A roadside box can’t sign a receipt
A chargeback is, at heart, an argument about who can prove what. In a shop, the merchant has a body of evidence: a cardholder physically present, a chip dipped or a wallet tapped, sometimes a PIN, sometimes a signature, a camera over the till. In a card-not-present world — a checkout form on a website — the merchant has almost none of that, which is why those transactions carry the liability and the fraud markups.
Unattended EV charging sits in a strange third place. It is card-present: a real terminal, a real chip or contactless tap, a real EMV cryptogram. But there is no merchant standing there, no clerk, no camera trained on a face, no human in the loop to notice anything is off. The cardholder walks up to a box they have never seen, keys in an amount, taps, and leaves. Then, days later: “I did not authorize this charge.”
That sentence means something different at an unattended charger than it does anywhere else. Pulling it apart is the whole game.
The three things a disputing cardholder can claim
Strip the dispute reason codes down and a charge at an unattended charger gets contested on one of three grounds:
- “It wasn’t me.” Someone else used my card. This splits two ways — a counterfeit card cloned from stolen data, or my genuine card, lost or stolen, used by someone else. And — quietly the largest bucket in unattended retail — friendly fraud: I used the card, I just don’t want to own the charge.
- “It was me, but the amount is wrong.” I authorized a charge, but not this charge — I was billed more than I agreed to, or for energy I never received.
- “It was me, the amount is right, but I never got what I paid for.” The session failed, the car didn’t charge, the box ate my money.
Each is winnable — but only if the right artifact exists at the right moment, and only if you didn’t architect the flow in a way that quietly concedes the point. The unsettling part of unattended charging isn’t that disputes happen. It’s that the default access methods give away the evidence that would have settled them.
EMV answers most of “it wasn’t me” — know which part
The first claim is the one card-present economics were built to defeat. But it pays to be precise about how far that goes. When a chip is dipped or a contactless card or wallet is tapped, the card computes a transaction-specific cryptogram from keys only it and the issuing bank hold. That cryptogram proves the genuine card — not a clone — was at that terminal at that moment.
Against counterfeit fraud, that is decisive. A cloned magstripe can’t produce a valid cryptogram. If you have one, the real card was physically present, and “someone forged my card at your charger” collapses. This is the EMV liability shift doing exactly what it was designed to do.
Be honest about the edge, though, because it’s the edge this article lives on. An unattended charger that takes a tap with no PIN and no signature is a cardholder-activated, no-verification transaction, and the card-network rules do not hand you a blanket liability shift for the lost-or-stolen case at that kind of terminal the way they do for counterfeit. So the cryptogram alone doesn’t automatically win “my card was stolen and tapped here.” It is strong corroboration — the genuine credential was present — but it leans on the rest of the file to carry the day. Which is the whole point: one artifact is never the case.
The good news is that the dominant flavor of “it wasn’t me” at an unattended charger is friendly fraud — the genuine cardholder disputing a charge they actually made. That’s the case the cryptogram-plus-session-record file wins most cleanly: the real card was provably present, the energy provably flowed, and the dispute evaporates.
This is also why a card terminal beats the alternatives for ad-hoc charging, and not only on driver friction. An app login, a static QR that dumps into a web form, a payment link — these are card-not-present flows wearing a roadside disguise. The driver is standing at the charger, but the transaction is processed as if they were shopping online from the couch.
The driver is standing at the charger, but the transaction is processed as if they were shopping online from the couch.
You inherit card-not-present economics on small sessions and card-not-present dispute liability: no cryptogram, full burden of proof, every “it wasn’t me” yours to disprove from logs.
Apple Pay and Google Pay don’t break this — they strengthen it. A wallet tap is a contactless EMV transaction with device-level authentication behind it, which is exactly the corroboration the no-verification case needs. The card-acceptance rules AFIR sets on 50 kW-and-above points — a card reader or contactless-capable device — aren’t just a compliance checkbox. They are the thing that keeps “it wasn’t me” from sticking by default.
The session record answers “the amount is wrong”
EMV proves who. It says nothing about how much or what for. That is the second and third claims, and that’s where the dispute at an unattended charger gets genuinely hard, because the cardholder has a point no cryptogram can rebut.
