Cyber-fraud chargeback under Visa, Mastercard and RuPay rules

If you are short on time, jump to the fraud reason codes in one table and the sample chargeback request letter. Copy the letter, paste into a new email to your bank, send today.

Your card was used without your consent. You called the bank. The branch said “we will investigate, please wait 90 days”. The 90 days passed. The bank wrote back “the merchant says the transaction is genuine, refund declined”. You went home with the loss. This is the most common cyber-fraud outcome in India, and it is the wrong one. The bank did not tell you that you had a separate, parallel right under the card network rules, called a chargeback.

A chargeback is a refund forced by Visa, Mastercard or RuPay through the inter-bank settlement system. Your issuer bank does not adjudicate it, the network does. The bank's role is to file the dispute. If it refuses, that is a violation of the RBI Master Direction on Credit Card and Debit Card, 2022 and a complaint ground at the RBI Ombudsman. For the parallel RBI claim, see the golden-hour zero-liability article. For the 1930 call, see the 7-minute script. This page picks up where those two finish.

A chargeback is a reversal of a card transaction, initiated by the issuer, processed through the network's settlement system, and ultimately funded by the merchant or the acquirer. Money flows back from the merchant's bank to your bank by network rule, not by negotiation.

Three parties matter. The issuer bank issued your card. The acquirer bank is the merchant's bank. The network (Visa, Mastercard or RuPay) is the rulebook and referee. When you file, the issuer flags the transaction with a reason code and debits the acquirer. No or weak merchant response means the chargeback stands. A strong response triggers representment; rejection escalates to pre-arbitration then arbitration, decided by the network.

Your bank does not decide whether you get the money back. It files a process whose outcome the network decides. The bank is not entitled to refuse the filing because it disbelieves you.

When a chargeback is filed, the issuer temporarily debits the acquirer through the network. If the merchant defends successfully, the acquirer claws it back; if the merchant defaults, the acquirer absorbs the loss. Either way, the issuer bank is not at financial risk in a fraud chargeback. The risk sits with the acquirer and the merchant.

So why does your bank stall? Three reasons. Every chargeback adds dispute-handling cost; branch staff prefer phone-settlement. The bank loses interchange income when a transaction reverses. The compliance team watches chargeback ratios in case it also acquires some of the merchants. The bank's incentive is to keep the dispute off the network. You do not share that incentive; you want the money back.

Three networks matter. Each publishes its own rulebook. Reason codes, deadlines and evidence rules differ. Identify yours from the logo on the card face before you file.

Visa is the largest international card network in India by transaction value. It is governed by the Visa Core Rules and Visa Product and Service Rules, updated twice a year, summary at https://www.visa.co.in/ under “About Visa, Rules”. Visa's fraud reason codes were renumbered in April 2018 to the current dot-code system (10.4, 10.1 and so on). The dispute portal at every Visa issuer in India uses these codes by name.

Mastercard is the second international network in India, with a strong credit-card and prepaid-wallet presence. Governed by the Mastercard Chargeback Guide and the Mastercard Rules, published at https://www.mastercard.us/. Mastercard's reason codes are four-digit and have been stable since the 2016 simplification. The headline fraud code is 4837.

RuPay is the domestic network operated by the National Payments Corporation of India under licence from RBI. Governed by the RuPay Operating Regulations and RuPay Dispute Management Regulations, summary at https://www.npci.org.in/. Fraud codes sit in chapter 13 of the Dispute Management Regulations. RuPay's process is the simplest to navigate but the recovery rate is lower for international merchants, because RuPay does not run abroad; cross-border cases route through the international co-badge network printed alongside the RuPay logo.

The reason code is the single most important field on the chargeback form. Pick the wrong one and the form gets rejected on a technicality inside a shrinking 120-day window.

Three things to read off this table.

1. Visa 10.4 and Mastercard 4837 are the most-used codes for phishing and international card-not-present fraud. Default to these if your facts are not yet clean.
2. Lost-or-stolen codes (Visa 10.2, Mastercard 4871) require a police FIR alongside the chargeback. NCRP acknowledgement is not enough. File the FIR before the chargeback.
3. The bank cannot pick the code “to help” you. You pick it, citing the network rulebook. Insist in writing on the code that matches your facts; the wrong code costs you the dispute.

