The Visa Acquirer Monitoring Program (VAMP) is Visa's consolidated fraud and dispute monitoring framework. It replaced two predecessor programs — the Visa Fraud Monitoring Program (VFMP) and the Visa Dispute Monitoring Program (VDMP) — when it launched in June 2025 (Chargebacks911).
The "A" in VAMP is the tell. Unlike its predecessors, which focused primarily on merchants, VAMP places direct accountability on acquirers — the banks and processors that sponsor merchant accounts. Each month, Visa reviews every acquirer's portfolio for elevated fraud, disputes, and card-testing activity. Acquirers that fail to keep their portfolio within Visa's thresholds face fines and mandatory remediation. That pressure flows downhill: acquirers that are on the hook for your numbers are highly motivated to restrict, fine, or offboard merchants who push their portfolio ratios higher.
For high-risk merchants — subscription businesses, digital goods, travel, nutraceuticals, iGaming — this is the compliance environment you are now operating in. VAMP doesn't care about your MCC. The old programs used to offer more generous thresholds for high-dispute industries like gaming and travel. Those exemptions are gone. Every merchant processing Visa CNP transactions is now measured by the same ratio standard.
The program also introduces something the predecessor programs lacked: a second metric, the Enumeration Ratio, specifically designed to catch merchants whose checkout infrastructure is being exploited for card-testing attacks. That means two separate ways your account can enter monitoring — not one.
VAMP applies exclusively to card-not-present (CNP) transactions — domestic and cross-border — processed on VisaNet (Visa VAMP Fact Sheet). If your business sells online, by phone, or through any channel where the physical card isn't present at the point of sale, every Visa transaction you process falls under this program.
On April 1, 2026, the "Excessive Merchant" VAMP threshold dropped from 220 basis points (2.2%) to 150 basis points (1.5%) across the US, Canada, European Union, and Asia-Pacific regions (Accertify). That is a 32% reduction — applied overnight, with no transition period for merchants who were operating between those two numbers.
If your combined fraud-and-dispute ratio was 1.8% in March 2026, you were compliant. On April 2, 2026 — with the exact same volume and the exact same dispute count — you were in violation and subject to penalties.
Here is how the thresholds now break down by region and entity type:
Sources: Visa VAMP Fact Sheet, Accertify
Two structural points that trip up merchants when reading these numbers:
The minimum count matters. You do not enter merchant-level monitoring unless you generate at least 1,500 combined TC40 fraud reports and TC15 disputes in a given month (Visa VAMP Fact Sheet). Most mid-size and enterprise ecommerce merchants clear this floor easily. But even merchants below the 1,500 floor are not fully insulated — if your numbers are pushing your acquirer's portfolio ratio toward 0.5%, your acquirer may still come to you.
The acquirer thresholds are tighter than yours — and they affect you. Your acquirer's portfolio must stay below 0.5% (Above Standard) and 0.7% (Excessive). Visa began enforcing the Above Standard acquirer fine in January 2026 (Corgi Labs). Acquirers managing their own compliance exposure will often set internal merchant limits well below the 1.5% Visa line — some as low as 1.0% — to protect their portfolio headroom.
The VAMP ratio is a single, count-based metric (Visa VAMP Fact Sheet):
VAMP Ratio = Count of [Fraud (TC40) + Disputes (TC15)] ÷ Count of Settled Transactions (TC05)
Three mechanics define how this formula works in practice:
1. It's count-based, not dollar-based. Visa counts transactions, not value. A merchant processing 100,000 low-ticket digital downloads has far more ratio exposure per dollar of revenue than a merchant processing 1,000 high-ticket hardware orders at the same fraud rate. Volume is the enemy.
2. A single fraudulent dispute counts twice. When a cardholder reports fraud, their issuing bank files a TC40 fraud report. If you don't refund fast enough to prevent the chargeback, a TC15 dispute follows. Both events hit your ratio separately — one transaction generates two ratio events. As Forter notes, this can result in $16 in VAMP fines from a single disputed transaction (two $8 events).
3. Only card-not-present transactions are counted. CNP transactions are both the numerator events (TC40/TC15) and the denominator (TC05 settled transactions). In-store transactions are excluded entirely.
