Visa VAMP Program 2026: Chargeback Thresholds, Fees, and What Merchants Must Do Now

On April 1, 2026, Visa tightened its "Excessive Merchant" VAMP threshold from 2.2% to 1.5% for merchants in the US, Canada, EU, and Asia-Pacific — a 32% reduction.

The VAMP ratio combines fraud reports (TC40) and disputes (TC15) into a single count-based metric. One fraudulent transaction can hit your ratio twice.

Merchants who exceed the threshold face $8-per-event fees — applied to every fraud report and dispute in that month, not just the ones over the line.

A separate Enumeration Ratio monitors card-testing attacks. Exceed 20% and you're in a second monitoring track.

Disputes resolved through RDR, Verifi CDRN, and Compelling Evidence 3.0 are excluded from your VAMP ratio — these tools should be part of every merchant's compliance stack.

What Is the Visa VAMP Program?

The Visa Acquirer Monitoring Program (VAMP) is Visa's consolidated fraud and dispute monitoring framework. It replaced two predecessor programs — the Visa Fraud Monitoring Program (VFMP) and the Visa Dispute Monitoring Program (VDMP) — when it launched in June 2025 (Chargebacks911).

The "A" in VAMP is the tell. Unlike its predecessors, which focused primarily on merchants, VAMP places direct accountability on acquirers — the banks and processors that sponsor merchant accounts. Each month, Visa reviews every acquirer's portfolio for elevated fraud, disputes, and card-testing activity. Acquirers that fail to keep their portfolio within Visa's thresholds face fines and mandatory remediation. That pressure flows downhill: acquirers that are on the hook for your numbers are highly motivated to restrict, fine, or offboard merchants who push their portfolio ratios higher.

For high-risk merchants — subscription businesses, digital goods, travel, nutraceuticals, iGaming — this is the compliance environment you are now operating in. VAMP doesn't care about your MCC. The old programs used to offer more generous thresholds for high-dispute industries like gaming and travel. Those exemptions are gone. Every merchant processing Visa CNP transactions is now measured by the same ratio standard.

The program also introduces something the predecessor programs lacked: a second metric, the Enumeration Ratio, specifically designed to catch merchants whose checkout infrastructure is being exploited for card-testing attacks. That means two separate ways your account can enter monitoring — not one.

VAMP applies exclusively to card-not-present (CNP) transactions — domestic and cross-border — processed on VisaNet (Visa VAMP Fact Sheet). If your business sells online, by phone, or through any channel where the physical card isn't present at the point of sale, every Visa transaction you process falls under this program.

The New 2026 Thresholds: What Changed on April 1, 2026

On April 1, 2026, the "Excessive Merchant" VAMP threshold dropped from 220 basis points (2.2%) to 150 basis points (1.5%) across the US, Canada, European Union, and Asia-Pacific regions (Accertify). That is a 32% reduction — applied overnight, with no transition period for merchants who were operating between those two numbers.

If your combined fraud-and-dispute ratio was 1.8% in March 2026, you were compliant. On April 2, 2026 — with the exact same volume and the exact same dispute count — you were in violation and subject to penalties.

Here is how the thresholds now break down by region and entity type:

Table 1 — VAMP Threshold Levels (Effective April 1, 2026)

Level	Entity	VAMP Ratio Threshold	Min. Monthly Events
Excessive Merchant	Merchant (US, Canada, EU, AP)	≥ 1.5% (150 bps)	≥ 1,500
Excessive Merchant	Merchant (LAC)	≥ 1.5% (150 bps)	≥ 1,500
Excessive Merchant	Merchant (CEMEA)	≥ 2.2% (220 bps)	≥ 150 + ≥ USD 75,000
Above Standard	Acquirer Portfolio	≥ 0.5% (50 bps)	≥ 1,500
Excessive	Acquirer Portfolio	≥ 0.7% (70 bps)	≥ 1,500

Sources: Visa VAMP Fact Sheet, Accertify

Two structural points that trip up merchants when reading these numbers:

The minimum count matters. You do not enter merchant-level monitoring unless you generate at least 1,500 combined TC40 fraud reports and TC15 disputes in a given month (Visa VAMP Fact Sheet). Most mid-size and enterprise ecommerce merchants clear this floor easily. But even merchants below the 1,500 floor are not fully insulated — if your numbers are pushing your acquirer's portfolio ratio toward 0.5%, your acquirer may still come to you.