Every network sets a filing window measured from a fixed start date. The standard window for fraud chargebacks is 120 calendar days, but the start date is what catches citizens.

For Visa, the 120 days run from the transaction processing date, the date the transaction settled on your statement, not the date of the fraud SMS. For most online frauds the two coincide; for international transactions, settlement can lag by 1 to 3 days.

For Mastercard, the 120 days run from the transaction date on the statement, with two exceptions. For services-not-rendered disputes (a flight that did not fly, a hotel that did not honour the booking), the clock starts on the expected service date. For recurring transactions, the clock can be extended to 540 days for the first dispute on the chain.

For RuPay, the 120-day window is anchored to the transaction date under chapter 13.1, with no merchant-specific extensions. RuPay is the least forgiving on timing.

Three pitfalls.

1. 120 calendar days, not working days. Unlike the RBI 3-working-day window, the chargeback clock counts weekends and holidays.
2. The clock starts on the transaction date, not on the discovery date. Even if you discovered the fraud on day 90, you have only 30 days left.
3. The bank may impose its own internal deadline shorter than the network's. Most Indian banks ask for filings within 45 to 60 days. This is the bank's rule, not the network's. Escalate citing the network rulebook directly.

Diarise the 90-day mark in your phone calendar. By day 90, the chargeback must be on the network. If it is not, escalate that same day.

Assemble these before you walk into the branch or hit “send”.

1. The disputed-transaction list as it appears on your card statement: card number masked to last 4 digits, date, merchant name, INR amount, foreign-currency amount if any, transaction ID or ARN (acquirer reference number).
2. The bank's debit alert SMS or push notification, screenshotted with timestamp visible.
3. A short written statement of when you discovered the fraud and what you did in the first 24 hours.
4. The 1930 helpline complaint slip and the NCRP acknowledgement PDF.
5. A police FIR if you are filing under lost-or-stolen codes (Visa 10.2, Mastercard 4871) or for losses above ₹1 lakh.
6. Identity proof: Aadhaar or PAN, plus the card last 4 digits cross-matched to the account.
7. The bank's chargeback request form, available at every issuer's website under “Dispute”, “Chargeback” or “Card Dispute”.
8. An affidavit on plain paper declaring non-authorisation. Notarisation is not mandatory but helps at representment.

Banks sometimes demand extras like “name of the fraudster” or “merchant's bank statement”. These are not in any network rulebook. Refuse in writing.

Use the bank's dispute form, not its complaint form. They are different documents with different downstream routes. If the form says “Grievance” or “Complaint”, ask for the Chargeback Request Form or Transaction Dispute Form.

1. Identify the network. For co-badged cards the front-of-card primary network processes online transactions; the chargeback follows the primary.
2. Locate the dispute form on the bank's site under Customer Care. HDFC, ICICI, SBI, Axis, Kotak and BoB each publish one.
3. Cite the reason code on the form. Write it in full: “Visa Reason Code 10.4, Other Fraud, card-absent environment”. Do not just write “fraud”.
4. Attach evidence and submit. Stamp the form as received. Get the dispute reference number in writing. Ask separately for the chargeback case number once the bank uploads to the network.
5. Email a parallel copy to the bank's published dispute address and the principal nodal officer. Cc yourself.
6. Diarise the 30-day mark. The bank must file to the network within 30 days under the RBI Master Direction on Credit Card and Debit Card, 2022. If 30 days pass with no case number, that is the breach.

Stage 1: provisional credit (day 1 to day 10). Under the RBI Master Direction on Credit Card and Debit Card, 2022, the issuer must provisionally credit the disputed amount within 10 working days of filing. This is the card-side shadow-credit rule. Many banks credit only after the network decides; that is a violation. Write to the nodal officer if day 10 passes.

Stage 2: merchant rebuttal (day 11 to day 45). The acquirer typically has 30 days to collect a rebuttal. Silence equals acceptance on all three networks. The merchant either ignores it (most common in cross-border phishing) or responds with delivery proof, signed receipt or 3D-Secure log. Non-response means the chargeback stands and the refund is permanent.

