Pillar Guide
Visa CE 3.0 for Gambling: The Dispute Remedy Casinos Already Hold
Casinos generate the evidence Compelling Evidence 3.0 wants on every deposit: login ID, device, IP. We read Visa's 923-page rules for what matters to gambling: the US carve-out that strips 3DS protection from casino MCCs, the payout detail nobody noticed, and the April 2026 VAMP interaction.
Editorial Team
VerifiediGaming Payment Solutions
Visa processed 106 million disputes in 2025, up 35% since 2019, and by the network's own research the majority of card-absent fraud claims are first-party: the cardholder was there, the purchase was real, the "fraud" is regret. No vertical knows this pattern better than gambling, where the Monday-morning dispute on a weekend of losing deposits is practically a product feature. Visa built a remedy aimed squarely at this pattern, and it runs on evidence a casino cashier captures by default: the login ID, the device, the IP address. This article is what came out of reading the 923-page April 2026 edition of the Visa Core Rules for the gambling angles, and two of them we have not seen documented anywhere else.
Compelling Evidence 3.0 gets covered plenty in generic terms; the VAMP math for gambling is our own companion piece and the ratio side of this story. What follows is the CE 3.0 mechanics in full, because for a US-facing casino this is not one dispute tool among several. Buried in the dispute-validity tables is a carve-out that means 3DS never protected US gambling from fraud disputes in the first place, which quietly makes CE 3.0 the only liability lever the vertical has.
What this is based on
The mechanics below are verified against Visa's own documents: the Core Rules edition of April 18, 2026 (dispute tables 11-27 and 11-28, remedy rule 11.7.5), Visa's CE 3.0 Merchant Readiness guide and client FAQs, the Verifi Order Insight merchant FAQ, and the published fact sheet. One load-bearing item, the April 2026 extension to undisputed fraud reports, exists in acquirer-side bulletins rather than the public rules, and is flagged as such where it appears.
A remedy, not an argument
Compelling evidence in the old sense, which still exists in the rules as a parallel track, is an argument: photographs, signed receipts, a delivery confirmation to an AVS-matched address, submitted for the issuer to weigh and free to reject. CE 3.0, live since April 15, 2023, is a different legal object. When the qualification criteria are met, the dispute is remedied: blocked before it is born if the match happens at the pre-dispute stage, or formally shifted to issuer liability afterward. Visa's own FAQ draws the line plainly: the acquirer remedies the dispute "rather than supply compelling evidence that the cardholder could dispute further."
The scope is narrow and it happens to be the gambling scope. CE 3.0 applies to one dispute condition only: 10.4, Other Fraud, Card-Absent Environment, which is where bet-regret arrives when a player tells their bank they never made those deposits.
The qualification math
The rule wants a history. Specifically: at least two prior undisputed transactions on the same card, aged between 120 and 365 days counting back from the dispute's processing date, each sharing data elements with the disputed transaction. The window anchors to the dispute date, not the transaction date; enough vendor write-ups get this wrong that it is worth stating from the rules directly.
The matching rule is the load-bearing clause. The prior transactions must match the disputed one on at least two of four elements: customer account or login ID, full delivery address, IP address, and device ID or device fingerprint, and one of the two must be the IP address or the device identifier. Device ID and device fingerprint count as the same class; the rules explicitly bar submitting both. The April 2026 edition also pins formats: the login ID in clear text as the cardholder would recognize it, device IDs of at least 15 characters, device fingerprints of at least 20 characters built from two or more device properties (hashing allowed there and only there), public IPs in clear text. Two more boundaries matter in practice: the prior transactions must be clean of fraud reports themselves, and Visa grants one submission attempt per dispute, so the data goes in right the first time or not at all.
For a merchant that ships goods, assembling this history is an engineering project. For a casino it is a description of the session log. Every deposit carries a login ID because there are no guest checkouts in gambling; KYC saw to that. Every session carries a device and an IP. The one element a casino lacks, the delivery address, is the one element the rule does not require, and Visa's FAQ confirms billing address cannot stand in for it precisely because digital merchants are expected to qualify on the other three.
3 of 4
CE 3.0 data elements a gambling cashier captures by default: login ID, device, IP; delivery address is the fourth, and not required
The wider catalog view: 15 of the 75 providers we track carry zero operator chargeback liability by rail design (wallets, A2A, crypto). For the card share of a casino's mix, CE 3.0 is the equivalent lever, and it runs on data the cashier already logs.
