Here is what most articles about Visa's Acquirer Monitoring Program get wrong: they focus on Visa's published thresholds. Those thresholds are almost irrelevant to your day-to-day risk as a merchant.
What actually gets merchant accounts terminated is the gap between Visa's official limits and the internal, unpublished limits your payment processor quietly enforces on its own portfolio. That gap is where high-risk merchants — subscription businesses, nutraceuticals, travel, adult, firearms accessories, online gaming, and others — are most exposed.
This guide explains exactly how VAMP works, what the real enforcement numbers look like at the acquirer level, and how to evaluate a processor's VAMP readiness before you sign anything.
What VAMP Is — and Why Visa Replaced the Old System
Effective April 1, 2025, Visa retired its two separate merchant monitoring programs — the Visa Fraud Monitoring Program (VFMP) and the Visa Dispute Monitoring Program (VDMP) — and replaced them with a single unified framework: the Visa Acquirer Monitoring Program (VAMP).
VAMP consolidated not just those two programs but five existing monitoring systems and 38 separate remediation processes into one set of rules. The stated goal is to create globally consistent fraud and dispute thresholds for card-not-present transactions, giving acquirers and merchants a single metric to manage instead of tracking multiple parallel programs.
The name reveals the intent. This is an Acquirer Monitoring Program. Visa's primary compliance target is your payment processor — not you. But the trickle-down effect on merchants, particularly those in high-risk verticals, is significant and often misunderstood.
The Old System vs. VAMP
| Feature | Old System (VFMP + VDMP) | VAMP (2025+) |
|---|---|---|
| What it tracked | Fraud and disputes separately | Fraud + disputes combined into one ratio |
| Number of programs | 5 programs, 38 remediation processes | 1 unified program |
| Value vs. volume | Value-based (favored low-volume, high-ticket merchants) | Volume-based (impacts high-transaction-count businesses more) |
| Early warning category | Yes — formal Early Warning tier | No formal Early Warning tier; acquirers may receive informal notifications |
| Primary compliance target | Merchant | Acquirer (with downstream merchant consequences) |
The shift from value-based to volume-based monitoring is a meaningful change for high-risk merchants. Under the old system, a business processing a moderate number of high-ticket transactions faced greater scrutiny per dollar of fraud. Under VAMP, a business with high transaction volume — even at low average order values — faces more exposure simply because more transactions means more opportunities to generate TC40 and TC15 events.
How the VAMP Ratio Is Calculated — and the Double-Count Problem
The VAMP Ratio is a single percentage calculated at the merchant descriptor level using card-not-present transactions only:
VAMP Ratio = (TC40 Fraud Reports + TC15 Non-Fraud Disputes) ÷ Total Settled Transactions
Two things make this formula more punishing than it first appears.
The Double-Count
When a customer successfully disputes a fraudulent charge, the transaction generates both a TC40 (the fraud report filed by the issuing bank) and a TC15 (the actual dispute). Both count toward your VAMP Ratio. One fraudulent transaction that results in a chargeback effectively hits your ratio twice. This means merchants with any meaningful fraud exposure will see VAMP ratios climb faster than their raw chargeback rates suggest.
Additionally, TC40 reports are filed by issuing banks even for transactions where the dollar amount is too small for the bank to bother pursuing a formal chargeback. You take the fraud hit without even receiving a dispute notification.
What Reduces the Ratio
Not all disputes count. TC15 disputes that are resolved through pre-dispute solutions — specifically Visa's Rapid Dispute Resolution (RDR), Verifi's CDRN network, or Ethoca Alerts — are excluded from the dispute count. However, any TC40 fraud reports associated with those same transactions still count. Early resolution tools reduce your exposure but do not eliminate it entirely.
Fraud resolved through Compelling Evidence 3.0 — Visa's enhanced data-sharing framework — also does not count toward the ratio. If your business has not integrated with Visa's Compelling Evidence framework yet, this is now a compliance-tier decision, not just a chargeback management option.
Minimum Volume Threshold
VAMP only applies to merchants and acquirers generating at least 1,500 combined TC40 and TC15 events per month. Below that count, you are not subject to VAMP identification or fees — though your acquirer may still apply internal monitoring. The enumeration component has a separate and much higher minimum threshold, covered in its own section below.
