April 21, 2026
Last Updated: April 21, 2026
Visa just tightened the bar. As of April 1, 2026, the Visa VAMP merchant threshold dropped to 1.5% across North America, the European Union, and Asia Pacific. That number sounds manageable on paper. It isn't, once you understand how VAMP actually counts fraud and disputes.
This guide breaks down the Visa Acquirer Monitoring Program (VAMP) in detail: what the ratio includes, what the thresholds are in 2026, what the fees look like, and why the 1.5% bar hits harder than the old numbers suggest, especially for payment facilitators, PSPs, and sub-acquirers whose portfolio-level risk is now the number Visa watches.
The Visa Acquirer Monitoring Program (VAMP) is Visa's consolidated framework for monitoring fraud, disputes, and enumeration attacks across card-not-present transactions on VisaNet. It replaced five separate legacy programs on April 1, 2025 and put acquirers squarely on the hook for portfolio performance, with fees that pass through to merchants.
According to Visa, the new program has the potential to address four times the amount of fraud globally as its predecessors, covering more than $2.5 billion in losses. Visa also reports that enumeration attacks alone account for $1.1 billion in annual fraud losses, and that U.S. consumers disputed roughly $11 billion in charges last year, up from $7.2 billion in 2019.
Before VAMP, acquirers and their merchants navigated five distinct fraud and dispute programs and 38 separate remediation processes. That complexity made consistent risk management almost impossible across regions and business models.
The consolidation into a single acquirer-administered program gave Visa one lever to pull and gave acquirers one clear set of numbers to manage against.
The program also shifts Visa's approach from outlier management, which waits for merchants to breach a threshold, to lifecycle risk management, which expects acquirers to build controls that prevent breaches before they happen. That is a meaningful change in posture for anyone administering a portfolio.
The two most recognizable programs inside the old stack were the Visa Fraud Monitoring Program (VFMP), which tracked fraudulent transactions, and the Visa Dispute Monitoring Program (VDMP), which tracked chargeback ratios. Each had its own thresholds, its own calculation, and its own remediation track.
VAMP folds both metrics into a single combined ratio calculated at the merchant descriptor level for merchants, and at the portfolio level for acquirers. The old VFMP and VDMP ratios are gone. What remains is one number that captures both risks at once, and it is harder to stay under than either of the old numbers in isolation.
The VAMP Ratio is defined as:
(Count of TC40 fraud reports + Count of TC15 disputes) ÷ Count of settled CNP transactions
The numerator combines fraud reports filed by issuers (TC40) with disputes (TC15), including both fraud-related and non-fraud dispute condition codes. The denominator is settled card-not-present VisaNet transactions, domestic and cross-border. Visa calculates the ratio monthly, based on Central Processing Date.
Here is where the math gets uncomfortable.
Most fraudulent transactions end up both as a TC40 fraud report and as a TC15 dispute. That means a single fraudulent transaction can count twice in the numerator. The effective VAMP ratio that merchants see is therefore often higher than what their legacy VFMP or VDMP numbers would have suggested.
Worse, TC40 reports are filed by issuers even for small-value fraud that never becomes a formal dispute. Those reports still count toward the VAMP ratio even though no chargeback ever lands. Tools like Visa's Rapid Dispute Resolution (RDR) can remove resolved disputes from the ratio, but the underlying TC40 usually remains. Compelling Evidence 3.0 is one of the few controls that can clear both sides of the double count.
Alongside the VAMP Ratio, Visa also tracks a separate VAMP Enumeration Ratio to target card testing. This calculation is:
Enumerated authorization transactions (approved + declined) ÷ All authorization transactions (approved + declined)
The Excessive threshold for the enumeration ratio is 20% (2,000 basis points), with a minimum of 300,000 enumerated transactions per month to qualify. Visa identifies enumerated transactions using its Visa Account Attack Intelligence (VAAI) Score, which Visa says reduces false positives by 85%.
Enumeration covers the rapid, bot-driven testing of stolen or generated card details at scale. Because declined attempts count too, merchants can get pulled above threshold by attack volume alone, even when no fraudulent charge clears.
Visa has rolled out VAMP thresholds in phases.
Enforcement for the merchant Excessive level began on October 1, 2025. The stricter acquirer Above Standard threshold hit on January 1, 2026. And the tightest merchant number, the 1.5% bar, took effect on April 1, 2026.
Acquirers are graded on portfolio-wide performance across all the merchants they process for.
As of January 1, 2026, two classifications apply:
The move from a single 1.0% threshold under the old programs to a 0.5% Above Standard bar under VAMP represents a doubling of pressure on acquirer risk teams. Portfolio aggregation is what bites here: a single concentrated book of risky merchants can pull the whole portfolio across the line.
For merchants, VAMP only applies at the Excessive level. There is no Above Standard tier.
The merchant Excessive VAMP ratio sat at 2.2% from October 1, 2025. On April 1, 2026, it dropped to 1.5% in North America, the European Union, and Asia Pacific.
The 1,500 minimum combined fraud and dispute event threshold still applies, which means smaller merchants fall outside the program entirely. For merchants with the volume to qualify, the 1.5% bar is now the line to beat.
Fees under VAMP are calculated per flagged fraud or dispute transaction and scale by classification. First-time identification within a rolling 12-month window gets a three-month grace period before fees are applied.
All fines are administered to the acquirer.
The acquirer then decides how to pass those fees down to the merchant, which can mean direct chargeback surcharges, increased reserves, tightened terms, or account termination for merchants that remain above portfolio-imposed limits.