Stage 3: representment, pre-arbitration, arbitration (day 45 to day 120). If the merchant responds, the acquirer represents. The issuer collects counter-evidence from you (usually a re-affidavit). Reply within 5 working days; missing it loses the dispute on procedure. Escalation goes to pre-arbitration then arbitration; fees can hit USD 500 per case under Visa and Mastercard rules, with the loser paying.

By day 45 with no merchant rebuttal, the chargeback is effectively final. Bank staff sometimes claim “still under investigation” past day 45 to delay closure; the network does not run open investigations past that point. Ask for the network case status in writing.

The most common failure mode. The branch says “we have looked at the transaction, it appears genuine, we cannot file”. This is wrong on the rules and is itself a complaint ground.

The bank's job is to file. Adjudication is the network's job. A refusal substitutes the bank's judgement for the network's, in breach of the RBI Master Direction on Credit Card and Debit Card, 2022, paragraph on customer grievance redressal, which requires the issuer to register the dispute and process it under network rules.

When the bank refuses, do these four things in order.

1. Demand the refusal in writing. Banks almost never put refusals in writing because no rule supports them. Many file the chargeback the moment a written refusal is asked for.
2. Escalate to the principal nodal officer for customer protection. Cite the Master Direction by paragraph.
3. File with RBI Ombudsman under RB-IOS 2021. A refusal to file a chargeback is a textbook ombudsman case. Portal: https://cms.rbi.org.in/. See the RB-IOS 2021 walkthrough.
4. File an RTI to the bank's PIO asking for the board-approved policy on chargeback filings and the chargeback count for the relevant network last quarter. Use the AI RTI Drafter. The RTI alone often pushes the bank to file.

The ombudsman directs filing in over 80% of such cases per the RBI Annual Ombudsman Report.

The chargeback right is identical for international and crypto-funded transactions; only the evidence path differs.

International card-not-present fraud. Settlement is in foreign currency. The chargeback flows through Visa or Mastercard's international settlement system; acquirers are typically in Hong Kong, Singapore, the UK or the US. The 120-day window is the same. Branch staff often resist with “we cannot reach the merchant”; reaching the merchant is the network's job. See international card transaction fraud recovery.

Crypto-funded cards. Some Indian fintechs and offshore wallets issue Visa or Mastercard cards funded by crypto balances. The network sees a normal Visa or Mastercard transaction. The chargeback right is identical. Ask the wallet provider in writing for the on-chain record preceding the spend; it corroborates your version. The 120-day window applies.

The biggest mistake is treating chargeback and the RBI zero-liability claim as alternatives. They are parallel remedies under different rulebooks and the law expects both.

The RBI customer-liability circular DBR.No.Leg.BC.78/09.07.005/2017-18 governs your relationship with the issuer-bank: 3-working-day window for zero liability, 10-working-day shadow-credit obligation. The card network rules govern inter-bank settlement: 120-day chargeback window, reason codes, merchant rebuttal.

The RBI rule forces your bank to refund fast. The network rule forces the merchant's side to bear the loss. If only the RBI rule operates, the issuer absorbs the loss. If only the chargeback operates, you may wait 45 to 120 days. Running both gives the fastest refund and the proper allocation of loss.

File both, in this sequence. Email the bank under the RBI circular for the shadow credit. File the chargeback form with the network reason code. Follow both clocks. The shadow credit and the chargeback resolve into a single net refund. If the bank tries to net them as a “settlement” before the network speaks, refuse and demand the chargeback continue.

The chargeback is a strong tool but it is not unlimited. Five fact patterns sit outside the right.

