VAMP 2025: What Every Merchant and Acquirer Needs to Know

A Shift in Responsibility and Risk

The rules have changed. Risk tolerance is no longer an excuse and acquirers are now the ones being measured.

Visa’s new Acquirer Monitoring Program (VAMP) goes beyond an operational update. It represents a structural shift in accountability across the payments ecosystem. While fraud and dispute monitoring historically focused on merchants Visa is now directing scrutiny toward acquirers. Since the enhanced version launched in April 2025 both acquirers and merchants are now navigating a more complex transparent and data driven enforcement framework.

This article outlines the changes what prompted them and what they mean for stakeholders in practical terms.

Why the Program Changed

Quick Take:

• Visa is shifting focus from just merchant behavior to also include acquirer accountability
• The change is driven by patterns of repeated fraud and risk being enabled by a handful of acquirers

In the early 2000s, Visa and other card networks began noticing recurring spikes in fraud and disputes across high-risk industries like online pharma, trial offers, and counterfeit goods. While these merchants often rebranded quickly, the deeper issue was clear: a small number of acquirers continued to onboard risky clients without proper due diligence. Some worked through shell companies or sub-ISOs to mask merchant activity, prioritizing volume over compliance.

Even when Visa flagged these merchants under programs like VFMP and VDMP, the pattern repeated. Merchants resurfaced. Acquirers remained untouched. As high-profile fraud and regulatory scrutiny mounted, Visa recognized that merchant-only enforcement was not enough. It had to hold acquirers accountable too.

VAMP was introduced to do exactly that. Rather than chasing merchant violations one by one, Visa shifted to monitoring acquirers who exhibited patterns of risky behavior. It is a structural move designed to preserve trust across the entire payment network.

A New, Consumer-First Model

Visa’s enhancements to VAMP reflect a deeper focus on the transaction-level experience.

What Changed:

• VAMP now looks at all transactions, not just those with high-dollar fraud
• Acquirers are evaluated based on overall portfolio health, not isolated incidents
• The goal is to reduce consumer friction and systemic fraud exposure

With the ongoing enhancements with AI and real time payments, it just made sense that incremental improvements were no longer sufficient. Visa began to completely revamp the program altogether. It starts with prioritizing the end consumer friction that happens in their payment experience, regardless of the transaction amount. Visa decided to move the program from looking at the highest amounts of fraud that were happening and started looking at it from a transaction base approach. Now the acquirer can look at their entire portfolio and have a mix of high and low risk, and they will have the ability to manage their risk appetite without compromising the overall ecosystem.

Key Program Updates: What’s Changing in 2025

Summary of Key Changes:

• Launch Date: April 1, 2025
• Consolidates fraud and dispute monitoring into one program
• Advisory period extends through September 2025
• Dual counting of TC40 and TC15 may raise reported ratios

Effective April 1, 2025, Visa launched the enhanced VAMP, consolidating its prior fraud and dispute monitoring programs into one unified structure. This new version aims to improve prevention and dispute resolution across the payments landscape. Visa extended the advisory period through the end of September, to give acquirers and merchants time to adapt without penalties.

VAMP now calculates ratios using both fraud reports (TC40s) and chargebacks (TC15s) divided by total transactions (TC05s). Notably, TC15s now include all chargebacks, not just non-fraud, meaning a single incident can result in both a TC40 and TC15, effectively being counted twice. This change may increase VAMP ratios for many acquirers and merchants, especially if 3DS is not used, as fraud reports are likely to result in corresponding chargebacks.

Understanding the Metrics:

Thresholds to Know:

• Monthly fraud reports to trigger VAMP: 1,500 (up from 1,000)
• Merchant ratios: starts at 2.2 percent, phases to 1.5 percent by April 2026
• Acquirer ratios: 0.5 percent (Above Standard), 0.7 percent (Excessive)
• Grace period: through September 2025

Dispute Management Reminders:

• TC15s resolved through RDR/CDRN do not count toward ratios
• TC40s always count unless compelling evidence (CE 3.0) is submitted
• Merchants using only RDR/CDRN without CE 3.0 will still be penalized
• Duplicate hits are possible when a single event triggers both a TC15 and TC40

Thresholds for program entry have also changed. The required number of monthly fraud-related reports to trigger VAMP inclusion has increased from 1,000 to 1,500. New penalty trigger ratios will phase in over time, starting at 2.2 percent and gradually decreasing to 1.5 percent by April 2026 for merchants. For acquirers, the updated thresholds are 0.5 percent (Above Standard) and 0.7 percent (Excessive), effective June 1, 2025. Visa is also offering a grace period through September 2025.

Key dispute management takeaways:

• TC15s resolved via RDR/CDRN do not count toward VAMP metrics
• TC40s always count unless compelling evidence (CE 3.0) is submitted
• Relying only on RDR/CDRN without CE 3.0 will still trigger TC40 penalties
• Duplicate hits for a single event (TC15 + TC40) are now possible
• CE 3.0 is essential for those approaching VAMP thresholds

The use of CE 3.0 is vital for those nearing threshold limits or with a history of elevated fraud ratios.

Bottom Line: Visa is pushing acquirers and merchants to be more proactive and data-driven in how they manage fraud and disputes. This includes using the right tools, understanding thresholds, and staying well below trigger points.

What This Means for Merchants

Quick Take:

• Noncompliance can lead to MATCH list placement, fines, or acquirer penalties
• Merchants must respond quickly, accurately, and proactively to disputes

Merchants are not off the hook. In fact, they face significant risk if they do not adapt to the new rules. Under VAMP, fraud and chargeback activity is now tied more visibly to merchant behavior, and acquirers will no longer absorb that risk without passing on the consequences.

If a merchant consistently exceeds dispute thresholds, fails to respond with compelling evidence, or overlooks pre-dispute tools like RDR and CDRN, they risk being flagged and fined by their acquirer. Worse still, they could be placed on the MATCH list, effectively blacklisting them from the payments ecosystem.

Visa’s unified approach means duplicate hits (TC15 and TC40 for the same incident) are now possible, increasing risk exposure. Merchants must respond faster, submit accurate data, and engage proactively in fraud mitigation.

What This Means for Acquirers

Quick Take:

• Acquirers are now accountable for merchant behavior
• Penalties and fines will pass downstream if thresholds are exceeded

Acquirers are now explicitly responsible for the behavior of the merchants they board. The days of risk deflection are over. If a merchant violates VAMP thresholds, Visa fines the acquirer and in turn, most acquirers will pass that cost downstream.

But it is not just about fines. Repeated violations can lead to audits, reputational damage, and in extreme cases, termination from the Visa network. That is a risk most acquirers cannot afford to take.

High-risk verticals such as gambling, crypto, cannabis, and subscription-based supplements are especially vulnerable. Acquirers servicing these markets must establish stronger oversight, know their portfolio, and implement response strategies at scale.

Where to Start

Next Steps: If you are unsure how VAMP impacts your business, or whether your current chargeback, dispute, and fraud ratios could put you at risk, Redbridge can help. Our Payments Advisory team works alongside acquirers and merchants to:

• Benchmark fraud and dispute ratios
• Analyze chargeback sources and dispute response processes
• Implement risk reduction strategies using tools like CE 3.0, RDR, and CDRN
• Reduce exposure and avoid penalties before they hit

Let’s reduce your risk and protect your bottom line. Contact the Redbridge team to schedule a review.