VAMP: Redefining What ‘Good’ Means for Payments Operations

If you run an e-commerce business, you’ve likely heard of Visa’s Acquirer Monitoring Program, known as VAMP.

Most explanations talk about how VAMP works. Fraud (TC40) and disputes (TC15) are now combined into one ratio. The rules are stricter, and acquirers must ensure everyone follows them.

All of this is accurate, but the main point is that VAMP is changing what it means to have ‘good’ payments operations.

A Shift in Focus: From Results to Patterns

In the past, merchants were judged by separate fraud and chargeback ratios, usually handled by different teams.

Now, VAMP puts fraud and disputes together into one count-based ratio:

(Fraud + Disputes) ÷ Transactions

This might seem simpler, but it changes how we think about risk. Instead of just asking, “Did something go wrong?” VAMP now looks for patterns over time.

Why the Count-Based Approach Matters

VAMP measures risk by counting the number of events, not by the value of transactions or the number of disputes. Now, if a fraud report leads to a chargeback, it gets counted twice.

This approach has a few effects. A small fraud event counts the same as a big one. Businesses with lots of transactions can build up risk more quickly. Even small issues can add up to bigger risks.

The new VAMP doesn’t just measure losses. It also sees consistent operations as a key sign of a strong payments system.

A business with a low dispute ratio, but frequent low-level fraud activity, can look riskier than one with higher dispute rates. 

Timing Is the Hidden Variable

VAMP is calculated every month based on past activity, but the signals it uses don’t all show up at once. Fraud reports might arrive days after a transaction, disputes can appear weeks or months later, and refunds can happen anytime in between.

This creates a challenge. By the time a dispute shows up, the behavior that caused it has already happened, and often the issuer has already made up their mind.

Why “Fixing It Later” Doesn’t Work with VAMP

Many merchants use tools like Verifi and Ethoca alerts, RDR, automated representments, or quick refunds. These help reduce day-to-day problems, but they don’t always change how events are counted.

Visa says that pre-dispute resolutions or Compelling Evidence 3.0 (CE3)-qualified fraud may be excluded from the VAMP calculation, but only if the timing is right. If an event occurs after the signal is recorded, it still counts, and Visa decides the timing.

This means that fixing things after the fact doesn’t work as well in practice.

Enumeration Is Now a Key Issue

VAMP also tracks enumeration at the authorization stage.

Enumeration means large-scale card testing. Fraudsters run small transactions to find out which cards work, then use those cards later for real fraud.

This matters because enumeration happens before any fraud or disputes. It shows that card data is being tested and that there’s a weakness in the system.

VAMP’s enumeration ratio includes both approved and declined authorization attempts, meaning even unsuccessful transactions can contribute to merchant-level risk measurement. Visa defines excessive enumeration as a ratio of at least 2000 basis points, with a minimum of 300,000 enumerated authorization attempts identified by its Account Attack Intelligence (VAAI) model. For many businesses, this is the first time activity at the authorization stage directly feeds into downstream monitoring.

The Multi-MID Reality

Many large merchants spread their transactions across multiple MIDs or processors to lower risk. But VAMP checks performance at several levels: the acquirer’s portfolio, the merchant’s descriptor, and all merchant activity combined.

If behavior isn’t consistent across those layers, it can send mixed signals instead of actually spreading out risk. What seems like risk management inside the company might look like instability to outsiders.

Why Merchants Feel the Pressure

Officially, VAMP is aimed at acquirers, but they’re responsible for how their portfolios perform. When thresholds loom, reserves go up, monitoring gets stricter, and requirements become tougher.

That pressure affects merchants even before they’re formally identified.

What Actually Improves Performance with VAMP

A common misconception about VAMP is that it can be managed primarily through dispute operations.

In reality, lasting improvements come from earlier decisions. Merchants can lower VAMP risk by adopting more consistent authorization strategies, setting clear customer expectations at checkout, and ensuring that the fraud, support, and payments teams work together.

These changes can lower event counts and, more importantly, reduce variability, which is what VAMP ultimately measures. Greater consistency leads to a more predictable, lower-risk profile.

A Different Way to Think About Risk

VAMP doesn’t just track fraud and disputes. It connects them and also links authorization, customer experience, and post-purchase resolution. All of these are decisions made at different points in the transaction process.

Merchants can’t manage risk in separate stages anymore. Holistic risk management is now essential. It has to be built into all processes, not split up by teams or stages.

VAMP: The Bottom Line

VAMP isn’t just a stricter monitoring program.

It’s a shift toward analyzing how a business behaves over time, using signals from every stage of each transaction.

Merchants who only fix problems after they happen may end up reacting too late.

Those who stay ahead will connect early decisions to later results, align strategies across teams, and watch for patterns. They’ll be more likely to reduce risk, avoid surprises, and keep up with the new standards.

In the end, the message is clear: To avoid VAMP and build lasting success, merchants need to treat payments as a connected process, not just a series of quick fixes. The only real way to avoid VAMP is to stop fraud and dispute risk before it starts by closing the gaps that let these problems happen in the first place.