VAMP Enforcement Timeline: What Is Already in Effect
| Date | What Happened |
|---|---|
| April 1, 2025 | VAMP goes live. VFMP and VDMP officially retired. Monitoring begins but no penalties yet. |
| June 1, 2025 | 1,500-transaction minimum count takes effect. Merchants above this count are formally tracked against VAMP thresholds. |
| June–September 2025 | Advisory period. Merchants in the Excessive category are identified and notified. No Visa-level fines assessed, but acquirers are already adjusting merchant terms. |
| October 1, 2025 | Enforcement begins. Merchants and acquirers in the Excessive category begin receiving $8-per-transaction fees on every TC40 and TC15 event. This is now in effect. |
| January 1, 2026 | Above Standard acquirer tier enforcement begins. Acquirers with VAMP ratios between 0.50% and 0.70% now face $4-per-transaction fees. |
| April 1, 2026 | Merchant Excessive threshold tightens. In the U.S., Canada, and EU, the merchant Excessive threshold drops from 2.2% to 1.5%. Other regions may remain at 2.2% temporarily. |
Bottom line on timing: Enforcement is not coming — it is here. If your VAMP ratio is above the Excessive threshold today, you are already accruing $8-per-event fees. If you are in a high-risk vertical and your acquirer has not communicated anything about VAMP, that silence is not reassurance. It may mean you are not getting visibility into data that is actively being used to evaluate your account.
The Thresholds That Actually Matter
There are two sets of thresholds under VAMP, and understanding the difference between them is the single most important thing a high-risk merchant can take away from this guide.
Visa's Official Merchant Thresholds
| Status | Merchant VAMP Ratio (through March 2026) | Merchant VAMP Ratio (from April 2026, U.S./Canada/EU) | Fee per TC40/TC15 Event |
|---|---|---|---|
| Standard (safe) | Below 2.2% | Below 1.5% | None |
| Excessive | ≥ 2.2% | ≥ 1.5% | $8 per event |
Visa's Acquirer Portfolio Thresholds
| Status | Acquirer Portfolio VAMP Ratio | Fee per TC40/TC15 Event |
|---|---|---|
| Standard (safe) | Below 0.50% | None |
| Above Standard | ≥ 0.50% and < 0.70% | $4 per event (in effect January 2026) |
| Excessive | ≥ 0.70% | $8 per event |
The Threshold Gap — and Why It Puts You at Risk
This is the number most merchants never see: your processor's internal VAMP threshold — the ratio at which they will act against your account before Visa ever gets involved.
The math makes it obvious why that internal number is much lower than Visa's public limits. An acquirer's entire portfolio must stay below 0.50% to avoid Above Standard status. A single merchant running a 1.5% VAMP ratio — technically "Standard" under Visa's merchant rules — creates massive drag on the acquirer's portfolio average. If that acquirer has hundreds of merchants, a handful of accounts above 0.50% can jeopardize the whole portfolio's compliance standing.
The practical result: most processors set internal merchant thresholds somewhere between 0.5% and 1.0%, regardless of what Visa's public merchant limits say. A merchant at 0.7% may be fully compliant with every published Visa rule and still face account termination, sudden reserve increases, or processing holds — because the acquirer's math does not add up with that account on the books.
This internal threshold is almost never disclosed upfront. Getting it in writing before signing is one of the most important things a high-risk merchant can do.
Why High-Risk Merchants Face Disproportionate Exposure Under VAMP
VAMP's volume-based calculation hits certain business models harder than others. If your business has any of the following characteristics, your VAMP ratio will be structurally higher than a standard e-commerce merchant, independent of how well you manage fraud:
- Subscription billing: Recurring transactions generate a higher rate of friendly fraud disputes, particularly after free trial periods. Each dispute that does not get resolved through RDR or a pre-dispute network hits both TC40 and TC15.
- High-ticket or luxury goods: Fraud is more likely on high-value transactions. Each fraudulent transaction that results in a chargeback double-counts against your ratio.
- Digital goods and downloads: Low-friction delivery makes chargebacks easier for customers to file and harder to fight with compelling evidence. Dispute-to-sale ratios run structurally higher.
- CNP-heavy verticals (travel, nutraceuticals, adult content): Card-not-present transactions are the only ones counted in the VAMP ratio. Businesses that are 100% CNP have no in-person transaction volume to dilute their ratio denominator.