1. Push-payment fraud (UPI, IMPS, NEFT). Chargebacks exist only for card transactions. UPI/IMPS/NEFT remedies are the NPCI UPI Dispute Management process and the RBI customer-liability framework. See UPI deducted but not received and recover money from UPI fraud.
2. Friendly fraud and family disputes. A relative used the card with apparent authority. The network will reject on rebuttal evidence of IP, device or delivery address match. Pursue civilly, not through the network.
3. Consent fraud where you approved a 3D-Secure prompt. If the transaction was authenticated by Verified by Visa, Mastercard SecureCode or RuPay PaySecure and you approved it, the chargeback right is weaker. The network presumes authenticated transactions are genuine. You can still try Mastercard 4863 but the success rate is low. Pivot to the RBI zero-liability claim, where the test is “unauthorised”, not “unauthenticated”.
4. Social-engineering, fraudster impersonated the merchant. If you knowingly paid a genuine merchant who turned out to be a front, the merchant rebuttal usually wins. Remedy is the FIR plus the 1930 freeze.
5. Time-barred cases past 120 days. Once 120 days pass, only the RBI framework and the consumer commission remain.

If you fall into one of these buckets, see debit card fraud recovery for alternative paths.

Each scenario is anonymised; the timeline and rule references are exact.

[Resident A] is a software engineer in Bengaluru with a Visa Signature card from a private bank. On Tuesday 21 April 2026, three transactions of USD 250 each cleared at a Hong Kong-routed e-commerce merchant she had never heard of. INR equivalent ₹62,400.

She called 1930 the same evening, emailed the bank under the RBI circular on day 1, and walked into the branch on day 4 with the chargeback form pre-filled, citing Visa 10.4, Other Fraud, card-absent environment. The branch initially asked her to “wait for our investigation”; she handed over a printed extract of the Master Direction 2022 and the form was filed the same day. Bank shadow-credited ₹62,400 on day 11. The merchant did not respond within 30 days. Network closed in her favour on day 38. Recovery: ₹62,400 in 38 days.

[Resident B] is a retired schoolteacher in Pune with a Mastercard credit card. On Saturday 7 March 2026, ₹18,500 cleared at an Indian e-commerce merchant for an “iPhone case bulk order”. He noticed on the statement two weeks later, on day 17.

He went to the branch the same day with screenshots and NCRP acknowledgement. The branch filed under Mastercard 4837, No Cardholder Authorisation. The merchant responded on day 28 with a delivery proof to an address that did not match. The bank prepared counter-evidence and re-filed on day 41 after [Resident B] emailed the nodal officer asking for case status. Network ruled in his favour on day 67. Recovery: ₹18,500 in 67 days.

[Resident C] is a small-business owner in Hyderabad with a co-badged RuPay-Visa card from a public-sector bank. On Friday 9 January 2026, ₹35,000 cleared at a foreign merchant later flagged by the cyber-crime unit as a fraudulent storefront.

The branch manager refused to file a chargeback, citing “the transaction is OTP-authenticated, rules do not allow a chargeback”. She demanded the refusal in writing. The branch declined. She filed at the RBI Ombudsman under RB-IOS 2021 on day 19, citing breach of the Master Direction 2022 and the Visa Core Rules requirement that issuers must file disputes.

The ombudsman issued a notice on day 38. The bank filed the chargeback under Visa 10.4 on day 42, beating the 120-day window with a month to spare. The merchant did not respond. Network credit landed on day 78. The ombudsman closed the file with a directive that the bank publish a corrective notice. Recovery: ₹35,000 in 78 days, plus a regulator-recorded breach.

The lesson: a refusal in writing is the bank's weakest weapon and the citizen's strongest evidence. Always ask for it.

Copy verbatim, replace the bracketed fields, email to the bank's dispute address, the branch manager and the nodal officer. Cc yourself. Print, sign and hand-deliver at the branch within 48 hours.

Subject: Chargeback request under [Visa / Mastercard / RuPay] network
         rules, Card ending [XXXX], Transaction date [dd-mm-2026]

To,
The Branch Manager, [Bank name], [Branch address]
And, The Nodal Officer, Customer Protection,
[Bank name], [Head office address]

Date: [dd-mm-2026]

Sir/Madam,

I, [Name], hold [credit / debit] card ending [last 4 digits] under
account [account no.] at your [branch] branch. I request you to file
a chargeback with the [network] in respect of the unauthorised
transactions below.