The acquirer thresholds are tighter than yours — and they affect you. Your acquirer's portfolio must stay below 0.5% (Above Standard) and 0.7% (Excessive). Visa began enforcing the Above Standard acquirer fine in January 2026 (Corgi Labs). Acquirers managing their own compliance exposure will often set internal merchant limits well below the 1.5% Visa line — some as low as 1.0% — to protect their portfolio headroom.

How VAMP Calculates Your Dispute Ratio

The VAMP ratio is a single, count-based metric (Visa VAMP Fact Sheet):

VAMP Ratio = Count of [Fraud (TC40) + Disputes (TC15)] ÷ Count of Settled Transactions (TC05)

Three mechanics define how this formula works in practice:

1. It's count-based, not dollar-based. Visa counts transactions, not value. A merchant processing 100,000 low-ticket digital downloads has far more ratio exposure per dollar of revenue than a merchant processing 1,000 high-ticket hardware orders at the same fraud rate. Volume is the enemy.

2. A single fraudulent dispute counts twice. When a cardholder reports fraud, their issuing bank files a TC40 fraud report. If you don't refund fast enough to prevent the chargeback, a TC15 dispute follows. Both events hit your ratio separately — one transaction generates two ratio events. As Forter notes, this can result in $16 in VAMP fines from a single disputed transaction (two $8 events).

3. Only card-not-present transactions are counted. CNP transactions are both the numerator events (TC40/TC15) and the denominator (TC05 settled transactions). In-store transactions are excluded entirely.

Worked Example

A subscription software merchant processes 10,000 settled CNP transactions in April 2026. During the month, issuers file 85 TC40 fraud reports against the merchant. Of those 85 fraud reports, 70 escalate to TC15 chargebacks before the merchant can issue refunds. The merchant also receives 40 non-fraud TC15 disputes (billing confusion, cancellation issues).

Total numerator events: 85 (TC40) + 70 (TC15 from TC40s) + 40 (non-fraud TC15) = 195 events

VAMP Ratio = 195 ÷ 10,000 = 1.95%

This merchant exceeds the 1.5% threshold. If they meet the 1,500-event minimum (they do not in this example — high-volume merchants processing 50,000+ transactions per month are far more likely to trigger that floor), they enter Excessive monitoring and face $8 per event in fees for every one of those 195 events — a potential $1,560 in VAMP fines for that single month, on top of standard chargeback fees.

VAMP Fees: What You'll Pay If You Exceed Thresholds

VAMP fees are assessed per fraud report and per dispute — and they apply to every event in a month in which you exceed the threshold, not just the events above the line (Forter).

The fee structure, effective after the October 2025 enforcement start date:

Table 2 — VAMP Per-Event Fees

Category	Fee Per Event	Effective Date
Excessive Merchant	$8 per TC40 + TC15	October 1, 2025
Acquirer Excessive	$8 per TC40 + TC15	October 1, 2025
Acquirer Above Standard	$4 per TC40 + TC15	January 1, 2026

Sources: Accertify, Visa VAMP Fact Sheet

First-time violator grace period. If you have not been enrolled in VAMP monitoring within the prior 12 months and you breach the threshold for the first time, you receive a three-month grace period before fines begin (Forter). This grace period also exists at the acquirer level. First-time violations result in the acquirer being given three months to remediate before fines apply. Remediation plans must be submitted to Visa within 15 calendar days of notification.

