How to Dispute Credit Card Fraud in the Philippines: Chargeback and Cybercrime Complaint Guide

Philippine-focused, practical, and comprehensive. This is general information, not legal advice.

Quick-start: what to do in the first hour

Block the card immediately. Call your issuer’s 24/7 hotline (or lock via mobile app) and ask for replacement. Record the time, agent name, and case/reference number.
Change credentials. Update your banking/app passwords and email password. Enable app-based 2FA.
Preserve evidence. Take screenshots of SMS/email alerts, app notifications, OTP prompts, transaction details, and your current device IP address if visible.
Note the timeline. Write down when you noticed, when transactions posted, where you were, and any suspicious messages/calls/links you received.

Understanding your rights (Philippine legal & regulatory landscape)

Credit card fraud is a crime. It can fall under:
- Access Devices Regulation Act (R.A. 8484) — e.g., unauthorized use, skimming/cloning.
- Cybercrime Prevention Act (R.A. 10175) — computer-related fraud, identity theft, illegal access.
- Revised Penal Code — estafa and allied offenses (depending on facts).
Cardholder protection & disputes.
- Philippine Credit Card Industry Regulation Law (R.A. 10870) sets governance for issuers and consumer redress mechanisms.
- Financial Products and Services Consumer Protection Act (R.A. 11765) requires financial providers (including banks) to have fair, efficient complaint handling and allows escalation to the Bangko Sentral ng Pilipinas (BSP) for supervised institutions.
Personal data rights.
- Data Privacy Act (R.A. 10173): if your personal data was compromised (phishing, SIM swap, merchant breach), you may complain to the National Privacy Commission (NPC).
Credit record corrections.
- Credit Information System Act (R.A. 9510): you can request correction of fraudulent entries with the Credit Information Corporation (CIC) after the bank resolves your dispute.

Practical take: you are not expected to pay for charges that you did not authorize. Liability turns on facts (e.g., card present vs. online, use of 3-D Secure/OTP, apparent negligence). Act fast and document everything.

The chargeback path (how the bank investigation works)

A chargeback is a network-governed reversal of a card transaction. While specifics vary by card network (Visa/Mastercard/JCB/Amex) and issuer policy, here’s the standard flow:

Report and dispute
- File a dispute with your issuer (phone + written follow-up via app/email/branch).
- Request a temporary hold or provisional credit while the case is investigated (availability is issuer-dependent and facts-based).
Issuer review & retrieval request
- The issuer asks the merchant’s bank for evidence (sales slip, device logs, AVS/CVV/3-D Secure results, IP/device fingerprints for e-commerce, CCTV if card-present).
Chargeback submission
- If evidence favors you (e.g., forged signature, mismatched device/location, no 3-D Secure) or is insufficient, the issuer raises a chargeback using a reason code (e.g., fraudulent transaction, services not provided).
Representment & (pre-)arbitration
- The merchant/acquirer may fight back with more evidence (representment).
- If still disputed, the case can proceed to pre-arbitration/arbitration under network rules (handled bank-to-bank, not by you).
Final outcome
- Successful: the transaction is reversed permanently and provisional credit (if any) is made final.
- Unsuccessful: the charge may be reinstated, but you may still pursue criminal and/or civil remedies and regulatory escalation.

Typical timing windows (what “ASAP” means in practice)

Report immediately once you discover the charge; many issuers set internal windows (e.g., 7–30 days from statement/notification).
Network windows to file a chargeback are often measured from the processing/posting date (commonly up to ~120 days for fraud, depending on reason code and network).
Bank investigations commonly run several weeks to a few months, depending on cross-border issues and merchant responsiveness.

Tip: Always ask your bank to give you the formal dispute acknowledgement (with case number), what documents they need, and the next milestones.

How to file an effective dispute (step-by-step)

A. Compile your evidence

Statement or app screenshot showing the fraudulent entries (post date, merchant, amount, country/city).
Proof of your whereabouts at the time (receipts, ride-hailing trip, work logs).
SMS/email alerts, suspicious links, call logs, vishing/phishing scripts if any.
Copies of your Affidavit of Loss/Fraud (if card was lost/stolen) and police blotter or cybercrime complaint (see below).
Device and network info (if available): device model, IP, app version; screenshots of 3-D Secure/OTP prompts you did not initiate.

