Justt and The Paypers recently hosted an information-packed webinar, “VAMP Demystified: What Merchants Need to Know (and Do).” The session featured experts from Visa, CMSPI, and Justt unpacking the latest updates to Visa’s Acquirer Monitoring Program (VAMP), a key initiative aimed at reducing fraud and disputes in the card-not-present ecosystem.
The speakers delivered a clear breakdown of VAMP’s thresholds, structure, and implications for merchants and acquirers alike. They also addressed many audience questions during the live session. But VAMP is such a dramatic change to the ecosystem that we got many more questions than there was time to answer. Below, we’ve compiled the full list of submitted questions with detailed answers for each. Missed the session? Click here to watch.
If you’re unfamiliar with VAMP, it’s Visa’s redesigned approach to fraud and dispute monitoring that consolidates multiple legacy programs into a single system.
VAMP works by calculating a monthly ratio of reported fraud and disputes (TC40s and TC15s) over the number of settled card-not-present (CNP) transactions. If this ratio exceeds defined thresholds, and the absolute volume of TC40s and TC15s crosses 1,500 in a specific month, the merchant may be identified and subject to monitoring by Visa. You can read our full explainer on VAMP here.
Eligibility & Scope
Do we need to hit both ratio and count to enter the program?
Yes. Both the ratio threshold and a minimum of 1,500 combined fraud (TC40) and dispute (TC15) events in a month must be exceeded.
Please explain the 1500 transactions qualification again. What does that apply to?
It refers to the combined number of TC40s and TC15s. This count determines whether a merchant or acquirer is eligible for inclusion in the program.
Will VAMP be applied by individual MID or by relationship?
By descriptor and acquirer relationship.
Are merchants able to have multiple MIDs aggregated under one company account?
Yes, if they share the same descriptor and acquirer.
Does VAMP count for the same merchant that uses different PSPs separately?
VAMP is measured per descriptor per acquirer.
Will all MIDs in the same acquirer be joined and measured per descriptor?
Yes, if they share a descriptor and are processed by the same acquirer.
Which country has the highest and lowest threshold?
Thresholds vary by where the merchant is located.
AP, Canada, EU, U.S:
VAMP Ratio: ≥220bps5
Monthly count of fraud and disputes: ≥1,500
LAC:
VAMP Ratio: ≥150bps
Monthly count of fraud and disputes: ≥1,500
CEMEA:
VAMP Ratio: ≥220bps
Monthly count of fraud and disputes: ≥150 and amount ≥ USD 75,000
There was a note stating that the threshold for TC40 + TC15 for CEMEA is only 150. Why is there such a difference compared with the 1500 mark? Is this based on the merchant or shopper country?
It’s based on the merchant’s location. Lower thresholds reflect regional market dynamics.
Data & Metrics
Does the denominator include only the CNP Transactions?
Yes. Only Card-Not-Present (CNP) settled transactions count toward the denominator in the VAMP ratio calculation.
Can you provide an example of the calculations for VAMP using this scenario: 100,000 settled transactions, 500 Fraud Chargebacks, 1,000 Fraud RDR Alerts?
Assuming RDR alerts were resolved pre-dispute before the 500 cases turned into fraud chargebacks, you would not receive TC15s on these 500 cases. The numerator would be 500 (TC40s), and the denominator would be 100,000.
In the above example, how is the denominator determined? By acquirer, by entity, by descriptor?
The denominator includes settled CNP transactions tied to that specific descriptor and acquirer.
Do TC40 data include declined transactions due to fraud, or only successfully authorized ones?
TC40 data includes only successfully authorized transactions that are later reported as fraudulent, not declined transactions.
Is the VAMP ratio calculated by overall merchant performance, MID, or merchant name?
It’s calculated per descriptor and acquirer.
If in June I try to calculate the VAMP ratio for May, do I count all May transactions and TC15/TC40 reported in May? Or do I use April transactions and May chargebacks?
Use all May transactions and TC40/TC15 events that were reported in May.
Can we perform the VAMP ratio with the reports from VAP?
Not fully. VAP doesn’t always contain all the required fields for a full VAMP calculation.
Which TC40s are excluded from the VAMP calculations? Which warning status codes are excluded?
Only cases that are resolved through CE 3.0 will exclude TC40s, other cases that are resolved though CDRN or RDR will exclude the TC15s, but not the TC40s. Specific TC40 codes have not been publicly listed as being excluded.
Tools & Strategies
Does CE 3.0 remove the fraud and disputes transactions for the ratio?
Yes. Successfully disputed transactions via CE 3.0 are excluded from both TC40 and TC15 counts.
Can you confirm that RDR, Ethoca, and CDRN will NOT impact the TC-40 and will only remove items from the TC-15?
Correct. These tools affect TC15 only.
Can Ethoca fraud alerts be excluded from the VAMP count (if they don’t turn into chargebacks)?
Yes, similar to RDR and CDRN, Ethoca Alerts for Visa transactions will exclude TC15s, but not the TC40s if resolved pre-dispute.
How do acquirers get the information when merchants use CDRN/RDR?
Acquirers do not need to receive the RDR and CDRN data in order to calculate VAMP. When RDRs or CDRNs are used properly the TC15 will not come through, so the acquirers or merchant can monitor based off of the TC15s and TC40s that do come in.
Do we need to ask our PSP (e.g., Stripe, PayPal) for our TC40 + TC15 reports? Are they available on their dashboards?
Yes. These reports are critical, and not all PSPs display them on dashboards, so merchants should ask directly.
Enforcement & Risk Management
How would Visa expect Acquirers to adjust their strategy on Monitoring Merchants?
Acquirers are expected to actively monitor merchant performance and collaborate more closely with them on fraud prevention.
Are there guidelines or policies to protect merchants against throttling acceptance?
While Visa hasn’t issued specific guidelines, it promotes open communication between acquirers and merchants to manage risk effectively.
Since merchants could be held to the acquirer thresholds if acquirers breach, will Visa require acquirers to share their performance with merchants so they can prepare accordingly?
Visa doesn’t mandate this, but merchants are encouraged to proactively request performance data from their acquirers.
If a merchant is enrolled in the Excessive category, how long can they stay within the program? Will there be additional penalties, aside from fines?
Once a merchant passes the limits they will have 3 months to get out of the program before the fines begin. They need 1 clean month in order to get out of the program within these 3 months.
What advice would you give to merchants with acquirers that are above the acquirer threshold?
Open a conversation with your acquirer, understand your impact, and consider moving if needed.
Does the new program have similar risks of losing liability protections as seen with VFMP-3DS for merchants using Visa Secure?
No changes to 3DS liability protections have been announced as part of VAMP.
The bottom line
Visa’s VAMP program signals a more data-driven and proactive approach to fraud and dispute monitoring. For merchants, that means understanding what’s being tracked, where your risk stands, and how to partner effectively with your PSP or acquirer to manage it. Transparency, vigilance, and communication will be your best defenses.