The payout detail nobody noticed
One footnote in the rules deserves more attention than it gets: the 120-day minimum age does not apply when the prior undisputed transactions are Original Credit Transactions. OCTs are push payments, and in gambling that means card payouts: the winnings a casino pushes back to the same card that deposited. The Verifi FAQ states the same rule from the other side: OCTs qualify from zero to 365 days old.
Read that as an operator. A new player deposits, wins, cashes out to their card, and disputes the deposits a week later. The deposits themselves are too young to serve as history, but the payout is not: an OCT pushed yesterday is already a valid prior transaction carrying the same login, device and IP. A cashier that pays winners by push-to-card is not just doing retention work; it is manufacturing dispute evidence with no aging requirement. We have not seen this documented in any of the generic CE 3.0 coverage, and for a vertical where money flows both directions it changes the cold-start math for new players, the exact cohort where first-party fraud concentrates.
The US carve-out that changes the whole frame
The standard story about 3DS and Visa fraud disputes goes: authenticate the transaction, and dispute condition 10.4 becomes invalid, since liability shifted to the issuer at authentication. That story is true in most of the world, and it is why European operators treat CE 3.0 as a tool for the residual unauthenticated traffic.
The rules tell a different story for the United States. Dispute table 11-27 carries a US-domestic exception: the fraud dispute applies "regardless of the Electronic Commerce Indicator value" for merchants under a short list of MCCs, and the list is money movement and gambling: 4829, 5967, 6051, 6540, and then 7801 (government-licensed online casinos), 7802 (licensed horse and dog racing), 7995 (betting). In plain terms: for US-domestic traffic on gambling MCCs, 3DS does not block a fraud dispute. The issuer keeps the right to file 10.4 against a fully authenticated deposit.
That inverts the usual advice. A US casino cannot authenticate its way out of fraud disputes the way an EU merchant can; the liability shift everyone assumes simply is not there for these MCCs. Which means CE 3.0 is not the fallback tool for the non-3DS remainder; it is the only mechanism in the rules by which a US gambling merchant gets 10.4 liability off its book. Our Mastercard EFM piece made the point that on Visa, 3DS buys probability rather than absolution; for US gambling MCCs it is literal, and we have yet to find a dispute-vendor write-up that accounts for it. One adjacent rule completes the picture: before filing any 10.4, the issuer must report the fraud to Visa, so every disputed fraud deposit exists as both a fraud record and a dispute, a pairing that matters as soon as starts counting.
Two delivery paths, two different cleanups
CE 3.0 reaches the issuer through one of two doors, and they are not equivalent.
The front door is pre-dispute, through Verifi's Order Insight. When the issuer's inquiry comes in, Visa searches up to five historical transactions, pulls the merchant's order data through the Order Insight API in real time, and if two of them qualify, the dispute is blocked before it exists and liability stays with the issuer. Nothing posts. The price of the front door is integration: an Order Insight connection through your acquirer or directly with Verifi, and order data retrievable for 365 days.
The back door is post-dispute: the chargeback posts, and the acquirer submits the CE 3.0 questionnaire through the dispute system at pre-arbitration. Qualify and the fraud record is removed with liability shifting to the issuer; but the dispute itself has already been counted. Visa's FAQ is precise about the asymmetry: pre-dispute qualification keeps both the fraud ratio and the dispute ratio clean, post-dispute cleans only the fraud side.
| Scenario | Chargeback | TC40 fraud record | VAMP count |
|---|---|---|---|
| Pre-dispute CE 3.0 (Order Insight) | Blocked before creation | Removed | Never enters |
| Post-dispute CE 3.0 (pre-arbitration) | Won, liability shifts | Removed | Dispute already counted |
| Undisputed TC40, before April 2026 | None | Stays | Counted |
| Undisputed TC40, after April 18, 2026 | None | Challengeable via Order Insight (acquirer bulletins) | Excluded when qualified |
The VAMP interaction, and what April 2026 added
VAMP counts fraud records plus non-fraud disputes against settled card-absent volume, with the merchant Excessive line at 1.5% since April 1, 2026 and the acquirer line at 0.5% doing the real day-to-day enforcement. Because the rules force a before every 10.4, a fraud-coded dispute contributes two countable items, which is the arithmetic behind our working figure of ~0.75% effective tolerance for a book whose disputes arrive fraud-coded. The published fact sheet names precisely two exits from the count: items resolved through pre-dispute solutions, and TC40s qualified under CE 3.0, both subject to a monthly extract-timing caveat. Note what is not an exit: RDR, the auto-refund rail, removes the dispute but leaves the fraud record standing. CE 3.0 is the only mechanism that deletes TC40s.
