VAMP 2026: Visa's New Thresholds and How to Survive Them
Visa's Acquirer Monitoring Program (VAMP) tightened its merchant Excessive threshold to 1.5% on 1 April 2026, combining TC40 fraud reports and TC15 chargebacks into one ratio with $8-per-transaction fines and no warning tier. Compelling Evidence 3.0 is the only compliant mechanism to remove TC40 fraud reports from the VAMP numerator after the fact, and when a CE 3.0 representment succeeds on a Visa reason code 10.4 dispute, the merchant keeps the revenue, avoids the refund, and sidesteps the $8 enforcement fee on that transaction entirely. cside, the browser-layer security platform, helps merchants capture the CE 3.0-grade browser evidence that makes those wins possible.
If you process Visa card-not-present transactions, you woke up to a tighter chargeback regime on 1 April 2026. The Visa Acquirer Monitoring Program (VAMP) Excessive threshold for merchants dropped from 2.2% to 1.5%, and the penalty structure landed hard: $8 per disputed or fraudulent transaction, with no warning tier. Visa has watched acquirers since VAMP launched on 1 April 2025 against an Above Standard threshold of 0.5% and an Excessive threshold of 0.7%; those acquirer bands did not change in April 2026, but acquirers still push pressure down onto merchants in their portfolios.
That is a 32% tightening of the headline merchant ratio in a single step. A mid-market e-commerce business running 200,000 monthly transactions at what used to be a comfortable 1.8% dispute-plus-fraud rate is now 20% above the Excessive line and on the hook for roughly $28,800 in enforcement fees per month before chargeback losses.
This playbook covers what changed, how VAMP is actually calculated, why traditional chargeback tools alone will not keep you under the line, and the Compelling Evidence 3.0 (CE 3.0) mechanic that removes TC40 fraud from the ratio entirely.
What is VAMP?
VAMP is the Visa Acquirer Monitoring Program. It replaces the old VDMP (dispute monitoring) and VFMP (fraud monitoring) programmes, combining TC40 fraud reports and TC15 chargebacks into a single ratio against total settled transactions. Visa enforces against acquirers, but acquirers push that pressure down onto the merchants inside their portfolios.
VAMP came into force on 1 April 2025. The April 2026 update is the first change under VAMP to the merchant Excessive threshold, the monitoring floor, and the merchant fee structure; acquirer thresholds were fixed at programme launch and have not moved since. The merger is the important part. Under the legacy programmes you could run a low dispute ratio while still accumulating fraud reports, and vice versa. VAMP forces both numerators into one denominator, which means a single problem category now drags your full ratio upward.
The April 2026 changes (and what stayed the same)

From 1 April 2026, the headline shift for merchants is the Excessive threshold dropping from 2.2% to 1.5%, the monitoring floor moving from 1,000 to 1,500 combined fraud reports and disputes per month, and enforcement fees becoming $8 per disputed or fraudulent transaction with no grace period for merchants at Excessive. Acquirer VAMP thresholds are 0.5% (Above Standard) and 0.7% (Excessive); they have been in effect since VAMP replaced VDMP and VFMP on 1 April 2025 and were not revised in April 2026. (Legacy VDMP/VFMP programme percentages are a different scheme and should not be read as an earlier VAMP tier.)
| What changed | Before 1 April 2026 | From 1 April 2026 |
|---|---|---|
| Merchant Excessive threshold | 2.2% | 1.5% |
| Merchant fee at Excessive | Phased | $8 per disputed or fraudulent transaction |
| Monitoring floor | 1,000 combined per month | 1,500 combined per month |
Acquirer VAMP thresholds (since 1 April 2025, unchanged April 2026)
| Tier | Threshold |
|---|---|
| Acquirer Above Standard | 0.5% |
| Acquirer Excessive | 0.7% |
Source: Visa Acquirer Monitoring Program fact sheet.
Merchants processing under 1,500 combined fraud reports and disputes per month are excluded from formal monitoring, though most acquirers apply stricter internal limits well below that floor.
How VAMP is calculated, step by step

The VAMP ratio equals the sum of TC40 fraud reports plus TC15 chargebacks divided by total settled card-not-present transactions over the monitoring period. A single reported-fraud message without a chargeback still counts toward the numerator.
Three operational consequences sit inside that formula.
The numerator is now broader
The issuer generates a TC40 message when a cardholder claims fraud, and it flows into your acquiring bank. Many TC40s never become chargebacks because the issuer writes off the amount rather than process a dispute. The old VFMP tracked those TC40s separately. Under VAMP they count the same as a chargeback.
The denominator ignores declines
The denominator is settled transactions, not attempted transactions. Authorisation declines do not help the ratio. You cannot tighten your risk rules at auth time and expect the ratio to fall without also working the numerator down.
The monitoring window is rolling
There is no quarterly reset. Every month VAMP looks at the prior period and applies the current threshold. If you breach Excessive this month, you pay this month.
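The formula and the April 2026 merchant figures above, as an added example (not Visa's or cside's code). It assumes the threshold and the monitoring floor are inclusive, that the $8 fee applies to every item in the numerator (consistent with the $28,800 figure earlier), and that a CE 3.0 win removes one TC40 and leaves TC15 counts unchanged; the TC40/TC15 split of the sample month is constructed.

```python
EXCESSIVE_BPS = 150        # 1.5% merchant Excessive threshold, in basis points
MONITORING_FLOOR = 1500    # combined TC40 + TC15 per month
FEE_USD = 8                # per disputed or fraudulent transaction

def vamp_position(tc40: int, tc15: int, settled: int) -> dict:
    """Ratio, monitoring status and fee for one month of counts."""
    numerator = tc40 + tc15                      # a TC40 with no chargeback still counts
    monitored = numerator >= MONITORING_FLOOR    # assumption: floor is inclusive
    # Integer comparison avoids float rounding exactly at the threshold.
    excessive = monitored and numerator * 10_000 >= EXCESSIVE_BPS * settled
    return {
        "ratio_pct": round(100 * numerator / settled, 3),
        "monitored": monitored,
        "excessive": excessive,
        "fee_usd": numerator * FEE_USD if excessive else 0,
    }

def tc40_removals_needed(tc40: int, tc15: int, settled: int):
    """Fewest TC40s to remove through won CE 3.0 cases to leave Excessive."""
    if not vamp_position(tc40, tc15, settled)["excessive"]:
        return 0
    for k in range(1, tc40 + 1):
        if not vamp_position(tc40 - k, tc15, settled)["excessive"]:
            return k
    return None  # TC15 volume alone keeps the merchant at Excessive

# Constructed month: 200,000 settled CNP transactions at a 1.8% combined rate.
TC40, TC15, SETTLED = 2200, 1400, 200_000

if __name__ == "__main__":
    print(vamp_position(TC40, TC15, SETTLED))
    # Declining 10,000 more orders at auth shrinks only the denominator.
    print(vamp_position(TC40, TC15, SETTLED - 10_000))
    print(tc40_removals_needed(TC40, TC15, SETTLED))
```

Because declines never reach the denominator, the second call shows the ratio rising when auth rules tighten and the numerator stays put.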
Why traditional chargeback tools alone are not enough
Traditional dispute management platforms can assemble billing records, shipping data, and rebuttal letters. Some, like Kount, also collect browser-side signals as part of a broader fraud decisioning suite. But in every case, device fingerprinting is a side feature or a capability integrated from another product rather than the core focus. When CE 3.0 qualification hinges on device ID and IP match quality, that distinction matters.
Six vendors dominate the chargeback category and each plays a useful role:
- Chargebacks911 (now a cside partner) offers deep representment services and deflection infrastructure.
- Kount (owned by Equifax) bundles fraud decisioning with dispute management and collects some device signals, though fingerprinting is not its primary function.
- Forter and Signifyd both provide post-transaction liability shift through chargeback guarantees.
- Chargeflow focuses on automated representment for Shopify and mid-market merchants.
- Verifi (owned by Visa) and Ethoca (owned by Mastercard) operate at the network layer through Rapid Dispute Resolution and Alerts respectively.
Where these tools fall short is the depth and specificity of browser-layer evidence. When an issuer evaluates a CE 3.0 case, the evidence that actually closes the dispute is device-matching and session continuity from the browser where the purchase was made. cside is built around that problem: dedicated, specialised fingerprinting at the checkout session level, purpose-built for CE 3.0 qualification rather than bolted onto a broader fraud or dispute platform.
For a breakdown of which evidence fields map to which capture layer, see CE 3.0 requirements: the ten data points acquirers actually need.
The CE 3.0 wedge: remove TC40 fraud from the VAMP ratio
Compelling Evidence 3.0 applies to Visa reason code 10.4 disputes only. When you win a CE 3.0 representment, Visa removes the TC40 from the fraud count, which means it stops contributing to your VAMP ratio. CE 3.0 is the only compliant way to actively scrub TC40 fraud from the numerator. A successful representment also means the merchant retains the original transaction revenue and avoids both the refund and the $8 VAMP enforcement fee that would otherwise apply.
The qualification rule is specific. You must supply two prior undisputed transactions on the same payment credentials, aged between 120 and 365 days. At least two of four data elements must match across the prior and disputed transactions: User ID, shipping address, IP address, device ID. At least one of those two must be IP address or device ID. Per Visa's CE 3.0 Merchant Readiness document, these requirements have been in force since April 2023.

That last clause is what makes browser-layer evidence load-bearing. A traditional chargeback tool can reconstruct shipping address and a hashed User ID. Producing a matching device ID and matching IP at a level that satisfies the issuer requires capturing the actual browser session at checkout. For the step-by-step workflow, see How to Remove a TC40 via CE 3.0.
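One way to pre-screen a reason code 10.4 dispute against the qualification rule above, as an added example (not Visa's or cside's code). The `Txn` fields, token and ID values are hypothetical; it assumes age is measured from the dispute date with inclusive bounds, and that the same elements must match on both prior transactions and the disputed one.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

ELEMENTS = ("user_id", "shipping_address", "ip_address", "device_id")
IP_OR_DEVICE = {"ip_address", "device_id"}   # at least one match must be one of these

@dataclass(frozen=True)
class Txn:
    credential: str            # payment credential token (hypothetical field names)
    settled_on: date
    disputed: bool = False
    user_id: str = ""
    shipping_address: str = ""
    ip_address: str = ""
    device_id: str = ""

def matches(prior, target):
    """Elements captured on both transactions with identical values."""
    return {e for e in ELEMENTS
            if getattr(prior, e) and getattr(prior, e) == getattr(target, e)}

def ce3_check(target, history, dispute_date):
    """Return (qualifies, shared_elements) for a reason code 10.4 dispute."""
    eligible = [p for p in history
                if p.credential == target.credential and not p.disputed
                and 120 <= (dispute_date - p.settled_on).days <= 365]
    # Assumption: the same elements must match on both priors and the disputed sale.
    for a, b in combinations(eligible, 2):
        shared = matches(a, target) & matches(b, target)
        if len(shared) >= 2 and shared & IP_OR_DEVICE:
            return True, sorted(shared)
    return False, []

# Constructed sample data (documentation IP ranges, made-up tokens and IDs).
DISPUTE_DATE = date(2026, 4, 20)
TARGET = Txn("tok_A", date(2026, 4, 2), True, "u-17", "1 Main St", "203.0.113.9", "dev-9f2")
HISTORY = [
    Txn("tok_A", date(2025, 11, 3), False, "u-17", "1 Main St", "198.51.100.4", "dev-9f2"),
    Txn("tok_A", date(2025, 8, 14), False, "u-17", "1 Main St", "203.0.113.9", "dev-9f2"),
    Txn("tok_A", date(2026, 3, 1), False, "u-17", "1 Main St", "203.0.113.9", "dev-9f2"),  # under 120 days
    Txn("tok_A", date(2025, 6, 1), True, "u-17", "1 Main St", "203.0.113.9", "dev-9f2"),   # itself disputed
]
# Same history as a server-side-only capture: no IP or device ID on the priors.
SERVER_ONLY = [Txn(p.credential, p.settled_on, p.disputed, p.user_id, p.shipping_address)
               for p in HISTORY]
if __name__ == "__main__":
    print(ce3_check(TARGET, HISTORY, DISPUTE_DATE))
    print(ce3_check(TARGET, SERVER_ONLY, DISPUTE_DATE))
```

The server-side-only history matches on User ID and shipping address for both priors and still fails, because neither matching element is an IP address or device ID.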
Merchant adoption confirms the case. Per the Merchant Risk Council 2025 Global Fraud and Payments Report, 87% of merchants surveyed are already using the Compelling Evidence programme to fight first-party misuse.
From cside data: cside analysis of merchant representment outcomes shows that adding browser-layer device ID and IP to CE 3.0 packets produces a material lift in win rate versus server-side-only packets. cside measures this by comparing CE 3.0 case outcomes for merchants before and after instrumentation of browser-layer capture at checkout.
What browser-layer evidence adds that acquirer data cannot
Browser-layer evidence is device-level session data and script-verified transaction context captured at the moment of purchase. It includes device ID, network fingerprint, and a replayable artefact of the checkout session, all aligned to the billing descriptor the cardholder will later see on their statement.
cside's Chargeback Evidence product captures this layer. The same device that completed two prior undisputed purchases is matched to the device that completed the disputed one, and the match is surfaced to the acquirer in a CE 3.0-ready format. For a reason code 10.4 case that would have gone uncontested under CE 2.0, CE 3.0 combined with browser-layer proof converts the dispute into a reversal, removes the associated TC40 from your VAMP numerator, and lets you keep the transaction revenue instead of issuing a refund.
This is a mechanical outcome, not a persuasion exercise. The evidence either matches or it does not. When it does, your ratio drops and your revenue stays.
Understanding which ten data points acquirers actually evaluate is the foundation for building a complete evidence chain.
A 90-day VAMP survival checklist
Audit the current ratio, instrument browser-layer evidence capture, align billing descriptors to first-six consistency, run CE 3.0 representment tests, and negotiate the pipeline with the acquirer. Most merchants can get under the 1.5% line within one monitoring cycle if all four steps run in parallel.
- Pull the last 90 days of TC40 and TC15 data from your acquirer. If they do not give it to you, escalate. Under VAMP there is no defensible reason for an acquirer to withhold it.
- Check the first six characters of every billing descriptor across your payment stack. CE 3.0 qualification requires the first six characters of the descriptor to be identical across the prior and disputed transactions.
- Instrument browser-layer evidence on every checkout page. Device ID and IP match at qualification standard cannot be reconstructed after the fact. For device fingerprinting context, see device fingerprinting for Compelling Evidence chargebacks.
- Pick ten recent reason code 10.4 disputes that would not have qualified under CE 2.0 and run them through CE 3.0 with the new evidence. Measure the reversal rate.
- Ask your acquirer for their current VAMP report and the internal threshold they apply to your portfolio. Most acquirers run below Visa's published ratio as a buffer; verify the specific threshold directly with your acquirer as internal limits are not publicly disclosed by Visa.
Vertical snapshots
E-commerce, subscription, and SaaS merchants face the sharpest VAMP exposure because first-party misuse and descriptor confusion dominate their dispute profiles. Travel and Hospitality carry concentrated fraud on high-ticket items. Gaming and iGaming sit at the top of industry ratios. Financial Services treat VAMP as a portfolio issue. The fix in every case runs through CE 3.0 and browser-layer evidence.
E-commerce and Retail. Descriptor confusion and "item not received" disputes make up the majority of TC15 volume. CE 3.0 eligibility is wide for these merchants because most customers are repeat buyers.
Subscription and SaaS. Recurring billing produces high prior-transaction counts on the same credential, which is the asset CE 3.0 rewards. The challenge is descriptor drift across billing cycles. See the SaaS friendly fraud playbook for vertical-specific tactics.
Travel and Hospitality. Single-ticket values are high, so a small number of disputed transactions moves the ratio fast. Device and IP matching across booking and fulfilment is the tightest evidence chain.
Gaming and iGaming. Industry dispute ratios in iGaming run higher than most other verticals per operator survey data published by the Merchant Risk Council. A device-matched session history is the difference between a low and a high representment win rate.
Financial Services. Treat VAMP as a portfolio ratio. Because the ratio is spread across every merchant in the book, a single problem operator can drag the acquirer's ratio.
Further reading on cside
- Why chargeback indemnification no longer works with the new VAMP ratio
- CE 3.0 Requirements: The Ten Data Points Acquirers Actually Need
- How to Remove a TC40 via CE 3.0
This article reflects cside's analysis of VAMP and friendly-fraud regulations as of 2026-04-29. Threshold values, deadlines, and programme rules are subject to change by Visa, Mastercard, and acquirer-specific contracts. Verify with primary sources before operational decisions.
About the author
Mike Kutlu is Head of GTM at cside, where he works with Heads of Payments, Risk, and Finance on instrumenting browser-layer chargeback evidence for Compelling Evidence 3.0 representment. He writes about VAMP, friendly fraud, and the mechanics of dispute evidence for enterprise merchants.