1. Disputed transactions
   Date and time: [dd-mm-2026, hh:mm]
   Merchant name on statement: [exact text]
   Amount: Rs. [figure] / [foreign currency figure if any]
   Transaction ID / ARN: [12-23 digit string]
   [Repeat per transaction.]

2. Reason code requested:
   [Visa 10.4, Other Fraud, card-absent environment] OR
   [Mastercard 4837, No Cardholder Authorisation] OR
   [RuPay Dispute Management Regulations, Chapter 13.1,
    Unauthorised Transaction]

3. I did not authorise these transactions. The physical card was in
   my possession. I have not shared the card number, CVV, PIN or any
   3D-Secure code.

4. I have, on [date], registered the matter at 1930 (reference
   [number]) and at NCRP (acknowledgement [number]). Copies enclosed.
   This letter is served within [N] days of the transaction date,
   well inside the 120-day network window.

5. This is a parallel filing alongside my notice under RBI circular
   DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017. The two
   filings are not in the alternative.

6. I require the bank to:
   a. Provisionally credit Rs. [figure] within 10 working days under
      the RBI Master Direction on Credit Card and Debit Card, 2022.
   b. File the chargeback with the [network] within 30 days under
      the same Master Direction.
   c. Share the network case number in writing and update me at
      every stage of representment, pre-arbitration and arbitration.

7. Failure to file will be escalated to the principal nodal officer,
   the Banking Ombudsman under RB-IOS 2021, and the District
   Consumer Disputes Redressal Commission under the Consumer
   Protection Act 2019. A refusal to file, if any, is requested in
   writing with the specific network rule cited.

Yours faithfully,

[Signature]
[Full name]
[Address] [Registered mobile] [Email]

Enclosures:
  - Statement extract with disputed transactions highlighted
  - Debit SMS screenshots
  - 1930 complaint slip and NCRP acknowledgement
  - Self-affidavit on plain paper
  - Aadhaar and PAN copies
  - Police FIR (only if Visa 10.2 or Mastercard 4871)

If you have just spotted a fraudulent card transaction, do these in order.

1. Save the statement entry and the debit SMS. Screenshot both.
2. Call 1930 and complete the 7-minute script.
3. File at NCRP at https://cybercrime.gov.in/ and save the acknowledgement.
4. Identify the network from the card face and read off the reason code. Visa 10.4 or Mastercard 4837 by default.
5. Email your bank using the sample letter. Cc the nodal officer.
6. File the bank's chargeback form in person at the branch within 48 hours.
7. Email separately under the RBI circular for the shadow credit. See the golden-hour zero-liability article.
8. Diarise day 10 (shadow credit), day 30 (chargeback filed) and day 45 (likely outcome).
9. Forward this article to every family member who carries a card.

No, not lawfully. Filing is the bank's role; adjudication is the network's. A refusal to file is a breach of the RBI Master Direction on Credit Card and Debit Card, 2022. Demand the refusal in writing. If the bank declines, you have your evidence. Escalate to the nodal officer and to the RBI Ombudsman under RB-IOS 2021. Banks usually file the chargeback the moment a written refusal is asked for.

The 120-day headline window is standard across Visa, Mastercard and RuPay for fraud chargebacks. The start date differs. Visa runs from the transaction processing date, Mastercard from the transaction date with extensions for services-not-rendered and recurring, RuPay from the transaction date with no extensions. Always file by day 90. Non-fraud disputes can carry shorter windows.

Under all three networks, silence equals acceptance. After the acquirer's 30-day rebuttal window, if no compelling evidence is filed, the chargeback stands and the provisional credit becomes the final credit. This is the most common outcome in cross-border phishing cases because the fraudulent merchant accounts are often shut down before the window opens.

No. Chargebacks exist only for card transactions on Visa, Mastercard or RuPay. UPI runs under NPCI's UPI specification with its own dispute mechanism called UDIR. See recover money from UPI fraud and UPI deducted but not received. The RBI customer-liability framework covers both card and UPI; the chargeback right itself is card-only.

