A Merchant’s Guide to the New Visa VAMP Program

Blog
Leanne Beattie, Content Marketing Writer, FlexPay
Jul 02, 2025
Blog

Online merchants face new compliance rules from Visa that directly impact how fraud and disputes are monitored. Here’s what the changes mean for your payments performance – and what you can do now to stay ahead.

As of April 1, 2025, Visa rolled out a new framework called the Visa Acquirer Monitoring Program (VAMP). While it’s aimed at strengthening fraud prevention, it also places tighter oversight on businesses that process card-not-present transactions.

Here’s what the new program means and what you should be doing to stay compliant.

A Shift in Visa’s Approach to Fraud and Risk

Previously, Visa managed fraud and chargebacks through two separate programs. With VAMP, those efforts are now unified under one set of rules. The goal? To help Visa—and the acquirers they work with—detect risk faster and respond more effectively when suspicious activity appears.

One major focus of VAMP is enumeration attacks. This happens when bad actors use bots or scripts to test a large number of stolen or generated card numbers on your checkout page. Even if none of the transactions are successful, the activity itself raises red flags—and now, it can hurt your standing with Visa.

Why This Matters to You

Rather than monitoring merchants directly, Visa is putting more responsibility on acquirers—the financial institutions that provide merchant accounts. These acquirers are now expected to closely monitor transaction patterns and step in when issues arise.

 

 

If your transaction activity crosses certain thresholds, your acquirer may be required to take action, which could mean increased scrutiny, penalties, or restrictions on your ability to process payments.

The Two Key Ratios to Watch

Under the new guidelines, Visa will assess merchants using two main performance indicators:

  1. VAMP Ratio
    This measures how many of your transactions result in fraud or disputes.
    • The acceptable limit is currently 1.5%.
    • As of January 2026, that limit drops to 0.9%.
  2. Enumeration Ratio
    This evaluates the percentage of transactions suspected to be card testing attempts.
    • If 20% or more of your transactions are flagged, your business is considered high risk.
 

 

Declined transactions count toward these thresholds. That means even unsuccessful fraud attempts can negatively affect your risk profile.

What’s at Stake

Exceeding these limits can have serious consequences. Your business may face financial penalties, lose payment privileges, or even be placed on the MATCH list—a database that flags merchants considered too risky. Once on the MATCH list, securing a new payment processor becomes extremely difficult.

In the past, enforcement largely targeted large or clearly negligent businesses. With VAMP, even smaller merchants with occasional issues may come under pressure, as acquirers take a more conservative stance to avoid liability.

What You Can Do to Protect Your Business

To stay on the right side of these new rules, it’s critical to take a proactive approach:

  • Use robust fraud detection tools that monitor for unusual patterns—like multiple failed transactions from a single IP address.
  • Ensure your checkout process and transaction metadata are properly configured to reduce the chances of false flags.
  • Regularly monitor your payment decline rates and investigate any sudden changes.
  • Treat Enumeration Alerts from Visa seriously—they’re early warnings that need fast attention.

Bottom line: it's no longer enough to optimize for conversion alone. Protecting your payments infrastructure from fraud and disputes is now essential to staying compliant and staying in business.

Common Questions

Q: Is the VAMP ratio the same thing as a chargeback rate?

A: Not exactly. While they sound alike, they track different things. The VAMP ratio measures the total dollar value of all fraud and non-fraud disputes, divided by your total approved transaction volume. For now, Visa expects that number to stay under 1.5%, but by January 2026, the threshold will drop to 0.9%.

Historically, fraud and chargebacks were reported and monitored separately—often by transaction count. VAMP changes that by consolidating everything into a single metric, giving Visa a clearer picture of how much of a merchant’s approved revenue ends up in dispute. Lower is better.

Q: Isn’t 0.3% a pretty low threshold for acquirers? Aren’t most already compliant?

A: This year, the acceptable dispute rate for acquirers (i.e., your merchant account provider) is 0.5%. In 2026, it tightens to 0.3% or 30 basis points.

