Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
Visa VAMP
Chargebacks
Dispute Management

What is Visa VAMP? Thresholds, fees, and how it affects your dispute ratio

Ashutosh Bhadauriya
⬤
April 13, 2026
Share
What is Visa VAMP? Thresholds, fees, and how it affects your dispute ratio

The Visa Acquirer Monitoring Program (VAMP) is Visa's consolidated framework for measuring and enforcing fraud and dispute thresholds across the payments ecosystem. Effective April 1, 2025, it replaced five legacy programmes, most notably the Visa Fraud Monitoring Program (VFMP) and Visa Dispute Monitoring Program (VDMP), along with 38 distinct remediation processes, into a single unified standard.

At the centre of it is a new single metric, the VAMP Ratio, which gives Visa and your acquirer a consolidated view of how much of your transaction volume ends up in dispute.

// VAMP Ratio
Count of [Fraud (TC40) + Disputes (TC15)] / Count of Settled Transactions (TC05)

// Enumeration Ratio
Enumerated Transactions (Approved + Declined) / Total Authorization Transactions

Fraud disputes that originate as a TC40 and then escalate into a TC15 chargeback are counted twice in the numerator, once as fraud, once as a dispute. Fraud-related chargebacks therefore hit harder than they did under the previous programmes.

"VAMP is truly an outlier programme. An acquirer has to be performing five, seven, ten times the global average to be identified. But for merchants operating in CNP-heavy environments, the maths is far less forgiving."

The new thresholds

VAMP Table
Merchant Excessive (Global, from April 2026) 1.5%, down from 2.2% as of June 2025. This is the threshold that triggers enforcement fees.
Acquirer Excessive 0.7%. Acquirers above this face $8/dispute. The Above Standard band (0.5% to 0.7%) triggers $4/dispute.
Enforcement Fee (Merchant) $8 per CNP fraud or disputed transaction once classed as "Excessive." In effect since October 2025.
Minimum VAMP Count 1,500 monthly fraud + disputes needed to be pulled into the programme. Protects smaller merchants.

‍

April 1, 2026: the merchant Excessive threshold dropped to 1.5% globally. Merchants exceeding this threshold after a 3-month grace period face per-dispute fees and, ultimately, the loss of Visa processing rights. If you haven't yet audited your CNP dispute exposure, the window is closing.

Why it matters to merchants

Previously, merchants could treat fraud and chargebacks as parallel problems, tracked in separate programmes with separate thresholds. VAMP removes that separation. One combined ratio, applied monthly, determines your standing and your acquirer's.

Visa holds acquirers accountable for their merchant portfolio. If your dispute behaviour pushes your acquirer into an "Excessive" classification, they face $8 per disputed transaction across their entire book. Many acquirers are now setting internal merchant thresholds well below Visa's published limits, some at 1% or lower, to protect their portfolio. Breach those internal thresholds and you risk mid-cycle account termination before formal notice from Visa ever arrives.

For merchants in card-not-present environments (subscriptions, digital goods, travel, marketplaces, financial services), the calculus is particularly sharp. CNP transactions are the only transaction type VAMP monitors. If your revenue model is primarily online, VAMP covers your entire business.

What drives your VAMP ratio up

The VAMP ratio runs on transaction counts. Every fraudulent transaction and every dispute adds to your numerator regardless of the dollar amount.

Account takeover (ATO)

ATO ranks among the highest-impact contributors to CNP fraud disputes. A fraudster who gains access to a legitimate customer account inherits stored payment methods, saved addresses, and purchase history. Those are the trust signals that bypass fraud scoring. Purchases made during an ATO session are almost always disputed when the true account holder notices, generating both a TC40 fraud report and a TC15 chargeback: a double VAMP hit.

Standard fraud models are tuned to flag new or anomalous behaviour. ATO doesn't look new or anomalous. It looks exactly like a loyal, high-value customer making a purchase, which is why it evades detection so reliably.

Stored card CNP fraud

Merchants who offer card-on-file for frictionless repeat purchases create a high-value target. Once an attacker is inside an account, stored cards provide an instant verified payment method with no need to enter stolen card details that might trigger fraud checks. Disputes from stored-card misuse are then difficult to defend at chargeback: the merchant can show the card was authenticated at enrolment, but cannot demonstrate the account holder was present for the subsequent transaction. Issuers know this, and they rule accordingly.

