How to Avoid VAMP Penalties and Fraud Dispute Fees

Visa’s Acquirer Monitoring Program (VAMP) is now fully phased in. And as of April 1, 2026, the merchant excessive threshold is at 1.5%. So a business over this stricter threshold pays $8 per fraud or dispute on every applicable transaction (not just the ones over the limit).

The math behind new VAMP standards also makes the ratios run higher than they did under the old VFMP and VDMP programs. This means that a merchant who was comfortably compliant a year ago can now find themselves in trouble without changing how they operate. 

Here’s what you can do about it. 

Get TC40 Data From Your Processor

TC40 is a fraud report that’s filed by a cardholder’s issuing bank whenever a customer claims a transaction was fraudulent (separate from a chargeback). The bank files this report regardless of whether it escalates to the dispute stage, meaning TC40s can hit your account even if no money moves.

The problem is that most merchants don’t actually see these reports because they don’t always hit their accounts directly. But they still count toward your VAMP ratio.

It’s impossible to calculate your VAMP ratio without TC40 reports because you don’t have all the information. 

Call your processor and ask for monthly TC40 reporting. Because you probably don’t have access to it by default, and most will only provide the data if you request it. 

Stop Disputes Before They Become Chargebacks

This is the cheapest way to resolve disputes. There are three issuer-side solutions that exist specifically for this, but they don’t all do the same thing:

• Verifi Rapid Dispute Resolution (RDR): It’s automated, and you can set the rules for things like refunding any dispute under $50, refunding anything for a first-time customer, or refunding anything in a certain category. Visa applies your ruleset in real time whenever a cardholder calls the issuer, and the dispute never reaches you. 
• Verifi Cardholder Dispute Resolution Network (CDRN): You’ll be notified of every dispute, and you have a 72-hour window to refund the customer before the dispute becomes a chargeback. 
• Ethoca Alerts: This is actually owned by Mastercard, but it still covers both networks. You’ll get near-real-time fraud and dispute alerts from issuing banks, which is particularly useful for stopping an online order fulfillment on transactions that the issuer flagged. 

Most merchants can benefit from layering these systems. For example, you can use RDR to automate low-value resolutions and then use Ethoca for fraud-specific stops. Then CDRN can sit in the middle for cases above a certain dollar threshold that require human review.

The catch here is that while the TC15 (dispute) can be removed from your VAMP ratio, the TC40 will stay (and count toward your ratio) if the issuer also filed a fraud report. Visa changed this rule in mid-2025.

But removing the TC15 obviously still helps keep your VAMP ratio lower. So it’s worth it. 

Use Compelling Evidence 3.0 to Remove Both TC15 and TC40

This is the one tool that removes both the dispute (TC15) and fraud report (TC40) from your VAMP ratio entirely. Every other resolution only clears one or the other, whereas CE3.0 does both, making it the highest-impact lever for merchants with repeat customers. 

Here’s how Compelling Evidence 3.0 works:

If you can show that two prior undisputed transactions from the same cardholder share matching data elements with the disputed transaction, Visa will rule the fraud claim invalid and remove the TC15 and TC40 from your VAMP ratio.

• The two prior transactions must have been processed between 120 and 365 days before the dispute.
• Those transactions must share at least two matching data elements with the disputed transaction. 
• There are four eligible data elements to pull from: User ID/login, IP address, shipping address, and device ID/fingerprint. (and at least one of the two matches must be either IP address or device ID).

The concept behind this is simple. It’s a way to prevent friendly fraud, in which a clear repeat customer is trying to dispute something that they clearly authorized.

It’s worth noting that CE3.0 only works for card-not-present Visa transactions, and it only applies to fraud-coded disputes (reason code 10.4). This is going to be one of the most useful solutions for subscription businesses, marketplaces, and any online merchant with repeat buyers.

You just need a processor or chargeback platform that supports CE3.0 submissions. Definitely something worth contacting your processor to inquire about. 

Tighten Your Pre-Authorization Process

In addition to dispute resolution, you can also take steps to prevent issues that you won’t have to solve later. And stopping fraud before a transaction processes doesn’t generate any reports that count against your VAMP ratio. 

The basics include:

• CVV and AVS — Should be required on every CNP transaction. If either fails, you can route it through additional verification instead of just auto-approving.
• 3D Secure (3DS2) — Apply it on higher-risk sales to shift liability to the issuer on authenticated transactions, which gives you meaningful protection. 
• Network Tokens — More secure than stored PANs, making it harder for fraudsters to use stolen card data when a token is tied to a specific merchant. 
• Velocity Rules and Pattern Monitoring — Use this to flag things like mismatched billing country and issuer country, new devices on existing accounts, or repeat declines from the same IP address. 

Clear billing descriptors are also crucial, and it’s something that a lot of legitimate merchants get tripped up on. 

If a descriptor doesn’t match your business name, it often leads to “I don’t recognize this charge” disputes. These get coded as fraud and hit your TC40 count even if they’re resolved later. 

Defend Against Enumeration Attacks

The enumeration ratio only applies if you process 300,000 or more confirmed enumerator transactions per month, which is a high bar. But for merchants who hit it, the 20% threshold can be triggered fast because both approved and declined transactions count.

This happens when cyber criminals use automatic scripts to send a high volume of low-dollar transactions “testing” card details. They’re designed to exploit weak security protocols in merchants, as once a card is tested, it can then be resold on the black market or used by the same criminal to make fraudulent purchases. 

If your authorization decline rate is climbing fast without a clear reason, it’s usually a signal of an enumeration attack. These card testing bots will burn through thousands of attempts on a single endpoint. And while most decline, they all still count toward that 300,000 number.

Adding CAPTCHA is a standard defense at checkout. You can also set limits at the IP and device level. 

Lots of modern fraud platforms include enumeration-specific detection, too. So if you see these types of patterns, you can always ask your processor or fraud vendor whether they offer Visa Account Attack Intelligence (VAAI) integration. 

What to Watch For on Your Statements

VAMP fees are pass-through charges, meaning they flow from Visa to your acquirer before landing on your account. Visa charges your acquiring bank, and they ultimately decide whether (and how) to pass that cost on.

Here’s an important caveat to this: there’s no rule or requirement that says the line item must be labeled “VAMP.”

So your processor can pass through this as a compliance fee, fraud monitoring fee, risk surcharge, or just an unexplained per-transaction add on. 

This lack of transparency makes it much more difficult for merchants to know which statement charges correspond with VAMP penalties from Visa. And it makes things easier for your processor to bury hidden markups, either by padding your VAMP fees or adding extra charges even when VAMP penalties don’t apply. 

So if a new line item randomly appears on your statement that wasn’t there in the past, ask your processor specifically what they cover and whether it’s tied to VAMP. You’re entitled to know.

Our team here at MCC can also give you a free audit to see if your processor is passing through charges correctly or adding extra costs that can be removed from your account. 

Final Thoughts

VAMP is structured in a way that doing nothing will cost you money. Now that Visa counts fraud and disputes toward a single ratio, you’re more likely to be impacted even if you never had to deal with these penalties under the old programs. 

You need full access to all fraud-related data to calculate your VAMP ratio, and you also need to tighten internal protocols to prevent this ratio from rising and getting extra charges applied to your account. 

If you see anything on your statement that you don’t understand, just send it to us and we’ll let you know what’s actually being charged and whether it’s legit.