Skip to content
Back to Journal
Fraud Prevention

How to Reduce Chargebacks with IP Detection

13 min readHusnain
How to Reduce Chargebacks with IP Detection

Every merchant meets the chargeback the same way. A card clears, the order ships, and forty days later the money is pulled back out of your account along with a fee — sometimes a fee larger than the sale. Do it often enough and you are no longer arguing about individual orders. You are arguing with Visa and Mastercard about whether you get to keep processing cards at all.

Most anti-chargeback advice treats the dispute as the event. It is not. The dispute is the invoice for a decision you already made — the moment you authorized a transaction you should have screened, or shipped against a customer whose order you never recorded well enough to defend. IP detection is not a way to argue better after the fact. It is a way to move the decision back to the two points where it can still go your way: the authorization, and the evidence.

A Chargeback Is Really Two Different Problems

Before any tooling, get the taxonomy right, because the two kinds of chargeback need opposite responses.

True fraud is a stranger using a stolen card. Someone else's number, your store, goods shipped to a drop address. This is the chargeback you want to prevent — every one that gets through is lost inventory plus a fee plus a mark against your ratio. IP detection fights this one at the front door, before you ship.

Friendly fraud — also called first-party misuse — is your actual customer disputing a charge they actually made. They forgot the subscription, a family member ordered, or they simply learned that "I don't recognize this" claws the money back. By Visa's own accounting, this kind of first-party misuse accounts for up to 75% of all chargebacks. You cannot prevent it at checkout, because the transaction was legitimate. You win it afterward, with evidence — and the IP address is a named piece of that evidence.

One field, two jobs: it screens out the true fraud before it disputes, and it helps you reverse the friendly fraud after it does. That is why it is the highest-leverage place to start.

Why the Ratio Is Now Existential

The reason chargebacks stopped being a cost of doing business and started being a survival question is that the card networks rewrote their monitoring programs, and both new versions point straight at online orders.

Visa consolidated its two old programs — the Visa Dispute Monitoring Program and the Visa Fraud Monitoring Program — into a single Visa Acquirer Monitoring Program (VAMP), effective April 2025. Read the mechanics from Visa's own VAMP fact sheet, because two details change how you should think about the problem:

  • Only card-absent transactions count. The VAMP ratio is built from card-not-present activity. The chargebacks that threaten your merchant account are, by definition, the online orders — the exact orders where you have the customer's IP address to work with.
  • Fraud and disputes are counted together, and often twice. The ratio combines TC40 fraud reports and TC15 disputes over settled transactions. Because a reported-fraud transaction usually becomes a dispute too, a single bad order can land on your ratio twice. Preventing it once removes both.
  • The bar is dropping. The merchant "Excessive" threshold launched at 2.2% and falls to 1.5% from April 2026 in the US, Canada and the EU. The floor is moving toward you.

Mastercard runs the parallel track. Its Excessive Chargeback Program flags an Excessive Chargeback Merchant (ECM) at a 1.5% ratio with 100–299 chargebacks in a month, and a High Excessive Chargeback Merchant (HECM) at 3.0% with 300 or more. Fines escalate the longer you stay over, and the terminal outcome for a merchant who cannot recover is the MATCH list — an effective five-year exile from card processing.

The takeaway is not the exact number — check your own acquirer, since regions and rollout dates vary. It is the direction. The networks have decided that your card-not-present chargeback ratio is a compliance metric, the threshold is falling, and the traffic it measures is precisely the traffic an IP lookup can read.

Where IP Detection Fits the Chargeback Lifecycle

A card-not-present order passes three gates where the IP is decisive. Reducing chargebacks means using all three, not just the first.

Most merchants only ever use the first gate, and even then only crudely. The compounding wins are in using the IP to decide who sees a 3DS challenge, and in having captured it so you can win the disputes that reach representment. We cover the front gate first, because it is where the highest-confidence, lowest-false-positive signals live.

The IP Signals That Predict a Chargeback

Here is what to read from the address behind an order, roughly in order of signal-to-noise for card-not-present payments.

Note the direction of the last two rows. A scoring model that only adds points will grind your legitimate mobile audience into false declines, and a false decline at checkout is not a blocked login — it is a paying customer you turned away. A model that also subtracts — treating a residential ISP or a CGNAT range as a reason for leniency — is what keeps chargeback prevention from quietly becoming revenue prevention. That balance is the entire subject of how IP risk scoring turns 40+ signals into one number, and it matters more at checkout than almost anywhere else.

Crucially, the IP is evidence, not a verdict. Do not ban the address — one public IP is shared by many unrelated people, so a hard block deletes real customers along with the fraud. Score it, weight it against the other signals, and act on the composite. We make that case in full in detecting anonymized traffic without blocking real customers, and it is the same discipline that separates a smart checkout filter from a blunt one in stopping AI-shopping-agent and bot fraud at checkout by IP.

