Skip to main content

Dispute & Fraud Monitoring Programs

TL;DR

Visa consolidated its dispute and fraud monitoring into VAMP (effective April 2025), while Mastercard maintains separate ECM (chargebacks) and EFM (fraud) programs. Exceeding thresholds triggers escalating monthly fines (potentially reaching six figures), required remediation plans within 15 days, and potential MATCH listing that prevents processing for 5 years. Prevention through alerts (Ethoca, Verifi) can exclude resolved disputes from ratio calculations.

Visa Acquirer Monitoring Program (VAMP)

Background and Consolidation

VAMP replaced the separate VDMP (Visa Dispute Monitoring Program) and VFMP (Visa Fraud Monitoring Program) effective April 1, 2025. The consolidation combines monitoring into a single ratio that includes both fraud and non-fraud disputes.

Key Dates:

  • April 1, 2025: VAMP goes live, advisory period begins
  • October 1, 2025: Enforcement begins, fines assessed
  • 2026: Thresholds tighten further (exact dates vary by region)

VAMP Ratio Calculation

Visa combines issuer fraud reports (TC40) and dispute events (TC15) into a single VAMP ratio, calculated over card-not-present volume.

Components:

  • TC40: Issuer-reported fraud notifications
  • TC15: Chargeback transaction codes (Dispute Condition Codes 11, 12, 13)
  • Denominator: Settled CNP transactions

Key Concept: Fraud disputes effectively "count twice": once when the issuer files a TC40 fraud notification, and again if a TC15 chargeback is also filed.

Minimum Volume: Approximately 1,500 applicable disputes required for program identification.

Denominator Varies by Reporting View

Exact formulas and denominators may vary by acquirer reporting system. Use your acquirer's specific definition when building compliance dashboards rather than assuming a single universal formula.

Threshold Overview (2025-2026)

As of 2025-2026, Visa is tightening merchant VAMP thresholds from approximately 2.2% toward 1.5% (and lower in some regions like LAC), with additional reductions planned through 2026. Acquirer portfolio-level thresholds are being introduced around 0.3-0.5%.

AudienceDirectionApproximate Range (2025-2026)
MerchantsTightening~2.2% → ~1.5% → potentially lower
Acquirers (Excessive)New threshold~0.5%
Acquirers (Above Standard)Phasing in~0.3%
Verify Current Thresholds

Threshold numbers change. Always confirm current thresholds via Visa Core Rules or your acquirer's compliance documentation. Regional variations apply (e.g., LAC has different timelines).

Enumeration Ratio

VAMP also monitors card testing/BIN attacks through the enumeration ratio.

Formula:

Enumeration Ratio = Confirmed Enumerated Transactions / Total Settled Transactions

Threshold: 20% triggers enrollment

Minimum Volume: 300,000 enumerated transactions

Detection: Uses Visa Account Attack Intelligence (VAAI) Score for identification

Exclusions and Prevention Tool Impact

RDR and CDRN can keep disputes out of VAMP ratios, but issuer fraud reports (TC40) often still count even when the dispute is resolved. CE 3.0 can exclude some TC40/TC15 combinations from Visa's program metrics, but the exact treatment depends on how the transaction qualifies.

Check Current Visa Guidance

The interaction between prevention tools and VAMP calculations has evolved (e.g., March 2025 clarifications on TC40 treatment). Always verify current Visa guidance for exact exclusion rules, as these details change.

VAMP Fee Structure

Fees are assessed per dispute/fraud event for acquirers and merchants exceeding thresholds:

LevelPer-Dispute Fee Range
Acquirer Above StandardLower single-digit dollars
Acquirer ExcessiveApproaching $10 per dispute
Merchant ExcessiveTypically passed through by acquirer

Key Program Features:

  • 3-month grace period for first-time identification in rolling 12-month period
  • Fines compound monthly until compliance achieved
  • Exact fee amounts published in Visa Core Rules and subject to change

Remediation Requirements

  • Submit remediation plan within 15 days of notification
  • Monthly progress reporting required
  • Exit criteria: Below excessive threshold for 3 consecutive months

