Skip to content
Risk And Compliance 10 min read

VAMP: Visa Acquirer Monitoring That Replaced VDMP and VFMP

Visa replaced VDMP and VFMP with VAMP in April 2025. The new threshold model, enforcement triggers, and what acquirers and merchants need to do differently.

PB
By Shaun Toh
TL;DR

Visa consolidated VDMP and VFMP into a single programme — VAMP — in April 2025: a unified ratio of fraud (TC40) plus disputes (TC15) over settled transactions, with separate enumeration tracking. What changed, how enforcement works, and how merchants respond.

Operator Summary

VAMP (Visa Acquirer Monitoring Programme) replaced VDMP and VFMP in April 2025, combining chargeback and fraud monitoring into one programme. The VAMP ratio: count of Fraud (TC40) plus Disputes (TC15) divided by Settled Transactions (TC05). TC40 captures issuer-absorbed fraud not filed as a chargeback — a gap that let merchants appear clean on VDMP while carrying elevated fraud. Acquirer-portfolio thresholds: Above Standard ≥50 bps, Excessive ≥70 bps. Merchant excessive threshold: ≥220 bps (reducing to ≥150 bps from 1 April 2026 in AP/Canada/EU/US). Enumeration is tracked separately under Visa's enumeration ratio. Programme fees accrue to the acquirer and are typically passed to merchants by contract. Verify current thresholds with your acquirer — Visa periodically revises these values.

Visa restructured its merchant monitoring programmes in April 2025, consolidating two separate compliance frameworks into a single programme. The Visa Dispute Monitoring Programme (VDMP) and the Visa Fraud Monitoring Programme (VFMP), which had operated in parallel for over a decade, were replaced by the Visa Acquirer Monitoring Programme — VAMP.

The consolidation was more than administrative. The new programme introduced a unified metric that combines chargeback disputes, issuer-absorbed fraud (TC40), and enumeration fraud into a single ratio. Merchants who managed VDMP carefully but had significant fraud that issuers were absorbing internally — never converting to chargebacks — can now find that absorbed fraud counting against them under VAMP.

What Changed and Why

The prior structure had a fundamental gap. VDMP measured the chargeback rate — disputes formally filed and processed through the scheme. VFMP measured TC40 fraud data reported by issuers. A merchant whose issuers were absorbing fraud losses (reimbursing cardholders directly without filing a chargeback) appeared clean on VDMP even if the underlying fraud rate was elevated. Issuers absorb losses when the chargeback cost and friction outweighs the recovery — common on small transactions and in markets with high chargeback resolution costs.

VAMP collapses this distinction. TC40 fraud data now counts in the ratio alongside chargebacks. The merchant that appeared compliant on VDMP while carrying a significant issuer-absorbed fraud burden will now see that burden in their VAMP ratio.

The second change is the inclusion of enumeration transactions. Card testing and enumeration attacks — systematic attempts to validate stolen card credentials against a merchant's payment endpoint — generate authorisation and decline signals that Visa can detect at the network level. Under VAMP, merchants with elevated enumeration activity can trigger monitoring even if they have low fraud completion rates and low chargebacks. The logic: an enumerated merchant is a risk vector for the network even before fraud transactions are completed.

The VAMP Ratio Mechanics

The VAMP ratio for a given month is calculated as:

Count of Fraud (TC40) + Disputes (TC15) / Count of Settled Transactions (TC05) × 100

Each component has specific accounting rules:

Disputes (TC15): Chargebacks and disputes filed through the Visa dispute resolution process. Disputes resolved through pre-dispute solutions (such as Visa RDR) are excluded, contingent on timing — merchants should clarify with their acquirer how resolved disputes are treated.

TC40 fraud reports: TC40 is the issuer's reporting mechanism for cardholder fraud complaints they resolved directly without a chargeback. Issuers file TC40 reports to Visa's network for fraud tracking purposes. TC40 data is not typically visible to merchants directly — it appears in acquirer-level fraud reporting where provided. Merchants who have not historically tracked TC40 exposure will likely have a gap in their VAMP ratio estimation. TC40 fraud that qualifies for Compelling Evidence 3.0 is excluded from the ratio, contingent on timing.

Enumeration (tracked separately): Visa monitors card testing and enumeration under a separate enumeration ratio rather than inside the core VAMP ratio. Merchants cannot directly control which transactions Visa flags as enumeration, but they can reduce enumeration activity through rate limiting, CAPTCHA, velocity checks on declined authorisations, and bot detection — all of which reduce the supply of enumerable endpoints available to attackers.

Settled transactions (TC05): The denominator is the count of settled transactions (TC05). The ratio is transaction-count-based, not value-based — a $5 transaction and a $5,000 transaction each count as one.

The Threshold Levels and Consequences

VAMP applies thresholds at two levels — the acquirer portfolio and the individual merchant.

Acquirer-portfolio thresholds:

  • Above Standard: VAMP ratio ≥50 bps (0.50%)
  • Excessive: VAMP ratio ≥70 bps (0.70%)
  • When a portfolio breaches these, Visa assesses programme fees to the acquirer and requires a remediation plan

Merchant excessive threshold:

  • ≥220 bps (2.2%) in AP, Canada, the EU, and the U.S.
  • Reduces to ≥150 bps (1.5%) from 1 April 2026
  • Because acquirers are measured on their portfolio ratio, many police individual merchants well below this level — a merchant can face acquirer action long before reaching the merchant excessive threshold

Visa periodically revises these thresholds and applies a minimum-transaction-volume floor for monitoring; confirm the current values and your acquirer's internal thresholds with your acquirer or Visa representative.

The fines accrue to the acquirer, not the merchant directly. However, virtually all acquirer-merchant agreements include provisions for passing scheme monitoring fines to the merchant. Merchants should read this clause in their PSP contract before they are in a monitoring situation — the contractual pass-through is standard and the amounts escalate quickly.

What Merchants Need to Monitor

Under the prior framework, merchants could track their chargeback rate (visible in PSP reporting and scheme-level dashboards) as the primary compliance metric. VAMP requires monitoring three inputs:

Chargeback rate: Still tracked the same way — chargebacks received / total transactions. Available in most PSP reporting dashboards. The calculation period and timing of when chargebacks are counted matter; confirm with your acquirer how they calculate the ratio period.

TC40 exposure: This is the new blind spot for many merchants. TC40 data requires requesting fraud reporting from your acquirer — most PSPs do not surface TC40 data in standard merchant dashboards. Ask your acquirer for monthly TC40 reporting. If they cannot provide it, that is a significant gap in your VAMP compliance visibility.

Enumeration activity: Measured by the ratio of declined to approved authorisations on new card credentials, velocity of failed authorisations per IP or device, and patterns consistent with sequential BIN testing. Payment gateway and fraud tool reporting should surface these signals. If your fraud tooling does not have enumeration detection, VAMP creates a compliance reason to add it.

The Acquirer Relationship in VAMP

VAMP is primarily an acquirer monitoring programme — Visa holds the acquirer responsible, not the merchant directly. The merchant's relationship with their acquirer is therefore the first point of VAMP management.

Acquirers are required to:

  • Monitor VAMP ratios at the merchant level
  • Notify merchants when they approach thresholds
  • Enrol non-compliant merchants in remediation programmes
  • Report remediation progress to Visa
  • Terminate merchants who cannot achieve compliance within the required timeline

Merchants should confirm with their acquirer or PSP:

  • What ratio thresholds trigger internal review (many acquirers have lower internal thresholds than the published Visa ceiling)
  • How TC40 data is shared with merchants
  • What the remediation programme looks like and what obligations it creates for the merchant
  • What contractual fine pass-through provisions apply

For merchants in high-risk MCC categories — digital goods, subscription services, travel, financial services, marketplaces — the VAMP programme creates additional monitoring obligations because these categories historically have higher dispute and fraud rates.

Remediation: What Moves the Ratio

When a merchant is in VAMP monitoring, the remediation plan must address each component of the ratio:

Reducing disputes: The standard chargeback reduction playbook — clearer billing descriptors, improved refund policy and execution speed, pre-dispute resolution programmes (Visa RDR or CDRN), and order validation improvements that reduce fulfillment-related disputes. Dispute volume by Visa reason code category — which codes fall under Allocation workflow versus Collaboration — determines where dispute reduction effort moves the VAMP ratio most efficiently; the reason-code lookup tool breaks out the response window and evidence checklist per code.

Reducing TC40 exposure: The TC40 signal indicates fraud that issuers are absorbing. Reducing it requires reducing the fraud rate on transactions, not just the chargeback rate. 3DS2 authentication shifts liability and may cause issuers to stop absorbing and start filing chargebacks — which could temporarily worsen the dispute component. This is a sequencing problem to model with your acquirer before deploying broad 3DS2.

Reducing enumeration: Rate limiting on failed authorisations, CAPTCHA on high-risk form fields, velocity rules on new card credentials per device or IP, and integration with anti-fraud tools that have network-level enumeration intelligence (Sift, Kount, Stripe Radar at the network level).

VAMP is a more comprehensive compliance framework than its predecessors. Merchants who managed purely to a chargeback rate will find the additional TC40 and enumeration components expand the surface area of fraud management required for compliance — and the fine structure for non-compliance is significant enough that investment in fraud tooling has a clear ROI case against the monitoring penalties.

For the full operational scorecard — how to set internal VAMP ratio targets with appropriate buffer, what cadence to track TC40 exposure, and how to build escalation logic before you are in a monitoring situation — see Chargeback Operations KPIs: Metrics, Targets, and Escalation Triggers. If you have already entered a monitoring situation, see VAMP Remediation Checklist: Steps to Exit Visa Acquirer Monitoring for the sequenced remediation plan.

To act on the ratio rather than just monitor it, these are the adjacent operator decisions:

  • The true cost of a chargeback — how to price VAMP threshold exposure into your cost of acceptance, so the ratio becomes a P&L input rather than a compliance afterthought.
  • How chargeback representment actually works — disciplined dispute defence reduces the ratio component you control most directly, without the false-positive cost of over-tightening fraud rules.

For the full chargeback operator reading list — scheme rules, reason codes, unit economics, fraud categories, representment, and this VAMP guide — see the Chargeback Operator Reading List.

Sources & methodology (1)

VAMP ratio = Fraud (TC40) + Disputes (TC15) / Settled transactions (TC05); acquirer thresholds Above Standard ≥0.50% and Excessive ≥0.70%; merchant excessive threshold ≥2.2% (≥1.5% from 1 April 2026, AP/Canada/EU/U.S.); pre-dispute- and CE 3.0-resolved items excluded contingent on timing; enumeration tracked separately

Visa periodically revises VAMP thresholds; verify current values with your acquirer or Visa representative

Checked:

Source types explained in our Methodology.

Shaun Toh By Shaun Toh · Director, Digital Payments · Razer

More Risk And Compliance briefings