Reading It in One Call

Concretely, this is one lookup against the IP that placed the order, before you decide whether to approve, challenge, or review it.

GeoIPHub API
curl -H "x-api-key: YOUR_API_KEY" \ https://api.geoiphub.com/v1/lookup/45.83.220.7

The fields that matter for a card-not-present order sit across four groups of the response:

GeoIPHub API
const res = await fetch(`https://api.geoiphub.com/v1/lookup/${orderIp}`, { headers: { "x-api-key": process.env.GEOIPHUB_API_KEY }, }); const ip = await res.json(); ip.asn.asn_type; // "hosting" — a checkout should not originate here ip.asn.connection_type; // "datacenter" | "residential" | "mobile" ip.detection.is_hosting; // true — datacenter origin on a consumer payment ip.detection.is_vpn; // deliberate concealment — weigh, don't ban ip.detection.vpn_provider; // the named provider, when concealment is present ip.geo.country_code; // compare against the billing country on the card ip.threat.blocklist_count; // corroboration across abuse feeds ip.threat.is_cgnat; // shared mobile address — a reason for leniency ip.scoring.fraud_score; // 0–100 composite ip.scoring.recommended_action; // "allow" | "review" | "step_up" | "block" ip.scoring.detection_methods; // exactly which signals fired — your audit trail

detection_methods is the field that turns this from a black box into a decision you can defend. When an order is challenged or held, you can name why — hosting ASN, VPN concealment, billing country mismatch, listed on two feeds this week — rather than shrugging at a score. And country_code is the one to line up against the billing address on the card: a card billed to Germany paying from a hosting network in another country is the oldest CNP story there is.

You can try the scoring output on any address with the free IP fraud score check before you wire it in, and the same lookup is documented as a reusable primitive in adding real-time IP fraud detection to your app.

3-D Secure Without the Friction Tax

The second gate is where reducing chargebacks stops being purely defensive.

When a card-not-present transaction is authenticated through EMV 3-D Secure, liability for a subsequent fraud chargeback generally shifts from the merchant to the card issuer. That is the single most powerful lever you have against true-fraud chargebacks: an authenticated order that later turns out to be fraud is usually not your loss.

So why not send every order through 3DS? Because a challenge is friction, and friction is abandoned carts. Force a step-up on every shopper and you will lose more revenue to cart abandonment than you ever lost to fraud.

This is exactly the trade-off an IP risk score resolves. Instead of challenging everyone or no one, you challenge by risk:

  • Low score (residential ISP, clean history, matching country): let it pass frictionlessly. Most of your traffic lives here.
  • Elevated score (VPN, country mismatch, thin signals): route to a 3DS challenge — you get the liability shift on precisely the orders where you want it.
  • High score (hosting ASN, active blocklist hits): decline or hold for review; do not even spend the 3DS attempt on obvious infrastructure.

The IP score decides who sees the challenge. That is how you capture 3DS's liability protection on the risky slice while leaving your clean majority untouched — the same per-action thinking we lay out in what IP fraud score you should block at, applied to the checkout step specifically.

Winning the Friendly-Fraud Dispute

The third gate is the one most merchants leave completely unarmed, and it is where up to three-quarters of chargebacks actually live.

When a real customer disputes a purchase they genuinely made, you cannot have prevented it at checkout — the order was legitimate. What you can do is prove it was them. Visa built a standard for exactly this: Compelling Evidence 3.0, effective April 2023, which lets a merchant reverse a card-absent fraud dispute (Visa reason code 10.4) by demonstrating a historical footprint with the cardholder.

Read the requirement closely, because the IP address is written into it:

  • You supply two prior undisputed transactions on the same credentials, between 120 and 365 days old.
  • Those transactions must share core data elements with the disputed order — the elements Visa names are IP address, device ID/fingerprint, user ID, and shipping address.
  • At least two elements must match across all three transactions, and at least one of them must be the IP address or the device ID/fingerprint.
  • If the evidence qualifies, liability shifts to the issuer — you keep the money.

The IP address is not a nice-to-have here. It is one of the two anchor elements Visa will accept as proof that the person disputing the charge is the same person who has been buying from you for months. But — and this is the part that quietly costs merchants their winnable disputes — you can only submit this evidence if you captured the IP on every order in the first place, and stored it long enough to reach back a full year.

That reframes the pre-auth lookup entirely. The IP you record at checkout is not only a fraud signal for today's order. It is the raw material for winning a friendly-fraud dispute a year from now. Capture it on every transaction, store it against the customer's history, and Compelling Evidence 3.0 turns from a rule you cannot use into a chargeback you get to reverse.

