TrustLens’s Chargeback Evidence Report: CE3.0, Tamper-Proof Fingerprints, and Independent Verification
Plugin Guides · Chargeback Response
Evidence That Proves Its Own Integrity
TrustLens 1.3.0 Pro’s Chargeback Evidence Report assembles your Visa Compelling Evidence 3.0 case automatically — and then lets any reviewer confirm the document is genuine and unaltered at a neutral public page, without trusting only the merchant’s word.
Every chargeback guide tells you to gather evidence. Order records, shipping confirmation, customer communication, prior purchase history — the standard package. Merchants who fight disputes learn quickly what to include and where to upload it. What nobody asks, until a reviewer does, is: how does the card issuer know you didn’t assemble that package after the fact?
This is a structural problem. A PDF you hand-produced looks identical whether you built it on the day the order shipped or the day you received the dispute notification. Screenshots can be staged. Timestamps in Word documents are editable. There’s no neutral authority that can say “this summary of the customer’s purchase history is what TrustLens recorded on the day of the order, and it hasn’t been altered since.”
TrustLens 1.3.0 Pro’s Chargeback Evidence Report addresses that gap directly. The report is a print-optimized, processor-ready document that builds your Visa Compelling Evidence 3.0 case automatically from the customer’s order history stored in your site — and then, at generation time, registers a tamper-evident SHA-256 fingerprint with a neutral public verification service at webstepper.io/verify. Any reviewer, card issuer, or dispute analyst can go to that page, enter the Report ID printed on the document, and confirm the fingerprint and key figures match what TrustLens received from your store. The document is what you say it is, and anyone can check.
This post explains how the report works, what it contains, how Visa CE3.0 matching actually functions, what the independent verification system does and doesn’t prove, and how to use the report effectively when you’re building a representment case.
The problem with chargeback evidence as it normally works
When you contest a chargeback, you’re arguing a factual case to a reviewer who hasn’t seen your store, your customer, or your systems. Their job is to evaluate whether your evidence supports your position under the card network’s rules. In most cases, all they have is what you give them.
For disputes involving fraud codes — where the cardholder is claiming they didn’t make the purchase at all — the most powerful evidence is often behavioral: this customer has ordered from your store six times over the past two years, always to the same shipping address, and paid without issue. Now, on the seventh order, they’re claiming it was unauthorized.
That’s a compelling story. But to tell it, you need a document that organizes that history clearly. And when that document comes only from the merchant — as all documents in a standard dispute response do — a skeptical reviewer might reasonably wonder whether the historical context was accurately represented.
The verification layer TrustLens 1.3.0 adds doesn’t make your data independently audited. The figures in the report are still supplied by your store. But it adds a meaningful element of integrity: the report that’s registered with the verification service is the report as generated, and if anyone alters the document after the fact, the fingerprint comparison will fail. The question “did this merchant modify their evidence” gets a concrete answer.
For the full tactical workflow of assembling an evidence package and writing a rebuttal letter, see How to Respond to a WooCommerce Chargeback Dispute (and Actually Win). This post focuses on the TrustLens report specifically.
What the Chargeback Evidence Report contains
The Chargeback Evidence Report is a self-contained HTML document that renders as a clean, professionally formatted single page — designed to be saved as a PDF through the browser’s print function and uploaded directly to a processor dispute portal. It doesn’t require any third-party tool. The “Print Report” button in the toolbar handles it.
The report is organized into these sections:
Verdict hero
A banner at the top of the report that summarizes the evidential situation at a glance — “Compelling evidence: Strong,” “Compelling evidence: Moderate,” or “Limited matching evidence” — based on how many prior orders qualify for Visa CE3.0. It includes the count of CE3.0-qualifying orders, the number of identifier types matched, the customer’s trust score and segment, and their return rate compared to your store average. This is the first thing a reviewer sees.
Prior orders from this same customer (the CE3.0 section)
A table listing every prior order that shares at least one identifying detail with the disputed order — billing address, shipping address, IP address, device fingerprint, saved payment token, or phone number. Each row shows the order number, date, total, which identifiers were shared, and whether the order meets Visa CE3.0 criteria. CE3.0-qualifying orders are sorted to the top.
