Subscription Merchant Guide: Adapting Your Payment Recovery to Visa’s New VAMP Standards

Introduction

Merchants running subscriptions and other card-not-present transactions are at greater risk of having their transactions flagged as fraudulent, and the introduction of the Visa Acquirer Monitoring Program (VAMP), effective April 1, 2025, will only make things more difficult for these merchants. These new regulations combine fraud and dispute metrics into a VAMP Ratio and introduce an Enumeration Ratio to track excessive fraudulent or card testing attempts.
This guide outlines how to stay on the right side of Visa’s new policies for merchants and provides actionable recommendations.

 

What is VAMP?

Visa’s new Acquirer Monitoring Program (VAMP) replaces separate chargeback and fraud monitoring programs with a unified approach designed to streamline oversight and reduce financial risk. Previously, Visa tracked fraud and chargebacks separately under Visa Dispute Monitoring Program (VDMP) and Visa Fraud Monitoring Program (VFMP), but VAMP introduces a combined measurement system that evaluates both types of disputes together.

With VAMP, Visa is also introducing monitoring for enumeration attacks, a type of fraud where payment credentials are systematically tested to identify valid account details. The goal of VAMP is to enhance security, minimize unauthorized transactions, and provide acquirers with better tools to manage risk.

Why is Visa Making This Change?

To reduce fraud, Visa is shifting greater responsibility to acquirers, which in turn have a greater capacity to monitor merchants and hold them accountable. As a result, merchants must now meet stricter fraud and dispute thresholds to maintain compliance. Merchants that don’t follow Visa’s rules could face higher fees, reduced payment processing capabilities, or even termination of their merchant accounts. Staying compliant is crucial to avoiding disruptions to business operations and maintaining a positive relationship with acquirers and payment processors.

Understanding Visa’s VAMP Standards

Visa is tightening its monitoring of merchant behavior, particularly regarding fraud, disputes, and authorization attempts. This includes the introduction of two key metrics under VAMP: the VAMP Ratio and the VAMP Enumeration Ratio. These metrics are used to identify risk and ensure compliance with Visa’s updated fraud prevention standards.

VAMP Ratio:

The VAMP Ratio is Visa’s new method of evaluating fraud and chargeback risk by calculating the proportion of fraudulent and non-fraudulent disputes relative to the total number of transactions. This provides a comprehensive risk assessment that accounts for all types of disputes, ensuring merchants take a more complete approach to fraud prevention.

• Combines fraud and non-fraud chargebacks into a single metric.
• Thresholds:
– April 1, 2025: Above 1.5% is considered excessive.
– January 1, 2026: Threshold tightens to 0.9%.

Chargebacks exceeding these limits may trigger penalties, enforcement actions, and stricter processing requirements.

VAMP Enumeration Ratio:

The VAMP Enumeration Ratio is a new metric to track and reduce enumeration attacks, which occur when bad actors test stolen card credentials by submitting large batches of transaction attempts. These test transactions can lead to excessive declines, increased fraud liability, and penalties for merchants.

• Visa is now tracking excessive retries as a sign of potential fraud or systemic risk.
• Threshold: Having more than 20% of transactions flagged as excessive retries will result in enforcement action. This ratio is likely to be lowered in the future, as Visa reviews the impact of this metric.
• Impact: For the first time, Visa will hold merchants accountable for fraudulent transactions, even if they were declined.

The Risks of Enumeration Alerts

Visa has introduced Enumeration Alerts to help acquirers and merchants detect and prevent fraudulent activity before it escalates. Failed and voided transactions still contribute to these calculations, making fraud prevention tools essential for maintaining compliance. Merchants that process a high volume of initial payments must ensure they have the proper security measures to avoid falling into the excessive risk category.

Failing to Comply Could Have Catastrophic Consequences

Businesses that exceed Visa’s thresholds may face financial penalties, increased scrutiny, or, in extreme cases, the complete loss of their merchant accounts with little chance of getting new ones. Repeated violations can result in placement on Visa’s MATCH list, a database identifying merchants with payment processing privileges revoked by an acquiring bank or processor. Payment processors often use the MATCH system to determine if a merchant account application should be approved or denied.

The Days of Sliding Under the Radar are Over

Before VAMP, it was primarily large companies with a blatant disregard for best practices that would be flagged. Now, enforcing strict control with the acquirers allows the network to target bad practices at a deeper level. By holding acquirers responsible for their merchants, Visa has shifted the responsibility of weeding out bad actors to those acquirers. In turn, Visa can more closely monitor the market by reducing the number of institutions it interacts with. These acquirers will undoubtedly tighten their practices and give less leeway to merchants that were marginally acceptable in the past.

VAMP significantly raises the stakes for merchants processing recurring payments. To safeguard their businesses, merchants must closely monitor chargebacks and fraud, implement fraud prevention strategies, and monitor and prevent card testing on their merchant accounts.

By holding acquirers more accountable, Visa is working to ensure that all sides involved in payment processing take a more active role in fraud prevention and dispute management. As a result, acquirers will be monitoring merchants more closely, applying additional scrutiny to high-risk accounts, and enforcing stricter measures to ensure compliance. 

Best Practices Under VAMP

Focusing on new signups exclusively is no longer good enough. As a merchant, you’re expected to be the first line of defense against bad actors trying out fraudulent credit cards.

Reduce Risk of Enumeration Flags
• Ensure transaction integrity: Maintain consistent parameters (e.g., recurring flag settings) to avoid compliance violations.

• Ensure velocity checks: Maintain a fraud system that monitors and blocks excessive signup attempts from the same IP/email/address/region, to avoid getting hit with a card testing attack.
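
A sketch of the velocity check described above, added here as an illustration and not taken from Visa or any vendor's product: a sliding-window counter keyed on IP, email, address and region. The limits, window length, field names and sample attempts are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Assumed limits (attempts allowed per window); tune to your own traffic.
# These values are illustrative only and are not published by Visa.
LIMITS = {"ip": 3, "email": 2, "address": 3, "region": 5}
WINDOW_SECONDS = 600


class VelocityChecker:
    """Sliding-window counter per dimension (IP, email, address, region)."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self.seen = defaultdict(deque)  # (dimension, value) -> timestamps

    def check(self, attempt):
        """Return the dimensions that exceed their limit; empty list = allow.

        Every attempt is recorded, including ones that end up blocked or
        declined, because failed attempts still count toward enumeration.
        """
        now = attempt["ts"]
        tripped = []
        for dim, limit in self.limits.items():
            value = attempt.get(dim)
            if not value:
                continue  # dimension not supplied on this attempt
            q = self.seen[(dim, value.strip().lower())]
            while q and now - q[0] >= self.window:
                q.popleft()  # drop timestamps that left the window
            q.append(now)
            if len(q) > limit:
                tripped.append(dim)
        return tripped


def run_sample():
    """Constructed data: one IP cycling emails, then a normal signup later."""
    checker = VelocityChecker()
    attempts = [
        {"ts": 0, "ip": "203.0.113.7", "email": "a@example.com", "region": "US-CA"},
        {"ts": 20, "ip": "203.0.113.7", "email": "b@example.com", "region": "US-CA"},
        {"ts": 40, "ip": "203.0.113.7", "email": "c@example.com", "region": "US-CA"},
        {"ts": 60, "ip": "203.0.113.7", "email": "d@example.com", "region": "US-CA"},
        {"ts": 900, "ip": "198.51.100.4", "email": "e@example.com", "region": "US-CA"},
    ]
    return [checker.check(a) for a in attempts]
```

In the sample, the fourth attempt trips the IP limit even though every email is different, and the region counter has expired by the time the unrelated signup arrives 15 minutes later.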

Conclusion

Merchants that don’t follow Visa’s rules will face higher fees, reduced payment processing capabilities, or even termination of their merchant accounts. Staying compliant is crucial to avoiding disruptions to business operations and maintaining a positive relationship with acquirers and payment processors.