A subscription software merchant processes 10,000 settled CNP transactions in April 2026. During the month, issuers file 85 TC40 fraud reports against the merchant. Of those 85 fraud reports, 70 escalate to TC15 chargebacks before the merchant can issue refunds. The merchant also receives 40 non-fraud TC15 disputes (billing confusion, cancellation issues).
Total numerator events: 85 (TC40) + 70 (TC15 from TC40s) + 40 (non-fraud TC15) = 195 events
VAMP Ratio = 195 ÷ 10,000 = 1.95%
This merchant exceeds the 1.5% threshold. If they meet the 1,500-event minimum (they do not in this example — high-volume merchants processing 50,000+ transactions per month are far more likely to trigger that floor), they enter Excessive monitoring and face $8 per event in fees for every one of those 195 events — a potential $1,560 in VAMP fines for that single month, on top of standard chargeback fees.
VAMP fees are assessed per fraud report and per dispute — and they apply to every event in a month in which you exceed the threshold, not just the events above the line (Forter).
The fee structure, effective after the October 2025 enforcement start date:
Sources: Accertify, Visa VAMP Fact Sheet
First-time violator grace period. If you have not been enrolled in VAMP monitoring within the prior 12 months and you breach the threshold for the first time, you receive a three-month grace period before fines begin (Forter). This grace period also exists at the acquirer level. First-time violations result in the acquirer being given three months to remediate before fines apply. Remediation plans must be submitted to Visa within 15 calendar days of notification.
The fee math compounds quickly. A merchant with 2,000 combined TC40+TC15 events in a month — not unusual for a subscription business at scale — at a 1.6% ratio faces $16,000 in VAMP fines for that month alone, before accounting for standard chargeback fees, retrieval fees, and reserve holdbacks their acquirer may impose. Fines are assessed monthly, so a merchant sitting just above the line for multiple months can face tens of thousands in cumulative penalties while working through a remediation cycle.
One critical nuance: VAMP fines are passed through the acquirer to the merchant. Your acquirer absorbs the Visa fine and then charges you — meaning your processor agreement determines exactly how that liability lands. Some acquirers will itemize VAMP fees as a line item; others will bury them in processing reserves or adjustment charges. Review your merchant agreement and ask your acquirer explicitly how VAMP fines are billed before you find out the hard way.
The VAMP Enumeration Ratio is a separate compliance metric that tracks card-testing attacks — the automated fraud method where bad actors run thousands of authorization attempts against your checkout to validate stolen card numbers (Chargebacks911).
Formula:
Enumeration Ratio = Count of Enumerated Authorization Transactions (Approved + Declined) ÷ Count of All Authorization Transactions (Approved + Declined)
Threshold: ≥ 20% (2,000 bps), with a minimum of 300,000 enumerated authorization transactions per month to trigger monitoring (Visa VAMP Fact Sheet).
Visa identifies enumerated transactions using the Visa Account Attack Intelligence (VAAI) Score system, which detects bot-pattern authorization behavior — not just declined transactions, but the pattern of high-frequency, sequential card number attempts regardless of approval outcome.
What makes the Enumeration Ratio different from the VAMP dispute ratio:
Merchants with marketplace or subscription platforms that expose payment endpoints via API, or that run split-second free-trial flows, are the most vulnerable to enumeration attacks. The VAAI Score system Visa uses to flag enumeration is based on behavioral signals, not just volume — which means bot attacks don't need to be massive to register.
Managing your VAMP ratio requires both proactive fraud prevention and reactive dispute resolution. These are the tools and practices that move the needle:
When does the new VAMP threshold take effect?
The tighter 1.5% Excessive Merchant threshold took effect on April 1, 2026 in the US, Canada, EU, and Asia-Pacific. Enforcement of fines for merchants began October 1, 2025 at the previous 2.2% threshold. Acquirer Above Standard fines began January 1, 2026. First-time violators at the new threshold receive a three-month grace period before fines begin, provided they have not been in VAMP monitoring within the prior 12 months (Forter).
What is the difference between VAMP and the old VDMP/VFMP?
