Visa blocked $40 billion in fraudulent transactions in the twelve months ending September 2023, nearly double its prior-year figure, according to CNBC. Before any CFO signs a multi-year contract based on that number, they need to know what it actually measures, what it does not, and where comparable results collapse inside real organizations.

What the Studies Actually Tested

AI fraud detection ROI is real at network scale but not uniformly replicable. Visa’s $40 billion in prevented fraud (October 2022–September 2023), Mastercard’s finding that 42% of issuers saved $5 million or more over two years, and JPMorgan Chase’s $1.5 billion in AI-driven savings all reflect genuine economic value — but each measures a different thing using a different methodology, and none includes a control group.

The $40 billion figure comes from Visa’s own reporting on its AI and machine learning fraud prevention stack, confirmed publicly by James Mirfin, Visa’s global head of risk and identity solutions, in a July 2024 CNBC interview. Visa’s system evaluates more than 500 transaction attributes per transaction in real time across approximately 300 billion annual transactions on its network, according to Visa’s published technical documentation.

The measurement period runs October 2022 through September 2023. The “prevented fraud” figure represents the estimated value of transactions the system scored high-risk and declined or flagged, where post-hoc analysis determined those transactions were likely fraudulent. No third party independently audits this figure. Visa generates the estimate using its own models to classify what would have been lost without the intervention.

Mastercard’s data comes from a different methodology. Its 2025 Payment Fraud Prevention Report, produced with Financial Times Longitude, surveyed issuers and acquirers directly. According to Mastercard, 42% of issuers reported saving more than $5 million over two years from AI fraud prevention. This is self-reported savings data from institutions running Mastercard’s Decision Intelligence product, not a controlled trial.

JPMorgan Chase’s figures are the most internal of the three. The bank saved $1.5 billion through AI-powered fraud detection and operational improvements in 2024, according to Modernize.io citing JPMorgan’s own disclosures. The bank does not publish a methodology that cleanly separates fraud detection ROI from broader operational AI savings.

One limitation applies across all three datasets: none use a control group. No study compares outcomes against a parallel network running pre-AI rules-based systems in the same period. Fraud volumes and tactics both changed between 2022 and 2024, including increased use of AI by fraudsters themselves. Attributing the full delta to AI detection models is an assumption embedded in all three datasets.

The underlying technology: Visa’s system applies machine learning across more than 500 transaction attributes — including device fingerprinting, velocity checks, geolocation, and behavioral biometrics — evaluated in real time in under 100 milliseconds per transaction. Mastercard’s Decision Intelligence Pro scans one trillion data points per transaction in under 50 milliseconds, according to Mastercard. JPMorgan’s fraud stack combines graph analytics via TigerGraph, supervised machine learning on labeled fraud cases, and continuous model retraining on live transaction flows. These are not single-model deployments. They are layered systems built over years of iteration.

What the Results Show

Large-scale AI fraud detection systems measurably outperform rules-based predecessors at the transaction level, and the savings at network scale are real and substantial. Visa’s $40 billion represents roughly 0.07% of the $5.9 trillion in payments volume it processed in fiscal year 2023. The industry average fraud-to-sales ratio sits near 0.05% to 0.06%, meaning Visa claims to have suppressed fraud below baseline industry levels at a scale no rules engine has matched.

42% of issuers saved $5M+ over two years from AI fraud prevention — Mastercard 2025 Payment Fraud Prevention Report

Mastercard’s issuer data translates more directly to a budget decision. According to Mastercard’s report, if 42% of issuers save more than $5 million over two years from AI deployment, the median ROI threshold sits between $2.5 million and $5 million annually per institution. For a mid-size issuer processing $10 billion in annual card volume, that represents a five to 10 basis point improvement in fraud economics. For large issuers, the figure scales proportionally.

JPMorgan’s $1.5 billion figure is the most persuasive to a board but the least actionable for a mid-market CFO. JPMorgan spent $17 billion on technology broadly in 2024, according to Modernize.io. Its fraud AI operates at a transaction depth and data richness that no regional bank or fintech can replicate by purchasing a SaaS product.

One result receives less attention: Mastercard’s same report found that 26% of acquirers saved more than $5 million, compared with 42% of issuers. Acquirers, who sit further from the authorization moment and operate with more fragmented data, capture meaningfully less value. That asymmetry matters for every payments firm that processes transactions without owning the issuing relationship.

Key Takeaway: The $40 billion Visa figure and Mastercard’s 42% issuer benchmark are both real but measure different things. The Visa number is a network-level estimate from a proprietary model. The Mastercard number is self-reported savings from surveyed institutions. Neither is a randomized trial. Decision-makers should treat Mastercard’s issuer benchmark — $5 million saved per institution over two years — as the more actionable ROI floor for budget conversations.

Why These Results Are Often Misused

Vendor presentations routinely strip context from the Visa $40 billion figure and present it as proof that any AI fraud detection deployment will produce equivalent proportional returns. Three misuses appear consistently in enterprise sales processes.

First, vendors strip out the network effect. Visa’s accuracy depends on training across 300 billion annual transactions from thousands of issuers, merchants, and geographies. A single institution’s AI model, trained on its own transaction history, does not inherit that signal density. Smaller data sets produce noisier models with higher false positive rates. According to Mastercard’s technical documentation, industry estimates put false declines on legitimate transactions at 10 to 15% for models with limited training data.

Second, the period selection flatters the results. The measurement window of October 2022 to September 2023 coincided with a surge in enumeration attacks, where fraudsters use automated scripts to test stolen card numbers at scale. Visa’s system is specifically optimized for this attack type. Deploying a comparable system outside a high-enumeration attack environment will not produce the same prevented-fraud dollar figure.

Third, vendors conflate prevented fraud with net savings. Prevented fraud is a gross figure. Net savings require subtracting the cost of false positives, which include declined legitimate transactions, customer service escalations, cardholder attrition, and model maintenance. Payments Intelligence’s 2025 consumer behaviour survey found that 37% of adults in the UK had experienced a declined transaction they believed was legitimate, according to The Payments Association. That attrition carries a revenue cost that does not appear in prevented-fraud headlines.

What the Studies Do NOT Prove

One: AI fraud detection produces equivalent ROI across institution sizes. Mastercard’s data covers issuers broadly, but the $5 million savings threshold is more likely concentrated among larger issuers with richer transaction histories. The report does not publish median savings by institution size.

Two: AI systems eliminate the need for rules-based controls. Visa’s system applies AI scoring on top of a rules infrastructure, not instead of one. Replacing rules entirely with model-driven decisioning introduces brittleness when models encounter attack patterns outside their training distribution — a risk the headline ROI figures do not address.

Sources