What Is Visa VAMP?
Visa VAMP—the Visa Acquirer Monitoring Program—is a consolidated fraud and dispute monitoring framework that launched April 1, 2025, replacing five separate programs: VFMP, VDMP, the original VAMP, the Digital Goods Merchant Fraud Monitoring Program, and a fifth legacy program. That consolidation collapsed 38 separate remediation processes into one. An advisory period ran April through September 2025; enforcement began October 1, 2025. If you’ve been tracking the old VDMP and VFMP metrics, you are already operating under VAMP. What is changing on April 1, 2026 is a significant threshold reduction—and that is what this article is about.
Here’s the high-level version of what changed:
- VDMP (Visa Dispute Monitoring Program) tracked your chargeback-to-transaction ratio. You entered monitoring when chargebacks exceeded roughly 0.9% of transactions.
- VFMP (Visa Fraud Monitoring Program) tracked your fraud-to-sales dollar ratio. You entered monitoring when fraud volume crossed a separate threshold.
- VAMP replaced all five programs with a single combined ratio. The merchant Excessive threshold launched at 150 bps (1.5%), was temporarily raised to 220 bps (2.2%) in a May 2025 revision (effective June 1, 2025) to give merchants more time, and is dropping back to the originally planned 150 bps (1.5%) on April 1, 2026 for U.S., Canada, AP, and Europe. LAC has been at 150 bps since launch. Merchants who breach the Excessive threshold face fines of $8 per CNP dispute.
When VAMP launched in April 2025, the merchant Excessive threshold started at 150 bps. Visa temporarily raised it to 220 bps in May 2025 to give merchants more runway. That grace period ends April 1, 2026, when the threshold drops back to the originally planned 150 bps (1.5%). The 220 bps was never meant to be permanent—it was a runway, and that runway is ending.
Most payment industry coverage focuses on this threshold drop and calls it a day. That misses the real story. The threshold change is inconvenient. What I’m about to explain is a structural shift in what counts toward that threshold—and it will catch merchants completely off guard.
The Hidden Danger: TC40 Reports Now Count
This is the part that most merchant-facing coverage buries in footnotes, if it mentions it at all.
Under the old VFMP, your fraud monitoring ratio was calculated based primarily on chargebacks filed under fraud reason codes. A transaction had to result in an actual dispute, filed by the cardholder, before it hit your numbers. This meant that a large category of fraud—small-dollar transactions that issuers absorbed rather than dispute—was essentially invisible to merchants from a monitoring-program perspective.
Under VAMP, TC40 reports count.
TC40 is a data message that an issuing bank sends to Visa when their cardholder reports fraud on a transaction. It is the issuer’s internal fraud notification system. Critically, a TC40 can be filed on a transaction without a chargeback ever being initiated. The issuer may decide the transaction amount is too small to pursue through the formal dispute process, reissue the cardholder’s card, eat the loss, and file a TC40—all without the merchant ever receiving a chargeback notification.
Under VAMP, TC40 fraud reports that never become chargebacks still count toward your ratio. A $2.99 purchase made with a stolen card, reported by the cardholder to their bank, filed as a TC40 by the issuer, and never escalated to a formal dispute—that transaction now counts against your VAMP ratio. The merchant receives no notification. The chargeback never arrives. The funds are never reversed. But the damage to your ratio is real.
Why Low-Dollar Fraud Has Been “Invisible” Until Now
To understand why this matters so much, you need to understand how issuers actually behave when they receive a fraud report on a small transaction.
Chargebacks cost issuers money too. There is operational overhead in initiating a formal dispute, processing the paperwork, issuing provisional credit, and managing the potential representment cycle. For a $2.50 charge, the economics don’t work. The cost of pursuing the chargeback can exceed the amount recovered. So issuers have a long-standing practice of absorbing small-dollar fraud losses rather than filing formal disputes.
From the merchant’s perspective, this has historically been a free ride. Fraudsters have known this too—small-denomination testing charges (sometimes called “card testing” or “account testing”) frequently start with $0.99 to $4.99 transactions specifically because merchants and issuers alike tend to ignore them. The cardholder reports it, the issuer issues a new card and absorbs the $3, and the merchant never hears about it.
Under VAMP, every single one of those transactions generates a TC40 that counts against your ratio. The fraud was always there. The accountability just wasn’t.
The Math That Should Worry You
Let’s make this concrete with a realistic scenario. Consider a mid-volume e-commerce merchant processing 10,000 transactions per month.
This merchant sells digital products with price points ranging from $0.99 to $49.99. They have a good chargeback program—they respond to every dispute, they use AVS and CVV on most transactions, and under the old system they maintained a chargeback ratio comfortably below 0.5%. They’ve never been in a monitoring program. They feel like they have this handled.
