It’s important for merchants to stay on top of any fraud risks to avoid entering the Visa Fraud Monitoring Program (VFMP). Not only can these fraud programs come with hefty fees, but they can lead to the loss of Visa acceptance privileges after month 12 of the program if acceptable levels are not met. Visa calculates these fraud thresholds using both fraudulent chargeback and TC40 data.

What is TC40 data?

Reported fraud, also known as TC40 data, is any incident of a fraudulent transaction that’s reported to the card brands by issuing banks. The issuing bank may or may not initiate a chargeback on these transactions for a variety of reasons, such as being more costly for the issuer to process a chargeback than to write-off a nominal dollar amount. Therefore, reported fraud and chargebacks are measured and reported separately.

How can TC40 data be applied?

TC40 data can be used to determine emerging fraud trends, monitor monthly fraud thresholds to ensure compliance, and manage chargebacks. However, it can be a challenge for merchants to get TC40 data from their processor. There is a growing list of third-party service providers providing this data to merchants for a fee. If a merchant chooses to receive this data from a third-party service provider, they need to be careful that the data they receive is complete. Merchants can then analyze the data to determine any fraud trends that may be emerging by drilling down into data points such as:

• Marketing channels
• Products
• Source/SKUs
• Location
• Clients
• Customers
• MCC Codes
• Price Points
• IP Addresses
• Chargebacks

Using TC40 data to manage chargebacks

In some cases, TC40 data is reported several days before the issuer processes a chargeback. Merchants can leverage this lag in timing by processing refunds to avoid the chargeback process. However, it is important to note that the card associations have recently shortened the chargeback timeframes, which has made this data less valuable to merchants within the context of using it to stop the chargeback process. Merchants need to closely analyze their data to develop cost-effective strategies that take into consideration the lag between when the TC40 was reported and when the issuer processed the chargeback.

Visa Fraud Monitoring Program Thresholds

VFMP has three levels: Early Warning, Standard Program, and Excessive Program. Each threshold is determined by a merchant’s total fraud dollars in a month, or certain levels of fraud dollar to sales dollar ratios. Visa updates their rules bi-annually, which may impact merchants. If merchants have any questions about how VFMP impacts them directly, they should always reach out to their acquirer.

Early Warning: $50,000 in fraud dollars or a fraud dollar to sales dollar rate of 0.65%. At this threshold, the merchant is not in the VFMP program — this serves as a notification for the merchant and their acquirer advising investigation of rising fraud levels. There are zero Non-Compliance Assessments (NCAs).

Standard Program: $75,000 in fraud dollars or a fraud dollar to sales dollar rate of 0.9%. At this threshold, the merchant is given a four-month workout period in which to bring fraud thresholds down. Months five through 12 are referred to as the ‘reinforcement period’ if fraud levels continue to be above the program threshold. Under the enforcement period, Visa can begin charging applicable fees. Effective April 2021, once a merchant reaches month five of the standard timeline, they are subject to NCAs. Assessments start at $25,000 and can be as high as $75,000 by month 10. In month eight, the acquirer is required to provide Visa with a written confirmation that the merchant has been notified that they may lose Visa acceptance privileges if they fail to reduce their fraud below the program thresholds by month twelve.

Excessive Program: $250,000 in fraud volume or a fraud dollar to sales dollar rate of 1.8%. This threshold is set aside for merchants who exceed the excessive Visa fraud threshold. It’s worth noting that merchants in a high-risk Merchant Category Code (MCC) that sell in a Card Not Present (CNP) environment are placed here automatically. This applies to all CNP transactions for the following MCCs:

• 5122 (Drugs, Drug Proprietaries, Druggist Sundries)
• 5912 (Drug Stores, Pharmacies)
• 5962 (Direct Marketing – Travel-Related Arrangement Services)
• 5966 (Direct Marketing – Outbound Telemarketing Merchants)
• 5967 (Direct Marketing – Inbound Telemarketing Merchants)
• 5993 (Cigar Stores and Stands)
• 7273 (Dating and Escort Services)
• 7995 (Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting, and Wagers at Racetracks)

This placement also applies to certain CNP Transactions using the following MCCs:

• 4816 (Computer Network/Information Services), for the sale of access to cyber lockers or remote digital file-sharing services
• 5816 (Digital Goods-Games), for transactions involving skilled game wagering (for example: daily fantasy sports)
• 6051 (Non-Financial Institutions – Foreign Currency, Non-Fiat Currency, Money Orders, Travelers Cheques, and Debt Repayment), for the sale of cryptocurrencies.

Effective April 2021, a merchant on the high-risk or excessive timeline are subject to non-compliance assessments (NCA) in the first month. Assessments start at $10,000 and can be as high as $75,000 by month 10.

The Visa Fraud Monitoring Program is not a place a merchant wants to find himself. Staying on top of continually evolving rules and regulations impacting fraud thresholds will help merchants stay in Visa’s good graces.