- International customer bases: Cross-border fraud rates are higher, and international issuers file TC40 reports more aggressively than domestic ones.
For merchants in these categories, the question is not just "am I below 2.2%?" It is "am I below whatever internal threshold my processor is using, and do I even know what that number is?"
The MATCH List Risk
If an acquirer terminates your account for VAMP-related reasons, you may be reported to the MATCH list (Member Alert to Control High-Risk merchants). MATCH list placement makes it extremely difficult to obtain a new merchant account — sometimes for years. Proactive VAMP management is not only about compliance fees; it is about protecting your ability to process payments at all.
The Enumeration Component: Card Testing Under VAMP
VAMP introduced a separate monitoring metric specifically targeting card testing fraud, which Visa calls enumeration.
What Enumeration Is
Enumeration — also called card testing or card cracking — is when fraudsters use automated scripts to run large numbers of stolen or algorithmically generated card numbers through a merchant's checkout page. The goal is to identify valid card credentials by seeing which ones authorize successfully. Most attempts fail, but the successful ones are then used for larger fraudulent purchases elsewhere.
The damage to merchants is significant: declined card testing attempts generate authorization fees, can trigger velocity blocks from issuers, and under VAMP now also affect your risk profile directly — even if no transaction is ultimately settled.
The VAMP Enumeration Thresholds
A separate enumeration ratio is calculated as:
Enumeration Ratio = Confirmed Enumerated Transactions (Approved + Declined) ÷ Total Authorization Transactions (Approved + Declined)
Visa uses its Visa Account Attack Intelligence (VAAI) Score system to identify confirmed enumerated transactions, which Visa claims reduces false positives by approximately 85%.
Enumeration monitoring applies only when both of the following thresholds are met:
- Enumeration ratio ≥ 20% (2,000 basis points)
- Confirmed enumerated transaction count ≥ 300,000 per month
The high minimum count means most small and mid-size merchants are not at immediate enumeration risk. However, for high-volume merchants — particularly those running marketplace models, subscription platforms, or open checkout pages without strong front-end fraud controls — both thresholds can be reached faster than expected during an active attack.
What Protects Against Enumeration
Standard fraud filters are not sufficient. Effective enumeration prevention requires tools that operate at the authorization layer, before a transaction reaches settlement:
- CAPTCHA and bot detection at checkout
- Velocity rules on declined authorization attempts per IP, card BIN, device fingerprint, and email address
- AI-based anomaly detection that flags rapid sequential authorization attempts
- Visa's VAAI Score integration (available through some acquirers and fraud platforms)
Ask any prospective processor whether they provide real-time declined-transaction monitoring, not just settled-transaction fraud alerts. VAMP's enumeration component means declined traffic now has compliance implications.
VAMP vs. Mastercard ECP: How the Two Networks Differ
If you accept both Visa and Mastercard — which most merchants do — you are operating under two parallel monitoring programs with meaningfully different structures. Understanding both is necessary for complete compliance management.
| Feature | Visa VAMP | Mastercard ECP |
|---|---|---|
| What it tracks | Fraud (TC40) + Disputes (TC15) combined | Chargebacks only |
| Primary target | Acquirer portfolio compliance | Merchant chargeback volume |
| Merchant Excessive threshold | 2.2% (dropping to 1.5% in April 2026 for U.S./Canada/EU) | 1.5% for ECM tier; 3.0% for HECM tier |
| Double-counting risk | Yes — fraud + resulting dispute both count | No — chargeback counted once |
| Penalty structure | Per-transaction fee ($8/event for Excessive merchants) | Flat escalating monthly fines |
| Enforcement speed | Single month can trigger identification; no consecutive-month requirement | Typically requires two consecutive months above threshold to trigger |
| Enumeration monitoring | Yes — separate ratio and threshold | No dedicated enumeration metric |
| Early warning | No formal Early Warning tier under VAMP | Formal Early Warning tier exists |
For high-risk merchants, the most important difference is enforcement speed. Mastercard's ECP typically requires two consecutive months above threshold before formal action begins. VAMP has no such buffer — a single bad month can result in identification and fee assessment. This makes real-time VAMP monitoring significantly more important than a monthly review cycle.