Customer risk profile
The customer’s trust score (0–100), risk segment, and how long they’ve been a customer. Below that, a list of active risk signals from TrustLens’s scoring engine — the factors that pushed the score up or down — shown with their individual point values.
Disputed order detail
The WooCommerce order details for the specific order that was disputed: order number, date, total, status, payment method, and shipping address. All line items are listed.
Order history
A full order history table (up to 50 orders) showing every order associated with the customer’s email address or account — date, total, status, and whether any refund was applied. This is the historical context that makes the behavioral argument.
Return analysis
The customer’s return rate compared to your store’s average, with counts of full and partial refunds and the total value refunded. When the customer’s return rate is above or below your store average, the report flags it with a colored note and the multiplier.
Linked accounts
Any other accounts in your store that share identifying information with this customer — same shipping address, device fingerprint, IP address, payment token, or phone number. Linked accounts with negative segments or blocked status are noted.
Event timeline
A chronological log of up to 12 recent events for this customer: orders placed, refunds, disputes, blocks, and unblocks. Positive events (completed orders) and negative events (refunds, disputes, blocks) are color-coded.
Verification block
At the bottom of the report: the Report ID (formatted as TL-XXXX-XXXX-XXXX), the SHA-256 fingerprint, the verification URL (webstepper.io/verify/[Report ID]), and a scannable QR code linking directly to the verification page. This is the tamper-evidence layer. A reviewer who wants to confirm the document’s integrity can go to that URL without contacting you.
How Visa CE3.0 matching works in the report
Visa Compelling Evidence 3.0 is Visa’s framework for allowing merchants to rebut “unauthorized transaction” dispute claims by demonstrating transaction continuity — showing that the same customer made prior undisputed purchases using the same identifying details. If you can meet CE3.0’s threshold, you shift the liability from merchant to issuer for disputes that would otherwise be nearly impossible to win.
The threshold, verified against TrustLens’s code in TrustLens_Dispute_Evidence:
- The prior order must have been placed 120 to 365 days before the disputed order (constants
CE3_MIN_DAYS = 120,CE3_MAX_DAYS = 365). - The prior order must share at least two identifying details with the disputed order (
CE3_MIN_SHARED = 2). - The prior order must not have been refunded and must not itself have been disputed — both conditions would disqualify it.
- You need two or more qualifying prior orders to meet CE3.0’s “strong” threshold. One qualifies for “moderate.”
The identifiers TrustLens compares between the disputed order and each prior order are: shipping address, billing address, IP address, device fingerprint, saved payment token, and phone number. These are compared as one-way hashes stored in your database — the actual values are not stored in plaintext.
For each prior order that shares any identifier with the disputed order, the report shows exactly which identifiers matched (displayed as label chips: “Address,” “Billing,” “IP,” “Device,” “Card,” “Phone”), the number of days before the disputed order it was placed, and whether it qualifies for CE3.0. Orders that qualify are sorted to the top of the table and labeled with a green “CE3.0” badge.
CE3.0 counts orders, not identifiers
The 120–365 day window is strict. An order placed 115 days before the dispute doesn’t qualify. An order placed 400 days before doesn’t qualify either. The window is intentional — Visa’s definition of “prior undisputed transaction” requires the order to have been recent enough to establish behavioral continuity, but old enough to predate any scheme the cardholder might have planned.
If your customer ordered regularly for two years but all their recent orders fall outside the 120-day minimum, the CE3.0 count in the report will be zero. The report will show those orders in the history section, but they won’t count toward CE3.0. This is the correct behavior — TrustLens does not pad the count.
One-sentence continuity statement
Below the verdict banner, the report includes a plain-English summary built from the data: something like “This customer has placed 14 orders totaling $2,340 since March 2023, 6 of them shipped to the same address as the disputed order, and only this order has been disputed.” This sentence is generated automatically from the report data and is included verbatim in the document — it’s exactly the kind of direct, factual opening line that belongs in a rebuttal letter.
The verdict hero: what the report tells you before you file
Before you invest time writing a rebuttal, the verdict banner at the top of the Chargeback Evidence Report tells you where you stand:
- “Compelling evidence: Strong” (green) — two or more qualifying prior orders. You have what you need for a CE3.0 representment.