B. Send a written dispute package to your issuer

Include:

Your full name, last 4 digits of the card, case number (if already given).
A concise timeline: discovery time, steps you took, and when you reported.
A transaction table: date, merchant, amount, currency, why unauthorized.
A statement of non-authorization (you did not give consent, card was in your possession / or lost at [time], you did not share OTP/PIN, etc.).
Clear requests: reverse the charges; provide provisional credit; block and replace card; provide investigation updates in writing.

C. Keep a case file

Save PDFs of every email/letter and a call log (date/time/agent/summary).
Calendar follow-ups (e.g., 10, 30, 45 days) to request status updates.

Filing a cybercrime complaint (criminal route)

Criminal complaints are separate from the bank dispute. You can proceed in parallel.

Where to file

PNP Anti-Cybercrime Group (PNP-ACG) — for police blotter and investigation.
NBI Cybercrime Division — for investigation, subpoenas, coordination with platforms.
DOJ Office of Cybercrime — prosecution guidance; cases are filed with appropriate courts.

Venue is flexible in cybercrime cases (e.g., where any element occurred or where digital devices were used). Officers will guide you.

What to bring

Two government IDs and photocopies.
Sworn Affidavit describing the events (see template below).
Annexes: bank statements, app screenshots, SMS logs, email headers, photos of any skimming device/compromised ATM/terminal if applicable, SIM replacement documents if you suffered a SIM swap.
Proof you reported to the bank (acknowledgement email/letter, case number).

Outcome to expect

Case verification → Forensic preservation → Subpoenas to banks, telcos, platforms → Filing with the prosecutor under R.A. 8484, R.A. 10175, RPC estafa, etc.
You may be asked to execute additional affidavits or appear for clarificatory hearings.

Escalation if your issuer denies or stalls

Demand a written explanation. Ask for the complete basis of denial and the evidence relied upon (e.g., 3-D Secure data, device fingerprint, signed charge slip).
Regulatory escalation (for banks and other BSP-supervised institutions):
- File a complaint with the BSP consumer assistance channel. Attach your dispute, the bank’s response (or lack of it), and all evidence.
Data breach angle (if applicable): File a complaint with the NPC if your personal data was mishandled or a breach was not properly notified.
Civil remedies: Consult counsel on damages or contractual claims if losses persist.
Credit record: After resolution, request correction with your bank and, if needed, with the CIC so fraud does not harm your credit score.

Special scenarios & how to argue them

Card-not-present (online) with OTP/3-D Secure you didn’t initiate
- Argue phishing/social engineering or account takeover. Point to device/IP mismatch, impossible travel, or multiple rapid-fire attempts.
- Note that liability shifts under 3-D Secure depend on authentication outcome and role (issuer vs. merchant). Request the authentication log.
Card-present fraud (skimming/cloning)
- Emphasize that you physically had your card at the time; request retrieval of CCTV and terminal logs; highlight signature mismatch or EMV fallback anomalies.
Lost/stolen card with in-store use
- Provide your Affidavit of Loss and police blotter promptly; show you reported without delay.
Recurring/subscription you cancelled
- Provide cancellation proof and dates. Reason codes exist for “cancelled recurring charge” and “services not rendered.”
SIM-swap leading to OTP interception
- Submit telco logs or SIM replacement records. Explain how you lost mobile service around the time of fraud.

Do’s and Don’ts

Report immediately; keep written records; follow up in writing.
Use separate, strong passwords for email and banking; enable app-based 2FA.
Ask your bank to block merchant tokens and de-link the compromised credentials.

Don’t

Don’t delete suspicious SMS/emails; archive them as evidence.
Don’t share OTPs/PINs—even with someone claiming to be bank staff.
Don’t ignore small “test” charges; they often precede larger fraud.

Practical templates (copy, fill, and send)

1) Dispute Letter to Issuer

Subject: Dispute of Unauthorized Credit Card Transactions – [Last 4 digits XXXX], Case No. (if any)

To [Bank Name] Dispute Resolution Team:

I am disputing the following transactions on my credit card ending in XXXX. I did not authorize these charges, nor did I receive any benefit from them.