Many acquirers do stay below that line, but a big part of that is due to the nature of their portfolios—many of their transactions come from low-risk environments, such as face-to-face payments. Acquirers serving higher-risk sectors (like some online-only businesses) may need to re-evaluate their merchant mix and risk policies as the new standards take hold.

Q: Can merchants use VAMP compliance as a business advantage?

A: Absolutely. Being proactive about fraud prevention isn’t just about staying out of trouble, it’s also a way to build trust with partners and card networks.

Merchants who adopt smarter fraud controls, retry strategies, and real-time monitoring will not only protect their revenue but also stand out as responsible operators. Reducing fraud and disputes helps improve customer retention, which directly benefits long-term value and business growth.

Q: What should SaaS companies with built-in payment features pay attention to?

A: Two major red flags: declining approval rates and losing your MID (merchant account). Either one can severely impact revenue and erode customer trust.

SaaS platforms that embed payments need strong systems to minimize disputes and improve transaction success. High chargebacks can signal risk to acquirers, and low approval rates mean money left on the table. Having the right fraud defenses in place—and a reliable strategy to reduce declines—is critical.

Q: Do disputes through RDR or CDRN impact your VAMP score? And what’s the difference between TC40 and TC15?

A: Some do. If an RDR or CDRN case is identified as confirmed fraud (a TC40), it counts toward your VAMP ratio. Non-fraud cases (marked as TC15) don’t affect it.

To clarify:

  • TC40 = fraud dispute
  • TC15 = non-fraud dispute

Only TC40s are included in the VAMP calculation for now—but policies can shift, so it’s important to keep an eye on updates from Visa.

Q: Is Visa reconsidering its stance on including RDR alerts in VAMP scoring?

A: Unlikely. While Visa initially suggested RDR and CDRN alerts wouldn’t be counted, they later clarified that confirmed fraud cases—those flagged as TC40s—will be included in your VAMP score.

Visa is focused on identifying merchants with frequent fraud issues, regardless of how the fraud is reported. That makes strong fraud prevention—not just resolution—a critical part of staying compliant.

Q: How does Visa detect card testing activity?

A: Visa uses both AI models and rules-based systems to flag unusual activity. If a merchant normally processes 100 transactions a day and suddenly spikes to 1,000 in an hour, that’s a signal of possible card testing.

These attacks involve criminals using stolen card numbers to find which ones still work. Fortunately, Visa can distinguish between legitimate Merchant-Initiated Transactions (like a subscription retry) and suspicious Customer-Initiated ones typical of fraud attempts.

Q: Is Visa mainly trying to prevent mass-scale card testing attacks?

A: Exactly. Their primary goal is to stop automated attacks where thousands of card numbers are tested in a very short period. These are often high-speed, high-volume assaults—and VAMP is designed to detect and shut them down.

Q: Are VAMP thresholds tracked per MID?

A: Yes, in most cases. Visa calculates VAMP compliance on a per-MID (Merchant ID) basis. However, if a merchant operates multiple MIDs under one acquirer, and those accounts aren’t clearly distinct businesses, they may be grouped together for risk evaluation.

If the MIDs are with different acquirers, they’ll generally be assessed separately. But it’s ultimately up to the acquirer to monitor activity—and if they see anything suspicious, like traffic being split across MIDs to avoid detection, they can escalate the issue.

Q: What does the “1,000 dispute” number refer to?

A: That figure acts as a threshold for Visa’s enforcement actions. Merchants or acquirers with over 1,000 combined fraud and non-fraud disputes in a single month are more likely to land in Visa’s “Above Standard” or “Excessive” risk categories—especially if their VAMP ratio is also too high.

Reaching that volume signals a potential systemic issue, prompting closer review and possible penalties.

Contact Us
FlexPay helps subscription businesses accelerate revenue and profit growth by recovering all types of failed payments and minimizing customer churn. Contact us to learn more.

Tagged:
Blue-tinted background of a man watching a webinar

Host a Webinar with the MRC

Help the MRC community stay current on relevant fraud, payments, and law enforcement topics.
Submit a Request

Publish Your Document with the MRC

Feature your case studies, surveys, and whitepapers in the MRC Resource Center.
Submit Your Document

Related Resources

View All Resources