Until this spring, that mechanism had a gap Visa's own FAQ acknowledged: it only triggered once a dispute was filed. A fraud report that never became a chargeback, the silent from a cardholder who called their bank but let the charge stand, was untouchable, and it still counted in your ratio. The April 2026 update closes that gap. Per Visa's April 18, 2026 change, documented in acquirer-side bulletins (the underlying procedures live in Visa's non-public program guides, so the vendor sourcing is worth being honest about), qualified CE 3.0 evidence now also reaches undisputed TC40s through Order Insight, taking them out of the numerator. Visa's April 1 press release confirms the delivery half: CE 3.0 now operates inside Order Insight. For a casino, undisputed TC40s from repeat depositors are the cheapest items in the ratio to remove, because the qualifying history is sitting in the session log.
What is already live, and what lands in October
The CE 3.0 timeline
Apr 15, 2023
CE 3.0 goes live: dispute condition 10.4, two-transaction footprint, remedy instead of argument.
Oct 17, 2025
Automatic qualification through Visa Secure begins (data collection from April 2025), per Visa Business News AI15461.
Apr 1, 2026
VAMP merchant Excessive threshold drops to 1.5%; Visa announces dispute-resolution modernization, CE 3.0 inside Order Insight.
Apr 18, 2026
CE 3.0 reach extends to undisputed TC40s per acquirer bulletins; rules edition pins evidence format requirements.
Oct 24, 2026
Announced in the rules: multi-merchant footprints qualify, with the two prior transactions allowed at one or more merchants.
The October 2026 change deserves a casino-specific read. Today the two qualifying transactions must be yours. From October 24, the rules extend the framework to footprints built across more than one merchant, and few verticals share players the way gambling does: the average multi-book bettor deposits with the same card, device and IP across half a dozen brands. A first-time depositor at your casino with a year of history at three competitors becomes remediable. How the data plumbing works across merchants in practice, presumably through Order Insight's network view, is one to watch as acquirer bulletins land; we will update this piece when the mechanics are public.
Mastercard runs its own version of this thinking, First-Party Trust, live in the US since October 2024 and expanding internationally through 2025, with a similar identity-footprint logic and its own evidence categories. The architecture differences are covered in our EFM and ECP breakdown; the short version is that a dispute stack tuned only for Visa's version will leave the Mastercard share of the same behavior unremedied.
Building for it without building a project
The engineering ask is smaller than the acronyms suggest, and it is mostly retention of things a casino already has. Store 365 days of order-level data keyed to card and session: login ID as the player sees it, device identifier or fingerprint in the required formats, public IP, timestamps. Wire that store to whichever path you use: Order Insight enrollment through your acquirer or Verifi for the pre-dispute block, or your acquirer's pre-arbitration flow for filed disputes, remembering the one-attempt rule. Ask your PSP two questions in procurement: whether they pass CE 3.0 qualification through Order Insight at the pre-dispute stage, and whether their dispute tooling submits the questionnaire with your session data or expects you to. The fraud-prevention guide covers the wider stack this sits inside.
And one warning from the same rulebook: Visa polices the remedy through a dedicated monitoring program, and merchants found supplying falsified CE 3.0 data get removed from the remedy entirely. The evidence has to be real, which, for once, is the easy part in this vertical. The data was always there; CE 3.0 is the first rule that pays out for having kept it.
Sources (8)
- 01Visa Core Rules and Visa Product and Service Rules (18 April 2026 edition, public PDF)
- 02Visa: Compelling Evidence 3.0 Merchant Readiness (March 2023, PDF)
- 03Visa: Evolution of Compelling Evidence, Client FAQs (PDF)
- 04Verifi/Visa: Order Insight Systematic Dispute Deflection, Merchant FAQ (hosted copy)
- 05Visa Acquirer Monitoring Program fact sheet (2025, PDF)
- 06Visa press release: dispute resolution modernization (April 1, 2026)
- 07Verifi: CE3.0 in pre-dispute
- 08Chargebacks911: Compelling Evidence 3.0 update, April 2026