Here is what their VAMP exposure actually looks like:
| Fraud Type | Monthly Count | Avg. Amount | Chargeback Filed? | TC40 Filed? | Old System Impact | VAMP Impact |
|---|---|---|---|---|---|---|
| High-value fraud (>$25) | 25 | $38 | Yes | Yes | Counted | Counted |
| Mid-value fraud ($5–$25) | 35 | $12 | Sometimes | Yes | Partial | Counted |
| Low-dollar fraud (<$5) | 100 | $2.99 | Rarely | Yes | Invisible | Counted |
Under the old system, this merchant’s effective monitored fraud count was roughly 25 to 40 transactions per month—a ratio of 0.25% to 0.40%. Safely inside every threshold.
Under VAMP, all 160 TC40s and TC15 disputes count in the numerator, divided by settled CNP transactions in the denominator. Assuming this is an all-CNP merchant with 10,000 settled CNP transactions: 160 fraud events ÷ 10,000 settled CNP transactions = a 1.6% VAMP ratio. And that assumes none of those 160 events double-count—if even some of the high- or mid-value fraud transactions generate both a TC40 and a TC15, the true ratio climbs higher.
This merchant just breached the Excessive threshold. And they have not received a single chargeback on 100 of those 160 events. They had no idea.
In this scenario, the 100 low-dollar TC40s alone represent a 1.0% ratio against the 1.5% Excessive threshold—before a single actual dispute is counted. A merchant with “good” fraud management could breach the VAMP threshold entirely from fraud they never see, on transactions they never get notified about. Double-counting of TC40s and TC15s on the same transaction makes this even worse.
The Controversial Take: Consider Adding Friction to Low-Dollar Transactions
Here is where I will diverge from conventional payment optimization wisdom, and I want to be direct about it because most consultants won’t say this.
If you have meaningful low-dollar fraud volume, you should consider deliberately adding checkout friction on small transactions.
The standard advice in conversion optimization is to minimize friction at every price point. Reduce form fields. Skip unnecessary verification steps on low-value purchases. Let the $1.99 transactions flow through with the fewest possible clicks. The logic is sound in isolation: small purchases have high abandonment sensitivity, the fraud risk is low in dollar terms, and the marginal cost of a fraudulent $2 transaction seems negligible.
VAMP breaks that logic at the count level. A $2 fraudulent transaction is not low-risk anymore—it counts exactly as much against your VAMP ratio as a $200 fraudulent transaction. The risk is no longer proportional to the transaction amount. It is flat per event.
This means the calculation has fundamentally changed:
Old Risk Model (Pre-VAMP)
- Fraudulent $2.99 transaction: issuer absorbs loss, no chargeback, no penalty, no friction needed
- Chargeback ratio impact: 0
- Verdict: friction is a net negative (hurts conversion, zero benefit)
New Risk Model (VAMP — April 2026 Threshold Reduction)
- Fraudulent $2.99 transaction: issuer files TC40, counts toward your 1.5% Excessive threshold
- VAMP ratio impact: 1 event minimum — 2 events if the issuer also files a TC15 chargeback (double-counting is possible)
- Verdict: if you have significant low-dollar fraud volume, friction trades a conversion hit for ratio protection
The math only justifies adding friction if you actually have low-dollar fraud volume. If your sub-$5 fraud rate is near zero, this is irrelevant. But merchants in digital goods, gaming, content subscriptions, and any category where stolen cards are commonly tested on small purchases need to seriously reconsider their checkout friction strategy below certain price thresholds.
What “Adding Friction” Actually Means
I am not suggesting you make checkout painful. I am suggesting targeted, calibrated verification that blocks fraud without meaningfully degrading legitimate customer experience:
- Require CVV on all transactions, including small ones. Many merchants skip CVV requirements for micro-transactions. Stop. CVV mismatches catch a meaningful percentage of card-testing fraud.
- Enable AVS on transactions above a minimum threshold. Zip code matching is low-friction for legitimate customers and blocks a significant share of stolen card usage.
- Deploy 3D Secure on low-dollar purchases if you are in a high-fraud category. Yes, 3DS adds a step. But it also shifts chargeback liability to the issuer—and the TC40 question for authenticated transactions under VAMP is worth confirming with your acquirer.
- Consider a minimum transaction floor. If your product legitimately has a $0.99 option and you are seeing high fraud at that price point, consider whether offering $0.99 transactions is worth the VAMP exposure. Raising the minimum to $2.99, $4.99, or higher reduces your attack surface for card-testing fraud significantly.
- Implement velocity rules on email/IP for small transactions. Card testers run dozens of small transactions from the same IP or device. A rule that blocks more than 2 to 3 low-dollar transaction attempts from the same fingerprint in a 24-hour window catches a disproportionate share of testing fraud.
