The bank considered the transactions were authorised because:

• Mastercard’s 3DS authorisation protocol had been used, meaning transaction requests had required an approval in response to a text message or email request.
• The transactions had required the entry of the card number, the expiry date, the name on card and the card verification number.
• Patrick had a history of disputing transactions at gambling websites, including this latest website.

Patrick insisted he had not made the transactions, and his bank charged back the transactions. The merchant responded with evidence that:

• The person making the first transaction had the card details.
• Accounts created with it had to be verified with a four-digit code sent to the mobile number or email address registered on the gaming account.
• Patrick’s phone number was registered with the merchant.
• The person making the transactions needed access to the device, the customer’s account with the merchant and all other username and password information. 
• The pattern of gambling indicated it was a genuine customer making the transactions.
• During the time deposits were made to the player’s account with merchant, the player had logged in from the same device and IP that had been used consistently on the account.

The bank declined to reimburse the transactions, saying the evidence showed they were authorised.

Our investigation

We reviewed the evidence and concluded that, on the balance of probabilities, it was more likely than not that Patrick had made the disputed transactions or that someone else with his knowledge and consent had made them. We considered the bank acted reasonably in accepting the merchant’s evidence, which was compelling.

Outcome

We did not uphold the complaint.