Cardholder Name: [Full Name]
Registered Address: [Address]
Contact: [Mobile/Email]
Case/Reference No.: [If already assigned]

Discovery & Reporting Timeline:
- [Date/Time]: I first noticed suspicious activity.
- [Date/Time]: I reported to your hotline/app. Agent: [Name], Reference No.: [Ref].

Disputed Transactions:
1) [Date – Merchant – Amount – City/Country] – Unauthorized
2) [Date – Merchant – Amount – City/Country] – Unauthorized
Total: [PHP amount]

Facts & Grounds:
- I was at [location]; I possessed my card at all times / the card was lost at [time] (reported immediately).
- I did not share my PIN/OTP/CVV. I did not initiate any 3-D Secure authentication.
- Evidence attached: [Statements/screenshots/police blotter/cybercrime complaint/affidavit/etc.]

Requests:
1) Immediate reversal of the disputed charges and corresponding fees/interest.
2) Provisional credit while the investigation is ongoing.
3) Replacement card and de-tokenization of stored credentials.
4) A written update on the investigation and copies/summaries of the merchant evidence relied upon.

I certify under oath that the above statements are true and correct.

Sincerely,
[Name and signature]
[Date]

2) Sworn Affidavit (Fraud/Cybercrime)

Swear and sign before a notary public; attach ID photocopies.

AFFIDAVIT

I, [Name], Filipino, of legal age, residing at [Address], after having been duly sworn, depose and state:

1. I am the holder of credit card no. XXXX-XXXX-XXXX-[Last 4], issued by [Bank].
2. On [Date/Time], I discovered unauthorized transactions, as follows:
   a) [Date – Merchant – Amount – Location]
   b) [Date – Merchant – Amount – Location]
3. I did not authorize these transactions, did not disclose my PIN/CVV/OTP, and did not benefit from them.
4. On [Date/Time], I reported the matter to [Bank] via [hotline/app/branch], Ref. No. [Ref].
5. Attached as Annexes “A–__” are true copies of my statement, screenshots, SMS/email alerts, and related evidence.
6. I request investigation and appropriate criminal/civil action against the perpetrators under R.A. 8484, R.A. 10175, and other applicable laws.

IN WITNESS WHEREOF, I have hereunto set my hand this [Date] at [City], Philippines.

[Signature]
[Printed Name]

SUBSCRIBED AND SWORN to before me this [Date] in [City], Philippines, affiant exhibited [ID Type/No.].

Frequently asked questions

Q: Will I automatically get my money back? A: Not automatically. The issuer must investigate under card-network rules and local law. Strong documentation and fast reporting materially improve outcomes.

Q: The bank says there was an OTP. Am I liable? A: An OTP by itself is not conclusive. If it was phished or intercepted (SIM swap), present evidence (sudden loss of signal, SIM replacement records, login/device logs) and demand the network authentication details.

Q: Do I need a police blotter to dispute? A: Many issuers require or strongly prefer it for lost/stolen or skimming scenarios. For online fraud, a cybercrime complaint is persuasive evidence and helps law enforcement trace the actors.

Q: The merchant refuses a refund. A: That’s exactly what chargebacks are for. Dispute with your issuer; don’t argue directly with the merchant once you’ve filed.

Q: My credit score got hit because of the fraud. A: After resolution, request correction from your issuer and, if needed, with the CIC under R.A. 9510.

Prevention checklist (going forward)

Use virtual card numbers or one-time cards for online purchases where available.
Keep separate email for banking with strong, unique password and app-based 2FA.
Prefer merchants with 3-D Secure checkout; avoid saving card details on numerous sites.
Inspect POS terminals/ATMs; avoid machines with loose card slots/overlays.
Never share OTPs or click links from unsolicited messages; type URLs yourself.
Regularly review statements and enable real-time spend alerts.

One-page plan (you can print this)

Block card & get case number
Change passwords & enable 2FA
Gather evidence (screens, statements, logs)
File bank dispute (send written package)
File police blotter/cybercrime complaint
Calendar follow-ups (10/30 days)
If denied, escalate to BSP; consider NPC (data breach)
After resolution, clean up CIC record and subscriptions; replace card, tokenizations, and auto-bills

If you want, I can turn this into a fillable dispute pack (editable templates + checklist) you can download and use right away.