You do not need to add friction everywhere. Pull your TC40 data from your payment processor or fraud tool (most fraud scoring platforms expose this). Segment by transaction amount. If your sub-$10 TC40 rate is 3x your overall TC40 rate, you have a low-dollar fraud problem worth addressing with targeted friction. If it is proportional, address it elsewhere.
How VAMP Is Actually Calculated
The VAMP ratio formula (applies to CNP transactions only):
| Component | What Counts |
|---|---|
| Numerator | TC40 fraud reports + TC15 disputes (CNP transactions only; see exclusions below) |
| Denominator | Settled CNP transactions (TC05) in the calendar month |
| Merchant Excessive Threshold | 220 bps (2.2%) currently → drops to 150 bps (1.5%) on April 1, 2026 (U.S., Canada, AP, Europe). LAC has been at 150 bps since launch. Fine: $8 per CNP dispute. |
| Acquirer Above Standard | ≥50 bps — $4 per transaction |
| Acquirer Excessive | ≥70 bps — $8 per transaction |
| First-Time Grace Period | 3-month grace period within a rolling 12-month window |
| Program Timeline | Launched April 1, 2025 (advisory Apr–Sep 2025; enforcement began Oct 1, 2025); 150 bps threshold effective April 1, 2026 |
A few important nuances on the calculation:
- TC40s and TC15 disputes for the same transaction CAN double-count. If a fraudulent transaction generates both a TC40 fraud report and a TC15 chargeback, Visa counts it twice—once for each report. This double-counting makes the effective VAMP impact worse than raw numbers suggest. A single fraudulent transaction that is reported as fraud and also disputed escalates as two hits to your ratio.
- VAMP applies only to card-not-present (CNP) transactions. Card-present transactions are excluded from both the numerator and denominator.
- Certain events are excluded from the ratio. Disputes resolved through pre-dispute solutions (Verifi or Ethoca alerts) are excluded, as are TC40s that qualified for CE 3.0. Merchants actively using these tools reduce their effective VAMP exposure.
- The ratio is based on transaction count, not dollar volume. This is why low-dollar transactions matter so much—each one counts as a full event regardless of amount.
- TC40 data typically lags by 30 to 60 days. Issuers do not always file TC40s immediately. This means you may be accumulating VAMP exposure in the current month that won’t appear in your monitoring data until next month.
- Your acquirer is responsible for your VAMP compliance. Acquirers who have merchants repeatedly in monitoring face their own fines. Expect your acquirer to get aggressive about enforcement in Q2 and Q3 2026.
Practical Steps to Take Before April 1
If you are reading this before the April 1, 2026 threshold reduction takes effect, you still have time to act. Here is what to prioritize:
1. Get Your TC40 Data Now
Contact your payment processor and ask specifically for your TC40 report for the past 90 days. Many merchants have never seen this data. You need to understand what your VAMP ratio would look like under the new calculation before April 1. If your processor cannot provide TC40 data directly, ask about Visa’s Risk Manager portal (formerly Visa Merchant Purchase Inquiry, or VMPI)—your acquirer should have access.
2. Segment Fraud by Transaction Size
Do not just look at your aggregate TC40 rate. Break it down by transaction amount bucket: under $5, $5 to $20, $20 to $100, over $100. Low-dollar fraud concentration is the key diagnostic. If your under-$5 fraud rate is significantly higher than your overall rate, that is where to intervene first.
3. Audit Your Fraud Filters on Low-Dollar Transactions
Check your fraud screening rules for transactions under $10. Are CVV and AVS checks being skipped? Are velocity rules less aggressive at low price points? Are you using 3DS only above certain amounts? These are common optimizations that made sense before VAMP and now need to be reconsidered.
4. Evaluate Minimum Transaction Amounts
If you offer very low price points ($0.99, $1.99) and you have data showing elevated fraud at those levels, model the revenue impact of raising your floor. The math is: (estimated TC40 reduction × VAMP fine risk) vs. (revenue lost from abandoned low-dollar purchases). For many merchants in this situation, the VAMP protection outweighs the revenue impact.
5. Implement or Strengthen Card-Testing Detection
Card testing specifically targets low-dollar transactions. A dedicated card-testing detection rule (blocking high velocity of small transactions from the same IP, device fingerprint, or BIN range) addresses a disproportionate share of your low-dollar TC40 exposure. Most fraud platforms offer this out of the box—if you have not configured it, do it now.
