Friendly fraud is the dispute you lose even though you did nothing wrong. A cardholder forgets the trial converted, sees a charge they do not recognize on the statement, and tells their bank it was fraud. The charge was real, the service was delivered, and the card was used by the legitimate account holder. That last fact is the opening Visa and Mastercard now give you, and subscription businesses are unusually well positioned to use it.

This lesson is about the two networks' first-party misuse frameworks: Visa's Compelling Evidence 3.0 and Mastercard's First-Party Trust. The general dispute system, representment mechanics, and acquirer monitoring programs live in their own modules. Here we stay on the recurring-charge seat: how a billing history becomes admissible evidence, and how to capture the data that makes it work.

Why recurring billing changes the math

Most fraud disputes are hard to defend because the merchant has one transaction and the cardholder's word against it. A subscription merchant almost never has just one transaction. We have a signup, an initial customer-initiated charge, and a chain of merchant-initiated renewals, all tied to the same account.

That chain is the asset. Both networks have rebuilt their first-party fraud rules around the idea that a documented pattern of prior, undisputed use is stronger evidence than any receipt or terms-of-service screenshot. If you can show the same customer transacted with you before and never complained, the fraud claim collapses.

The catch is that you only get to use the chain if you captured the right fields at the right moments. The defense is built at signup, not at dispute time.

Visa Compelling Evidence 3.0

CE3.0 applies specifically to Visa dispute reason code 10.4, "Other Fraud, Card-Absent Environment." It lets a merchant rebut the fraud claim by pointing to two prior transactions from the same cardholder that share matching data with the disputed one.

The qualifying criteria

To qualify, you need two prior transactions that were paid, undisputed, and never reported as fraud. Validation or authorization-only charges do not count. Each must be between 120 and 365 days older than the disputed transaction. The 120-day floor does not apply when the prior transactions were original credit transactions.

Across all three transactions (the two priors plus the disputed one) you must match at least two data elements from this set: customer login ID, device ID or fingerprint, IP address, and delivery address. At least one of the two matches must be the IP address or the device ID or fingerprint. A login ID plus a shipping address alone is not enough.

When the criteria are met and submitted, Visa treats the fraud claim as invalid and liability shifts to the issuer. Critically, this works in the pre-dispute window through Verifi's Order Insight, so a qualifying case can be deflected before it ever becomes a chargeback and counts against your dispute ratio.

Where subscriptions get an edge

For recurring billing, Visa allows data elements captured during the initial customer-initiated transaction or subscription setup to be used for the later merchant-initiated renewals. That matters because a renewal charge runs server-side with no live customer device or IP. Without this carry-forward rule, renewals would have no device or IP to match and would never qualify. With it, the signup session's device ID and IP become the matching elements for every renewal that follows.
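The qualifying criteria and the carry-forward rule above, written as an eligibility check. This is an added example, not code from Visa, Verifi, or any processor. The field names, the `Txn` record, and the sample data are assumptions made for illustration, and the original-credit exception to the 120-day floor is not modelled.

```python
from dataclasses import dataclass, field
from datetime import date
from itertools import combinations

# Field names are assumptions for this example, not a network or processor schema.
ELEMENTS = ("login_id", "device_id", "ip_address", "delivery_address")
ANCHORS = {"device_id", "ip_address"}  # at least one match must be one of these

@dataclass
class Txn:
    txn_id: str
    on: date
    settled: bool = True         # paid; validation/auth-only charges are False
    disputed: bool = False
    fraud_reported: bool = False
    evidence: dict = field(default_factory=dict)

def stamp_renewal(txn_id, on, signup_evidence, **flags):
    """Carry signup-session identifiers forward onto a server-side renewal."""
    return Txn(txn_id, on, evidence=dict(signup_evidence), **flags)

def matched_elements(txns):
    """Elements that are present and identical on every transaction."""
    first = txns[0].evidence
    return {e for e in ELEMENTS
            if first.get(e) and all(t.evidence.get(e) == first[e] for t in txns)}

def ce3_qualify(disputed, history):
    """Return (prior_a, prior_b, matched) for the first qualifying pair, else None."""
    eligible = [t for t in history
                if t.settled and not t.disputed and not t.fraud_reported
                and 120 <= (disputed.on - t.on).days <= 365]
    for a, b in combinations(eligible, 2):
        m = matched_elements([a, b, disputed])
        if len(m) >= 2 and m & ANCHORS:
            return a.txn_id, b.txn_id, sorted(m)
    return None

# Constructed sample data: identifiers captured at a logged-in signup session.
SIGNUP = {"login_id": "user-1001", "device_id": "fp-3c9a", "ip_address": "203.0.113.7"}
HISTORY = [
    stamp_renewal("r-2024-02", date(2024, 2, 1), SIGNUP, disputed=True),
    stamp_renewal("r-2024-03", date(2024, 3, 1), SIGNUP),
    stamp_renewal("r-2024-04", date(2024, 4, 1), SIGNUP),
    stamp_renewal("r-2024-08", date(2024, 8, 1), SIGNUP),  # under 120 days: skipped
]
DISPUTED = stamp_renewal("r-2024-09", date(2024, 9, 1), SIGNUP)

if __name__ == "__main__":
    print(ce3_qualify(DISPUTED, HISTORY))
```

A history stamped with only a login ID and a delivery address returns `None`, because neither matching element is a device ID or IP address.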

A worked example

A streaming service charges a customer $14.99 per month. The customer signed up in January 2025 from a logged-in session, and the service captured the login ID, device fingerprint, and IP address at that moment. Renewals ran in February, March, and onward.

In December 2025 the customer disputes the November charge as fraud under 10.4. To defend it, we pull two prior undisputed renewals: the September and October charges. Both are paid, undisputed, never reported as fraud, and both fall inside the 120-to-365-day window relative to the November dispute. Each carries the device fingerprint and login ID inherited from the January signup.

We submit device fingerprint plus login ID as the two matching elements across all three transactions, with the device fingerprint satisfying the required device-or-IP element. The criteria are met, the fraud claim is invalidated, and liability shifts to the issuer. Had we only stored the renewal amounts and dates, we would have had nothing to match on and would have eaten the loss.

Mastercard First-Party Trust

Mastercard runs a parallel program. First-Party Trust launched in the United States in October 2024 and expanded internationally through 2025. It applies to first-party fraud disputes, most often reason code 4837, "No Cardholder Authorization."

The data model is structured differently from Visa's. To qualify, merchants submit at least one data point from each of three categories: device identity (IP address or device fingerprint), delivery information, and an additional identity factor such as account login or phone number. Mastercard validates the evidence and, if it holds, grants liability protection on that transaction.

The practical implication is that you should instrument for both networks at once. Visa wants two matching elements with a device-or-IP anchor across three transactions; Mastercard wants one element from each of three categories. A signup-time capture of device fingerprint, IP address, account login, phone number, and delivery address satisfies both.

What to instrument now

Capture and store, per account, at the customer-initiated signup: device ID or fingerprint, IP address, account login ID, phone number, and delivery or billing address. Stamp each subsequent renewal with the carried-forward signup identifiers so a renewal can be matched as a CE3.0 transaction.

Keep these fields queryable for at least 14 months, the 365-day ceiling plus a buffer, so the 120-to-365-day window is always reachable. This is operational guidance, not a network mandate. Wire the data into a pre-dispute deflection feed (Order Insight for Visa, the equivalent Mastercard path) so qualifying cases never become chargebacks. A dispute you deflect pre-chargeback does not touch your ratio; a representment you win still counts as a dispute received.

The takeaway

CE3.0 and First-Party Trust reward merchants who treated billing data as evidence before they needed it. The subscription model hands you a transaction history that the networks now accept as proof of legitimate use, but only if you captured device, IP, and identity fields at signup and carried them forward to every renewal. Build that capture into your billing architecture and friendly fraud stops being a write-off and becomes a case you win automatically.
