Visa on April 15 is changing its chargeback resolution model, ostensibly to standardize disputes between cardholders and merchants.

Visa Inc. on April 15 is changing its chargeback resolution model, ostensibly to standardize disputes between cardholders and merchants and encourage more automation and better workflows by aggregating nearly two dozen chargeback codes in four more simplified groups.

The new rules will also limit merchants to respond within 30 days, rather than the previous 45; and issuers will be limited to disputing a maximum of 35 e-commerce transactions within any 120-day period.

The change will likely mean more work for online merchants and a reduction of as much as 15% in disputes, especially since merchants will be required to offer more detailed evidence of a valid transaction, experts say.

The change comes amid significant shift in the number of global investigations to e-commerce from bricks-and-mortar merchants among Visa’s clients, says Glen Jones, Visa’s senior director for risk and authentication products.

“Cybercriminals are likely following the money,” he says.


As online retail has grown in leaps and bounds in recent years, so too have the interests of cybercriminals looking to cash in by defrauding or stealing from this sector. Indeed, e-commerce sales have increased year-over-year with some in the industry reporting that global e-commerce sales figures of $2.3 trillion in 2017, compared to just $1.9 trillion in 2016 and $1.5 trillion in 2015, according to Visa’s data.

Aside from the growth in overall transactions and money involved, Jones claims that online attackers are looking to internet retailers with a typical attack scenario that involves “taking advantage of unprotected web server administrative consoles accessible from the internet, many times with weak authentication, unpatched web servers and payment applications or insecure file and web form upload functionality.

“These [vulnerabilities] allow attackers to introduce malware onto the web server,” he says, adding that “one of the biggest risks online retailers face is being unprepared for very aggressive adversaries. Cybercriminals are constantly scanning systems and attempting to exploit any vulnerability they can identify to obtain access to payment data.” Hence, if online retailers lack the capacity to “act quickly” it becomes a race between the retailer’s ability to fix vulnerabilities and the attackers who are quick to exploit them, Jones points out.