VAMP Is Already Reshaping Merchant Risk. Most Merchants Don’t See It Yet

The Shift Most Merchants Haven’t Noticed Yet

A sweeping new fraud-monitoring program went live April 1, 2025. If you're processing card-not-present transactions and haven't heard of VAMP, your merchant account may already be in trouble.

Here's a number that should get your attention: $40 billion. That's how much Visa claims to have prevented in fraud losses last year alone. And yet, fraud, particularly online fraud, is still accelerating. Card testing bots. Friendly fraud. Dispute abuse. The gap between what payment networks can detect and what merchants can actually prevent has never been wider.

Visa's answer is VAMP: the Visa Acquirer Monitoring Program. It went live on April 1, 2025, and for online merchants, it represents the most consequential shift in payment compliance in years. If you process Visa transactions online, you need to understand what changed, why it matters, and what happens if you ignore it.

What VAMP Actually Is

Think of VAMP as Visa collapsing its entire fraud-and-dispute enforcement apparatus into a single, harder-to-game system. Previously, merchants had to manage two separate programs: the Visa Dispute Monitoring Program (VDMP), which tracked chargebacks, and the Visa Fraud Monitoring Program (VFMP), which tracked fraud. Each had its own thresholds, its own remediation processes, its own logic.

VAMP replaces both, and then some. It consolidates five programs and 38 separate remediation processes into one unified framework.

The core of the new system is a single metric called the VAMP Ratio:

(TC40 Fraud Reports + Chargebacks) ÷ Total Settled Transactions

This applies to card-not-present (CNP) transactions only, meaning every online purchase, subscription charge, and digital goods transaction you process.

The key word there is TC40. A TC40 is a fraud report filed by a card-issuing bank when a cardholder reports a transaction as fraudulent. Under the old system, TC40 data fed into the VFMP separately, and most merchants never even saw their own TC40 numbers. Under VAMP, those reports now count directly toward your ratio, alongside traditional chargebacks. For many merchants, this change alone will cause their apparent "dispute rate" to spike dramatically overnight.

If you’re new to VAMP, this is where things start to get more complex.

If you want a simpler, more practical breakdown of how it works — without the technical layers — you can start here:

• Read our VAMP overview for online merchants

The Numbers You Need to Know

The excessive threshold for merchants under VAMP is 2.20%, a number that sounds forgiving until you understand how it's calculated. That threshold drops further to 1.50% in April 2026, giving merchants less than a year to get systems in place before the bar gets significantly harder to clear.

For acquirers (the banks and payment processors who underwrite merchant accounts), the thresholds are even tighter: Early Warning kicks in at 0.40%, Above Standard at 0.50%, and Excessive at 0.70%. Those are acquirer-level numbers, but they directly affect merchants, because acquirers under pressure will push that pressure downstream.

And here's the real story: many acquirers aren't waiting for Visa's published thresholds to kick in. Industry sources report that some acquirers are already requiring merchants to stay below 0.4% on their VAMP Ratio, a fraction of the official excessive threshold. If your PSP or acquirer hasn't told you what number they're holding you to, that conversation is already overdue.

There's also a new enumeration monitoring component. If more than 20% of your authorization attempts are classified as enumerated, meaning they look like bot-driven card testing, you face additional fines and potential loss of Visa processing privileges. For low-ticket merchants, free trial businesses, and subscription services, this is an acute risk. Low-friction checkout flows that make card testing easy are now directly penalized.

Why This Hits Harder Than It Looks

The subtle genius, and the real danger, of VAMP is in the TC40 inclusion. To understand why, consider this scenario from the guide published by chargeback management firm Fraud Deflect.

A gaming merchant processes 5,000 Visa transactions in a month, with 35 chargebacks and 150 TC40 fraud reports. Under the old VDMP framework, their chargeback rate is 0.7%, below the 0.9% threshold. No fine. Under VFMP, their fraud dollar volume might also fall below the penalty tier. No fine there either.

Under VAMP? That same merchant's combined ratio is 3.7%, nearly double the excessive threshold of 2.20%. Same business. Same transactions. Massive fine.

This isn't a hypothetical designed to scare merchants. It's a structural consequence of how TC40 reports work. Issuers file them quietly, merchants rarely see them, and until now they existed in a separate compliance lane. That lane is gone. TC40s and chargebacks are now the same problem.

Who Gets Hit Hardest

VAMP is a broad policy, but its sharpest edges are aimed at specific verticals. The merchants at highest risk are those operating in categories with structurally elevated dispute rates: subscription services, streaming platforms, digital goods, gaming, nutraceuticals, adult content, SaaS, free trial offers, and high-volume e-commerce with low average ticket sizes.

These categories share a common vulnerability. Recurring billing creates billing confusion disputes. Low-ticket transactions attract card testers. Digital goods are easily disputed because there's no physical item to return. And subscription models, where the cardholder forgot they signed up, or misunderstood the cancellation policy, generate a consistent stream of both chargebacks and TC40 flags.

For these merchants, the 2.20% threshold isn't a distant ceiling. It's a number they may already be exceeding without knowing it, simply because they've never had visibility into their TC40 data.

What Compliance Actually Requires

The grace period is real but brief: a 3-month window for first-time threshold breaches within a 12-month period, with no penalties during that time. After that, fines for merchants range from $8 to $40 per disputed or TC40-flagged transaction. Repeat non-compliance leads to higher reserve requirements, stricter underwriting, and ultimately termination of Visa processing privileges.

Getting ahead of VAMP isn't just about adding a fraud tool. It requires a layered approach:

Know your actual VAMP Ratio. Most merchants don't have access to their TC40 data. If your PSP isn't providing it, you're flying blind. Request it. Calculate your ratio. This is the starting line.

Close the gap between fraud and disputes. Tools like Visa's Rapid Dispute Resolution (RDR), Verifi CDRN, and Ethoca Alerts can intercept disputes before they become chargebacks, but under VAMP, chargebacks resolved via these tools can still count toward your ratio if the issuer flags a TC40. Prevention upstream matters more than resolution downstream.

Address enumeration directly. If card testing is a problem in your business, it shows up in your enumeration rate. AVS checks, CVV validation, velocity rules, and real-time fraud detection aren't optional in a VAMP world.

Fix the customer experience issues driving non-fraud disputes. Clear cancellation policies. Prominent billing descriptors. Proactive communication on recurring charges. A significant percentage of chargebacks exist because merchants made it easier to dispute a charge than to contact support.

Talk to your acquirer now. The gap between Visa's published thresholds and what individual acquirers are actually enforcing is significant and growing. You need to know what number your acquirer is using before enforcement starts in earnest.

The Window Is Closing

VAMP is not a future concern. The program is live. The clock on the April 2026 threshold tightening has already started. Merchants who treat this as a Q4 problem will find themselves behind on compliance, in conversation with their acquirer about reserve requirements, and scrambling to fix in weeks what should have been built over months.

The payment ecosystem is tightening. Visa is consolidating enforcement. Acquirers are raising the bar. And the TC40 data that most merchants have never seen is now the single most important number in their compliance profile.

The full Fraud Deflect VAMP Guide covers the complete threshold breakdown, sample ratio calculations, industry-specific risk profiles, and a preparation checklist for merchants. Download it free at frauddeflect.com/vampguide.