< Back

Visa Acquirer Monitoring Program (VAMP) 2025: Enforcement and Fines Have Arrived.

The VAMP “Advisory Period” is Ending Soon: Starting on October 1, 2025, Visa’s Acquirer Monitoring Program (VAMP) has transitioned from its advisory phase, where Visa was simply monitoring Acquirer, registered agent, and Merchant performance against VAMP thresholds, to its enforcement stage where fines will be levied and remediation will be required. How Acquirers are reacting to VAMP has been a hot topic in many payment forums.  We’ve heard of mass Merchant terminations, Acquirers passing fees and fines along to Merchants (with a mark-up) as well as a wait and see approach to underwriting new business until the VAMP storm settles out. The reality is all of these (re)actions are happening and the pace of negative impacts to Acquirers and Merchants will only accelerate in 2026.

Why It’s Urgent: The new VAMP changes will provide Visa with a comprehensive view of Acquirer and Merchant risk, and those who are unprepared for stricter monitoring will face hefty penalties, operational disruptions or termination. Immediate action is required to ensure compliance with Visa’s updated VAMP standards and to mitigate potential risks.

If your business hasn’t already started gathering fraud data and reviewing your chargeback mitigation and fraud prevention practices, now is the time to act. This is not a change to ignore—the cost of inaction could be significant. Not sure how to prepare? Slyce360 is here to help guide you through these updates and ensure your business is “future-proofed” for what comes next.

VAMP Ratio and Enumeration Ratio: New Metrics That Could Cost You

Visa’s VAMP compliance requirements introduce critical fraud prevention thresholds for Acquirers and Merchants, aimed at reducing chargeback rates and improving payment fraud monitoring. Businesses must monitor their VAMP ratio. This key metric will now dictate your compliance status and could result in devastating financial penalties and risk the viability of your business if not managed properly.

Here are the key details of the new VAMP metrics:

  • VAMP Ratio: This is the sum of card-not-present (CNP) fraud cases (TC 40) and chargeback disputes (TC 15) divided by the total number of settled CNP transactions (TC 05). If a transaction creates BOTH a TC40 alert and a fraud chargeback, the individual transaction will count TWICE in your VAMP numerator. Specific TC40 cases, resolved through RDR, CDRN or CE3 will reduce the numerator of the VAMP Ratio. RDR and CDRN enrollment for higher risk merchants is critical to keeping VAMP ratios inline. (See the table below for more details)
  • VAMP Enumeration Ratio: This is the number of CNP enumerated authorization transactions (approved + declined) divided by the total number of CNP authorization transactions (approved + declined). For more information about enumeration attacks please click on the link.

What is an Enumeration Attack?

An enumeration attack is a type of cybersecurity threat where an attacker systematically guesses or validates information by repeatedly trying different values or inputs to identify valid ones. In the context of payment systems, enumeration attacks often target credit card numbers, expiration dates, CVV codes, or account details. The attacker uses automated scripts or tools to test multiple combinations until they find a valid set of credentials.

For example, an attacker may attempt to guess a valid card number by submitting different variations through an online payment form and analyzing the responses to identify which values are correct. If successful, enumeration attacks can lead to unauthorized transactions, payment fraud, and compromised accounts.

New Thresholds for Acquirer and Merchant Portfolios

New thresholds for acquirer and merchant portfolios
Acquirer Portfolio
Merchant
Program Thresholds &
Identification Levels		 Early Warning* Above Standard Excessive Excessive1 Excessive3
Data Elements VAMP Ratio (bps) VAMP Ratio (bps) Enumeration Ratio (bps)
REGION GLOBAL GLOBAL GLOBAL NA EU ASIAPAC CEMEA2 LAC GLOBAL
Threshold Effective
June 1, 2025
through March 31, 2026		 >=40 bps
<50 bps		 >=50 to
<70 bps		 >=70 bps >=220 bps >=220 bps >=220 bps >=220 bps >=150 bps >=2000 bps
Threshold Effective
April 1, 2026		 >=40 bps
<50 bps		 >=50 to
<70 bps		 >=70 bps >=150 bps >=150 bps >=150 bps >=220 bps >=150 bps >=2000 bps
Additional Criteria
  • Includes VisaNet transactions only, card-not-present only, domestic and cross border.
  • Minimum of 1,500 monthly combined fraud (TC40) and disputes (TC15).
  • Disputes (TC15) resolved through pre-dispute products are excluded from VAMP calculations—contingent upon the timing of the data extract.
  • Fraud (TC40) qualified for Compelling Evidence 3.0 are excluded from VAMP calculations—contingent upon the timing of the data extract.
* Visa may send a courtesy notification called “Early Warning” for Acquirers meeting the Threshold of a VAMP ratio >=40 bps and < 50 bps and a VAMP count of 1500. Fees are not applied, but Acquirers should take proactive action to avoid Above Standard or Excessive identification.

†Above Standard Fees are not enforced until January 2026 VAMP Identifications.

1 Merchant Excessive Identification level applies only if Acquirer VAMP Ratio <50bps.
2 CEMEA region Merchant Excessive only: Minimum of 150 combined Frauds (TC40) and Disputes (TC15) and >= $75,000 USD Fraud and Dispute amount.
3 Min of 300,000 count of enumerated authorization transactions identified via Visa Account Attack Intelligence (VAAI) model.

Fines and Penalties

As an Acquirer, if you are flagged as “Above Standard” or “Excessive,” the penalties will be significant and can add up quickly.

  • Enforcement for “Excessive” Acquirers and Merchants began on October 1, 2025.
  • Enforcement for “Above Standard” Acquirers starts on January 1, 2026.

These fines can pile up quickly if you don’t take immediate action to lower your fraud and dispute levels.

Visa Can Change These Parameters at Anytime…and Has Already!

It’s important to note that Visa has already modified specific aspects of VAMP as the program has evolved from its first iteration. Visa may continue to update the compliance metrics and fines related to VAMP at any time, which can impact Acquirers and Merchants who are at risk of being flagged for non-compliance.

If you’re a Merchant and have concerns about how these changes might affect your business, or if you’re unsure how your Acquirer measures and tracks these thresholds, reaching out to your Acquirer is crucial. They will have the most current details on the specific thresholds and fine structures and can offer guidance on how to secure TC40 reporting, maintain compliance and avoid potential fines.

Act Now or Risk It All

Visa’s updated VAMP introduces some of the most stringent fraud and dispute controls to date. Failure to comply with VAMP compliance requirements can lead to significant, rapidly accumulating penalties.  Beyond the fines, repeated violations can lead to severe operational restrictions, potentially ending your ability to process Visa transactions altogether.

For Acquirers, the burden is even greater. Compliance responsibility extends across your entire merchant portfolio, meaning just a few non-compliant merchants can trigger massive financial repercussions that threaten your entire operation. If you’re not actively monitoring and managing these risks, you’re setting yourself up for costly surprises.

Take Action Today

Slyce360 offers advanced analytical tools that both acquirers and merchants need to proactively identify risks and implement tailored solutions to mitigate them. Designed to foster collaboration, Slyce360 ensures that Acquirers and Merchants can thrive together in a payments landscape where compliance requirements are constantly evolving. Let’s connect today and explore how Slyce360 can help protect your business and keep you growing.

Edited October 2, 2025

< Return to Bytes

Subscribe to the Slyce360 newsletter

Seize the opportunity in the CNP RP space

Skip to content