EV charging is the awkward case the whole pre-authorization machinery exists for. You don’t know the final amount when the card is presented. The driver declares a target, or you place a hold, and the real number lands only when the electrons stop. So a defensible dispute file has to reconstruct the entire arc: the amount the driver agreed to at the terminal, the energy actually delivered, the tariff in force, and the final settled figure — and show they reconcile.
That’s the session record and the CDR doing evidentiary work. The charge data record says how many kWh flowed and when — the metering the charger reports back over OCPP. The pre-authorization says what the driver consented to. The Financial Advice Confirmation — OCPI’s final-settled-amount message — says what was actually captured. When those three agree, “you billed me for energy I never got” collapses: here is the consent, here is the meter, here is the capture, and they match.
When they don’t agree, you have a reconciliation problem, not a dispute you can win — and reconciliation is precisely the non-happy path OCPI’s connection layer leaves to you. The charger and the acquirer can disagree. A session can drop mid-charge. A hold can be larger than the final capture, and the unused portion has to be refunded — visibly, traceably — or the driver disputes the difference, and they are right. The defensible posture isn’t “we never have to refund.” It’s “every refund and partial capture is logged, tied to the session, and surfaces before the cardholder ever calls their bank.” A dispute you have already pre-empted with a refund is a dispute that never reaches a reason code.
What a bank actually does with your evidence
Here is the asymmetry that decides cases. A bank reviewing a dispute knows the merchant produced the cryptogram, the session record, and the CDR. They are admissible, and they are persuasive when they line up. But they are all the merchant’s own paperwork, and an adjudicator discounts self-authored evidence accordingly.
A fiscal receipt is different in kind. It carries a fiscal signature obtained through the country-specific round trip between the invoicing provider and the unattended terminal — the round trip OCPI carries nothing for, that has to be bridged both ways, per country. It is not a PDF you generated after the fact. It is a record stamped by an authority outside the dispute, tied to a number the merchant was legally obligated to report and couldn’t fabricate later.
In an evidence file, that is leverage. “Here is a legally registered fiscal receipt for this transaction, issued at the time of sale, with this signature” is a qualitatively stronger statement than “here is our internal invoice.” The receipt that was already a compliance requirement turns out to be the strongest single artifact in the dispute file — the same document, doing double duty. It is, in effect, the signature the roadside box can’t produce on its own: an attestation signed by an authority instead of a clerk.
Defensibility is an architecture, not a customer-service script
The trap is thinking the answer is “collect all four artifacts.” It isn’t. A bank handed a cryptogram from one system, a CDR from another, a capture record from a third, and a receipt from a fourth — none of them referencing the others — is handed a pile, not a case. The load-bearing requirement is that they are linked: one authorization reference threading the pre-authorization, the CDR, the capture, the Financial Advice Confirmation, and the fiscal receipt back to a single session.
Unlinked evidence is just assertions in four fonts.
None of that is something you scramble to assemble after a chargeback notice arrives. The trail either exists as a coherent, stitched record at the moment of the session, or it doesn’t. The card-not-present web flows that feel easier to ship are the ones that quietly throw away the cryptogram and leave you arguing from logs. The unattended terminal, paired with an engine that captures consent, meter, capture, and fiscal signature as one linked record, hands a bank an evidence trail instead of an assertion. And because it holds nothing more than each artifact needs, it keeps card data scope tight rather than sprawling.
That engine is the work the OCPI payments module doesn’t specify. The connection standardizes the terminal, the pre-authorization, the start/stop, the Financial Advice Confirmation. The dispute trail — keeping cryptogram, CDR, capture, refund, and fiscal receipt stitched together and correct as acquirer APIs, OCPI versions, and CSMS releases move underneath — is the product. Bolt builds that once, neutrally: the CPO stays the merchant, funds settle to their own acquirer on card-present economics, and the evidence to defend the charge accrues automatically because the money flow and the audit trail are the same flow.
The driver who leaves the charger and forgets about it is the goal. The driver who calls their bank three days later is the test. On an unattended box with no one standing there, you don’t win that argument by being right. You win it by being able to prove it — linked, signed, and assembled before the dispute, not after.