- “Compelling evidence: Moderate” (blue) — exactly one qualifying prior order. Partial CE3.0 support. Worth filing with appropriate expectations.
- “Limited matching evidence” (amber) — no prior orders qualify under CE3.0 criteria. The report may still help (order history, return rate, linked accounts) but not for CE3.0-specific liability shift.
When there’s no disputed order context — if you generate the report from a customer profile rather than a specific dispute — the banner switches to a customer risk assessment, showing the trust score and segment with a representment recommendation (“strong representment candidate,” “review before representment,” or “representment not advised”).
This is a decision-support signal, not a guarantee. Whether to contest a dispute is still your call, and the reasons to accept or contest go beyond what any automated assessment can weigh. But having the CE3.0 picture up front — before you spend an hour assembling evidence — is useful.
Independent verification — the part no competitor does
Every report generated by TrustLens 1.3.0 Pro carries four verification elements, all printed in the verification block at the bottom of the document:
- SHA-256 fingerprint — a 64-character hex string computed from the report’s verifiable facts (trust score, CE3.0 count, total orders, total order value, return rate, and the matched-order data). The fingerprint is deterministic: identical report data always produces the same hash.
- Report ID — a human-readable identifier in the format TL-XXXX-XXXX-XXXX, derived from the first 12 characters of the fingerprint. It’s stable and collision-resistant for practical purposes.
- Verification URL — the link to the public verification page:
webstepper.io/verify/[Report ID]/. - QR code — a scannable code that encodes the verification URL directly. Generated entirely in PHP, no external library, no network request, no third-party service at generation time.
When the report is generated and verification is enabled (the default), TrustLens sends the fingerprint, Report ID, and a small set of non-personal metadata to webstepper.io. A reviewer who receives the printed PDF can scan the QR code, visit the verification URL, and see the fingerprint and figures that TrustLens registered. If those numbers match the report in their hands, the document is what it claims to be. If they don’t match, the document has been altered.
What the verification page shows
The webstepper.io/verify page shows: the Report ID, the SHA-256 fingerprint on record, the date TrustLens received the attestation, the merchant’s store URL, and the “reported figures” — CE3.0 count, trust score, segment, and return rate. There’s also a paste-to-compare field where a reviewer can paste the fingerprint from their copy and get an instant match or mismatch result. No login required. No account. Anyone with the Report ID can check.
What happens if the verification service is unavailable at generation time
Registration with the verification service is non-blocking. If webstepper.io is temporarily unreachable when you generate the report, TrustLens will note the pending registration in the toolbar and automatically retry at the next visit. The report still prints with the SHA-256 fingerprint and Report ID — those are always computed locally and are always valid regardless of network status. If verification registration fails, TrustLens queues the registration and retries automatically on an hourly schedule (up to 48 attempts over two days).
What verification confirms, and what it doesn’t
The verification page is intentionally honest about its scope. A prominent note on the page states: “This page confirms only that a report fingerprint was received and stored. Webstepper does not certify, endorse, or guarantee the underlying claims in the report — the figures and order data are supplied by the merchant.”
That wording matters. Here’s what the verification system actually confirms:
- Receipt — the fingerprint was registered with TrustLens at the time shown.
- Integrity — the document in the reviewer’s hands has not been altered since it was generated. If the fingerprint matches, the numbers are exactly what TrustLens calculated.
Here’s what it does not confirm:
- Accuracy of the underlying data — the order history in your WooCommerce database is yours. TrustLens reads what’s there. If your WooCommerce data is wrong, the report reflects that wrongness. Verification doesn’t audit your database.
- Whether the customer is a fraudster — the report presents behavioral evidence. It doesn’t determine guilt.
- That you’ll win the dispute — CE3.0 compliance is one part of a representment case. Reviewers have discretion, and dispute outcomes depend on factors beyond what any evidence report can control.
This distinction matters for how you describe the report in a rebuttal. You can say the evidence summary was produced and registered at the time of dispute — and that the attached document can be independently verified. You cannot say that an independent authority certified the customer’s behavior.