6. Talk to Your Acquirer
Ask your acquirer point-blank: what is my projected VAMP ratio based on recent TC40 data? What threshold am I expected to hit by end of April? A good acquirer should be proactively reaching out to merchants with elevated projected ratios. If yours has not, initiate the conversation. You want to understand the fine structure, the remediation timeline expectations, and whether you have any grace period provisions for the first monitoring month.
Get Full Access to Every Defense Playbook
Subscribe to get copy-paste response templates, evidence checklists, and the exact language networks look for — plus all reason code guides and premium deep dives.
Subscribe for Full AccessWhat the Threshold Drop Really Means in Practice
Let’s put numbers on the 1.5% threshold in terms of how much margin you actually have.
For a merchant processing 10,000 settled CNP transactions per month, 1.5% means 150 combined events (TC40s + TC15 disputes) before breaching the Excessive threshold. That sounds like a comfortable buffer. But consider:
- If you have 80 low-dollar TC40s from card testing that you currently never see, you are already at 0.8%—53% of your available threshold before any actual chargebacks are counted.
- Add 30 actual fraud chargebacks (a 0.3% chargeback ratio, which is below most alert levels) and you are at 1.1%.
- Add seasonal fraud spikes, a phishing campaign targeting your customer base, or a BIN attack in a single week, and you breach 1.5% for the month.
The 1.5% threshold is not generous when half your exposure is invisible under current monitoring practices.
The Bigger Picture: VAMP as a Fraud Incentive Realignment
Visa’s rationale for including TC40s in VAMP is actually sound, even if it creates pain for merchants in the short term. The old system created a moral hazard: merchants had no financial incentive to reduce fraud that issuers absorbed. If a fraudster was running card-testing attacks at $1.99 per attempt, the merchant's chargeback ratio was unaffected—so there was no monitoring-program pressure to stop it.
Under VAMP, that changes. The cost of being a low-friction target for card testing now flows through to the merchant’s compliance standing. Visa is essentially saying: if your platform is being used to commit fraud, you have a monitoring obligation regardless of whether the individual transactions result in chargebacks.
From a network health perspective, this is the right call. TC40 data is more comprehensive and more current than chargeback data. It captures the full scope of fraud activity on a merchant’s account, not just the fraction that issuers escalate.
For merchants, the adjustment period will be rough. The merchants who will struggle most are those in digital goods, SaaS micro-transactions, and marketplace environments where low-value transactions are common and fraud friction has been deliberately minimized. These merchants need to recalibrate now.
Frequently Asked Questions
Visa VAMP (Visa Acquirer Monitoring Program) launched April 1, 2025. The merchant Excessive threshold was temporarily raised to 220 bps (2.2%) in May 2025 (effective June 1, 2025) from the original 150 bps, giving merchants more runway to adapt. On April 1, 2026, it drops back to the originally planned 150 bps (1.5%) for U.S., Canada, AP, and Europe—LAC has been at 150 bps since launch. Merchants who breach the Excessive threshold face fines of $8 per CNP dispute, with a 3-month grace period for first-time offenders within a rolling 12-month window.
Yes, and this is the most important change merchants need to understand. TC40 fraud reports—issuer-filed fraud notifications that do not result in a formal chargeback—count toward your VAMP ratio. A $2.99 fraudulent transaction that the cardholder reports to their bank, where the issuer files a TC40 and absorbs the loss rather than initiating a dispute, still counts against your VAMP ratio. The merchant never receives a chargeback notification, but the event is counted. This is a fundamental change from prior programs where only formal chargebacks were tracked.
Visa previously ran five separate monitoring programs: VFMP (Visa Fraud Monitoring Program), VDMP (Visa Dispute Monitoring Program), the original VAMP, the Digital Goods Merchant Fraud Monitoring Program, and a fifth legacy program—involving 38 separate remediation processes. VAMP consolidated all five into a single ratio based on CNP transaction count. The key structural differences are: (1) VAMP includes TC40 fraud reports, not just formal chargebacks; (2) a single fraudulent transaction can be double-counted if it generates both a TC40 and a TC15 chargeback; (3) VAMP uses a count-based ratio rather than a dollar-volume ratio, so low-dollar transactions carry the same weight as high-dollar ones; and (4) the ratio applies only to card-not-present (CNP) transactions.
For merchants with meaningful low-dollar fraud volume, yes—this is worth considering even though it runs counter to standard conversion optimization advice. The key insight is that under VAMP, a fraudulent $2.99 transaction counts equally against your ratio as a fraudulent $299 transaction. If you have a high concentration of TC40s on sub-$5 transactions (card testing is a common cause), targeted friction at that price tier—CVV requirements, AVS checks, velocity rules, or a minimum transaction floor—can materially reduce your VAMP exposure. The caveat is that this calculus only applies if you actually have a low-dollar fraud concentration problem; adding friction everywhere is not the recommendation.