The fee math compounds quickly. A merchant with 2,000 combined TC40+TC15 events in a month — not unusual for a subscription business at scale — at a 1.6% ratio faces $16,000 in VAMP fines for that month alone, before accounting for standard chargeback fees, retrieval fees, and reserve holdbacks their acquirer may impose. Fines are assessed monthly, so a merchant sitting just above the line for multiple months can face tens of thousands in cumulative penalties while working through a remediation cycle.

One critical nuance: VAMP fines are passed through the acquirer to the merchant. Your acquirer absorbs the Visa fine and then charges you — meaning your processor agreement determines exactly how that liability lands. Some acquirers will itemize VAMP fees as a line item; others will bury them in processing reserves or adjustment charges. Review your merchant agreement and ask your acquirer explicitly how VAMP fines are billed before you find out the hard way.

The Enumeration Ratio: The Second Metric You Need to Monitor

The VAMP Enumeration Ratio is a separate compliance metric that tracks card-testing attacks — the automated fraud method where bad actors run thousands of authorization attempts against your checkout to validate stolen card numbers (Chargebacks911).

Formula:

Enumeration Ratio = Count of Enumerated Authorization Transactions (Approved + Declined) ÷ Count of All Authorization Transactions (Approved + Declined)

Threshold: ≥ 20% (2,000 bps), with a minimum of 300,000 enumerated authorization transactions per month to trigger monitoring (Visa VAMP Fact Sheet).

Visa identifies enumerated transactions using the Visa Account Attack Intelligence (VAAI) Score system, which detects bot-pattern authorization behavior — not just declined transactions, but the pattern of high-frequency, sequential card number attempts regardless of approval outcome.

What makes the Enumeration Ratio different from the VAMP dispute ratio:

It captures both approved and declined transactions in the denominator. If bots are hammering your checkout and you're declining most of them, those declines still count.

Enumeration monitoring is technically the acquirer's responsibility, but merchants who are the source of enumeration activity face the same compliance pressure: their acquirer will act to protect its own portfolio standing.

A 20% enumeration ratio means 1 in 5 of your authorization attempts is flagged as bot-driven card testing. For most legitimate merchants, this only becomes relevant if their checkout lacks rate-limiting, bot detection, or CAPTCHA — common gaps in high-volume API-connected checkout environments.

Merchants with marketplace or subscription platforms that expose payment endpoints via API, or that run split-second free-trial flows, are the most vulnerable to enumeration attacks. The VAAI Score system Visa uses to flag enumeration is based on behavioral signals, not just volume — which means bot attacks don't need to be massive to register.

How to Stay Below VAMP Thresholds (tactical checklist)

Managing your VAMP ratio requires both proactive fraud prevention and reactive dispute resolution. These are the tools and practices that move the needle:

Deploy 3D Secure (3DS2) on all eligible transactions. 3DS shifts fraud liability to the issuer, which means TC40 fraud reports and TC15 chargebacks on authenticated transactions typically cannot be filed against you. Broad 3DS2 deployment is the highest-leverage single control for VAMP ratio reduction in CNP environments.

Enroll in Visa Rapid Dispute Resolution (RDR). RDR allows disputes to be automatically resolved before they generate a TC15 entry in your VAMP ratio. Disputes resolved via RDR are explicitly excluded from VAMP ratio calculations (Chargebacks911). This is the most direct ratio-reduction tool available through Visa's own infrastructure.

Use Verifi CDRN (Cardholder Dispute Resolution Network). Like RDR, Verifi CDRN resolves pre-dispute notifications before they escalate to chargebacks. CDRN-resolved disputes are excluded from VAMP ratio calculations.