Ed25519 signing: the cryptographic layer
Beyond the SHA-256 fingerprint stored in the TrustLens database, the webstepper.io verification service adds a second layer: the attestation record is signed with Ed25519 before storage. The signed message is the Report ID, content hash, and the date TrustLens first received the attestation, concatenated. The public key is available via the REST API at webstepper.io/wp-json/trustlens/v1/pubkey.
For most merchants, this layer is invisible — the verification page handles it. But it means the server-side record of your attestation is also tamper-evident: if anyone were to alter the webstepper.io database, the signature verification would fail. A developer who wants to verify the attestation entirely offline can fetch the signed message, signature, and public key from the JSON endpoint and run the Ed25519 verification independently.
This is the sort of thing that matters more to enterprise buyers and legal teams than to the average WooCommerce merchant. It’s mentioned here because it’s part of the system and worth understanding — not because you’ll need to reach for it to fight most chargebacks.
Privacy: what leaves your server, and what doesn’t
When a report is generated and verification is enabled, TrustLens sends the following to webstepper.io:
- The Report ID
- The SHA-256 content fingerprint
- The report’s generation timestamp
- Your store’s URL (as the merchant identifier)
- The disputed order number (for reviewer cross-reference — no order data, just the reference number)
- The “figures”: CE3.0 qualifying count, trust score, segment, and return rate
What is never sent: customer name, email address, billing address, shipping address, IP address, device fingerprint, payment token, or any personally identifiable information. The identifiers in the matching engine are compared as one-way hashes locally — they don’t leave your site. This is confirmed in TrustLens’s readme.txt External Services disclosure and in the attestation code (TrustLens_Dispute_Attestation::build_payload()).
If you want to disable the verification feature entirely, the toggle is at TrustLens → Settings → Chargebacks → Report Verification. When disabled, reports still generate with the SHA-256 fingerprint and Report ID printed locally, but no registration occurs and the QR code is omitted. The fingerprint is still useful as a self-referential integrity check even without the public verification service.
How to generate the report from a disputed order
The report can be generated in two ways:
From an order edit page
Open the disputed order in WooCommerce admin (Orders → [order number]). In the TrustLens order metabox on the right side, you’ll see a “Dispute Report” link. Clicking it opens the report in a new tab, pre-loaded with that order’s context. The report includes the CE3.0 matching section, the disputed order detail, and all other sections described above. This is the most common workflow — you receive a dispute notification, open the order, and generate the report immediately.
From a customer profile
In TrustLens → Customers, open the customer’s profile. A “Dispute Report” button appears in the profile actions area. This generates the report for that customer without a specific disputed order context — the CE3.0 section is omitted, and the verdict banner shows the customer risk assessment instead. This is useful for reviewing a customer’s behavioral profile before deciding whether to contest.
Both entry points require the manage_woocommerce capability and pass through nonce verification. The report renders as a standalone HTML page in a new tab — not inside the WooCommerce admin frame — so the print layout is clean and uncluttered by admin chrome.
Saving as PDF
The toolbar at the top of the report page includes a “Print Report” button and instructions: choose “Save as PDF” as the destination, set margins to “None,” and turn on “Background graphics” for full color. The print CSS removes the toolbar and all browser chrome so the saved PDF is clean. Most dispute portals accept PDF uploads directly.
How to actually use the report in a representment
The Chargeback Evidence Report is not a complete representment submission by itself. It’s one component of your evidence package — the most important component when the dispute involves a fraud code and you have prior purchase history to point to. Here’s how it fits into a real workflow:
Step 1: Generate the report before deciding whether to contest
Open the disputed order and generate the report immediately. Look at the verdict banner. If the CE3.0 count is zero and the customer is a first-time buyer with a low trust score, contesting a fraud-coded dispute is likely to lose. If the CE3.0 count is two or more and the customer has a long, clean purchase history, contesting becomes a genuine option.
Making this decision in two minutes at the start of the workflow — before writing a rebuttal letter — is more efficient than spending 45 minutes building a case and then discovering the evidence doesn’t support CE3.0.
