What Is Mastercard Reason Code 4837?
Mastercard reason code 4837, titled No Cardholder Authorization, is a fraud-related chargeback filed when a cardholder claims they did not authorize or participate in a transaction charged to their account. This is Mastercard's primary code for unauthorized transaction disputes and is one of the most challenging chargeback types for merchants to fight.
When a cardholder sees an unfamiliar charge on their statement and contacts their bank, the issuer may file a 4837 dispute. The underlying assertion is that the card was used without the legitimate cardholder's knowledge or consent — whether through stolen card data, account takeover, or some other form of fraudulent use.
What makes 4837 particularly difficult is that the burden of proof sits squarely on the merchant. You must demonstrate that the person who completed the transaction was, in fact, the legitimate cardholder — or that sufficient authentication was performed to shift liability. Without the right evidence infrastructure, these disputes are almost impossible to win.
When Do Issuers File Code 4837?
Understanding the scenarios that trigger a 4837 filing helps merchants distinguish between genuine fraud and friendly fraud, which require different defense strategies.
True Fraud: Stolen Card Data
The cardholder's card number was compromised through a data breach, skimming device, phishing attack, or dark web purchase. A fraudster used the stolen credentials to make purchases. In this scenario, the cardholder genuinely did not authorize the transaction, and without strong authentication measures in place, the merchant has limited defense options.
Account Takeover
A fraudster gains access to a legitimate customer's account on your platform — through credential stuffing, social engineering, or malware — and makes purchases using saved payment methods. The cardholder's stored card is charged without their knowledge. This scenario is increasingly common and particularly damaging because the account history may make the transaction appear legitimate.
Friendly Fraud
The cardholder (or someone in their household) actually made the purchase but claims they did not. This happens more than most merchants realize. Common triggers include buyer's remorse, not recognizing your billing descriptor, a family member making purchases without the cardholder's direct knowledge, or deliberate abuse of the dispute process to obtain goods for free.
Mastercard does not distinguish between true fraud and friendly fraud at the reason code level. Both are filed as 4837. This means your evidence package must address both possibilities — proving either that the cardholder did authorize the transaction, or that you performed sufficient authentication to shift liability.
Mastercard's Evaluation Criteria
Mastercard evaluates 4837 representments against specific criteria. The more authentication data points you can provide, the stronger your case. Here is what the network weighs most heavily:
| Evidence Type | Weight | What It Proves |
|---|---|---|
| 3D Secure 2 Authentication | Highest | Cardholder completed identity verification; triggers full liability shift to issuer |
| AVS Full Match | High | Billing address and ZIP match the issuer's records, suggesting cardholder involvement |
| CVV/CVC Match | High | The person had physical access to the card (for card-not-present transactions) |
| Device Fingerprint | Medium | The same device was used for the disputed transaction and previous legitimate purchases |
| IP Address Geolocation | Medium | Transaction originated from the cardholder's known geographic area |
| Purchase History Pattern | Supporting | The transaction is consistent with the cardholder's established buying behavior on your platform |
The Critical Role of 3D Secure 2
If there is one takeaway from this entire article, it is this: 3D Secure 2 (3DS2) is the single most powerful tool for defending against Mastercard 4837 chargebacks.
When a transaction is authenticated through 3DS2 (Mastercard's implementation is called Mastercard Identity Check), the liability for fraud-related chargebacks shifts from the merchant to the issuing bank. This means that even if the transaction turns out to be fraudulent, the merchant is protected from financial liability.
How the Liability Shift Works
When you implement 3DS2 and a cardholder successfully completes the authentication challenge (biometric verification, one-time password, or app-based confirmation), the Electronic Commerce Indicator (ECI) value changes to indicate a fully authenticated transaction. If a 4837 chargeback is later filed against this transaction, the liability falls on the issuer, not the merchant.
Transactions fully authenticated through Mastercard Identity Check (3DS2) are protected by a liability shift. Even if authentication was attempted but the issuer's system was unavailable, the liability shift still applies in most cases. This makes 3DS2 implementation one of the highest-ROI fraud prevention investments a merchant can make.
Frictionless vs. Challenge Flow
3DS2 introduced risk-based authentication, meaning low-risk transactions can be approved without requiring the cardholder to complete a challenge. This "frictionless" flow maintains the liability shift while minimizing cart abandonment. High-risk transactions are routed to a "challenge" flow where the cardholder must verify their identity. Both flows provide liability protection when properly implemented.
Evidence Requirements Without 3DS2
If you are not yet using 3D Secure 2 (or if the transaction was exempt), you need to build a multi-layered evidence case. No single piece of evidence is sufficient on its own — Mastercard evaluates the totality of your documentation.
- AVS response showing full match (both street address and ZIP code match the issuer's records)
- CVV/CVC2 verification match confirming the security code from the physical card was entered correctly
- IP address logs showing the transaction originated from a location consistent with the cardholder's profile
- Device fingerprint data matching the purchase device to previous successful, undisputed transactions by the same customer
- Customer account history showing prior purchases from the same account, same device, or same address that were not disputed
- Delivery confirmation to AVS-verified address proving goods were shipped and delivered to the cardholder's confirmed billing address
- Email or SMS confirmations sent to the cardholder's verified contact information with order details
- Velocity check logs showing the transaction did not trigger any abnormal purchasing pattern alerts
Common Scenarios and How to Respond
Scenario 1: Legitimate Customer, Unrecognized Charge
The customer made the purchase but does not recognize your billing descriptor on their statement. This is pure friendly fraud driven by confusion. Evidence focus: show the billing descriptor, link it to the customer's order confirmation email, and demonstrate previous successful transactions.
Scenario 2: Family Member Purchase
A spouse, child, or household member used the cardholder's saved payment method. The cardholder did not directly authorize the specific transaction. Evidence focus: demonstrate the transaction originated from the same household IP, same device, or a device previously associated with the account.
Scenario 3: Genuine Card Theft
The card data was truly stolen and used by an unauthorized third party. If you did not have 3DS2 in place and lack strong authentication evidence, this is the hardest scenario to win. Your best defense is demonstrating that you followed industry-standard security practices and presenting whatever authentication data you do have.
Time Limits for Mastercard 4837
| Timeline | Duration | Details |
|---|---|---|
| Cardholder Filing Window | 120 days | From the transaction processing date (statement date in some cases) |
| Merchant Response Window | 45 days | From the chargeback date to submit a representment (Mastercard allows slightly more time than Visa) |
| Second Presentment | 45 days | If the issuer escalates, the merchant has 45 days to respond to the second chargeback cycle |
| Arbitration | 45 days | Either party can escalate to Mastercard arbitration within 45 days of the second presentment decision |
Prevention Strategies
Preventing 4837 chargebacks is far more cost-effective than fighting them. These strategies address both true fraud and friendly fraud vectors:
- Implement 3D Secure 2 on all card-not-present transactions. This is the single most impactful step. The liability shift alone justifies the implementation investment, and modern 3DS2 has minimal impact on conversion rates.
- Use a clear, recognizable billing descriptor. Ensure your company name on card statements matches what customers expect. Include a phone number or URL in the descriptor so confused cardholders contact you instead of their bank.
- Require CVV on every transaction. Never store or reuse CVV codes. Requiring CVV entry proves the purchaser had physical access to the card at the time of purchase.
- Deploy device fingerprinting and behavioral analytics. These tools identify suspicious transactions before they are processed, blocking true fraud at the point of sale.
- Send immediate order confirmation emails. A prompt confirmation email to the cardholder's verified email address creates a paper trail and gives the cardholder an opportunity to report unauthorized use before shipment.
- Implement velocity checks. Flag accounts or cards that show unusual purchasing patterns — multiple orders in rapid succession, high-value orders from new accounts, or orders from geographic anomalies.
- Monitor and respond to Mastercard's Ethoca alerts. Ethoca provides near-real-time fraud alerts that let you refund fraudulent transactions before they become chargebacks, saving you the chargeback fees and ratio impact.
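The velocity checks described in the list above can be sketched as follows. This is an added example, not code from the original article or from Mastercard; the thresholds, field names and sample orders are constructed assumptions. Orders that come back unflagged are also the kind of record the "velocity check logs" evidence item refers to.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not Mastercard or article values.
BURST_COUNT = 3                        # this many orders on one card ...
BURST_WINDOW = timedelta(minutes=10)   # ... inside this window is a burst
NEW_ACCOUNT_AGE = timedelta(days=1)    # account younger than this is "new"
HIGH_VALUE = 500.00                    # order amount treated as high value

def velocity_flags(orders):
    """Return {order_id: [reasons]} for orders that trip a velocity rule."""
    recent = defaultdict(deque)        # card token -> timestamps in window
    flags = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        reasons = []
        # Rule 1: multiple orders in rapid succession on the same card.
        q = recent[o["card"]]
        q.append(o["ts"])
        while o["ts"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_COUNT:
            reasons.append("rapid_succession")
        # Rule 2: high-value order from a newly created account.
        age = o["ts"] - o["account_created"]
        if o["amount"] >= HIGH_VALUE and age < NEW_ACCOUNT_AGE:
            reasons.append("high_value_new_account")
        # Rule 3: geographic anomaly (IP country differs from billing country).
        if o["ip_country"] != o["billing_country"]:
            reasons.append("geo_mismatch")
        if reasons:
            flags[o["id"]] = reasons
    return flags

def make_order(oid, card, ts, amount, created, ip_country, billing="US"):
    # "card" is a processor token; never log the card number or CVV.
    return {"id": oid, "card": card, "ts": ts, "amount": amount,
            "account_created": created, "ip_country": ip_country,
            "billing_country": billing}

# Constructed sample data for the example.
T0, OLD = datetime(2024, 5, 1, 12, 0), datetime(2023, 1, 1)
SAMPLE_ORDERS = [
    make_order("A1", "tok_1", T0, 40.0, OLD, "US"),
    make_order("A2", "tok_1", T0 + timedelta(minutes=3), 55.0, OLD, "US"),
    make_order("A3", "tok_1", T0 + timedelta(minutes=6), 60.0, OLD, "US"),
    make_order("A4", "tok_1", T0 + timedelta(minutes=30), 20.0, OLD, "US"),
    make_order("B1", "tok_2", T0, 900.0, T0 - timedelta(hours=2), "US"),
    make_order("C1", "tok_3", T0, 25.0, OLD, "BR"),
    make_order("D1", "tok_4", T0, 30.0, OLD, "US"),
]
if __name__ == "__main__": print(velocity_flags(SAMPLE_ORDERS))
```

Persisting the result for every order, including the empty ones, gives a timestamped record that a later representment can cite.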
Frequently Asked Questions
What is the difference between Mastercard 4837 and 4863?
Reason code 4837 covers transactions where the cardholder claims no authorization at all — they say they never made the purchase. Reason code 4863 (Cardholder Does Not Recognize) is used when the cardholder sees a charge they do not recognize but is not necessarily claiming fraud. In practice, 4863 is often a billing descriptor issue, while 4837 is a more serious fraud allegation. The evidence strategies differ significantly.
If I have 3DS2, can I still receive a 4837 chargeback?
You can still receive the chargeback notification, but if the transaction was fully authenticated through 3DS2, the liability shift means the issuer bears the financial responsibility, not you. Your acquirer should automatically reverse the chargeback based on the authentication data. If this does not happen automatically, contact your processor with the 3DS2 authentication proof.
Does a CVV match alone prove the cardholder authorized the transaction?
No. A CVV match proves that the person who made the purchase had the security code from the physical card, but it does not conclusively prove they were the legitimate cardholder. CVV data can be obtained through card theft, phishing, or data breaches. It is strong supporting evidence but should be combined with other authentication factors.
How does friendly fraud differ from true fraud in a 4837 context?
From Mastercard's perspective, there is no difference at the reason code level — both are filed as 4837. However, your defense strategy differs significantly. For friendly fraud, you focus on evidence that ties the cardholder to the transaction (device data, account history, delivery to their address). For true fraud prevention, you focus on authentication barriers (3DS2, CVV, velocity checks) that should have been in place before the transaction was processed.
What happens if I lose a 4837 representment?
If your representment is rejected, the issuer may file a second chargeback. You then have 45 days to either accept the loss or escalate to Mastercard arbitration. Arbitration involves a filing fee (typically $150-$500), and Mastercard makes the final binding decision. Only escalate to arbitration if you have compelling evidence that was not adequately considered in the first representment cycle.