Visa has long relied on strict compliance programs to protect its global payments network from abuse. One of the most significant was the Visa Fraud Monitoring Program (VFMP), designed to identify merchants with excessive levels of issuer-reported fraud and enforce corrective action.
Working alongside the Visa Dispute Monitoring Program (VDMP), VFMP helped Visa track and penalize merchants who posed reputational or financial risk. But over time, the separation between these two programs led to operational inefficiencies, redundant oversight, and confusion.
To streamline enforcement and unify risk assessment, Visa retired both VFMP and VDMP on March 31, 2025, replacing them with a single, consolidated system: the Visa Acquirer Monitoring Program (VAMP).
What Was the Visa Fraud Monitoring Program?
The Visa Fraud Monitoring Program was a global compliance initiative developed by Visa to detect and control excessive merchant-side fraud. Operating for many years as a core part of Visa’s risk management ecosystem, VFMP aimed to identify merchants whose transactions consistently triggered high volumes of issuer-reported fraud. These are cases where cardholders or issuing banks flagged transactions as unauthorized or suspicious.
Unlike chargeback-based programs, VFMP relied on TC40 reports, which issuers submitted to Visa when fraud was suspected, regardless of whether the cardholder had yet filed a formal dispute. This early-warning system enabled Visa to respond to fraud risks more proactively, flagging merchants based on trends rather than waiting for finalized chargebacks to accumulate.
Once a merchant breached both the defined fraud rate (the percentage of their sales flagged as fraudulent) and fraud volume (the total dollar value of fraud), Visa would trigger VFMP enrollment. Visa introduced three risk tiers:
- Early Warning: A fraud rate of 0.65% or more, with at least $50,000 in fraud volume.
- Standard: 0.90% fraud rate and $75,000 in volume. Enrollment began here.
- Excessive: A 1.80% rate and $250,000 in fraud. Merchants at this level faced immediate financial penalties.
This dual-threshold model ensured that small merchants wouldn’t be unfairly flagged based on a few incidents, while also allowing Visa to act quickly against large-volume merchants with disproportionately high fraud activity.
How the VFMP Worked
The VFMP process was built around a clear and escalating enforcement timeline. When a merchant crossed the Standard threshold, Visa would notify their acquiring bank, which was then responsible for working with the merchant to develop and implement a fraud remediation plan. This initial notification month did not carry penalties, but it marked the beginning of formal monitoring.
If the merchant remained above the threshold for the next three months (known as the workout period), they would then enter the enforcement phase. Here, Visa began assessing monthly non-compliance fines, starting at $25,000 and increasing to $75,000 if fraud rates persisted beyond 10 months. Merchants enrolled in the Excessive tier skipped the workout period altogether and were fined immediately. This began at $10,000 per month, escalating to $75,000 over time.
An additional layer of consequence came through Reason Code 10.5. Any fraud-related chargebacks incurred while in VFMP were assigned this code, which automatically shifted liability to the merchant, effectively removing their ability to dispute the chargeback unless they met rare exception criteria, such as proving the transaction used chip-and-PIN in a card-present environment.
If a merchant failed to reduce their fraud rates below the Standard threshold for 12 consecutive months, Visa reserved the right to terminate their ability to process Visa payments entirely. Merchants could exit the program by remaining under the fraud threshold for three consecutive months and demonstrating that risk controls were working.
High-Risk Categories and VFMP-3DS
Visa recognized that certain industries, such as online gambling, digital subscriptions, travel, and nutraceuticals, had naturally higher fraud exposure. These merchants were classified under high-risk Merchant Category Codes (MCCs) and were subject to closer scrutiny. In practice, Visa could escalate these merchants to VFMP even if their metrics only just met the Standard threshold.
To encourage the adoption of more secure authentication protocols, Visa also launched a variant of the program in the United States called VFMP-3DS, which applied specifically to merchants using EMV 3-D Secure. This version imposed tighter thresholds on 3DS-authenticated transactions, holding merchants accountable if fraud continued despite the use of 3DS, typically considered a best practice in card-not-present transactions.
Why VFMP Was Replaced
Although VFMP was effective at identifying fraud, its existence alongside VDMP led to duplication and inefficiency. Many merchants with high fraud also had high dispute rates, but under the dual-program model, they would receive separate notifications, follow separate remediation timelines, and sometimes face inconsistent enforcement.
This fragmentation also created a compliance burden for acquirers, who were expected to monitor and report across two different frameworks with separate thresholds and tracking systems. Visa recognized that this complexity undermined the effectiveness of both programs and decided that a unified model was needed. One that treated fraud and disputes as interconnected risks and emphasized proactive acquirer involvement.
This realization led to the development of the Visa Acquirer Monitoring Program (VAMP), which replaced both VFMP and VDMP in April 2025.
A Unified Approach to Risk
VAMP consolidates fraud and dispute monitoring under a single umbrella. Instead of managing separate fraud and chargeback ratios, merchants are now evaluated based on a unified VAMP ratio, calculated by combining TC40-reported fraud and non-fraud chargebacks and dividing by the merchant’s total Visa sales volume.
Initially, merchants are flagged when their ratio exceeds 1.5%, but beginning in January 2026, the threshold will tighten to 0.9%, aligning with VDMP’s previous Standard level. Notably, VAMP eliminates the Early Warning stage. Once a merchant exceeds the threshold, enrollment and enforcement begin immediately.
In a major shift, acquirers now carry primary responsibility. Visa no longer functions as the first line of defense; acquirers are expected to monitor merchant ratios, implement internal thresholds, and manage remediation before Visa steps in. This is reinforced with direct financial penalties for acquirers whose portfolios exceed VAMP thresholds.
To combat specific emerging threats, VAMP also includes enumeration monitoring, tracking card-testing attacks using Visa’s internal intelligence systems. If more than 300,000 enumeration attempts occur in a month and account for over 20% of all transactions, enforcement is triggered automatically.
A New Standard for Payments Accountability
The Visa Fraud Monitoring Program was a powerful tool in its time, but its limitations became more apparent as fraud tactics evolved and merchant operations grew more complex. The shift to VAMP reflects Visa’s understanding that fraud and disputes are often symptoms of the same underlying weaknesses, and that a fragmented compliance model is no longer sufficient.
By streamlining enforcement, tightening thresholds, and placing the burden on acquirers to manage risk holistically, Visa has set a new standard for accountability in the payments space. For merchants and acquirers alike, success under VAMP will require vigilance, transparency, and a renewed commitment to reducing fraud and chargebacks before enforcement begins.