Step 2: Use the continuity statement as your rebuttal opening
The one-sentence continuity statement in the report’s verdict section (“This customer has placed X orders totaling $Y since Z, N of them shipped to the same address as the disputed order, and only this order has been disputed”) is exactly the kind of specific, factual opening that belongs at the top of a rebuttal letter. Lift it verbatim or adapt it slightly. It’s more persuasive than anything you could write from scratch because it’s drawn directly from the data.
Step 3: Upload the report PDF alongside your other evidence
Save the report as PDF and include it in your evidence package. In the rebuttal letter, reference it explicitly: “The attached TrustLens Chargeback Evidence Report summarizes this customer’s purchase history and behavioral continuity with this store. The report can be independently verified at the URL printed in the verification block at the bottom of the document.”
That last sentence is the part that no self-produced screenshot can say.
Step 4: Gather the standard supporting documents
The Chargeback Evidence Report replaces the manual order-history section of your evidence package. It does not replace shipping confirmation, carrier tracking records, customer email correspondence, or product page screenshots. For the full evidence checklist by reason code, see How to Respond to a WooCommerce Chargeback Dispute (and Actually Win).
The difference a verified history makes
Consider two merchants contesting the same type of dispute — a fraud code, first-party misuse suspected. The first merchant uploads a series of WooCommerce admin screenshots showing previous orders and writes “this customer has ordered from us before.” The second merchant attaches a TrustLens Chargeback Evidence Report that shows those same orders in a formatted table, identifies two CE3.0-qualifying orders with matching shipping address and device fingerprint, and includes a QR code linking to a third-party verification page. Both merchants have the same underlying facts. The second makes a more credible case — not because the data is different, but because the presentation is harder to dismiss.
When the report won’t help — and what to do instead
There are situations where the Chargeback Evidence Report will be generated but won’t meaningfully strengthen your position. It’s worth naming them honestly:
First-time buyers
CE3.0 requires prior orders. If this is the customer’s first purchase from your store, the CE3.0 section will be empty. The report will still show the customer’s trust score, return rate, and event timeline — but those are thin evidence for a fraud-coded dispute. The honesty of the verdict banner is useful here: it tells you clearly when the evidential situation is weak.
Orders outside the 120–365 day window
A customer with five prior orders, all placed more than 365 days ago, will show zero CE3.0-qualifying orders. Their history is too old for CE3.0. Similarly, a customer who ordered last month won’t have any orders in the 120+ day lookback window. In these cases the order history section still tells a story, but CE3.0 liability shift isn’t on the table.
Prior orders that were refunded or disputed
Refunded and previously-disputed orders are automatically excluded from CE3.0 qualification. A customer with ten prior orders who returned seven of them has fewer qualifying orders than they appear to on paper. The report handles this correctly and won’t overstate the CE3.0 count.
Disputes where behavioral history isn’t the issue
If the dispute is “item not received” with a legitimately missing shipment, or “not as described” where the product description was genuinely ambiguous, CE3.0 and customer history don’t address the actual claim. For non-fraud dispute categories, the behavioral report is background context, not the centerpiece of your defense. See the store owner’s guide to chargebacks for category-specific strategy.
Guest checkout customers with limited data
TrustLens identifies customers primarily through email address and device/IP fingerprints. A guest buyer who used a different email address for previous orders, purchased on a different device, and accessed your store from a different IP will have fewer shared identifiers to match against. The CE3.0 match quality depends on how much fingerprint data is available from prior orders.
Key takeaways
What to remember
- TrustLens 1.3.0 Pro’s Chargeback Evidence Report is a print-ready representment document that builds your Visa CE3.0 case automatically from the customer’s order history in your WooCommerce database.
- Visa CE3.0 requires two or more prior orders that each share at least two identifying details with the disputed order, were placed 120–365 days before the dispute, and were neither refunded nor previously disputed. TrustLens checks all four conditions against the actual code constants and reports honestly when orders don’t qualify.
- Every report carries a SHA-256 fingerprint, a Report ID (TL-XXXX-XXXX-XXXX), and a QR code linking to webstepper.io/verify — where any reviewer can confirm the fingerprint and key figures match the version TrustLens registered at generation time.
