Head of Compliance
Visa's 2025 Acquirer Monitoring Program (VAMP) represents one of the most significant changes to payment fraud monitoring in over a decade.
Visa consolidated multiple regional programs into a single global system. The result? A more restrictive compliance environment that forces PSPs to rethink their fraud management strategies to avoid excessive dispute fees.
Visa replaced multiple regional fraud monitoring programs with a unified VAMP system. On paper, this sounds straightforward, but in reality, it adds additional regulatory pressure for PSPs and merchants.
The core change is the unified VAMP ratio that consolidates fraud and dispute tracking:
This ratio focuses exclusively on card-not-present transactions, where fraud and chargebacks are most prevalent.
It represents a significant change from previous programs, which often tracked fraud and disputes separately. Now, both count toward a single metric that determines your compliance status.
In addition to the new VAMP ratio, Visa introduced a second monitoring system: enumeration tracking. Visa now monitors card testing attacks through enumeration ratios:
Here’s the catch: if over 20% of your authorization attempts are flagged as enumeration attempts (with at least 300,000 such attempts monthly), you're subject to the same penalties as excessive fraud ratios.
The addition of enumeration tracking within the Visa VAMP program creates a new compliance risk for PSPs serving merchants in crypto, gaming, or other sectors prone to card testing attacks.
The new threshold structure creates a narrower margin for acceptable performance:
The enforcement timeline is outlined below:
The March 2025 policy update means TC40 fraud alerts resolved through RDR and CDRN are no longer excluded from VAMP calculations.
Previously, service providers would resolve ~90% of disputes through RDR before they became formal chargebacks, keeping ratios manageable. However, resolved disputes now count toward your VAMP ratio after the program changes.
What still provides exclusions:
What no longer helps:
This shift represents a fundamental change. Reactively managing chargebacks is no longer sufficient. PSPs must prevent dispute reports from being filed in the first place.
The post-VAMP regulatory landscape makes 3D-Secure (3DS) essential for two critical reasons: proactive fraud prevention and liability shift.
3DS 2.x (2.2 and newer) exchanges over 100 data points during authentication (compared to fewer than 15 in legacy 3DS 1.0). This rich data enables sophisticated risk assessments by issuers' Access Control Servers (ACS), allowing legitimate transactions to flow through frictionlessly while flagging suspicious activity for step-up challenges.
Key advantage: Fraudulent transactions get stopped before they become TC40 reports that count against your VAMP ratio.
When a transaction is authenticated through 3DS 2.x, liability for fraud chargebacks shifts from the merchant/acquirer to the issuing bank. Under card network rules, if you properly implement 3D-Secure and obtain authentication approval, the issuer assumes liability for fraud-related chargebacks (Visa Reason Code 10.x series).
Practical impact: The liability shift protects you from chargeback costs but doesn't exclude these transactions from VAMP monitoring. However, successful 3DS authentication significantly reduces the likelihood that issuers will file TC40 reports in the first place.
3DS liability shift applies exclusively to fraud-related chargebacks—Visa reason codes 10.1 through 10.5, Mastercard 4837/4840/4849/4871, and American Express F-series codes. Non-fraud disputes (service issues, processing errors, etc.) receive no liability protection.
Notable exceptions: Certain merchant category codes (MCCs) for betting and money orders aren't covered by liability shift. However, these represent a subset of high-risk categories rather than the majority of high-risk merchants.
From our experience helping PSPs implement 3DS for VAMP compliance, several tactical considerations are critical:
Don't expose authentication complexity to your merchants. A successful implementation reduces your merchant support burden and looks like this from their perspective:
1const result = await psp.authenticate({
2 amount: 10000,
3 currency: 'USD',
4 card: cardToken
5});Behind the scenes, you handle:
Geographic considerations:
Transaction value thresholds:
Monitor post-authorization responses to ensure liability shift success:
~10% of successful authentications may not achieve liability shift due to technical issues (mismatched transaction IDs, configuration problems, etc.), so active monitoring is essential.
PSPs who serve merchants with recurring payments, 3RI provides liability shift for subsequent transactions without customer interaction. Released in 3DS version 2.1, 3RI allows merchant-initiated authentication using references to initial customer-present authentications.
Use cases:
Performance considerations: 3RI has lower authentication success rates in the US, typically 60-70% depending on industry and transaction size. However, the key advantage is that 3RI is non-blocking since it happens behind the scenes without user involvement, eliminating any conversion rate impact.
Implementation advantage: View 3RI as a strategic enhancement with minimal overhead, offering liability shift without impacting conversion. For successful authentications, authorization performance is comparable to a completed 3DS challenge, with negligible differences.
From a technical implementation perspective, PSPs have three realistic options:
| Approach | Control | Implementation effort | Cost | Verdict |
|---|---|---|---|---|
| Build in-house | Full control | High (18+ months) | $500k - $1 million | Only viable for the largest processors |
| Standalone | High | Low (2-3 weeks) | Transaction-based pricing, typically <$0.03 per authentication | Best for service providers looking to offer a great experience with minimal engineering effort |
| Acquirer white-label solution | Low | Low (2-3 weeks) | Transaction-based pricing, typically <$0.05 per authentication | Best for smaller service providers with limited technical resources |
For VAMP compliance timelines, partnering with an established 3DS provider is most service providers' only realistic and strategic path toward compliance.
Given VAMP's enforcement schedule and the technical realities, PSPs must take immediate action. Consider the following timeline:
Phase 1 (Immediate - September 2025): Advisory period preparation
Phase 2 (October 2025): Excessive enforcement begins
Phase 3 (January 2026): Threshold tightening
VAMP changes create significant competitive differentiation opportunities for PSPs implementing proper fraud prevention infrastructure. While competitors face compliance costs or must drop high-risk merchants, well-prepared service providers can:
The traditional model of competing on interchange rates becomes less relevant when merchants prioritize staying compliant and maintaining processing capabilities over marginal fee differences.
The regulatory environment now strongly favors businesses that prevent disputes from occurring rather than managing them reactively.
3D-Secure has evolved from an authentication tool to an essential compliance infrastructure for PSPs and acquirers. PSPs that recognize this shift and implement accordingly will have significant competitive advantages in serving higher-risk merchant segments.
PSPs who haven't started implementation, time is running out. In the 2025 VAMP landscape, fraud prevention infrastructure isn't optional; it's essential.
Our latest technical session on 3DS for high-risk payments is available on demand and provides specific guidance for service providers facing these regulatory changes.
Watch now
If you're a payment service provider working with high-risk merchants, April 1st, 2025 marked the beginning of a big change in how Visa calculates fraud rates.
Shane Curran
During our 3D-Secure for high-risk payments webinar, attendees asked many insightful questions. To ensure everyone benefits from the discussion, we've compiled some key questions with our answers below.
Shane Curran