Getting Started This Week

  • Capture the IP on every order. Store it against the transaction and the customer, with a timestamp, and retain it for at least 18 months so it is available for a Compelling Evidence 3.0 submission. You cannot score — or defend — what you did not record.
  • Score, don't ban. Run each checkout IP through a lookup and store the score with the order, so you can segment disputes by risk band and tune from real outcomes.
  • Start with the datacenter floor. A hosting ASN or connection_type: "datacenter" on a consumer checkout is the highest-confidence, lowest-false-positive signal there is. It is the cheapest chargeback you will ever prevent.
  • Check the country match. Compare geo.country_code against the billing country on the card. A mismatch alongside any concealment flag is a strong reason to step up.
  • Route 3DS by score, not by default. Send the risky slice to the challenge for the liability shift; let the clean majority pass frictionlessly.
  • Protect real customers. Treat CGNAT and residential/mobile ISPs as exonerating. The guardrail against false declines is what keeps this profitable.

The chargeback already told you where it came from, twice — at the order and at the dispute. Reducing them is mostly a matter of listening at both moments instead of neither.

Start Scoring Every IP in Real Time

GeoIPHub gives fraud, security, and engineering teams a single API for IP geolocation, VPN & proxy detection, threat intelligence, and an explainable 0–100 risk score.

Complete response on every lookup
VPN, proxy, residential-proxy & Tor detection
Explainable 0–100 IP risk score
Free tier with 1,500 requests/day

Get Your Free API Key

Sign up in minutes — no credit card required. Upgrade only when you need more volume.

Frequently Asked Questions

How does IP detection reduce chargebacks?

In two places. Before the sale, an IP lookup on the order flags the highest-risk transactions — a hosting/datacenter connection, an anonymizing VPN or Tor exit, a billing country that does not match the network's country, or an address already listed on threat feeds — so you can route them to 3-D Secure or manual review instead of shipping into a guaranteed dispute. After the sale, when a real customer files a friendly-fraud chargeback on a purchase they actually made, the IP address is one of the named 'core data elements' in Visa's Compelling Evidence 3.0, so a captured, matching IP helps you win the representment. The same field lowers both the fraud that becomes a chargeback and the friendly fraud you can reverse.

What chargeback ratio gets a merchant in trouble?

Under Visa's Acquirer Monitoring Program (VAMP), which replaced the old VDMP and VFMP programs in April 2025, a merchant is 'Excessive' at a 2.2% ratio at launch, dropping to 1.5% from April 2026 in the US, Canada and the EU — and, critically, only card-absent (online) transactions count toward that ratio. Mastercard's Excessive Chargeback Program flags an Excessive Chargeback Merchant at a 1.5% ratio with 100–299 chargebacks, and a High Excessive Chargeback Merchant at 3.0% with 300 or more. Sustained breaches lead to escalating fines and, ultimately, the MATCH list, which can block a business from card processing for five years.

Can you stop a chargeback just by blocking risky IP addresses?

No — blocking is the wrong tool and it costs more than it saves. One public IP is routinely shared by many people through carrier-grade NAT, and plenty of legitimate shoppers use a VPN, so a hard block on an address or range deletes real customers along with the fraud. The IP is evidence, not a verdict: score it as one weighted input, route only the genuinely high-risk orders to step-up authentication or review, and reserve outright blocks for unambiguous infrastructure like a datacenter address on a consumer checkout.

Does 3-D Secure eliminate chargebacks?

It shifts liability rather than eliminating disputes. When a card-not-present transaction is authenticated through EMV 3-D Secure, liability for a subsequent fraud chargeback generally moves from the merchant to the card issuer. The problem is that challenging every customer with a 3DS step-up adds friction and loses sales. An IP risk score lets you apply 3DS selectively — send the risky orders through the challenge and let the clean ones pass frictionlessly — which is how you get the liability protection without taxing your good customers.

How is IP address used as chargeback evidence?

Visa's Compelling Evidence 3.0, effective April 2023, lets a merchant fight a card-absent fraud dispute (reason code 10.4) by showing a 'historical footprint': two prior undisputed transactions on the same credentials, 120 to 365 days old, that share core data elements with the disputed order. The IP address is one of those core elements, and at least one of the two required matches must be the IP address or the device ID/fingerprint. If the evidence qualifies, liability shifts to the issuer. That only works if you captured and stored the IP on every order in the first place.

Which IP signals predict a chargeback?

The highest-signal fields are the connection type and ASN type (a checkout from a hosting/datacenter network is not a normal shopper), anonymizer flags (VPN, public proxy, Tor), a mismatch between the network's country and the billing country, and threat-feed listings weighted by recency. Carrier-grade NAT and a plain residential ISP work the other way — they are reasons to be more lenient, not less. A good risk score combines all of these into one explainable number with the exact signals that fired, so a declined or challenged order can be justified rather than guessed.