The Visa Acquirer Monitoring Program (VAMP) is Visa's consolidated framework for measuring and enforcing fraud and dispute thresholds across the payments ecosystem. Effective April 1, 2025, it replaced five legacy programmes, most notably the Visa Fraud Monitoring Program (VFMP) and Visa Dispute Monitoring Program (VDMP), along with 38 distinct remediation processes, into a single unified standard.
At the centre of it is a new single metric, the VAMP Ratio, which gives Visa and your acquirer a consolidated view of how much of your transaction volume ends up in dispute.
// VAMP Ratio
Count of [Fraud (TC40) + Disputes (TC15)] / Count of Settled Transactions (TC05)
// Enumeration Ratio
Enumerated Transactions (Approved + Declined) / Total Authorization TransactionsFraud disputes that originate as a TC40 and then escalate into a TC15 chargeback are counted twice in the numerator, once as fraud, once as a dispute. Fraud-related chargebacks therefore hit harder than they did under the previous programmes.
"VAMP is truly an outlier programme. An acquirer has to be performing five, seven, ten times the global average to be identified. But for merchants operating in CNP-heavy environments, the maths is far less forgiving."
The new thresholds
April 1, 2026: the merchant Excessive threshold dropped to 1.5% globally. Merchants exceeding this threshold after a 3-month grace period face per-dispute fees and, ultimately, the loss of Visa processing rights. If you haven't yet audited your CNP dispute exposure, the window is closing.
Why it matters to merchants
Previously, merchants could treat fraud and chargebacks as parallel problems, tracked in separate programmes with separate thresholds. VAMP removes that separation. One combined ratio, applied monthly, determines your standing and your acquirer's.
Visa holds acquirers accountable for their merchant portfolio. If your dispute behaviour pushes your acquirer into an "Excessive" classification, they face $8 per disputed transaction across their entire book. Many acquirers are now setting internal merchant thresholds well below Visa's published limits, some at 1% or lower, to protect their portfolio. Breach those internal thresholds and you risk mid-cycle account termination before formal notice from Visa ever arrives.
For merchants in card-not-present environments (subscriptions, digital goods, travel, marketplaces, financial services), the calculus is particularly sharp. CNP transactions are the only transaction type VAMP monitors. If your revenue model is primarily online, VAMP covers your entire business.
What drives your VAMP ratio up
The VAMP ratio runs on transaction counts. Every fraudulent transaction and every dispute adds to your numerator regardless of the dollar amount.
Account takeover (ATO)
ATO ranks among the highest-impact contributors to CNP fraud disputes. A fraudster who gains access to a legitimate customer account inherits stored payment methods, saved addresses, and purchase history. Those are the trust signals that bypass fraud scoring. Purchases made during an ATO session are almost always disputed when the true account holder notices, generating both a TC40 fraud report and a TC15 chargeback: a double VAMP hit.
Standard fraud models are tuned to flag new or anomalous behaviour. ATO doesn't look new or anomalous. It looks exactly like a loyal, high-value customer making a purchase, which is why it evades detection so reliably.
Stored card CNP fraud
Merchants who offer card-on-file for frictionless repeat purchases create a high-value target. Once an attacker is inside an account, stored cards provide an instant verified payment method with no need to enter stolen card details that might trigger fraud checks. Disputes from stored-card misuse are then difficult to defend at chargeback: the merchant can show the card was authenticated at enrolment, but cannot demonstrate the account holder was present for the subsequent transaction. Issuers know this, and they rule accordingly.
Enumeration and card testing
Enumeration is the brute-force testing of stolen or generated card numbers, cycling through BINs, expiry dates, and CVVs at scale to identify valid cards. VAMP now tracks this separately via the Enumeration Ratio, confirmed by Visa's Account Attack Intelligence (VAAI) system. Declined attempts count too. Even if no transaction succeeds, a wave of automated card testing on your checkout can trigger the enumeration threshold (20% of authorizations flagged) and pull you into scope. Merchants without bot detection at the authentication layer have no buffer here.
Credential stuffing at login
Most ATO-driven disputes start upstream, at login. Attackers buy leaked credential lists and test them systematically against login forms. Successful logins become the entry point for stored-card abuse. Because credential stuffing uses valid passwords rather than random guesses, traditional brute-force detection misses it. Without step-up authentication on suspicious login signals (new device, new geography, unusual access times), there's nothing standing between the attacker and the customer's payment data.
Friendly fraud and first-party misuse
Not all disputes come from external attackers. A genuine customer disputing a transaction they actually authorised is a growing share of CNP chargebacks, particularly in subscriptions and digital goods. Under VAMP's combined formula, these non-fraud TC15 disputes (condition codes 11, 12, 13) sit in your ratio alongside genuine fraud. Without strong authentication evidence at the point of purchase, these disputes are very hard to win.
What you can do about it
Managing your VAMP ratio is a risk engineering problem. The merchants who stay below threshold tend to treat authentication as revenue infrastructure.
Deploy step-up authentication when login signals deviate from a customer's established pattern. New device, new country, unusual hour: each should trigger a verification step before any transaction is attempted. Most ATOs can be stopped at login.
Adding a new payment method, updating an existing card, or initiating a high-value checkout with a stored card should each carry its own verification requirement. A passkey or biometric confirmation at card enrolment creates dispute-resistant evidence of genuine customer presence. Treat these as privileged operations.
Enumeration attacks target checkout and payment APIs too. Velocity controls, CAPTCHA, and bot scoring applied at the authorisation request level, before a transaction hits Visa's network, directly reduce your Enumeration Ratio exposure.
On the dispute side, non-fraud TC15 disputes resolved through tools like Rapid Dispute Resolution (RDR) are excluded from your VAMP calculation. Compelling Evidence 3.0 (CE 3.0) removes both the dispute and the associated TC40 from your ratio, making it worth adopting for merchants with a meaningful volume of fraud chargebacks. Getting enrolled in these tools creates a mechanism to resolve or rebut disputes before they formally count against you.
Track your VAMP ratio monthly, before Visa does. Build internal monitoring using your TC40 and TC15 data. Many merchants only discover they're approaching threshold when their acquirer calls. Self-monitoring gives you lead time. At acquirer-notification stage, you're already in remediation mode.
When a genuine customer disputes a transaction they authorised, your defence is the authentication record: passkey signature, device attestation, verified session data. Building that evidence at authentication time is what determines whether you win or absorb it.
Where Authsignal fits
ATO, stored card fraud, credential stuffing, friendly fraud: in each case the gap is at the authentication layer. Either the account was accessed by the wrong person, the transaction went through without verifiable customer presence, or there's no durable evidence of genuine consent when the dispute arrives.
Authsignal sits between your application and your payment flow, providing orchestrated multi-factor authentication triggered by risk signals. For enterprise merchants that means step-up challenges on sensitive account events: login from a new device, card enrolment, high-value checkout, without adding friction to routine low-risk sessions.
Passkey and biometric verification creates a cryptographically-signed, phishing-resistant record of customer presence. That record is the strongest available evidence in a chargeback dispute. The rules engine intercepts anomalous behaviour at the authentication layer, before it reaches your payment processor or generates a TC40. Identity verification at onboarding anchors stored credentials and payment methods to a verified identity from day one.
VAMP is Visa acknowledging what security teams have argued for years: the payment dispute problem is an authentication problem. Fix that layer and the ratio tends to follow.
.svg)
.png)