Build CE3.0 (Compelling Evidence 3.0) eligibility into your transaction data. CE3.0 allows you to challenge fraud disputes — including TC40 reports that have not yet escalated to a chargeback — by demonstrating the cardholder's prior purchase history matches the disputed transaction. You need device ID and IP address captured on every transaction, and at least two qualifying prior transactions that are 120+ days old (Chargebacks911 — CE3.0 Update). Start collecting this data now if you are not already; you need 120 days of history to qualify.

Issue proactive refunds on fraud-flagged orders before TC15 fires. When a TC40 fraud report lands and you have not yet been charged back, refunding immediately can prevent the TC15 dispute from being filed. Under VAMP, a TC40 alone still counts against your ratio — but preventing the accompanying TC15 halves the ratio impact of that transaction.

Optimize your billing descriptor. "Friendly fraud" — cardholders disputing legitimate charges they don't recognize — is a primary TC15 driver. A clear, consistent descriptor that matches your website name, includes a phone number or URL, and is visible before purchase dramatically reduces "I didn't authorize this" disputes. Chargebacks caused by unrecognized descriptors are preventable.

Implement real-time fraud scoring at authorization. Machine learning fraud scoring that declines high-risk authorization attempts upstream reduces TC40 filings before they occur. A transaction that never settles cannot generate a VAMP event. Use fraud velocity checks, device fingerprinting, and IP intelligence to block suspicious transactions before they enter TC05.

Deploy bot detection and rate-limiting on all checkout and API authorization endpoints. This directly reduces your enumeration ratio exposure. Effective CAPTCHA, device fingerprinting, behavioral analysis, and request rate-limiting are the front-line defenses against card-testing attacks that would push your enumeration ratio toward the 20% threshold.

Implement pre-purchase cancellation and refund flows for subscriptions. For subscription merchants, billing clarity and easy cancellation paths reduce "I didn't know this was recurring" chargebacks — the non-fraud TC15 category. A prominent pre-billing notification email 3–5 days before a renewal reduces friendly fraud disputes substantially.

Audit your chargeback response process for TC40 velocity. Monitor TC40 filings daily, not monthly. VAMP is calculated monthly, but TC40 signals spike before TC15 disputes arrive. Early identification of fraud patterns by SKU, geography, or card BIN allows you to take action — refund, block, flag — before a TC40 turns into a TC15.

Know your acquirer's internal threshold, not just Visa's. Your acquirer almost certainly enforces a ratio limit more conservative than 1.5%. Request a conversation with your account manager. If your acquirer's internal limit is 1.0%, your effective compliance target is 1.0% — regardless of what Visa's published threshold says.

Establish monthly VAMP ratio tracking. You cannot manage what you don't measure. Build a monthly reporting process that pulls your TC40 count, TC15 count, and TC05 settled transaction count from your processor data and calculates your ratio before Visa does. Surprises in monitoring programs always cost more than early detection.

Frequently Asked Questions

When does the new VAMP threshold take effect?

The tighter 1.5% Excessive Merchant threshold took effect on April 1, 2026 in the US, Canada, EU, and Asia-Pacific. Enforcement of fines for merchants began October 1, 2025 at the previous 2.2% threshold. Acquirer Above Standard fines began January 1, 2026. First-time violators at the new threshold receive a three-month grace period before fines begin, provided they have not been in VAMP monitoring within the prior 12 months (Forter).

What is the difference between VAMP and the old VDMP/VFMP?

The Visa Dispute Monitoring Program (VDMP) and Visa Fraud Monitoring Program (VFMP) were separate merchant-level programs with separate thresholds — previously 0.9% each (combined tolerance of 1.8% in practice). VAMP replaced both in 2025 with a single unified ratio that adds TC40 fraud reports and TC15 disputes together and divides by settled transactions. The result: the effective combined tolerance is lower (1.5%), there are no longer separate fraud and dispute buckets, high-dispute MCCs lost their special exemptions, and acquirers — not just merchants — are now the primary monitored entities (Chargebacks911).

Does VAMP apply to my business?