5 Questions to Ask Any Processor Before Signing
Given the gap between Visa's published thresholds and the internal limits processors actually enforce, choosing a processor without asking these questions is accepting significant hidden risk.
1. "What is your internal VAMP ratio threshold for merchants in my vertical?"
Do not accept a reference to Visa's public 2.2% limit as an answer. That is not what you will be held to. Push for a specific number — the ratio at which they will place your account on a monitoring watch list, raise your rolling reserve, or initiate termination proceedings. For most acquirers that work with high-risk merchants, that number sits somewhere between 0.5% and 1.0%. Get it in writing if you can.
2. "Do you provide access to my TC40 data, and how quickly?"
TC40 fraud reports are filed by issuing banks and not always visible to merchants directly. If your processor cannot give you near-real-time access to your TC40 counts, you cannot calculate your true VAMP ratio, which means you cannot manage it. Processors who provide TC40 visibility — ideally broken out by merchant descriptor and MID — are meaningfully more useful in a VAMP environment than those who only report chargebacks after they have already posted.
3. "Do you offer RDR, Verifi CDRN, or Ethoca Alerts, and are they included or add-on fees?"
Pre-dispute resolution tools are the primary lever for removing TC15 disputes from your VAMP count before they post as chargebacks. Rapid Dispute Resolution (RDR), Verifi's Cardholder Dispute Resolution Network (CDRN), and Ethoca Alerts all intercept disputes at different stages. A processor that integrates these natively — rather than requiring you to contract with them separately — is better positioned to protect your ratio. Understand the cost structure before signing.
4. "How do you monitor and respond to enumeration attacks on my account?"
Ask specifically about declined-transaction monitoring. Many processors only alert merchants to settled-transaction fraud. Under VAMP, declined authorization attempts count toward the enumeration ratio. A processor with no visibility into your declined traffic cannot help you identify or respond to a card testing attack before it affects your VAMP standing.
5. "If my VAMP ratio exceeds your internal threshold, what is your notification and remediation process before termination?"
Some processors will give advance notice and a remediation window. Others will terminate with minimal warning, particularly if their own portfolio compliance is under pressure. Understanding this process in advance — ideally getting a written SLA around notification timelines — is the difference between having time to fix a problem and waking up to a terminated account.
Managing Your VAMP Ratio: The Practical Toolkit
Beyond processor selection, the following actions directly reduce VAMP exposure:
- Integrate Compelling Evidence 3.0. Fraud disputes resolved through CE 3.0 do not count toward your VAMP ratio. This is the most direct path to removing confirmed-fraud events from your numerator.
- Deploy pre-dispute resolution tools. RDR and CDRN intercept TC15 disputes before they post. Each resolved dispute that stays off the books reduces your ratio.
- Build internal VAMP ratio monitoring. Do not rely on your processor to tell you when you are approaching a threshold. Set internal alert levels — a 1.0% internal warning trigger and a 1.5% escalation trigger is a reasonable starting framework for most high-risk merchants — and review them on a rolling 30-day basis, not monthly.
- Audit billing descriptors. Confusing or generic billing descriptors are one of the most common drivers of friendly fraud disputes. A descriptor that clearly identifies your business and the product purchased reduces the volume of "I don't recognize this charge" disputes that generate TC15 events.
- Front-load fraud screening. Invest in pre-authorization fraud tools, not just post-settlement dispute management. Stopping a fraudulent transaction before it is authorized prevents both the TC40 and any resulting TC15 from ever entering the calculation.
Conclusion: The Threshold That Actually Governs Your Account
Visa's VAMP program created a compliance structure in which the thresholds that govern your merchant account are not the ones published in Visa's rules. The thresholds that matter are the ones your acquirer sets internally to protect its own portfolio compliance — and those numbers are lower, less transparent, and enforced faster than most merchants realize.
For high-risk merchants, the priority is not waiting to see whether your ratio crosses 2.2%. It is understanding what number your current or prospective processor uses internally, getting real-time visibility into your TC40 and TC15 data, and deploying pre-dispute tools that reduce your ratio before it becomes someone else's problem.
Choosing the right processor for a high-risk account has always required looking past surface-level pricing. Under VAMP, it now also requires asking the right compliance questions before you are already at risk.
