Mastercard EFM Program Explained: How Merchants Can Avoid Fraud Fines

Understand Mastercard’s Excessive Fraud Merchant (EFM) Program. Learn about thresholds, fines, and how to stay compliant.

Mastercard’s Excessive Fraud Merchant (EFM) Program is a card-brand compliance scheme designed to curb rising e‑commerce fraud. Launched in 2020, the EFM program monitors merchants’ fraud activity and imposes penalties on those with “excessive” fraud rates. You can think of EFM as the fraud-focused counterpart to Mastercard’s Excessive Chargeback Program (ECP). 

In practice, EFM sets strict monthly limits on fraud outcomes from Mastercard transactions. If a merchant consistently breaches these limits, Mastercard flags the merchant’s account and escalates fees. The stated goal is to create “a more secure ecosystem” for cardholders by holding merchants accountable for preventable fraud. 

Enrollment: When Merchants Get Flagged

Under the EFM Program, merchants are evaluated monthly at the Merchant ID level. A merchant is placed in the EFM program only if all of Mastercard’s criteria are met in the same month. 

In other words, EFM isn’t triggered by a single chargeback; it requires a combination of high fraud count, volume, and rate. The key criteria are:

  • Minimum Sales Volume — At least 1,000 Mastercard transactions in the prior month. This high volume ensures the program targets big e‑commerce merchants.
  • Fraud chargebacks — The merchant’s total Mastercard fraud chargebacks (card-not-present fraud disputes) exceed $50,000 in that month. These are disputes with fraud reason codes like “No Cardholder Authorization” 4837 or legacy “Cardholder Does Not Recognize – Potential Fraud” 4863.

  • Fraud rate — The number of fraud chargebacks divided by sales transactions is 0.50% or higher. In practice, this means one fraud chargeback per 200 sales triggers the threshold.

  • 3D Secure Volume — Low use of authentication, with fewer than 50% of transactions using 3-D Secure (for “regulated” countries) or fewer than 10% using 3DS (for “non-regulated” countries). This criterion targets merchants that do not rely on strong consumer authentication, which is known to reduce fraud.

All criteria must be met at once for that month. For example, a merchant with a 0.6% fraud rate but only $30,000 in fraud won’t qualify. Notably, Australia has a lower dollar threshold ($15,000) and stricter 3DS rule (must be under 10%). In short, EFM flags large-volume merchants that are letting many unauthorized transactions slip through undetected.

EFM Thresholds and Penalties

Once enrolled in EFM, a merchant faces a tiered penalty schedule. Mastercard imposes escalating fines for each month the merchant remains above the program’s fraud thresholds.

Month      Penalty
1          No penalty; warning.
2          $500 fine.
3          $1,000 fine.
4 - 6      $5,000 fine per month.
7 - 11     $25,000 fine per month.
12 - 18    $50,000 fine per month.
19+        $100,000 fine per month.

These charges are based on the number of months above the thresholds. For example, a merchant who exceeds the fraud criteria in June but gets below thresholds in July will still owe the June fine of $500 (for month two). If the merchant stays above thresholds in June, July, and August, they’d incur $500 (for month two) and $1,000 (for month three), totaling $1,500 for that period. 
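The enrollment test and the fine schedule above can be tracked together in a monthly self-check. The sketch below is an added example, not Mastercard's or ChargebackStop's code; the `MonthStats` record and its field names are hypothetical, the thresholds are the ones quoted in this article for default markets, and the 6-month extension and the 3-clean-month exit are not modeled.

```python
from dataclasses import dataclass

# Thresholds as stated in the article (default markets; Australia differs).
MIN_TXNS, MIN_FRAUD_USD = 1_000, 50_000
MAX_3DS_PCT = {"regulated": 50, "non_regulated": 10}
# (first month, last month or None, monthly fine in USD) from the penalty table.
FINES = [(1, 1, 0), (2, 2, 500), (3, 3, 1_000), (4, 6, 5_000),
         (7, 11, 25_000), (12, 18, 50_000), (19, None, 100_000)]

@dataclass
class MonthStats:
    """One Merchant ID's Mastercard figures for a month (hypothetical record)."""
    txns: int
    fraud_cb_count: int
    fraud_cb_usd: float
    txns_3ds: int
    market: str = "regulated"

def criteria(m: MonthStats) -> dict:
    """Evaluate each criterion on its own so a report can show which one is close."""
    return {
        "volume": m.txns >= MIN_TXNS,
        "fraud_amount": m.fraud_cb_usd > MIN_FRAUD_USD,
        # 0.50% or higher, i.e. at least 1 fraud chargeback per 200 sales
        "fraud_rate": m.fraud_cb_count * 200 >= m.txns,
        "low_3ds": m.txns_3ds * 100 < MAX_3DS_PCT[m.market] * m.txns,
    }

def is_flagged(m: MonthStats) -> bool:
    return all(criteria(m).values())  # every criterion must hold in the same month

def fine_for_month(n: int) -> int:
    for first, last, fine in FINES:
        if n >= first and (last is None or n <= last):
            return fine
    raise ValueError("month number starts at 1")

def accrued_fines(history: list) -> int:
    """Sum the fines: the k-th month above thresholds is charged the month-k fine."""
    months_above = sum(1 for m in history if is_flagged(m))
    return sum(fine_for_month(k) for k in range(1, months_above + 1))

# Constructed sample months (not real merchant data).
HIGH_RATE_LOW_AMOUNT = MonthStats(10_000, 60, 30_000, 1_000)  # 0.6% rate, $30,000
ALL_CRITERIA_MET = MonthStats(10_000, 60, 62_000, 1_000)      # 0.6% rate, $62,000, 10% 3DS
```

Reporting the per-criterion results from `criteria()` each month shows which threshold a merchant is closest to crossing before all four line up.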

Mastercard does offer a one-time extension on fine accrual. A merchant (via its acquirer) can request a 6-month “extension” once identified, which pauses any new fine charges for that period. However, the merchant remains in the EFM program and any future breaches during the extension will still count. If by the end of the 6 months the merchant is below all thresholds, the accumulated (but not yet charged) fines are wiped out. If not, all accrued fines become due. 

Consequences of the EFM Program

Notably, there is no appeal once flagged. The only way out is remediation. To exit the program, a merchant’s account must be below all EFM thresholds for 3 consecutive months. After those three clean months, the merchant re-enters compliance, though any future breaches would restart the clock. Thus, the path out is simply to drive fraud below the limits and stay there.

Beyond fees, being in the EFM program can trigger other consequences. Acquirers may impose higher processing fees or stricter controls on merchants in the program. If no improvement is seen, a merchant’s acquiring bank might decide to terminate the relationship. In other words, unchecked fraud not only costs fines, but it also risks your ability to accept Mastercard at all.

Mastercard’s Fraud Ratios and SAFE Alerts

Mastercard explicitly calls a fraud rate “excessive” when it tops 0.50% of transactions in a month. Below that, a merchant is generally considered compliant. Note that this 0.50% threshold is similar to the old Visa Fraud Monitoring Program’s ratio. Visa has recently moved its combined-fraud ratio threshold to 0.9% (falling from 1.5%) under the new VAMP program, but merchants should watch both networks’ standards.

It’s important to clarify terminology here, too. TC40 is Visa’s early fraud report, while SAFE is Mastercard’s. Whenever a cardholder reports an unauthorized Mastercard transaction, their bank files a SAFE report (“System to Avoid Fraud Effectively”) with Mastercard’s fraud database. These SAFE alerts work just like Visa’s TC40 files: They’re not chargebacks but behind-the-scenes flags of suspected fraud. Accumulating many SAFE alerts can feed into the EFM evaluation, since issuers often use this data to determine fraud rates. Similarly, Visa’s TC40 alerts are factored into VAMP.

SAFE/TC40 reports serve as early fraud alerts, helping networks and acquiring banks monitor where fraud is occurring. In essence, they flag risky transactions even before a formal chargeback. While a SAFE alert itself doesn’t debit your account, it does feed the data that Mastercard uses to calculate your fraud-to-sales ratio. Therefore, a surge in SAFE reports raises your EFM risk.

Best Practices for Avoiding Mastercard’s EFM Program

Because EFM penalties are stiff, a multi-layered fraud prevention strategy is essential. No single tool is foolproof; instead, combine checks, filters, and alerts. Our key recommendations for merchants include:

Using AVS and CVV Checks

Always verify billing details. AVS compares the customer’s billing address to the one on file with the card issuer, and alerts you if they don’t match. The card security code (CVV) check is another simple step: Ensuring the 3- or 4-digit code matches protects against stolen-card use. 

Stripe notes that using AVS (and CVV) is one of the most basic and effective tools for reducing credit card fraud. In practical terms, AVS/CVV mismatches are a red flag; configure your payment gateway to either decline or hold orders with AVS/CVV failures.

Use 3-D Secure (3DS) Authentication

Implement EMV 3-D Secure for CNP transactions. This protocol routes payments through the issuing bank for an additional authentication, such as a one‑time password, banking app push, or a “frictionless” backend check. A successful 3DS check shifts liability for fraud to the card issuer, protecting your business. In other words, if a transaction is 3DS‑authenticated and later turns out to be fraudulent, the issuer, not you, eats the chargeback.

Beyond liability shift, 3DS provides extra data (e.g., device info, authentication results) that helps catch fraud. Keep in mind that meeting your 3DS usage threshold helps, too. Under EFM rules, merchants should ideally achieve >50% 3DS coverage on regulated markets (10% on non-regulated) to avoid one of the enrollment triggers.

Implement Fraud Filters and Rules

Use rules-based fraud screening to catch suspicious orders. You can usually set triggers such as: Flag if more than 5 orders come from the same IP in a day; decline if billing country differs from shipping; hold transactions over a certain dollar amount for manual review; and so on. 

Modern fraud systems can combine dozens of signals into a risk score. If you lack an in-house team, many payment gateways and fraud-protection services can apply machine learning or reputation data to filter out fraud in real time. Remember to tailor filters to your business: Too loose and fraud slips through; too strict and you’ll lose legitimate sales.
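The example triggers above, together with the AVS/CVV checks from the earlier section, fit into a small order screener. This is an added example rather than code from any gateway or from ChargebackStop; the order field names, the $500 review amount, and the choice to decline on CVV or country mismatch but hold on AVS mismatch are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ORDERS_PER_IP_PER_DAY = 5   # the article's example velocity rule
REVIEW_AMOUNT_USD = 500.00      # assumed; the article says "a certain dollar amount"

class Screener:
    def __init__(self):
        self._by_ip = defaultdict(list)  # ip -> timestamps seen in the last 24 hours

    def screen(self, order: dict):
        """Return (decision, reasons); decision is 'decline', 'review' or 'accept'."""
        ts, ip = order["ts"], order["ip"]
        # Sliding 24-hour window: drop older timestamps, then count this order.
        recent = [t for t in self._by_ip[ip] if ts - t < timedelta(days=1)]
        recent.append(ts)
        self._by_ip[ip] = recent

        decline, review = [], []
        if order["billing_country"] != order["shipping_country"]:
            decline.append("country_mismatch")
        if not order["cvv_match"]:
            decline.append("cvv_mismatch")
        if not order["avs_match"]:
            review.append("avs_mismatch")
        if len(recent) > MAX_ORDERS_PER_IP_PER_DAY:
            review.append("ip_velocity")
        if order["amount"] > REVIEW_AMOUNT_USD:
            review.append("high_amount")

        if decline:
            return "decline", decline + review
        return ("review", review) if review else ("accept", [])

def sample_order(**overrides):
    """Constructed sample order (not real data); field names are hypothetical."""
    order = {"ts": datetime(2024, 1, 1, 12, 0), "ip": "203.0.113.7", "amount": 40.0,
             "billing_country": "US", "shipping_country": "US",
             "avs_match": True, "cvv_match": True}
    order.update(overrides)
    return order
```

Returning the reason codes alongside the decision makes it possible to measure how often each rule fires and loosen the ones that mostly hold legitimate orders.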

Leverage Device and Geolocation Screening

Use IP geolocation or device fingerprinting to spot anomalies. For instance, if an IP location doesn’t match the shipping country, or if an order is flagged by browser isolation (i.e., VPN or proxy), consider it high-risk.

Take the same approach with a first-time buyer sending to a freight forwarder address or PO box. Many fraud services maintain blacklists of known fraudsters or high-risk credentials; matching against those can be another layer.

Set Up Pre-Chargeback Alerts

While not fraud screening per se, enrolling in alert services like Mastercard’s Ethoca or Visa’s Verifi RDR can head off disputes. These services notify you when a cardholder dispute is filed, often before it becomes a chargeback, allowing you to refund the order directly. 

For example, Verifi’s Rapid Dispute Resolution (RDR) automatically resolves small disputes under preset rules, preventing chargebacks. Mastercard’s Ethoca alerts work similarly. By quickly refunding or resolving a dispute, you avoid the chargeback entirely, which keeps your fraud and dispute ratios lower.

Stay EFM-Compliant

Mastercard’s EFM program is strict, but completely avoidable. By understanding the program, monitoring your fraud ratios, and using layered fraud controls, you can keep your Mastercard fraud chargebacks under 0.50% and avoid fines. Remember:

  • Prevent before the chargeback. Tools like AVS, CVV, 3DS, velocity rules, and fraud scoring catch fraudsters upfront.

  • Resolve quickly when disputes arise. Use alerts (Ethoca/RDR) and responsive refund policies to stop disputes from becoming chargebacks.

  • Monitor early warnings. Pay attention to SAFE/TC40 alerts and shifting fraud patterns so you can adapt your defenses.

ChargebackStop’s platform can help here. We offer real-time fraud alerts, including SAFE/TC40 and Ethoca/RDR notifications, automated risk scoring, and expert support to set up the right filters and workflows. Our clients typically see a dramatic drop in their fraud ratio, often enough to avoid any EFM enrollment.

Our comprehensive solution makes it easy to implement best practices, monitor risk, and respond to disputes. Don’t wait for fines to pile up — schedule a demo with ChargebackStop today and take control of your fraud and chargeback risk.
