, and what happens when your chargeback ratio gets too high.

How Payment Fraud Works Against UK Merchants

Card-not-present (CNP) fraud is the dominant type for UK e-commerce businesses. The fraudster uses stolen card credentials — obtained through data breaches, phishing, or card skimming — to place orders online. The physical card never changes hands. The legitimate cardholder disputes the transaction, triggering a chargeback.

Friendly fraud is different. Here the cardholder is genuine — they placed the order, received the goods or service, and then disputed the transaction anyway.

Motivations vary: some are deliberate, some result from family members using a card without the account holder’s knowledge, and some come from customers who could not find a returns process and went straight to their bank.

Account takeover (ATO) fraud targets your customers’ accounts on your platform rather than specific transactions. The fraudster gains access to a customer account, changes the delivery address or payment details, and places orders. The account holder disputes the resulting charges.

We set out the main fraud types in order of frequency for UK online businesses below. CNP fraud and friendly fraud together account for the vast majority of disputes UK merchants face — we cover each in turn.

The Fraud Prevention Toolkit for Online Payments

3D Secure 2 (3DS2) is the most important fraud control available to UK online merchants. When a customer authenticates through 3DS2 — using a bank app notification, biometric, or OTP — liability for any subsequent fraud claim shifts from you to the issuing bank.

Your chargeback exposure on authenticated transactions drops to near zero for fraud-related disputes.

Under the UK’s Strong Customer Authentication (SCA) rules, most online card payments above £30 require authentication. 3DS2 is the mechanism that handles this.

If you are not using 3DS2, you are both non-compliant with SCA and carrying avoidable fraud liability. We explain how to check your current 3DS2 status in the section on the fraud prevention toolkit.

AVS (Address Verification Service) checks whether the billing address provided at checkout matches the address on file with the card issuer. CVV checks verify the three-digit code on the back of the card.

Both are baseline filters: they catch simple fraud attempts but offer no protection against attackers who have obtained full card details, including the billing address that AVS checks and the CVV.

Velocity checks flag unusual patterns in real time: multiple transactions from the same IP address in a short window, rapid cycling through multiple card numbers, or high-value first orders from newly created accounts.

Most payment gateways include configurable velocity rules. Set them — the defaults are rarely tight enough for e-commerce.
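
The three velocity patterns above, shown as an added example (not code from this guide or from any gateway's rule engine): a sliding-window check run over constructed order events. The thresholds, field names and rule names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
# Hypothetical event shape; "card" is a gateway token, never the PAN.
Txn = namedtuple("Txn", "id ts ip card account account_created amount_gbp")

# Assumed thresholds for illustration; tune them to your own traffic.
WINDOW = timedelta(minutes=10)
MAX_TXNS_PER_IP = 3
MAX_CARDS_PER_IP = 2
NEW_ACCOUNT_AGE = timedelta(hours=24)
HIGH_VALUE_GBP = 500.0

def velocity_flags(txns):
    """Return {txn id: [rule names]} for transactions that trip a rule."""
    by_ip = defaultdict(deque)   # ip -> transactions still inside WINDOW
    seen_accounts = set()        # accounts that have already ordered
    flags = {}
    for t in sorted(txns, key=lambda x: x.ts):
        recent = by_ip[t.ip]
        while recent and t.ts - recent[0].ts > WINDOW:
            recent.popleft()     # expire events older than the window
        recent.append(t)
        hits = []
        if len(recent) > MAX_TXNS_PER_IP:
            hits.append("ip_velocity")
        if len({r.card for r in recent}) > MAX_CARDS_PER_IP:
            hits.append("card_cycling")
        first_order = t.account not in seen_accounts
        seen_accounts.add(t.account)
        if (first_order and t.amount_gbp >= HIGH_VALUE_GBP
                and t.ts - t.account_created < NEW_ACCOUNT_AGE):
            hits.append("new_account_high_value")
        if hits:
            flags[t.id] = hits
    return flags

T0 = datetime(2026, 4, 1, 12, 0)
def _t(i, mins, ip, card, acct, age_h, amt):
    return Txn(i, T0 + timedelta(minutes=mins), ip, card, acct,
               T0 - timedelta(hours=age_h), amt)
SAMPLE = [  # constructed events; IPs are RFC 5737 documentation addresses
    _t("t1", 0, "203.0.113.7", "tok_a", "acct1", 900, 40.0),
    _t("t2", 2, "203.0.113.7", "tok_b", "acct1", 900, 40.0),
    _t("t3", 3, "203.0.113.7", "tok_c", "acct1", 900, 40.0),
    _t("t4", 4, "203.0.113.7", "tok_d", "acct1", 900, 40.0),
    _t("t5", 5, "198.51.100.9", "tok_e", "acct2", 1, 750.0),
    _t("t6", 30, "203.0.113.7", "tok_a", "acct1", 900, 40.0),
]
print(velocity_flags(SAMPLE))
```

The last event comes from the same IP but falls outside the ten-minute window, so it is not flagged; a window set too wide would keep flagging a legitimate returning customer.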

Device fingerprinting tracks characteristics of the device used to place an order. Returning devices associated with previous fraud or shared across suspicious orders can be flagged or blocked. This sits in the fraud toolkits provided by Stripe Radar, Checkout.com’s risk engine, and third-party solutions like Signifyd.

3DS2 liability shift: what it covers and what it does not
The 3DS2 liability shift covers fraud-related chargebacks — cases where the cardholder claims they did not authorise the transaction. It does not cover service chargebacks (goods not received, significantly not as described). A fully authenticated order where you shipped the wrong product can still result in a chargeback you will lose.

How Chargebacks Work: The Full Process

A chargeback begins when a cardholder contacts their bank to dispute a transaction. The issuing bank reviews the dispute and, if it meets the threshold for a valid claim, initiates a reversal. The funds are pulled from your acquirer, who debits your account and notifies you of the chargeback.

You then have a response window — typically 20 to 45 days depending on the card scheme and reason code — to submit evidence challenging the reversal. Miss the window and you lose automatically.

Your acquirer or payment processor provides a portal or process for this. We cover what evidence to submit by dispute type in the section below.

Chargeback fees of £15–£25 per case are charged by most acquirers regardless of outcome. If you win the representment (the formal dispute submission), the transaction value is returned — but the chargeback fee usually is not. This means even winning a dispute has a cost.

Chargeback reason codes tell you why the dispute was raised. Common codes: “cardholder does not recognise” (potential CNP fraud), “goods not received”, “goods not as described”, “credit not processed”. Your defence strategy depends on the reason code — evidence for a fraud claim differs from evidence for a service dispute.

Building a Chargeback Defence: What Evidence Wins

The single most common reason merchants lose chargebacks is not that they were wrong — it is that they could not produce the evidence quickly enough or in the right format. We set out what winning evidence looks like by transaction type.

For physical goods: signed proof of delivery is your strongest asset. Back it up with courier tracking showing delivery to the cardholder’s address, the order confirmation sent to the cardholder’s email, IP address and device data from the order, and a copy of your terms and conditions showing the cardholder agreed to the purchase.

For digital goods and downloads: proof of access or delivery — login timestamps, download logs, activation records — sent to the email address on the account. IP address matching the billing address region.

Screen captures of account activity after the claimed dispute date (showing the cardholder continued using the service) are particularly compelling.

For services: signed contract or written agreement showing what was agreed. Evidence of delivery — meeting notes, files delivered, access logs, communications sent. Any response from the customer acknowledging receipt or quality of the service before the dispute was raised.

For friendly fraud specifically: evidence that the customer engaged positively after the claimed dispute date — a follow-up email, a renewal, a login — can be decisive. Stripe, PayPal, and most acquirers provide order data exports you can pull into a dispute response quickly if your records are in order.

Chargeback Evidence by Dispute Type

We have set out the key evidence required by dispute type. Requirements vary by card scheme and reason code — check your acquirer’s dispute guide for scheme-specific rules.

| Dispute type | Key evidence | Common weak spots |
| --- | --- | --- |
| CNP fraud (“didn’t authorise”) | 3DS2 authentication record, device fingerprint, IP match to billing region | No 3DS2 = automatic liability; missing device data |
| Goods not received | Signed proof of delivery, tracking to cardholder address, dispatch confirmation | Tracking shows delivery but no signature; wrong address used |
| Goods not as described | Product description at time of purchase, photos of item shipped, return policy shown at checkout | Vague product descriptions; no timestamped product page |
| Digital goods / services not received | Access logs, download records, login timestamps, email delivery confirmation | No usage logs; access granted but not recorded |
| Credit not processed | Refund confirmation with date, bank transfer record, email to cardholder | Refund issued to different card; delay between refund and dispute |
| Friendly fraud (genuine purchase disputed) | Post-dispute customer activity (logins, emails, renewals), signed T&Cs, full order history | No post-dispute activity record; no T&Cs acceptance captured |

Chargeback Ratios and What Happens When You Breach Them

Visa and Mastercard both monitor chargeback ratios at the merchant level. Your ratio is calculated as chargebacks received in a month divided by transactions processed in the same month.

Visa’s Dispute Monitoring Programme triggers at 1% chargeback ratio or 100 chargebacks per month. Mastercard’s Excessive Chargeback Programme triggers at 1.5% ratio or 100 chargebacks. Both programmes involve additional fees, mandatory remediation plans, and — if ratios persist — potential termination of your merchant account.

Your acquirer applies its own thresholds, which are typically stricter. Some act at 0.5% ratio, adding fees or restricting daily processing volumes before you reach scheme-level thresholds. Read your acquiring contract for the specific trigger points.

Merchants placed on monitoring programmes are required to submit monthly remediation reports. Continued breach results in account termination and placement on the MATCH list — a database of terminated merchants that makes obtaining a new merchant account difficult for up to five years.

We explain what the MATCH list is in the FAQs below.

Reducing Chargebacks From Friendly Fraud

Friendly fraud — genuine purchases disputed by the cardholder — accounts for a growing share of UK chargeback volume. Most of it is preventable through better operational practices rather than better fraud controls.

Your billing descriptor is the name that appears on the customer’s bank statement. If it reads as an opaque code or a parent company name the customer does not recognise, “I don’t recognise this charge” disputes follow. Set your descriptor to your trading name as it appears on your website.

An easy refund process is a direct substitute for chargebacks. Customers who can get a refund in two clicks will use it. Customers who cannot find a refund policy, or face friction in the returns process, go straight to their bank.

We have seen businesses reduce chargeback rates by 30–40% simply by making the refund flow more visible.

Pre-dispute alerts from services like Verifi (Visa) and Ethoca (Mastercard) notify you of an impending dispute before it becomes a formal chargeback. You can issue a refund to close it, avoiding the fee and protecting your ratio.

Both services charge per alert resolved, but the cost is lower than a chargeback fee plus ratio risk.

Order confirmation emails sent immediately after purchase reduce “I forgot I ordered this” disputes. Including a clear description of what was purchased, the amount charged, and how to contact customer support gives the customer an alternative to disputing before the charge even appears on their statement.

Bottom line: Enable 3DS2, set your billing descriptor correctly, and build a refund flow that is easier than disputing. Most UK merchant chargebacks are preventable through operational fixes rather than technical fraud controls.

Frequently Asked Questions

How long do I have to respond to a chargeback?
The response window varies by card scheme and reason code. Visa disputes typically allow 20 days for the first response. Mastercard allows 45 days in most cases. Your acquirer or payment processor will specify the deadline in the dispute notification — missing it means automatic loss. Some acquirers have shorter internal deadlines, so respond as quickly as possible rather than waiting until the last day.

Does winning a chargeback dispute get my fee back?
Usually not. The chargeback fee (typically £15–£25) is charged when the dispute is filed and is not refunded even if you win the representment. If you win, the transaction value is returned to your account, but the fee remains. Some acquirers have policies on this — check your contract.

What is the MATCH list and how do I avoid it?
MATCH (Member Alert to Control High-Risk Merchants) is a shared database maintained by Mastercard listing merchants whose accounts have been terminated for excessive chargebacks, fraud, or other breaches. Visa operates an equivalent system (VMSS). Placement on MATCH makes it very difficult to open a new merchant account with most acquirers for up to five years. Avoiding it requires keeping your chargeback ratio below acquirer and scheme thresholds and resolving any remediation programme requirements promptly.

Does 3D Secure guarantee I won’t lose a chargeback?
No. 3DS2 provides a liability shift specifically for fraud-related chargebacks — cases where the cardholder claims they did not authorise the transaction. It does not cover chargebacks raised for other reasons: goods not received, goods not as described, credit not processed, or service disputes. A fully 3DS2-authenticated order where you failed to deliver the product will still result in a chargeback you are liable for.

Can I dispute every chargeback?
You can submit a representment for any chargeback, but you should assess each one before doing so. If the customer has a legitimate grievance — goods were not delivered, the product was defective — disputing wastes your response resources and you will lose. Focus your representment efforts on clearly fraudulent claims and friendly fraud where you have strong evidence. Your win rate matters: high volumes of unsuccessful representments signal poor dispute management to your acquirer.

What happens if my chargeback ratio goes above 1%?
Above 1%, you enter Visa’s Dispute Monitoring Programme or Mastercard’s Excessive Chargeback Programme. You will face additional fees per chargeback (often £25–£50 on top of the standard fee), be required to submit a monthly remediation plan, and risk acquirer-imposed processing restrictions. If ratios stay above threshold for several months, the acquirer will typically terminate the merchant account. Your acquiring contract will specify exactly what thresholds and penalties apply.

How we put this guide together

This guide draws on published Visa Dispute Monitoring Programme rules, Mastercard’s Excessive Chargeback Programme documentation, UK Finance fraud data, and the Strong Customer Authentication requirements under the Payment Services Regulations 2017.

Chargeback thresholds and fee ranges are based on published scheme rules and publicly available acquirer documentation as of April 2026. We recommend confirming specific thresholds and procedures directly with your acquirer, as they vary by contract.

This is editorial guidance, not legal or regulated financial advice. We have no commercial relationship with any acquirer, fraud tool provider, or dispute resolution service named in this article.