The Visa Dispute Monitoring Program (VDMP) and Visa Fraud Monitoring Program (VFMP) were separate merchant-level programs with separate thresholds — previously 0.9% each (combined tolerance of 1.8% in practice). VAMP replaced both in 2025 with a single unified ratio that adds TC40 fraud reports and TC15 disputes together and divides by settled transactions. The result: the effective combined tolerance is lower (1.5%), there are no longer separate fraud and dispute buckets, high-dispute MCCs lost their special exemptions, and acquirers — not just merchants — are now the primary monitored entities (Chargebacks911).
Does VAMP apply to my business?
VAMP applies to all Visa CNP transactions. If you sell online, by phone, or through a card-not-present channel and process Visa transactions, VAMP affects you. Formal monitoring enrollment at the merchant level requires exceeding both the 1.5% ratio threshold and 1,500 combined TC40+TC15 events per month. Merchants below the 1,500-event floor are not formally monitored by Visa — but your acquirer may impose its own internal limits at any volume (Visa VAMP Fact Sheet).
What happens if my acquirer is in VAMP?
If your acquirer's portfolio-level VAMP ratio reaches 0.5% (Above Standard) or 0.7% (Excessive), the acquirer receives notification from Visa, must submit a remediation plan within 15 calendar days, and faces per-transaction fines on its entire portfolio. Acquirers in this situation will actively audit their merchant base, increase reserve requirements, impose lower processing volume caps, or terminate accounts that are contributing to the problem. Even if your individual ratio is under 1.5%, you may face restrictions if you are among the highest-ratio merchants in your acquirer's book (Corgi Labs).
How is the Enumeration Ratio different from the chargeback ratio?
The VAMP dispute ratio measures fraud reports and disputes as a percentage of settled transactions. The Enumeration Ratio measures confirmed card-testing attempts — both approved and declined — as a percentage of all authorization attempts. It is a measure of bot attack intensity on your checkout, not customer dispute behavior. You can have an excellent dispute ratio and still be flagged for enumeration if your checkout is being targeted by automated card-testing bots.
Are RDR-resolved disputes counted in my VAMP ratio?
No. Disputes resolved through Visa Rapid Dispute Resolution (RDR) and Verifi CDRN are explicitly excluded from VAMP ratio calculations, contingent on timing — the resolution must occur within the same monthly data extract period as the dispute. TC40 fraud reports resolved under Compelling Evidence 3.0 are also excluded. This exclusion is the primary reason every high-risk merchant should be enrolled in at least one pre-dispute resolution tool (Chargebacks911).
What happens if I'm flagged under VAMP?
If you exceed the 1.5% threshold and the 1,500-event minimum, your acquirer receives notification from Visa. If you are a first-time violator (not in VAMP monitoring within the prior 12 months), you receive a three-month grace period before fines are assessed. After the grace period — or immediately if you are a repeat violator — $8-per-event fees apply to every TC40 and TC15 in the qualifying month. Sustained exceedance without remediation can result in your acquirer imposing reserves, restricting processing volume, or terminating your account. The terminal consequence is MATCH list placement, which effectively ends your ability to obtain Visa processing through any mainstream acquirer.
VAMP is not a bureaucratic nuisance. It is a direct tax on poor dispute management — and with the April 2026 threshold reduction now in effect, the margin for error has narrowed sharply.
CARDZ3N works exclusively with high-risk merchants. We know the difference between friendly fraud, true fraud, and processing infrastructure that generates chargebacks by design. Our chargeback management product, ChargebackZ3N, is built specifically for merchants in dispute-intensive verticals — subscription billing, digital goods, nutraceuticals, gaming, and more. We combine pre-dispute tools (RDR, CDRN), CE3.0 data capture, and active chargeback representment into a single managed program.
What we do for VAMP-exposed merchants:
If your ratio is already above 1.5%, or you are seeing your acquirer tighten reserves and volume caps, act now. The three-month grace period for first-time VAMP violators is finite.
Explore our services:
Call us directly: 702-623-3528
CARDZ3N — High-Risk Merchant Services | Las Vegas, NV | cardz3n.com
Sources cited in this article:
Take the first step towards success by scheduling your complimentary consultation with CARDZ3N