Mastercard Excessive Chargeback Program (ECP)

Program Structure (as of 2025)

Two tiers based on both count AND ratio requirements (both must be met):

LevelChargeback CountChargeback Ratio
ECM (Excessive Chargeback Merchant)100-2991.5%-2.99% (150-299 bps)
HECM (High Excessive Chargeback Merchant)300+3.0%+ (300+ bps)

Ratio Calculation

Basis Points = (First Presentment Chargebacks in Month N) / (Transactions in Month N-1) × 10,000

Note: Mastercard uses prior month's transactions as denominator (different from Visa)

ECM Fine Structure

Assessments start once you've been identified as ECM for multiple months:

Program DurationMonthly Assessment Range
Early months (1-3)Low thousands
Mid-program (4-6)Several thousand
Extended (7-11)Tens of thousands
12+ monthsCan reach six figures ($100K+)

Additionally, an Issuer Recovery Assessment applies once you exceed certain chargeback volumes, typically an additional fee per chargeback over a threshold (e.g., over 300 chargebacks).

Fine Amounts Change

Exact dollar amounts are specified in Mastercard rules and are subject to periodic updates. The structure above reflects the escalation pattern; confirm current assessments with your acquirer.

HECM Fine Structure

HECM assessments follow a similar escalation pattern but at higher amounts:

Program DurationMonthly Assessment Range
Early monthsLow thousands
Mid-programTens of thousands per month
Extended (12+ months)Can reach $200K+ per month

The escalation is significantly steeper than ECM, reflecting the severity of the HECM classification.

Exit Criteria

  • Below ECM thresholds (fewer than 100 chargebacks AND less than 1.5% ratio) for 3 consecutive months
  • Extension available: Suspends fines for 6 months while remediation implemented
  • If below thresholds at extension end, accrued fines forgiven
  • If still above thresholds, all accrued fines become due

Mastercard Excessive Fraud Merchant (EFM)

Enrollment Criteria (as of 2025)

All criteria must be met:

  • 1,000+ Mastercard transactions in prior month
  • $50,000+ in fraud claims
  • 0.50%+ fraud-to-sales ratio
  • Less than 50% 3DS usage in regulated markets (or 10% in non-regulated)

EFM Fine Structure

Fines escalate from hundreds to tens of thousands as months in the program accumulate:

Program DurationMonthly Assessment Range
Month 1Warning/notification
Early months (2-3)Hundreds to low thousands
Mid-program (4-6)Several thousand per month
Extended (7+)Tens of thousands monthly

Exit: Below all thresholds for 3 consecutive months

3DS Requirement

Mastercard emphasizes 3DS authentication as key EFM prevention. Merchants in regulated countries need 50%+ 3DS coverage; non-regulated need 10%+. Data-only 3DS transactions count toward this threshold.

MATCH List (Terminated Merchant File)

What is MATCH?

MATCH (Member Alert to Control High-Risk) is a Mastercard-maintained database of terminated merchants that acquirers must check before onboarding. It's the industry's primary blacklist for problem merchants.

Key Characteristics:

  • Entries remain for 5 years
  • Only the listing acquirer can request removal
  • Effectively prevents processing with any acquirer
  • Impacts ability to process all card brands (not just Mastercard)

MATCH Reason Codes (as of 2025)

CodeReasonDescription
01Account Data CompromiseCardholder data exposed
02Common Point of PurchaseMerchant system was fraud source
03LaunderingTransaction laundering
04Excessive ChargebacksExceeded chargeback thresholds
05Excessive FraudExceeded fraud thresholds
07Fraud ConvictionPrincipal convicted of fraud
08QMAPQuestionable Merchant Audit Program violation
09Bankruptcy/LiquidationMerchant insolvent
10Violation of StandardsNetwork rules violation
11Merchant CollusionCollusion with cardholder
12PCI Non-ComplianceFailed to maintain PCI compliance
13Illegal TransactionsProcessed illegal activity
14Identity TheftMerchant was identity theft victim

