Are You Ready for VAMP?

 To level set, the VAMP ratio is the sum of CNP fraud cases (called TC40) and non-fraud disputes (TC15, dispute conditions 11, 12, and 13) with a monthly minimum of 1000 transactions. This numerator is then divided by the total number of settled CNP transactions to yield the VAMP ratio. 

1. Start with all your fraud and dispute cases — specifically:
    
   • Fraud reports (TC40)
      
   • Non-fraud disputes like:
      
     • Processing errors
        
     • Customer complaints
        
     • Issues with services or products (TC15, dispute codes 11, 12, 13)
        

1. Only count it if your business had at least 1,000 online/card-not-present (CNP) transactions in the month.
    
2. Then divide that total number of fraud and dispute cases by your total CNP transactions that were successfully processed and settled.
    

That final number is your VAMP ratio. The higher it is, the more likely Visa is to flag you for risk.

 In addition to the fraud and dispute ratio, VAMP will introduce changes to the enumeration ratio to better address the problem of enumeration attacks. This calculation is the number of enumerated authorization transactions (both approved and declined) divided by the total number of CNP authorized transactions with a monthly minimum of 300,000 enumerated transactions, identified and confirmed via the VAAI (Visa Attack Account Intelligence) Score system. 

VAMP is also looking at bot attacks where fraudsters try lots of stolen card numbers to find one that works. This is called an enumeration attack.

To track this, Visa uses something called the enumeration ratio:

• They count how many times bots tried card numbers on your system (even if the transactions failed).
   
• Then they compare that to all your online/card-not-present (CNP) transaction attempts.
   
• Visa only looks at this if at least 300,000 suspicious tries happen in a month.
   

If that ratio is high, it means your system might be getting hit by bots, and Visa could take action.

 Much as the name suggests, one critical difference is that this new program will be administered at the acquirer level, replacing the existing merchant side programs. We’ll talk about the implications of this shortly.  

One big change with VAMP is who it applies to.

Instead of focusing just on merchants, Visa will now hold payment processors (acquirers) responsible.

This means the whole processor's portfolio is being watched, not just individual businesses.

We’ll explain what this means and why it matters next.

 Effective April 1, 2025, the ‘Excessive’ category for acquirers is >=50 bps. Effective January 1, 2026, two threshold categories will be in play: ‘Above Standard’, defined as >=30 to <50 bps, and the ‘Excessive’ threshold at >=50 bps. On top of this, there is a merchant-specific threshold as well, and fines will apply accordingly at the merchant level. Effective April 1, 2025, ‘Excessive’ is defined as >=150 bps, and effective April 2026 ‘Excessive’ will move down to >=90 bps. It’s critical to note that the VAMP ratio will exclude resolutions from pre-dispute tools, including RDR (Rapid Dispute Resolution), CDRN (Cardholder Dispute Resolution Network), and the Compelling Evidence 3.0 program. Exclusions will also be granted for any data processed through Visa Net which is card network agnostic.

Starting April 1, 2025, Visa will begin enforcing VAMP thresholds for both acquirers (processors) and merchants.

• If your VAMP ratio is 50 bps (0.50%) or higher, you’ll be labeled "Excessive" starting April 2025.
   
• Then, starting January 1, 2026, Visa adds a second category:
   
  • "Above Standard" = 30–49 bps (0.30% to 0.49%)
     
  • "Excessive" = 50 bps (0.50%) or more
     

• From April 1, 2025, if a merchant’s VAMP ratio is 150 bps (1.50%) or higher, they’re considered "Excessive" and may face fines.
   
• Starting April 2026, that threshold lowers to 90 bps (0.90%).
   

• Some dispute types won’t count toward your VAMP ratio, like:
   
  • RDR (Rapid Dispute Resolution)
     
  • CDRN (Cardholder Dispute Resolution Network)
     
  • Compelling Evidence 3.0 cases
     
• Transactions processed through systems outside of Visa’s own tools (VisaNet) may also be excluded.
   

 For acquirers, USD $5 will apply for each CNP fraud and dispute non-fraud in the ‘Above Standard’ threshold. USD $10 USD will apply in the ‘Excessive’ threshold. If acquirer performance is above the specified threshold, fees will apply to each fraud and non-fraud dispute for all merchants with a VAMP ratio >=30 bps. In addition, if merchant performance is above the specified ‘Excessive’ threshold, a $10 fee will apply to each fraud and non-fraud dispute for that merchant only. It’s worth noting that while the program includes fines at both acquirer portfolio and merchant level, all fines will be administered to the acquirer. The acquirer will then have to determine how they pass those fees down to the merchant.  

Visa will start charging fees when VAMP ratios get too high. Here's how it works:

• If the acquirer's portfolio is:
   
  • Above Standard (30–49 bps) → $5 fee for every fraud or non-fraud dispute
     
  • Excessive (50+ bps) → $10 fee per dispute
     
• These fees apply to all merchants under that acquirer who have a VAMP ratio of 30 bps or more.
   

• If a merchant’s VAMP ratio is Excessive (e.g. 150 bps in 2025, 90 bps in 2026) → $10 fee per fraud or non-fraud dispute
   

• Visa sends all fines to the acquirer, not directly to the merchant.
   
• It's up to the acquirer to decide how (or if) to pass those costs on to each merchant.
   

  For first-time identifications withing a rolling 12-month period, a three-month grace period will be given before enforcement actions are taken. Identifications after the grace period will be fully subject to published fines.  

If it’s your first time being flagged within a 12-month period, Visa will give you a 3-month grace period to fix the issue.

• During this time: No fines or penalties.
   
• After 3 months: If the problem isn’t fixed, full fines will apply based on the published rules.