Exiting the program requires staying below thresholds for one month. Identification can also trigger increased scrutiny, required remediation plans, and in persistent cases, loss of the ability to process Visa transactions or placement on the MATCH list.
The 1.5% number reads like a generous allowance. In practice, most merchants see effective VAMP ratios that run materially higher than their historical fraud or dispute rates because of how VAMP counts events.
For anyone operating a portfolio of merchants - payment service providers, payment facilitators (PayFacs), independent sales organizations (ISOs), and sub-acquirers - VAMP is not a merchant problem. It is a portfolio problem, and the aggregate ratio is what Visa grades.
Three operational consequences follow:
The answer isn't hiring more analysts. It is real-time, merchant-level visibility on the transactions flowing through the portfolio, with AI-driven detection that catches fraudulent merchant behavior - bust-out fraud, transaction laundering, collusion patterns - weeks before the TC40s arrive.
Staying compliant under VAMP requires controls that operate at the event level, the merchant level, and the portfolio level simultaneously.
A short checklist of what works:
VAMP is built around the idea that acquirers should prevent breaches rather than react to them. That means onboarding controls, ongoing merchant behavior monitoring, and real-time transaction scoring all need to operate against the same risk model.
Treating fraud, AML, and merchant risk as separate silos with separate tools leaves gaps that VAMP punishes.
Score every transaction in real time at the point of authorization, with both event-level signals (device, IP, velocity, issuer response) and entity-level context (merchant behavior over time, peer group comparisons, money flow patterns).
A centralized AI model that has seen fraud patterns across many portfolios will catch emerging threats faster than a rule engine trained only on one acquirer's history. That is the kind of visibility that gives risk teams time to intervene before the monthly Visa report lands.
Fraudio's fraud prevention platform provides this real-time merchant and transaction scoring for acquirers, PayFacs, and PSPs managing portfolio-level VAMP exposure.
Several Visa tools can remove disputes from the ratio before they land:
These tools help, but they don't prevent fraud. They deflect the reporting consequences after the fact. Keeping the ratio low requires stopping the fraudulent transactions and onboarding the bad merchants in the first place.
Visa calculates VAMP monthly, which means portfolio risk teams see results after the damage is done. By the time an acquirer, PayFac, or PSP learns a merchant has drifted above threshold, 30 days of TC40s and disputes have already accumulated, and the fees are already owed.
Fraudio's real-time fraud and merchant monitoring closes that gap.
Patented centralized AI scores every transaction at authorization across a portfolio, flags fraudulent merchants weeks before chargebacks arrive (proven at Viva Wallet with fraud detected 3 weeks earlier than legacy tools), and deploys in days rather than months. Pay-per-use pricing, no setup fees, and proven 8x ROI make it accessible for emerging PayFacs and established acquirers alike.
Built specifically for acquirers, payment facilitators, sub-acquirers, and PSPs managing portfolio-level VAMP exposure who need merchant-level visibility in real time, not monthly.
Visa VAMP stands for the Visa Acquirer Monitoring Program, Visa's consolidated framework for tracking fraud, disputes, and enumeration attacks on card-not-present transactions. It launched on April 1, 2025, replacing five legacy programs including VFMP and VDMP. VAMP applies to acquirers at the portfolio level and merchants at the Excessive level, with fees of $4 to $8 per flagged transaction.
VAMP is calculated as the count of TC40 fraud reports plus TC15 disputes, divided by settled card-not-present VisaNet transactions for the month. Only CNP transactions count, and both fraud and non-fraud dispute condition codes are included in the numerator. A minimum of 1,500 combined events per month is required to qualify for evaluation.
The specific VAMP thresholds for acquirers are 0.5% for Above Standard and 0.7% for Excessive, both effective as of January 1, 2026. Above Standard triggers a $4 fee per flagged transaction and Excessive triggers an $8 fee. Both thresholds apply at the aggregate portfolio level across every merchant the acquirer processes for.
Penalties for exceeding VAMP limits include $4 per flagged transaction for acquirers Above Standard and $8 per flagged transaction for acquirers and merchants Excessive. First-time identification within a rolling 12-month period receives a three-month grace period. Continued violations can trigger remediation plans, higher reserves, merchant termination, or MATCH list placement. All fines land on the acquirer, which passes costs down to merchants.
The 1.5% Visa VAMP merchant threshold took effect on April 1, 2026 in the U.S., Canada, the EU, and Asia Pacific. It replaced the initial 2.2% Excessive threshold in force since October 1, 2025. Other regions remain at 2.2%, and the 1,500 monthly event minimum still applies.
The difference between VAMP and the older VFMP or VDMP is that VAMP consolidates fraud and dispute monitoring into a single combined ratio, while VFMP tracked only fraud and VDMP tracked only chargebacks separately. VAMP also adds a dedicated enumeration ratio the older programs did not cover. Acquirer thresholds are tighter: 0.5% Above Standard under VAMP versus 1.0% under the old VDMP.
PSPs and payment facilitators manage VAMP portfolio risk through real-time merchant-level monitoring, AI-driven onboarding scoring, and continuous aggregate ratio tracking rather than waiting on monthly Visa reports. Because VAMP grades portfolios in aggregate, a single fraudulent merchant can push the whole book above 0.5%. Roughly 3% of digitally onboarded SMEs turn out to be fraudulent, which manual review cycles cannot catch before TC40s arrive.
How about trying our solution and experiencing the next generation for yourself?
