Frequently Asked Questions

What are Visa's formatting requirements for CE 3.0 data?

The Visa® CE 3.0 initiative offers valuable protections, but you'll only benefit if the data you submit complies with Visa's expectations.


Review: Visa CE 3.0 data elements

Visa launched the CE 3.0 initiative — now called the remedy rule — to address friendly fraud. The logic behind the new rule revolves around a simple but effective assumption: if a cardholder has made other purchases with your business and those purchases weren’t disputed, the current dispute isn’t actually fraud.

To tie the current dispute to previously undisputed transactions, you'll need to prove certain data elements match. To qualify for CE 3.0 protection, at least two of the following need to be consistent across all the interactions being reviewed.  

  • Customer account or login ID
  • Delivery address
  • Device ID or device fingerprint
  • IP address

One of the two data elements must be either the IP address or the device ID/fingerprint.

Check our Visa CE 3.0 article to learn more. 


How data needs to be formatted

While the data elements themselves seemed pretty straightforward, it was less clear how that data should be communicated to Visa. 

In an attempt to standardize processes, Visa released the following definitions and explanations. 

IP Address

  • IP address must be the cardholder’s public IP address.
  • IP address must be in clear text and must not be hashed.
  • IP address must meet prevalent industry formats (currently IPV4 and IPV6).

Device ID

  • Device ID must be a unique identifier of the cardholder’s device such as a device serial number (e.g., International Mobile Equipment Identity [IMEI]).
  • Device ID must be at least 15 characters.
  • Device ID must be in clear text and not hashed (effective October 14, 2023).

Device Fingerprint

  • Device fingerprint must be a unique identifier of the cardholder’s device.
  • Device fingerprint must be at least 20 characters.
  • Device fingerprint can be derived from a combination of at least two hardware and software attributes such as the operating system and its version or device model (for example, iPhone 14.5).
  • Device fingerprint may be hashed (effective October 14, 2023).

Account ID

  • Account ID must be a unique identifier that the cardholder uses to authenticate themselves on the merchant’s ecommerce site or application.
  • Account ID must be a value that the cardholder recognizes.
  • Account ID must contain only one value (effective October 14, 2023).
  • Account ID must be clear text and not hashed (effective October 14, 2023).

Shipping Address

  • Shipping address must be the cardholder’s full shipping address including street address, city, state/province/region (if applicable in the cardholder's country), postal code, and country.
  • Shipping address must be in clear text and must not be hashed.
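
A pre-submission check that applies the formatting rules above together with the matching rule from the review section (at least two consistent elements, one of them the IP address or the device ID/fingerprint). This is an added example, not Visa's or this site's code. The field names, the hex-digest heuristic for spotting hashed values, treating "public" as Python's `is_global`, and requiring at least one prior transaction are assumptions.

```python
import ipaddress
import re

# Heuristic (assumption): hex strings of common digest lengths are treated as hashed.
DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$", re.I)
ADDRESS_KEYS = ("street", "city", "postal_code", "country")  # state/region only where applicable

def valid_ip(value):
    """Clear-text public IPv4/IPv6 address; hashed or private values fail."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False

def valid_address(addr):
    """Full shipping address: every required part present and non-empty."""
    return isinstance(addr, dict) and all(str(addr.get(k, "")).strip() for k in ADDRESS_KEYS)

# Field names are hypothetical; values are expected to be strings (address: dict).
CHECKS = {
    "ip": valid_ip,
    "device_id": lambda v: len(v) >= 15 and not DIGEST.match(v),   # clear text, 15+ chars
    "device_fingerprint": lambda v: len(v) >= 20,                  # may be hashed, 20+ chars
    "account_id": lambda v: bool(v) and not DIGEST.match(v),       # clear text
    "shipping_address": valid_address,
}

def matching_elements(disputed, priors):
    """Return the elements that are well formed and identical across all transactions."""
    matched = set()
    if not priors:
        return matched
    for field, check in CHECKS.items():
        value = disputed.get(field)
        if value is None or not check(value):
            continue
        if all(p.get(field) == value for p in priors):
            # Device ID and device fingerprint count as a single element.
            matched.add("device" if field.startswith("device") else field)
    return matched

def qualifies(disputed, priors):
    """At least two matching elements, one of which is the IP address or the device."""
    matched = matching_elements(disputed, priors)
    return len(matched) >= 2 and bool(matched & {"ip", "device"})

# Constructed sample data: the second prior transaction came from a different device.
DISPUTED = {"ip": "8.8.8.8", "device_id": "356938035643809", "account_id": "jane.doe@example.com"}
PRIORS = [dict(DISPUTED), {**DISPUTED, "device_id": "490154203237518"}]
print(sorted(matching_elements(DISPUTED, PRIORS)), qualifies(DISPUTED, PRIORS))
```

A value that fails its format check is dropped before matching, so a hashed or private IP address cannot count toward the two required elements even when it is identical on every transaction.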

Consequences of invalid data

It might seem like these are just suggestions or nuances that aren't that important in the grand scheme of things. But in reality, failing to meet Visa's expectations could severely damage your bottom line. 

What happens if you don't follow Visa's formatting requirements? You could be enrolled in the new Visa Fraud Dispute Monitoring Program. 

The VFDMP "identifies merchants that provide invalid or falsified data", and enrollment means you no longer qualify for Visa CE 3.0 protections. 



Need help? Have questions? 

Do you have questions about Visa CE 3.0 or the formatting requirements specifically? Reach out to our team of experts. We'll share any tips and insights we have to make this new process as effective as possible. 
