Visa is sunsetting its Visa Dispute Monitoring Program (VDMP) and Visa Fraud Monitoring Program (VFMP) on March 31, 2025.
What changes are being introduced?
The VDMP was previously utilized to enforce excessive dispute thresholds, while the VFMP was aimed at fraud disputes based on the TC40 data.
Effective April 1, 2025, Visa is updating the Visa Acquirer Monitoring Program (VAMP) to redefine disputes and emphasize enumeration fraud control. The revised VAMP introduces merchant and acquirer-level (participants) thresholds, establishing a macro compliance initiative covering disputes, fraud, and enumeration events.
The VAMP will utilize a new calculation for the basic program ratio:
VAMP Ratio = (CNP Fraud Disputes + CNP Non-fraud Disputes) / CNP Settled Sales
CNP Fraud is now defined as TC40 dispute count, while CNP non-fraud disputes are represented by the total count of dispute condition codes 11, 12, and 13 identified on the TC15 report. Settled transactions can be identified on TC05 report. Disputes are tracked based on the post date. Note that there is a minimum count of 1,000 combined TC40 and TC15 monthly transactions that will also serve as a threshold for the program.
| Participant | Acquirer | Merchant | ||
|---|---|---|---|---|
|
Classification |
Above Standard |
Excessive |
Excessive |
Excessive |
|
Category |
VAMP Ratio |
VAMP Ratio |
VAMP Ratio |
Enumeration |
|
Threshold Effective Date: 1 April 2025 |
N/A |
>= 50 bps |
>= 150 bps |
>= 2,000 bps |
|
Threshold Effective Date: 1 January 2026 |
>= 30 bps to 50 bps |
>= 50 bps |
>= 90 bps |
>= 2,000 bps |
Acquirer program thresholds start at an excessive rate of 50 (or higher) basis points VAMP ratio on April 1st. On January 1st, 2026, a new acquirer category will be included, which will range from a VAMP ratio of 30 to 50 basis points.
For merchants, the program thresholds of 150 basis points or higher for the VAMP will have an effective date of April 1st, 2024, however that threshold will decrease to 90 basis points on January 1st, 2026.
Enumeration activity is identified at the merchant level in the VAMP, with a single threshold of 2,000 basis points or above resulting in merchant identification in the program.
It’s important to note that the Visa Fraud Monitoring 3D Secure (VFMP-3DS) program is anticipated to remain in place in the United States region. This particular program forces merchants to utilize a layered risk control approach, and can result in penalties for those participants that send un-filtered traffic to 3D Secure for the purposes of authentication.
Why do these changes matter?
The update of the VAMP will not eliminate all Visa merchant level programs. Instead the new VAMP is introducing merchant level thresholds, and the card network will still provide acquirers with merchant level identification data. Therefore merchants will still be responsible to ensure that their fraud and non-fraud dispute count, volume and rates will remain acceptable.
Challenges merchants may face:
A critical challenge for merchants is limited access to TC40 data (fraud notifications). Many acquirers and PSPs either cannot provide these reports or charge substantial fees for access, creating a significant blind spot in fraud management. It will be more important than ever for Visa to provide access to TC40 data, and it is essential for merchants to initiate conversations with their acquirer regarding the TC40 program and the availability of fraud data.
Certain PSPs (Stripe and Adyen in particular) provide strong reporting and insights into the TC40 data (“early fraud warnings” at Stripe, and “notifications of fraud” at Adyen). Additionally, their risk tools (Stripe Radar, Adyen Uplift) leverage TC40 data in AI models to block suspected fraud in real-time.
New Focus on Enumeration Attacks
Visa estimates enumeration attacks cause
in annual losses in North America.
The revised VAMP signals heightened attention to these attacks (also known as card testing or BIN attacks), which negatively impact e-commerce and digital merchants through:
- Declines in approval rates
- Increased non-legitimate traffic
- Payment processing latency issues
- Blocked legitimate orders (collateral damage in an effort to control this phenomenon)
Transaction-level Fines for Excessive Disputes
Another concern for merchants are fines (non-compliance assessments) being collected for VDMP and VFMP. The updated VAMP is introducing a new type of assessment – a transaction level fine.
The fine will be applicable to merchants that receive an Excessive program identification.
The fine implemented will be a
(USD) per fraud dispute (TC40 fraud, and TC15 non-fraud) or dispute (condition code 11, 12, 13).
First time “offenders” within a 12 month rolling period will receive a three month grace period to remediate, during which enforcement will not be implemented.
Re-assessment of Rapid Dispute Resolution
Visa has also announced that fraud disputes (TC40) issued for transactions that result in successful RDR cases will be included in the VAMP calculation. This will result in merchants that may have been excluded from the traditional VDMP program thresholds fall into the VAMP scope. RDR was never intended to be a fraud prevention and mitigation solution. The product has shown effectiveness in mitigating some of the impact of first party misuse, however the solution should not replace traditional fraud mitigation controls. Merchants will need to ensure that they invest in pre-authorization fraud decisioning technology, adequate TC40 based reporting and analysis, and focus on closely partnering with their acquirer and card network partners.
What should acquirers and merchants do?
VAMP’s impact will vary based on your business profile, product offerings, and existing risk management infrastructure. To prepare effectively, entities impacted by the updated VAMP should conduct an in-depth assessment of their risk program, with a focus on:
- Availability and quality of data pertaining to disputes, fraud, and enumerated activity
- Risk detection and fraud prevention capabilities, both pre-authorization and post-authorization
- Analysis on the efficiency of the risk controls in place
- Availability of reporting capabilities, particularly those focused on daily, weekly, and monthly monitoring of fraud trend data
The updated VAMP highlights the need for improved collaboration and communication between participants in the payment ecosystem: acquirers should actively leverage communication channels with the card network to fully understand the updated program, provide feedback, and look for pathways of collaboration to create positive impact.
Merchants should seek to engage with their acquirer or PSP as soon as possible to discuss gaps in their risk management program, such as the absence of TC40 data, or to request support to assess their risk and fraud controls, and identify opportunities for improvement, such as leveraging PSP tools like Stripe Radar.
It’s essential for acquirers and merchants to start scoping the impact of the VAMP program changes ahead of its April 1st launch. While true impact cannot be fully assessed until the program is live, predictive analytics and strong data management, as well as a thorough understanding of one’s customer base, can help all participants prepare strategies for minimizing negative impact, and maximizing the positive outcomes from these changes.
While regulatory changes create compliance challenges, they also present an opportunity to strengthen fraud prevention strategies and improve customer experience. Proactive merchants who adapt quickly will gain competitive advantage while minimizing compliance costs.
Share this Article