MATCH Consequences

  • Most acquirers will not onboard MATCH-listed merchants
  • High-risk processors may accept with elevated fees and reserves
  • Listing affects ability to process all card brands (not just Mastercard)
  • Removal requires the acquirer that listed the merchant to request it

Visa Merchant Screening Service (VMSS)

Visa's equivalent to MATCH with similar characteristics:

  • Acquirers must query before onboarding
  • Must add terminated merchants within 1 business day
  • Similar reason codes and 5-year retention
  • Parallel functionality to MATCH

High-Risk Merchant Programs

VIRP (Visa Integrity Risk Program)

VIRP replaced the Global Brand Protection Program (GBPP) in May 2023. It categorizes high-risk merchants into three tiers:

Tier Structure:

  • Tier 1: Adult content, dating/escort services, gambling, pharmaceuticals
  • Tier 2: Cryptocurrency, cyberlockers, file sharing
  • Tier 3: Other high-risk MCCs

Costs (as of 2024 Visa bulletins):

  • Registration fees: On the order of ~$1,000 per acquirer
  • Transaction fees: A few basis points plus per-transaction fees for certain MCCs (5967, 7273, 7995)
  • Non-compliance assessments: Can reach significant monthly amounts for unregistered acquirers/merchants
Fee Amounts Subject to Change

VIRP pricing is updated periodically via Visa bulletins. Verify current fees with your acquirer or Visa documentation.

BRAM (Mastercard Business Risk Assessment and Mitigation)

BRAM protects against illegal or brand-damaging transactions.

Prohibited Categories Include:

  • Synthetic drugs
  • Illegal pharmaceuticals
  • Counterfeit goods
  • Unlicensed gambling
  • Child exploitation material
  • Piracy and IP theft

Requirements:

  • Acquirers must register with Merchant Monitoring Program (MMP)
  • Monthly reporting required
  • Fine mitigation (75-100%) for using registered MMSP (Merchant Monitoring Service Provider)

Remediation Strategies

Immediate Actions

  1. Identify root cause: True fraud vs. friendly fraud vs. operational issues
  2. Implement prevention alerts: Ethoca, Verifi (RDR/CDRN)
  3. Review high-chargeback products/services: Consider discontinuing problem offerings
  4. Audit customer service and refund processes: Easy refunds prevent disputes

Prevention Tools Impact (as of 2025)

ToolVAMP ImpactECM Impact
RDR (Visa)Can exclude associated TC15 disputes; TC40 usually still countedN/A
CDRN (Visa)Can exclude associated TC15 if resolvedN/A
CE 3.0 (Visa)Can exclude both TC40 and TC15 for qualifying transactionsN/A
Ethoca AlertsPrevents chargeback if refunded before TC40 filedPrevents if refunded
Order InsightReduces disputes by providing transaction details to issuersReduces disputes
Confirm Tool Behavior

The interaction between prevention tools and program ratios is complex and evolves. Always confirm current behavior with your acquirer or processor.

Remediation Plan Components

  1. Business description and current state: What you do, current ratios
  2. Root cause analysis: Why chargebacks/fraud are elevated
  3. Specific actions with implementation dates: What you'll change
  4. Timeline for improvement: Expected ratio trajectory
  5. Backup plan: If primary strategy fails
  6. Regular reporting commitments: How you'll communicate progress

Issuer Considerations

TC40 Filing Requirements

  • Issuers must file TC40 for all fraud claims, even small amounts
  • TC40 filed even when alert resolves dispute (for Visa VAMP)
  • Failure to file can result in issuer compliance issues

Visa Issuer Monitoring Program (VIMP)

  • Monitors issuer-side fraud and dispute rates for CNP
  • Metrics include dispute-to-transaction and fraud-to-sales ratios
  • Regional minimum volume thresholds apply

Consumer Clarity / Order Insight

  • Issuer enrollment provides transaction details to cardholders
  • Reduces "unrecognized charge" disputes
  • Available through Verifi (Visa) and Ethoca (Mastercard)
Last Verified: December 2024

Network monitoring thresholds and program structures change. VAMP is new (effective April 2025) and still evolving. Verify current thresholds with Visa and Mastercard documentation before making compliance decisions.

See Also