
TOPIC BRIEFING

Risk & Compliance

Risk and compliance failures don't compound — they terminate. The stack of controls between your processor and a scheme termination notice is operational, regulatory, and increasingly technical.

Fraud prevention is a real-time optimisation problem; compliance is a structural obligation. Chargeback ratios trigger merchant account termination. Sanctions violations carry strict liability fines. PCI DSS 4.0 added obligations most merchants missed. Getting any one layer wrong costs more in remediation than the investment would have required.

27 briefings. Tags: Fraud detection, Chargebacks, PCI DSS 4.0, Sanctions & AML

Stack map

The Risk Stack

Six control layers between a transaction attempt and a compliant outcome. Each layer has distinct owners, distinct tooling, and distinct consequences for failure.

  1. Fraud detection
     Real-time scoring, behavioural signals, network intelligence — catches bad actors before authorisation.

  2. Authentication
     3DS2, SCA, device fingerprinting, network tokens — shifts liability and filters stolen credentials.

  3. Authorisation
     Decline codes, retry logic, liability shift mechanics — determines which transactions clear and who bears the loss.

  4. Chargebacks
     Dispute response, CE 3.0 evidence, VAMP / ECM monitoring — the last line before scheme termination.

  5. Compliance
     PCI DSS 4.0, PSD3/PSR, KYC/KYB, AML monitoring — structural obligations that survive individual transactions.

  6. Sanctions
     OFAC/EU/UK lists, wallet screening, chain analysis — strict liability with no knowledge defence.

The operator thesis

Three operator takes

1. Fraud is shifting from third-party to first-party

Stolen-credential fraud is declining as 3DS2 and network tokens mature. Friendly fraud and synthetic identity fraud — committed by real cardholders and fabricated identities — are now the dominant loss categories for most e-commerce operators.

2. Scheme monitoring is the operational ceiling

VAMP's acquirer thresholds (≥0.50% Above Standard, ≥0.70% Excessive) and ECM's 1.5% chargeback threshold determine whether your merchant account survives the quarter. Programme exposure is the highest-stakes operational risk most operators do not model until they breach it.

3. Compliance is converging on real-time

Sanctions screening, AML monitoring, and PCI DSS 4.0 all require pre-transaction enforcement. Post-settlement compliance — reviewing transactions after they clear — is no longer sufficient under any major regulatory framework.

Start here

Reading paths for Risk & Compliance

Disputes and chargebacks

How both card schemes handle disputes, the dominant fraud category, and how to fight back.

Fraud operations

The three attack vectors that don't look like traditional fraud — and how to detect them.

Regulatory compliance

The three compliance obligations payment operators most often underestimate in production.

Briefings, grouped by decision

27 briefings in Risk & Compliance

Regulatory frameworks

KYC, KYB, AML, PCI DSS 4.0, SCA, sanctions screening, and the compliance obligations that vary by jurisdiction and merchant type.


Reference

Frequently asked

What chargeback ratio thresholds matter — Visa VAMP and Mastercard ECM?

Visa's VAMP (Visa Acquirer Monitoring Programme) replaced VDMP and VFMP in 2025. Key thresholds: above-standard (0.50% chargeback ratio and 0.30% fraud ratio for the acquirer) and excessive (0.90% chargeback, 0.50% fraud). Breaching excessive triggers monthly fines and mandatory remediation. Mastercard's ECM (Excessive Chargeback Merchant) programme triggers at 1.5% chargeback ratio; excessive at 3.0%+. These are acquirer-level thresholds, but enforcement flows down to individual merchant IDs — a single merchant with a high chargeback ratio puts its MID at risk. Operators should monitor chargeback ratio monthly by MID, not just in aggregate, and maintain dispute-win evidence documentation.
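As an added illustration of the last sentence (example code written for this briefing, not scheme or page code), the following monitor computes the chargeback ratio per MID per month, classifies it against the thresholds quoted in this answer, and shows the portfolio aggregate that can look healthy while one MID is already inside a programme. The MIDs, months and counts are constructed.

```python
# Programme thresholds as quoted in the FAQ answer above, as fractions of settled
# volume. VAMP figures are acquirer-level, but enforcement reaches individual MIDs,
# so the monitor applies them per MID as well as to the portfolio.
THRESHOLDS = {
    "visa": [("excessive", 0.0090), ("above_standard", 0.0050)],
    "mastercard": [("high_excessive", 0.0300), ("excessive", 0.0150)],
}

# Constructed monthly counts per MID: (mid, scheme, month, settled, chargebacks).
SAMPLE_COUNTS = [
    ("MID-001", "visa", "2026-01", 20000, 40),         # 0.20%
    ("MID-002", "visa", "2026-01", 15000, 90),         # 0.60%: above standard
    ("MID-003", "mastercard", "2026-01", 3000, 63),    # 2.10%: ECM excessive
    ("MID-004", "mastercard", "2026-01", 12000, 24),   # 0.20%
]

def ratio(settled, chargebacks):
    return chargebacks / settled if settled else 0.0

def classify(scheme, r):
    """Highest programme tier the ratio breaches for that scheme, or 'ok'."""
    for tier, limit in THRESHOLDS[scheme]:   # tiers are listed strictest first
        if r >= limit:
            return tier
    return "ok"

def monitor_by_mid(counts):
    """One finding per (mid, month): (ratio rounded to 4 dp, programme tier)."""
    out = {}
    for mid, scheme, month, settled, cbs in counts:
        r = ratio(settled, cbs)
        out[(mid, month)] = (round(r, 4), classify(scheme, r))
    return out

def portfolio_ratio(counts, scheme):
    """Aggregate ratio across all MIDs of one scheme: the number that looks
    healthy while a single MID is already in a programme."""
    settled = sum(s for _, sc, _, s, _ in counts if sc == scheme)
    cbs = sum(c for _, sc, _, _, c in counts if sc == scheme)
    return round(ratio(settled, cbs), 4)

if __name__ == "__main__":
    for key, finding in monitor_by_mid(SAMPLE_COUNTS).items():
        print(key, finding)
    print("visa portfolio", portfolio_ratio(SAMPLE_COUNTS, "visa"))
    print("mastercard portfolio", portfolio_ratio(SAMPLE_COUNTS, "mastercard"))
```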

What is PCI DSS 4.0 and which obligations apply to most merchants?

PCI DSS 4.0 is the current version of the Payment Card Industry Data Security Standard, with additional requirements that became mandatory from March 2025. The obligations that catch most merchants off-guard: Requirement 6.4.3 (inventory and authorise every script loaded on payment pages), 11.6.1 (change-detection mechanism for payment page HTTP headers and content), and 8.4.2 (MFA for all access to the cardholder data environment). SAQ-A merchants (outsourced checkout, no card data handled directly) are often surprised that 6.4.3 and 11.6.1 apply to their hosted payment pages — the requirement covers any page where the cardholder enters data, even if the data goes directly to the PSP.
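To make 6.4.3 and 11.6.1 concrete, here is an added example (written for this briefing, not code from the page or from the PCI SSC) of the two checks a merchant runs against its own checkout page: a script inventory audit that flags any script not on the authorised list or whose SRI value has changed, and a fingerprint of the security-relevant response headers plus the script set that is compared with a stored baseline. The page markup, inventory, header values and the "sha384-AAAA" integrity string are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
class ScriptCollector(HTMLParser):
    """Collects every script on a page: external (src, integrity) and inline (sha256 of body)."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._in_script = a.get("src") is None
            if not self._in_script:
                self.external.append((a["src"], a.get("integrity")))
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(hashlib.sha256(data.strip().encode()).hexdigest())
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False

def audit_scripts(html, inventory):
    """Req. 6.4.3: every script must be in the authorised inventory, external ones with the expected SRI value."""
    c = ScriptCollector(); c.feed(html)
    findings = []
    for src, integrity in c.external:
        expected = inventory["external"].get(src)
        if expected is None:
            findings.append(("unauthorised_script", src))
        elif integrity != expected:
            findings.append(("integrity_mismatch", src))
    for digest in c.inline:
        if digest not in inventory["inline"]:
            findings.append(("unauthorised_inline", digest[:12]))
    return findings

def page_fingerprint(headers, html):
    """Req. 11.6.1: hash of the security-relevant headers plus the script set; compare to a stored baseline."""
    c = ScriptCollector(); c.feed(html)
    watched = {"content-security-policy", "strict-transport-security"}
    relevant = sorted((k.lower(), v) for k, v in headers.items() if k.lower() in watched)
    material = repr((relevant, sorted(c.external, key=repr), sorted(c.inline)))
    return hashlib.sha256(material.encode()).hexdigest()

# Constructed sample: the authorised inventory (placeholder SRI value), a checkout page
# that has drifted from it, and the header baseline captured when the inventory was approved.
SAMPLE_INVENTORY = {"external": {"https://psp.example/checkout.js": "sha384-AAAA"}, "inline": set()}
SAMPLE_PAGE = ('<script src="https://psp.example/checkout.js" integrity="sha384-AAAA"></script>'
               '<script src="https://cdn.example/analytics.js"></script>'
               '<script>window.dataLayer = [];</script>')
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://psp.example",
                    "Strict-Transport-Security": "max-age=31536000"}
```

Running `audit_scripts(SAMPLE_PAGE, SAMPLE_INVENTORY)` reports the unlisted analytics script and the unlisted inline script; a fingerprint that differs from the stored baseline is the 11.6.1 alert.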

How do KYC and KYB requirements differ — and why does the distinction matter?

KYC (Know Your Customer) verifies individual identity: name, date of birth, address, government ID, sometimes biometric. It is the standard for consumer onboarding in banking, fintech, and regulated payment flows. KYB (Know Your Business) verifies legal entity identity: company registration, beneficial ownership (who owns 25%+ of the entity), directors, authorised signatories, and business purpose. For payment operators, KYB is the relevant obligation when onboarding merchants or business customers. The distinction matters because KYB is structurally harder: beneficial ownership chains can be opaque, shell companies obscure ultimate beneficial owners, and regulated entities (PSPs, payment facilitators) bear liability for inadequate KYB at onboarding. Most AML enforcement actions in payments involve KYB failures, not KYC.

What is SCA (Strong Customer Authentication) and when does it apply outside Europe?

SCA (Strong Customer Authentication) under PSD2 requires two-factor authentication for payment initiation — combining two of: something you know (PIN/password), something you have (device/card), something you are (biometric). It is legally mandatory for card payments in the EEA and UK for customer-initiated transactions, with defined exemptions (low-value <€30, TRA, recurring MIT, merchant-initiated). Outside Europe: SCA equivalents exist in India (RBI two-factor mandate for all card transactions), Australia (partial), Singapore (for high-risk transactions). The US has no statutory SCA equivalent, though Visa and Mastercard's network rules for 3DS2 authentication provide similar mechanics on a voluntary basis. For global operators, the SCA question is: which markets require two-factor authentication by law, and which transactions are exempt.

What does AML transaction monitoring actually require operationally?

AML (Anti-Money Laundering) transaction monitoring for payment operators involves: real-time or near-real-time screening of transactions against sanctions lists (OFAC, EU, UN) for blocked entities; behavioural monitoring for structuring (breaking large amounts into smaller transactions to avoid reporting thresholds); suspicious activity reporting (SAR) filing with the relevant FIU when a transaction or pattern warrants it; and record-keeping for the mandatory retention period (typically 5–7 years by jurisdiction). For most non-bank PSPs, the practical minimum is sanctions screening on every transaction and a documented SAR process. Regulated entities (EMIs, payment institutions) face more extensive obligations including enhanced due diligence for high-risk customers and periodic AML programme audits.
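Two of the four components above, sanctions screening and structuring detection, are shown here as an added example (written for this briefing; not the page's own code and not any vendor's engine). The list names, transactions, reporting threshold, 70% "near-threshold" floor and 72-hour window are all constructed; the threshold in practice is the statutory figure for the jurisdiction, and the floor and window are tuning choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed parameters: the reporting threshold is the local statutory figure
# for the jurisdiction; the floor and window are tuning choices, not rules.
REPORTING_THRESHOLD = 10_000
NEAR_THRESHOLD_FLOOR = 0.70 * REPORTING_THRESHOLD   # amounts this large count as "near"
WINDOW = timedelta(hours=72)

# Constructed sanctions list, stored in the same normalised form as inputs.
SANCTIONED_NAMES = {"acme trading ltd", "jane q doe"}

def normalise(name):
    """Casefold, strip punctuation, collapse whitespace so list and input compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split())

def screen(name):
    """Exact match after normalisation; production screening adds fuzzy and alias matching."""
    return normalise(name) in SANCTIONED_NAMES

def find_structuring(txns):
    """Flag customers whose near-threshold, sub-threshold transactions inside WINDOW
    sum to the reporting threshold or more. txns: (customer_id, iso_timestamp, amount)."""
    near = defaultdict(list)
    for cust, ts, amount in txns:
        if NEAR_THRESHOLD_FLOOR <= amount < REPORTING_THRESHOLD:
            near[cust].append((datetime.fromisoformat(ts), amount))
    alerts = []
    for cust, items in near.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            total = sum(a for _, a in items[start:end + 1])
            if end > start and total >= REPORTING_THRESHOLD:
                alerts.append((cust, end - start + 1, total))
                break                           # one alert per customer is enough
    return alerts

# Constructed sample transactions.
SAMPLE_TXNS = [
    ("C1", "2026-03-01T09:00:00", 9500),
    ("C1", "2026-03-02T10:30:00", 9200),    # two near-threshold amounts within 72h: alert
    ("C2", "2026-03-01T09:00:00", 9900),
    ("C2", "2026-03-10T09:00:00", 9900),    # same amounts nine days apart: no alert
    ("C3", "2026-03-01T09:00:00", 12000),   # over threshold: reported outright, not structuring
    ("C4", "2026-03-01T09:00:00", 400),
    ("C4", "2026-03-01T09:05:00", 450),     # small amounts: below the near-threshold floor
]
```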

Fraud prevention is a real-time optimisation problem; compliance is a structural obligation. The stakes are asymmetric: underperforming on fraud increases costs incrementally — declining auth rates, rising chargeback ratios, higher fraud provisioning. Getting compliance wrong terminates the business — scheme termination removes card acceptance rights; AML enforcement removes the licence to operate. Most operators underinvest in both until one of these outcomes forces remediation, at which point the cost is multiples of what proactive investment would have required.

The compliance landscape in 2026 is more demanding than in 2022. PCI DSS 4.0 added requirements that most SAQ-A merchants did not anticipate — JavaScript inventory, HTTP change-detection, and MFA scope extension. PSD3 and PSR are now finalised in the EU with transposition underway. Visa’s VAMP programme replaced the previous monitoring programmes with stricter thresholds. KYB obligations for payment facilitators and marketplace operators have been enforced more aggressively across the FCA, BaFin, and MAS jurisdictions. None of these developments are surprising in isolation; the pattern is a consistent tightening of what “adequate compliance” means.

The briefings in this topic cover the operational realities: how fraud models and rule engines work together, what chargeback thresholds mean for your merchant account, and which compliance requirements have teeth versus which are largely theoretical.