OTP authentication does not automatically defeat a chargeback. It defeats the easiest filing under Visa 10.4 or Mastercard 4837 because the network can ask “the cardholder approved it, what is the dispute?”. But the chargeback can still be filed under Mastercard 4863, Cardholder Does Not Recognise, or under social-engineering grounds in some Visa rulings. The RBI circular's contributory-negligence carve-out resets after you report; pursue the RBI track even if the chargeback is weak.

No. A chargeback is a dispute on a single transaction, not a default. CIBIL and other bureaux do not record individual chargebacks. The only credit-score risk arises if you stop paying the rest of the credit-card bill during the dispute. Always pay the undisputed portion on time; the disputed amount is excluded from the minimum-due calculation by RBI direction. Confirm in writing that the disputed amount is flagged out of the billing for the dispute duration.

The chargeback right is identical. The refund comes back in the original currency, converted to INR at the prevailing rate plus markup on the credit leg. If the rates differ significantly, ask for the FX differential as a goodwill credit; it is not automatic. See international card transaction fraud recovery.

Yes. The network does not see the funding source; it sees a Visa or Mastercard transaction with a normal flow. The chargeback right is identical. The wallet provider becomes an additional party; ask in writing for the on-chain record preceding the spend. Some smaller offshore fintech-issuing banks ignore chargeback requests; if so, file at the RBI Ombudsman, which has jurisdiction over the partner Indian bank.

Representment is the acquirer's right to push the chargeback back with compelling merchant evidence. It is routine in maybe 30% of cases. If your facts are clean (no IP match, no home-address delivery, no 3D-Secure approval), representment is unlikely to succeed. If your facts are murkier, the bank will ask for counter-evidence; reply within 5 working days. Representment is not a sign you are losing.

Search for “transaction dispute”, “chargeback request” or “card dispute”. Every Indian bank publishes one by RBI direction. If the form is missing or buried, file an RTI to the bank's PIO asking for the board-approved policy on chargeback filings and the standard form template. Use the AI RTI Drafter. The RTI itself usually surfaces the form within seven days.

1. RBI Master Direction on Credit Card and Debit Card, Issuance and Conduct, 2022, chapter on dispute resolution and grievance redressal, available at https://rbi.org.in/Scripts/BS_ViewMasDirections.aspx (search for “credit card debit card”).
2. RBI circular DBR.No.Leg.BC.78/09.07.005/2017-18 dated 6 July 2017, Customer Protection, Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, at https://rbi.org.in/.
3. Visa Core Rules and Visa Product and Service Rules (public summary), https://www.visa.co.in/about-visa/visa-rules.html.
4. Mastercard Chargeback Guide (public version), https://www.mastercard.us/content/dam/public/mastercardcom/na/global-site/documents/chargeback-guide.pdf.
5. NPCI RuPay Operating Regulations and RuPay Dispute Management Regulations, summarised at https://www.npci.org.in/what-we-do/rupay/dispute-management.
6. Reserve Bank-Integrated Ombudsman Scheme 2021, complaint portal https://cms.rbi.org.in/.
7. National Cyber Crime Reporting Portal, https://cybercrime.gov.in/.
8. National Cyber Crime Helpline, dial 1930.
9. Information Technology Act 2000, §66C (identity theft) and §66D (cheating by personation using computer resource).
10. Bharatiya Nyaya Sanhita 2023, §318 (cheating).
11. Consumer Protection Act 2019, the deficiency-in-service ground for parallel relief at the District Commission.

1. Golden-hour zero-liability, the parallel RBI claim
2. 1930 cyber fraud helpline, the 7-minute script
3. Bank freeze process after cyber fraud
4. Lien amount in bank account, how to remove
5. Debit card fraud recovery, all channels
6. International card transaction fraud recovery
7. UPI deducted but not received, action plan
8. Recover money from UPI fraud, 2026 walkthrough
9. RB-IOS 2021 banking ombudsman walkthrough
10. Citizen RTI playbook, the pillar guide
11. AI RTI Drafter, generate the parallel RTIs in two minutes

Last reviewed: 16 May 2026. RTI Wiki editorial team. Verify the current network rulebooks at visa.co.in, mastercard.us and npci.org.in before citing in a legal notice. Reason codes occasionally renumber on twice-yearly rulebook updates.