Enumeration and card testing

Enumeration is the brute-force testing of stolen or generated card numbers, cycling through BINs, expiry dates, and CVVs at scale to identify valid cards. VAMP now tracks this separately via the Enumeration Ratio, confirmed by Visa's Account Attack Intelligence (VAAI) system. Declined attempts count too. Even if no transaction succeeds, a wave of automated card testing on your checkout can trigger the enumeration threshold (20% of authorizations flagged) and pull you into scope. Merchants without bot detection at the authentication layer have no buffer here.

Credential stuffing at login

Most ATO-driven disputes start upstream, at login. Attackers buy leaked credential lists and test them systematically against login forms. Successful logins become the entry point for stored-card abuse. Because credential stuffing uses valid passwords rather than random guesses, traditional brute-force detection misses it. Without step-up authentication on suspicious login signals (new device, new geography, unusual access times), there's nothing standing between the attacker and the customer's payment data.

Friendly fraud and first-party misuse

Not all disputes come from external attackers. A genuine customer disputing a transaction they actually authorised is a growing share of CNP chargebacks, particularly in subscriptions and digital goods. Under VAMP's combined formula, these non-fraud TC15 disputes (condition codes 11, 12, 13) sit in your ratio alongside genuine fraud. Without strong authentication evidence at the point of purchase, these disputes are very hard to win.

What you can do about it

Managing your VAMP ratio is a risk engineering problem. The merchants who stay below threshold tend to treat authentication as revenue infrastructure.

Deploy step-up authentication when login signals deviate from a customer's established pattern. New device, new country, unusual hour: each should trigger a verification step before any transaction is attempted. Most ATOs can be stopped at login.

Adding a new payment method, updating an existing card, or initiating a high-value checkout with a stored card should each carry its own verification requirement. A passkey or biometric confirmation at card enrolment creates dispute-resistant evidence of genuine customer presence. Treat these as privileged operations.

Enumeration attacks target checkout and payment APIs too. Velocity controls, CAPTCHA, and bot scoring applied at the authorisation request level, before a transaction hits Visa's network, directly reduce your Enumeration Ratio exposure.

On the dispute side, non-fraud TC15 disputes resolved through tools like Rapid Dispute Resolution (RDR) are excluded from your VAMP calculation. Compelling Evidence 3.0 (CE 3.0) removes both the dispute and the associated TC40 from your ratio, making it worth adopting for merchants with a meaningful volume of fraud chargebacks. Getting enrolled in these tools creates a mechanism to resolve or rebut disputes before they formally count against you.

Track your VAMP ratio monthly, before Visa does. Build internal monitoring using your TC40 and TC15 data. Many merchants only discover they're approaching threshold when their acquirer calls. Self-monitoring gives you lead time. At acquirer-notification stage, you're already in remediation mode.

When a genuine customer disputes a transaction they authorised, your defence is the authentication record: passkey signature, device attestation, verified session data. Building that evidence at authentication time is what determines whether you win or absorb it.

Where Authsignal fits

ATO, stored card fraud, credential stuffing, friendly fraud: in each case the gap is at the authentication layer. Either the account was accessed by the wrong person, the transaction went through without verifiable customer presence, or there's no durable evidence of genuine consent when the dispute arrives.

Authsignal sits between your application and your payment flow, providing orchestrated multi-factor authentication triggered by risk signals. For enterprise merchants that means step-up challenges on sensitive account events: login from a new device, card enrolment, high-value checkout, without adding friction to routine low-risk sessions.

Passkey and biometric verification creates a cryptographically-signed, phishing-resistant record of customer presence. That record is the strongest available evidence in a chargeback dispute. The rules engine intercepts anomalous behaviour at the authentication layer, before it reaches your payment processor or generates a TC40. Identity verification at onboarding anchors stored credentials and payment methods to a verified identity from day one.

VAMP is Visa acknowledging what security teams have argued for years: the payment dispute problem is an authentication problem. Fix that layer and the ratio tends to follow.

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
Visa VAMP
Chargebacks
Dispute Management

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies