What is VAMP and what replaced it in April 2025?

VAMP (Visa Acquirer Monitoring Programme) is the consolidated programme Visa launched in April 2025, replacing two prior programmes: VDMP (Visa Dispute Monitoring Programme), which monitored chargeback rates, and VFMP (Visa Fraud Monitoring Programme), which monitored fraud rates separately. VAMP combines dispute and fraud monitoring under a single programme with a unified metric — the VAMP ratio — calculated as the number of disputes plus enumeration-flagged fraud transactions divided by total transactions, expressed as a percentage. The consolidation simplified the compliance framework for acquirers while tightening the standard that triggers monitoring.

How is the VAMP ratio calculated?

The VAMP ratio is: (number of disputes in the month + number of TC40 fraud reports not disputed + number of enumeration-flagged transactions) / total transactions in the month × 100. The dispute component includes all chargebacks and disputes filed by cardholders. The TC40 component captures fraud reported by issuers that the merchant did not resolve via chargeback (i.e., the issuer absorbed the loss internally and filed a TC40 fraud report). Enumeration-flagged transactions are card testing and account enumeration events identified by Visa's network-level fraud detection. The combination means a merchant with a low chargeback rate but a high card-testing attack rate can still trigger VAMP monitoring.

What are the VAMP thresholds?

Under VAMP as of April 2025: the standard threshold is a VAMP ratio above 0.9% for three consecutive months. The excessive threshold — which triggers accelerated enforcement — is above 1.8%. Volume requirements: VAMP monitoring applies to merchants processing at least 1,000 transactions per month. Below 1,000 monthly transactions, the volume is typically not sufficient to generate a statistically meaningful ratio, though Visa retains discretion. High-risk MCC categories (digital goods, travel, financial services) may face lower effective thresholds under individual acquirer policies even if the published Visa threshold applies uniformly.

What happens when a merchant triggers VAMP monitoring?

When a merchant breaches the VAMP threshold, the acquirer — not Visa directly — is notified and becomes responsible for remediation. The acquirer must place the merchant in a remediation programme, which typically involves: monthly reporting to the acquirer on dispute and fraud metrics; a remediation plan with specific milestones; fines payable by the acquirer to Visa (which the acquirer typically passes to the merchant). Fines begin at $50/month during the monitoring period and escalate to $25,000/month for merchants in the excessive tier or those not making remediation progress. If the acquirer cannot remediate the merchant within the required window, Visa can instruct the acquirer to terminate the merchant account.

How does VAMP change the approach compared to VDMP and VFMP?

Under the prior framework, merchants managed two separate metrics: chargeback rate (VDMP, monitored against a 0.9% threshold) and fraud rate (VFMP, monitored against a 0.9% threshold for standard, with separate Early Fraud Warning thresholds). A merchant could comply with VDMP by keeping chargebacks below 0.9% even if fraud was elevated, as long as issuers were absorbing fraud losses through TC40 rather than filing chargebacks. VAMP closes this loophole by combining disputes and TC40 fraud into a single ratio. The practical implication: merchants who managed chargebacks tightly but had significant fraud activity that issuers absorbed will now see that absorbed fraud count against their VAMP ratio.

Risk And Compliance 10 min read

VAMP: The Visa Acquirer Monitoring Programme That Replaced VDMP and VFMP

In April 2025, Visa replaced VDMP and VFMP with a single consolidated programme — VAMP. Here's what changed, how the new threshold model works, what triggers enforcement, and what acquirers and merchants need to do differently.

By Shaun Toh April 3, 2026

TL;DR

Visa consolidated VDMP and VFMP into a single programme — VAMP — in April 2025, with a unified 0.9% dispute rate threshold and new fraud enumeration metrics. What changed, how enforcement works, and how merchants respond.

Visa restructured its merchant monitoring programmes in April 2025, consolidating two separate compliance frameworks into a single programme. The Visa Dispute Monitoring Programme (VDMP) and the Visa Fraud Monitoring Programme (VFMP), which had operated in parallel for over a decade, were replaced by the Visa Acquirer Monitoring Programme — VAMP.

The consolidation was more than administrative. The new programme introduced a unified metric that combines chargeback disputes, issuer-absorbed fraud (TC40), and enumeration fraud into a single ratio. Merchants who managed VDMP carefully but had significant fraud that issuers were absorbing internally — never converting to chargebacks — can now find that absorbed fraud counting against them under VAMP.

What Changed and Why

The prior structure had a fundamental gap. VDMP measured the chargeback rate — disputes formally filed and processed through the scheme. VFMP measured TC40 fraud data reported by issuers. A merchant whose issuers were absorbing fraud losses (reimbursing cardholders directly without filing a chargeback) appeared clean on VDMP even if the underlying fraud rate was elevated. Issuers absorb losses when the chargeback cost and friction outweighs the recovery — common on small transactions and in markets with high chargeback resolution costs.

VAMP collapses this distinction. TC40 fraud data now counts in the ratio alongside chargebacks. The merchant that appeared compliant on VDMP while carrying a significant issuer-absorbed fraud burden will now see that burden in their VAMP ratio.

The second change is the inclusion of enumeration transactions. Card testing and enumeration attacks — systematic attempts to validate stolen card credentials against a merchant’s payment endpoint — generate authorisation and decline signals that Visa can detect at the network level. Under VAMP, merchants with elevated enumeration activity can trigger monitoring even if they have low fraud completion rates and low chargebacks. The logic: an enumerated merchant is a risk vector for the network even before fraud transactions are completed.

The VAMP Ratio Mechanics

The VAMP ratio for a given month is calculated as:

(Disputes + Unadjusted TC40 reports + Enumeration-flagged transactions) / Total transactions × 100

Each component has specific accounting rules:

Disputes: Standard chargebacks and disputes filed through the Visa dispute resolution process. Disputes resolved in the merchant’s favour before the ratio is calculated may not count, depending on timing — merchants should clarify with their acquirer how resolved disputes are treated.

TC40 fraud reports: TC40 is the issuer’s reporting mechanism for cardholder fraud complaints they resolved directly without a chargeback. Issuers file TC40 reports to Visa’s network for fraud tracking purposes. TC40 data is not typically visible to merchants directly — it appears in acquirer-level fraud reporting where provided. Merchants who have not historically tracked TC40 exposure will likely have a gap in their VAMP ratio estimation.

Enumeration-flagged transactions: Visa’s network-level detection of card testing and enumeration events. Merchants cannot directly control which transactions Visa flags as enumeration, but they can reduce enumeration activity through rate limiting, CAPTCHA, velocity checks on declined authorisations, and bot detection — all of which reduce the supply of enumerable endpoints available to attackers.

Total transactions: The denominator. The ratio is transaction-count-based, not volume-based — a $5 card-testing transaction and a $5,000 legitimate purchase both count as one transaction.

The Threshold Levels and Consequences

VAMP operates on two enforcement tiers:

Standard Monitoring (VAMP ratio above 0.9%):

The acquirer is notified and required to enrol the merchant in remediation
Monthly fines assessed to the acquirer, typically starting at $50/month and escalating with time in monitoring
Acquirer required to submit a remediation plan to Visa
Monitoring continues until the merchant achieves compliance for three consecutive months

Excessive Tier (VAMP ratio above 1.8%):

Accelerated fines beginning at $25,000/month
Immediate escalation requirements
Acquirer may be required to suspend the merchant account if ratio does not improve within specified windows
Visa can instruct account termination if remediation fails

Volume threshold for monitoring: 1,000 transactions per month. Merchants below this volume are not subject to VAMP monitoring, though acquirers may apply their own internal thresholds.

The fines accrue to the acquirer, not the merchant directly. However, virtually all acquirer-merchant agreements include provisions for passing scheme monitoring fines to the merchant. Merchants should read this clause in their PSP contract before they are in a monitoring situation — the contractual pass-through is standard and the amounts escalate quickly.

What Merchants Need to Monitor

Under the prior framework, merchants could track their chargeback rate (visible in PSP reporting and scheme-level dashboards) as the primary compliance metric. VAMP requires monitoring three inputs:

Chargeback rate: Still tracked the same way — chargebacks received / total transactions. Available in most PSP reporting dashboards. The calculation period and timing of when chargebacks are counted matter; confirm with your acquirer how they calculate the ratio period.

TC40 exposure: This is the new blind spot for many merchants. TC40 data requires requesting fraud reporting from your acquirer — most PSPs do not surface TC40 data in standard merchant dashboards. Ask your acquirer for monthly TC40 reporting. If they cannot provide it, that is a significant gap in your VAMP compliance visibility.

Enumeration activity: Measured by the ratio of declined to approved authorisations on new card credentials, velocity of failed authorisations per IP or device, and patterns consistent with sequential BIN testing. Payment gateway and fraud tool reporting should surface these signals. If your fraud tooling does not have enumeration detection, VAMP creates a compliance reason to add it.

The Acquirer Relationship in VAMP

VAMP is primarily an acquirer monitoring programme — Visa holds the acquirer responsible, not the merchant directly. The merchant’s relationship with their acquirer is therefore the first point of VAMP management.

Acquirers are required to:

Monitor VAMP ratios at the merchant level
Notify merchants when they approach thresholds
Enrol non-compliant merchants in remediation programmes
Report remediation progress to Visa
Terminate merchants who cannot achieve compliance within the required timeline

Merchants should confirm with their acquirer or PSP:

What ratio thresholds trigger internal review (many acquirers have lower internal thresholds than the published Visa ceiling)
How TC40 data is shared with merchants
What the remediation programme looks like and what obligations it creates for the merchant
What contractual fine pass-through provisions apply

For merchants in high-risk MCC categories — digital goods, subscription services, travel, financial services, marketplaces — the VAMP programme creates additional monitoring obligations because these categories historically have higher dispute and fraud rates.

Remediation: What Moves the Ratio

When a merchant is in VAMP monitoring, the remediation plan must address each component of the ratio:

Reducing disputes: The standard chargeback reduction playbook — clearer billing descriptors, improved refund policy and execution speed, pre-dispute resolution programmes (Visa RDR or CDRN), and order validation improvements that reduce fulfillment-related disputes.

Reducing TC40 exposure: The TC40 signal indicates fraud that issuers are absorbing. Reducing it requires reducing the fraud rate on transactions, not just the chargeback rate. 3DS2 authentication shifts liability and may cause issuers to stop absorbing and start filing chargebacks — which could temporarily worsen the dispute component. This is a sequencing problem to model with your acquirer before deploying broad 3DS2.

Reducing enumeration: Rate limiting on failed authorisations, CAPTCHA on high-risk form fields, velocity rules on new card credentials per device or IP, and integration with anti-fraud tools that have network-level enumeration intelligence (Sift, Kount, Stripe Radar at the network level).

VAMP is a more comprehensive compliance framework than its predecessors. Merchants who managed purely to a chargeback rate will find the additional TC40 and enumeration components expand the surface area of fraud management required for compliance — and the fine structure for non-compliance is significant enough that investment in fraud tooling has a clear ROI case against the monitoring penalties.

By Shaun Toh · Director, Digital Payments · Razer

Subscribers get the PSP Selection RFP Kit — 60+ structured questions, evaluation scorecard, and negotiation playbook — delivered to your inbox instantly.

Related briefings

Risk & Compliance 11 min read