VAMP applies to all Visa CNP transactions. If you sell online, by phone, or through a card-not-present channel and process Visa transactions, VAMP affects you. Formal monitoring enrollment at the merchant level requires exceeding both the 1.5% ratio threshold and 1,500 combined TC40+TC15 events per month. Merchants below the 1,500-event floor are not formally monitored by Visa — but your acquirer may impose its own internal limits at any volume (Visa VAMP Fact Sheet).

What happens if my acquirer is in VAMP?

If your acquirer's portfolio-level VAMP ratio reaches 0.5% (Above Standard) or 0.7% (Excessive), the acquirer receives notification from Visa, must submit a remediation plan within 15 calendar days, and faces per-transaction fines on its entire portfolio. Acquirers in this situation will actively audit their merchant base, increase reserve requirements, impose lower processing volume caps, or terminate accounts that are contributing to the problem. Even if your individual ratio is under 1.5%, you may face restrictions if you are among the highest-ratio merchants in your acquirer's book (Corgi Labs).

How is the Enumeration Ratio different from the chargeback ratio?

The VAMP dispute ratio measures fraud reports and disputes as a percentage of settled transactions. The Enumeration Ratio measures confirmed card-testing attempts — both approved and declined — as a percentage of all authorization attempts. It is a measure of bot attack intensity on your checkout, not customer dispute behavior. You can have an excellent dispute ratio and still be flagged for enumeration if your checkout is being targeted by automated card-testing bots.

Are RDR-resolved disputes counted in my VAMP ratio?

No. Disputes resolved through Visa Rapid Dispute Resolution (RDR) and Verifi CDRN are explicitly excluded from VAMP ratio calculations, contingent on timing — the resolution must occur within the same monthly data extract period as the dispute. TC40 fraud reports resolved under Compelling Evidence 3.0 are also excluded. This exclusion is the primary reason every high-risk merchant should be enrolled in at least one pre-dispute resolution tool (Chargebacks911).

What happens if I'm flagged under VAMP?

If you exceed the 1.5% threshold and the 1,500-event minimum, your acquirer receives notification from Visa. If you are a first-time violator (not in VAMP monitoring within the prior 12 months), you receive a three-month grace period before fines are assessed. After the grace period — or immediately if you are a repeat violator — $8-per-event fees apply to every TC40 and TC15 in the qualifying month. Sustained exceedance without remediation can result in your acquirer imposing reserves, restricting processing volume, or terminating your account. The terminal consequence is MATCH list placement, which effectively ends your ability to obtain Visa processing through any mainstream acquirer.

Ready to Reduce Your Chargeback Ratio?

VAMP is not a bureaucratic nuisance. It is a direct tax on poor dispute management — and with the April 2026 threshold reduction now in effect, the margin for error has narrowed sharply.

CARDZ3N works exclusively with high-risk merchants. We know the difference between friendly fraud, true fraud, and processing infrastructure that generates chargebacks by design. Our chargeback management product, ChargebackZ3N, is built specifically for merchants in dispute-intensive verticals — subscription billing, digital goods, nutraceuticals, gaming, and more. We combine pre-dispute tools (RDR, CDRN), CE3.0 data capture, and active chargeback representment into a single managed program.

What we do for VAMP-exposed merchants:

Conduct a current VAMP ratio analysis and identify your highest-risk TC40/TC15 drivers

Configure RDR and CDRN enrollment to immediately reduce ratio-counting disputes

Implement CE3.0 data capture so you can challenge TC40 reports that never escalated to chargebacks

Structure your billing descriptor, refund policy, and subscription communication to reduce friendly fraud

Connect you with a high-risk merchant account that comes with a processor who understands your industry — not one that will offboard you at the first monitoring flag

If your ratio is already above 1.5%, or you are seeing your acquirer tighten reserves and volume caps, act now. The three-month grace period for first-time VAMP violators is finite.

Get a Custom Quote — 2 min →

Explore our services: