Skip to content
    Picture of Basis Theory ·
    Resources Payments

    How the Visa Acquirer Monitoring Program Impacts You

    Visa Acquirer Monitoring Program

    There is no more feared word in the world of e-commerce than chargeback. This represents a charge reversed by the card network rather than the merchant. Merchants who generate too many chargebacks (historically more than 1% of transactions) face fines, holdbacks, and even account closures. 

    The Visa Acquirer Monitoring Program (VAMP) seeks to standardize how fraud is tracked and managed—promising difficult times ahead.

    What is the Visa Acquirer Monitoring Program? 

    The Visa Acquirer Monitoring Program is, according to Visa, a program that “makes it easier for clients to deter fraud and manage disputes.” In essence, VAMP replaces 38 fraud tracking and mitigation processes into a single program. By blending the Visa Dispute Monitoring Program (VDMP) and Visa Fraud Monitoring Program (VFMP), VAMP, in principle, provides a single window into the fraud risk not only of merchants, but of the acquiring banks who connect those merchants to the consumer world.

    Unlike prior programs, VAMP does not wait for chargebacks to roll in: rather, it calculates the number of initiated disputes and potentially fraudulent transactions reported on a pair of forms (TC40 and TC15), and divides them by the total number of transactions associated with the related entity. 

    So if a merchant makes a thousand sales, and creates five TC40 or TV15 reports, its VAMP ratio is 5/1000=0.5%; the percentage is generally reported in basis points (bps), where 100 bps equals one percent, so 0.5% is 50bps.

    Unlike earlier programs, VAMP is designed to hold both merchants, and the acquiring banks they work with to account. For each type of entity, there is a threshold at which the VAMP ratio is deemed excessive: for acquirers, it is just 50bps, while for individual merchants, it is 150bps through 2026, at which point it will drop to 90 bps. 

    Any entity deemed to have an excessive VAMP ratio will face immediate additional fees and other remedial penalties, potentially even having its right to operate on Visa’s rails revoked.

    Return to Top

    How VAMP Risk Rolls Downhill 

    You’ll have noticed that acquirers are held to a higher standard than any individual merchant. This reflects the reality that acquirers have a portfolio of merchants, and so can spread the risk across a larger volume of transactions. For illustrative purposes imagine an acquirer with just 5 merchants:

    Transactions

    Fraud Reports

    Ratio as %

    Ratio as BPS

    10,000

    150

    1.50%

    150

    100,000

    1,200

    1.20%

    120

    20,000

    200

    1.00%

    100

    250,000

    900

    0.36%

    36

    400,000

    1,100

    0.28%

    28

    780,000

    3,550

    0.46%

    46

    In this example, the acquirer is below the excessive VAMP ratio level (46bps) because of the excellent record of the last two large merchants. Even though the first two merchants are close to the excessive limit for 2025, they and the third will move into excess in 2026 when 90bps becomes the maximum.

    The challenge, however, is that this is a blended rate, and therefore always subject to change: if the acquirer lost the business of Merchant 4 or 5, their VAMP ratio would go up. It is in their best interest to pressure all their merchants to stay well below the VAMP ratio limits. In other words, although Merchant 2 seems fine at 120bps, the acquirer is likely to be uncomfortable with such a high rate, and may impose their own limits to lower their own risk.

    In the simplest of terms: regardless of the limits imposed on merchants by Visa, acquirers are motivated to require lower VAMP ratios, putting pressure on merchants to be diligent about their fraud management.

    Return to Top

    VAMP is Stricter Than What Came Before 

    Most merchants were familiar with the concept that 1% was the upper limit on how many chargebacks they could risk. VAMP, however, doesn’t just count chargebacks - it counts the TC40 and TC15 forms, which tend to be more numerous than actual chargebacks, and previously were not a part of the calculation. The forms represented potential trouble, and often led to actions that prevented actual chargebacks, including acquirers simply refunding the customer because the cost of challenging the requested refund was higher than simply making it.

    With VAMP, every potential chargeback counts, and the ratio by 2026 is actually lower for all involved than it used to be. This means that merchants simply cannot put off including additional security guardrails to protect their business: they will need to ensure they are making the most of Address Verification Service, double-checking CVVs, using real-time fraud detection, and making the most of 3-D secure

    They will also want to ensure that a wide range of anti-fraud activities occur before presenting cardholder data to the card networks. Visa will also now be counting the frequency with which transactions are presented with invalid card numbers, a process known as enumeration. This is to prevent hackers from using merchants’ processes to go through long lists of stolen or self-generated numbers to work out which can be used.

    Return to Top

    Merchants Must Rely on Themselves 

    If the acquiring banks tighten up their rules for their customers, it is inevitable that PSPs, especially full-service PSPs, will tighten theirs even more. And based on their terms of service— not to mention their track record—PSPs will inevitably be active in eliminating those merchants they fear may hurt their VAMP ratio. Therefore, relying on the PSP’s security offerings is likely to be risky, as it exposes the merchant’s operation to scrutiny. Instead, merchants should be assembling a payment system that

    • Securely collects payment information from consumers.
    • Runs security operations to evaluate fraud risk.
    • Delivers only those transactions deemed low-risk downstream to PSPs.

    It is about to become a necessity to have relationships with multiple PSPs: while a merchant may stay on the right side of Visa with, say, an 85bps VAMP ratio, the chances are good that a PSP may find that too close to the line and start to impose additional fees or other requirements. It will be vital under such circumstances to both have an alternative at hand that can keep processing costs reasonable, and to balance traffic to work the VAMP ratio down (i.e., send only the transactions with near-zero risk to the PSP, imposing restrictions to reduce the VAMP ratio).

    Businesses across the world, particularly in the EU, have already started making the move away from single-processor payment systems, recognizing the opportunity for self-determination, processing fee management, and data ownership. As VAMP, and the new and challenging landscape of VAMP ratios becomes the standard, allowing any PSP to become a single point of failure becomes a massive risk. 

    Merchants should start their pursuit of VAMP-inspired multi-processor systems by finding a programmable payments vault like Basis Theory with whom they can collect and store data securely, without increasing PCI-DSS scope, and submit transactions to whichever downstream PSP or gateway makes sense. 

    Eliminating the risk of limited PSP partnerships may be the most important thing any merchant does before 2025 comes to an end.

    Return to Top

     

    De-Risk Payments. De-Scope Compliance.   Accelerate time-to-compliance and eliminate nearly 90% of the PCI DSS Level 1 requirements using Basis theory.  

    Stay Connected

    Receive the latest updates straight to your inbox