- Verification confirms receipt and integrity only. The figures in the report are supplied by your store’s WooCommerce database. Webstepper does not certify, audit, or endorse the underlying data — this distinction is stated explicitly on the verification page.
- No customer personal data is sent to the verification service. Only the fingerprint, Report ID, store URL, order reference number, and four aggregate figures (CE3.0 count, trust score, segment, return rate) leave your server.
- The verification feature can be disabled in TrustLens → Settings → Chargebacks. Reports still print with the SHA-256 fingerprint when verification is off.
- The report is most useful for fraud-coded disputes where behavioral continuity is the core argument. For first-time buyers or disputes outside the CE3.0 window, the report’s evidential value is limited — the verdict banner tells you this upfront so you don’t waste time on unwinnable cases.
Common questions
Do I need a Pro license to generate the Chargeback Evidence Report?
Yes. The Chargeback Evidence Report is a Pro-only feature in TrustLens, available from version 1.3.0. The Chargebacks module must also be active in your settings. The free version of TrustLens does not include the dispute report, the independent verification system, or the CE3.0 matching logic.
Where exactly does the “Dispute Report” link appear in WooCommerce?
In the order edit screen, it appears in the TrustLens metabox on the right side as a small link labeled “Dispute Report →”. On the customer profile page in TrustLens → Customers, it appears as a button in the profile action area. Both open the report in a new browser tab.
Can I generate the report before I receive the official dispute notification?
Yes. If a customer contacts you complaining about a charge before filing a formal dispute, you can generate the report immediately from the order or their customer profile. Early generation is useful — the verification registration timestamp shows when the report was created, which can matter if the dispute arrives later and the question of whether evidence was assembled before or after the dispute becomes relevant.
What happens if the verification page shows “No verification record found”?
This means either the report was generated with verification disabled, or the registration attempt failed and hasn’t succeeded yet. The SHA-256 fingerprint printed on the report is still valid — it’s computed locally regardless of whether remote registration succeeded. The verification page’s own “not found” state notes this: “a genuine report may not have reached us. The SHA-256 fingerprint printed on the report itself remains the source of truth.” You can still use the report in a dispute response; verification is an enhancement, not a requirement.
How many files can I attach to a Stripe dispute response, and where does the report PDF go?
Stripe accepts up to 8 files per dispute response, each up to 1.5 MB, in JPG, PNG, or PDF format. The TrustLens report PDF is typically one of those files, labeled with a clear name (e.g., trustlens-chargeback-evidence-report.pdf). Reference it explicitly in your rebuttal text and point the reviewer to the verification URL.
Does TrustLens’s CE3.0 matching replace the need to submit delivery confirmation or tracking records?
No. CE3.0 addresses the fraud claim — demonstrating this customer made prior authorized transactions with your store. Delivery confirmation addresses a separate question: whether the disputed order arrived. For a dispute coded as “unauthorized transaction” where you also have tracking data showing delivery to the billing address, submit both. They address different aspects of your case and work better together than either does alone.
How is the TrustLens Chargeback Evidence Report different from a standard WooCommerce order export?
A WooCommerce order export is a data extract from your database, produced under your control with no verification layer. It shows what you choose to export. The TrustLens Chargeback Evidence Report is structured for dispute response specifically: it applies CE3.0 logic automatically, surfaces behavioral signals the order export doesn’t show (risk profile, return rate, linked accounts, event timeline), and registers a tamper-evident fingerprint with a neutral verification service so a reviewer can confirm the document’s integrity independently. Those three differences — structured CE3.0 analysis, behavioral context, and independent verification — are what make it more useful in a representment than a CSV export.
For a broader look at TrustLens Pro’s chargeback tools — including the Chargeback Monitor, the Open Disputes worklist, and how the dispute deadline tracking works — see Never Miss a Dispute Deadline: A Walkthrough of TrustLens’s Chargeback Monitor.
TrustLens — Customer Risk Intelligence for WooCommerce
The Chargeback Evidence Report is part of TrustLens Pro. It also includes automation rules, the advanced Chargeback Monitor with per-brand breakdown, card-testing defense, and behavioral scoring across every customer in your store.