What We Know About VAMP (Visa Acquirer Monitoring Program)
Upcoming Changes in 2025: Starting on April 1, 2025, Visa’s new VAMP will replace both the existing VDMP (Visa Dispute Monitoring Program) and VFMP (Visa Fraud Monitoring Programs) and consolidate them into a single, much more aggressive framework. Visa is aiming to prevent over $2.5 billion in global fraud losses, and the new rules could result in substantial fines and operational restrictions for those who don’t comply.
Why It’s Urgent: With less than a year until these sweeping changes take effect, businesses cannot afford to wait. The new VAMP changes will provide Visa with a comprehensive view of acquirer and merchant risk, and those who are unprepared for stricter monitoring could face hefty penalties or operational disruptions. Immediate action is required to ensure compliance with Visa’s evolving standards and to mitigate potential risks.
If your business hasn’t already started gathering fraud data and reviewing your chargeback mitigation and fraud prevention practices, now is the time to act. This is not a change to ignore—the cost of inaction could be significant. Not sure how to prepare? Slyce360 is here to help guide you through these updates and ensure your business stays ahead.
VAMP Ratio and Enumeration Ratio: New Metrics That Could Cost You
Visa is introducing critical thresholds that every acquirer and merchant must closely monitor. These metrics will now dictate your compliance status and could result in devastating financial penalties and risk the viability of your business if not managed properly.
Here are the key details of the new VAMP metrics:
- VAMP Ratio: This is the sum of card-not-present (CNP) fraud cases (TC 40) and non-fraud disputes (TC 15, Dispute Condition Codes 11, 12, and 13) divided by the total number of settled CNP transactions (TC 05).
- VAMP Enumeration Ratio: This is the number of CNP enumerated authorization transactions (approved + declined) divided by the total number of CNP authorization transactions (approved + declined). For more information about enumeration attacks please click on the link.
What exactly is an enumeration attack?
It is a type of cyberattack where an attacker systematically guesses or validates information by repeatedly trying different values or inputs to identify valid ones. In the context of payment systems, enumeration attacks often target credit card numbers, expiration dates, CVV codes, or account details. The attacker uses automated scripts or tools to test multiple combinations until they find a valid set of credentials.
For example, an attacker may attempt to guess a valid card number by submitting different variations through an online payment form and analyzing the responses to identify which values are correct. If successful, enumeration attacks can lead to unauthorized transactions, payment fraud, and compromised accounts.
New Thresholds for Acquirer and Merchant Portfolios
| Details | Acquirer | Merchant | |||
|---|---|---|---|---|---|
| Above Standard | Excessive | Excessive[1],[2] | Excessive[3] | ||
| VAMP Ratio | VAMP Ratio | VAMP Ratio | Enumeration Ratio | ||
| Threshold Effective Date is April 1st, 2025 | N/A | >= 0.5% | >= 1.5% (excluding LAC which will be >= 0.9%) | >= 20% | |
| Threshold Effective Date is January 1st, 2026 | >= 0.3% to <0.5% | >= 0.5% | >= 0.9% (excluding CEMEA which will be >= 1.5%) | >= 20% | |
| Additional Criteria |
| ||||
[1] Merchant Excessive identification level applies only if the acquirer VAMP ratio is less than 0.3%.
[2] In the CEMEA (Central and Eastern Europe, Middle East, and Africa) region, a merchant will reach the Excessive Identification Level if they exceed both a minimum of 100 fraud cases and a total fraud amount of at least USD 75,000 based on TC40 (fraud) and TC15 (non-fraud dispute) reporting.
[3] To meet this threshold, a merchant must process at least 300,000 monthly transactions that are tracked using the Visa Account Attack Intelligence model (VAAI), which is designed to detect patterns of fraudulent activity.
Acquirer First-Time Identification
Acquirers flagged as Above Standard or Excessive due to high levels of fraud and disputes are at serious risk of facing significant fines. For first-time identifications within a rolling 12-month period, Visa provides a three-month grace period to rectify performance issues. Failure to do so after this period can lead to immediate and potentially escalating fines.
If an acquirer’s portfolio breaches the set thresholds, penalties will be imposed on the acquirer for every non-fraud dispute and TC 40 record for merchants with a VAMP ratio of 0.3% or higher, putting acquirers under heavy financial strain.
Fines and Penalties
If you are flagged as “Above Standard” or “Excessive,” the penalties will be significant and can add up quickly.
- Enforcement for “Excessive” acquirers and merchants begins on July 1, 2025.
- Enforcement for “Above Standard” acquirers starts on January 1, 2026.
- Fines will apply to all merchants when an acquirer’s VAMP ratio is 0.30% or higher.
Acquirer Fines:
- $5 USD per CNP TC 40 fraud and non-fraud dispute for portfolios identified as Above Standard.
- $10 USD per CNP TC 40 fraud and non-fraud dispute for portfolios identified as Excessive.
Merchant Fines:
- $10 USD per CNP TC 40 fraud and non-fraud dispute for merchants identified as Excessive.
These fines can pile up quickly if you don’t take immediate action to lower your fraud and dispute levels.
Advisory Period
Visa is offering acquirers a 90-day advisory period from April 1, 2025, to June 30, 2025. During this time, no fines will be imposed, giving acquirers the opportunity to assess and strengthen their risk management strategies. Visa strongly encourages acquirers to use this period to implement and maintain adequate risk controls, ensuring full compliance before the program’s enforcement begins on July 1, 2025.
Visa Can Change These Parameters at Anytime
It’s important to keep in mind that Visa can modify the thresholds and fine structures associated with VAMP at any time, which can impact merchants who are at risk of being flagged for non-compliance. If you have concerns about how these changes might affect your business, or if you’re unsure how your acquirer measures and tracks these thresholds, reaching out to your acquirer is crucial. They will have the most current details on the specific thresholds and fine structures and can offer guidance on how to maintain compliance and avoid potential fines.
Act Now or Risk It All
The updated VAMP introduces some of the most stringent fraud and dispute controls to date. Failure to meet these new standards can lead to significant, rapidly accumulating penalties. Beyond the fines, repeated violations can lead to severe operational restrictions, potentially ending your ability to process Visa transactions altogether.
For acquirers, the burden is even greater. Compliance responsibility extends across your entire merchant portfolio, meaning just a few non-compliant merchants can trigger massive financial repercussions that threaten your entire operation. If you’re not actively monitoring and managing these risks you’re setting yourself up for costly surprises.
Slyce360 offers the advanced analytical tools that both acquirers and merchants need to proactively identify risks and implement tailored solutions to mitigate them. Designed to foster collaboration, Slyce360 ensures that acquirers and merchants can thrive together in a payments landscape where compliance requirements are constantly evolving. Let’s connect today and explore how Slyce360 can help protect your business and keep you growing.
October 17, 2024