What Merchants Need to Know – Forter

April 1, 2026 marks one year of the Visa Acquirer Monitoring Program (VAMP). It’s also the date when the final, stricter thresholds come into official enforcement by Visa. Many merchants felt wrong-footed by the initial VAMP rollout, and being well informed can prevent that from happening again.

In this article we’ll explore what’s changing, the direct impact on merchants, and some food for thought about the best ways to adapt. The payment landscape changes fast, so we’ll be updating this post whenever it’s relevant to keep it fresh as things shift over time. 

Last updated: March 25th, 2026

VAMP explained

Visa brought in VAMP to replace their earlier programs, the VFMP (Visa Fraud Monitoring Program) and VDMP (Visa Dispute Monitoring Program). 

It fills the same conceptual “space” in the fraud and payments ecosystem as these programs combined, but with some significant differences:

• Unified metric. VAMP unifies disputes, fraud chargebacks and non-fraud chargebacks into a single metric. From April 2026, that’s 1.5% / 150 basis points, referred to as the VAMP ratio. You can see the calculation at the bottom of these bullet points.
• Tighter thresholds. Before VAMP, the thresholds were 0.9% in both programs, for a combined 1.8%. In the initial rollout, the VAMP program threshold was 2.2%, although even this higher number caused difficulties for some merchants struggling with the double counting challenge (see the Fine Print section below). From April 2026, the threshold will be 1.5%.
• Acquirers are front and center. VAMP adds a bit more distance between merchants and Visa, as Visa’s relationship shifted towards an emphasis on acquirers (that’s the “A” in VAMP – which wasn’t present in either of the earlier programs). More on this below.
• Automated attacks are a metric of their own. VAMP targets automated attacks like card testing as well as chargebacks, introducing an Enumeration Ratio of 20%. So bot attacks on your site need to stay below 20% of your total transactions.
• No grace period except for first-time offenders. VAMP fines are relevant for any month in which a merchant exceeds their thresholds for disputes or enumeration. There’s no grace period when you’re alerted to the problem and given time to fix it before being fined. On the other hand, you also don’t need to stay “clean” for any period before being removed from VAMP. It’s just relevant for any month when you’re not in compliance.
  • There is a grace period of three months for any merchant who has been out of the VAMP program for at least 12 months (calculated on a rolling basis).
• Exemption for small merchants. For a merchant to qualify for VAMP assessment, they need to have a minimum settled transaction count of 1,500, meaning smaller merchants may fall outside the scope of the program.

Here’s the calculation:

(Fraud Disputes (TC40)  + All Disputes (TC15)) 

———————————————————————–

                 Total Settled Transactions (TC05)

VAMP has been rolled out in staggered fashion, with different geographies hitting different thresholds at different times. From April 1st 2026, it will be much more standardized, with the only exceptions being Central and Eastern Europe, Middle East, Africa (CEMEA). Merchants there will have the 2.2% or 220 basis points threshold, though with a different, lower monthly fraud count.

New Thresholds for the Updated VAMP Ratio

For other regions – US, Canada, LATAM, EU, APAC – regardless of how their rollout period looked, the key details from April 1st 2026 are that:

• Merchants need to stay below 1.5% or 150 basis points VAMP ratio
• Merchants need to stay below 20% Enumeration Ratio
• Merchants pay $8 for every violation in a month in which they’re over threshold

The VAMP fine print

The VAMP rollout has seen a lot of confusion across the payment ecosystem, and there are some aspects that many merchants don’t discover until they’re hit by fines that they struggle to understand.

Here are some points you need to know that might have flown under your radar:

• A single dispute can count twice. VAMP combines TC40s (fraud alerts) and TC15s (chargebacks) into one ratio. If a fraud alert is issued and you don’t refund it fast enough to prevent a chargeback both of those can count towards your ratio separately. Also, if you’re above threshold and a TC40 resulted in a TC15, you can be charged $16 in fines for the single transaction.
• Resolving pre-chargeback doesn’t necessarily make it disappear. Previously, if you resolved a dispute pre-chargeback, you may find that none of this interaction counted towards your dispute ratio. Now, the TC40 still has an impact. However, resolving through Visa’s Compelling Evidence 3.0 program (CE3.0) does remove a transaction from your VAMP ratio.
• Visa’s programs grant exclusion – but only within the right month. Visa’s CE3.0 for TC40 disputes, and Visa’s RDR and CDRN for TC15 disputes can help you resolve a dispute so that it doesn’t count for your VAMP ratio. However, both resolution and dispute need to fall within the same month for the exclusion to be effective, because VAMP looks at each month in isolation.
• When Visa says “April” they mean March. Visa brought fines for VAMP in October 2025 — for transactions in September 2025. So the shift to 1.5% will be on your March transactions.
• Chargebacks for which you’re not liable still count for VAMP. Counterfeit cards, or account takeover on the issuing bank side, can result in chargebacks. You don’t have to pay them. But they do count for your VAMP metrics, at least for now.
• Fines are on all transactions, in a month when you’ve gone past the thresholds. They’re not for only transactions beyond the threshold.

Why you need to understand the acquirer aspect

Visa’s shift to seeing disputes through the lens of acquirers sounds like a technical update in the payments landscape. In fact, it’s crucial that merchants understand what’s happening from the acquirers’ perspective, because it directly impacts merchants’ experience and bottom line.

If you thought the new 1.5% threshold sounded like a challenge, particularly with the double counting and so on, take a moment to imagine how acquirers have engaged with VAMP given that they now have a portfolio limit of 0.5% to 0.7%.

Acquirers used to offset having some high-risk merchants in their portfolio with other low-risk merchants. They had considerable flexibility to find the right balance to match their risk appetite. With the new threshold from VAMP, that’s not really the case anymore. Acquirers have to stay under 0.7% for their entire portfolio. Anything above, and they’re designated Excessive. Even if they fall within the 0.5% to 0.7% region, they’re designated Above Standard, facing $4 fines rather than $8 ones. It’s not insignificant.

Direct impact for merchants: Your acquirer might not be able to afford you if you’re too much above 0.7%, no matter how safely below 1.5% you are.

For an acquirer to stay under their 0.5% limit, they have to offset high-risk merchants with thousands of ultra-low-risk merchants. They’ll have to pick their merchants carefully. There are already reports of merchants who were unlucky enough not to make the cut. 

What it means for merchants

Protect pre-checkout. If you’re still thinking about fraud largely in terms of chargebacks, you need to leave that model behind. Stopping fraud at checkout is no longer enough to keep your business safe from fines, a monitoring program, or difficulties with your acquirer.

Detect and block bots early. Visa monitors transaction attempts, not just success. Even if your system blocks a bot from actually placing an order, the very act of the bot hitting your payment gateway with thousands of different card numbers is what triggers the Enumeration Ratio. That will land you in VAMP just as surely as high chargebacks will. To be agentic ready but VAMP compliant, you’ll need to follow the Visa Trusted Agent Protocol.

Be aware of your context. At the same time, the acquirer limit means you have to consider your business in the context of your industry and other industries as well. Operating in a silo and ticking all the boxes you’re supposed to tick for your business by itself is no longer enough for safety. 

Practical steps for merchants to consider:

• Prepare. Make sure you’re ready for the change from 2.2% to 1.5%, if you haven’t already. Ideally with some room to spare. If you’re not sure where your ratio stands today, or whether your current fraud and dispute workflows are built to handle these changes, Forter’s platform is designed to address both sides of the equation — automated CE3.0 qualification, upstream fraud prevention, and access to cross-merchant identity data that becomes newly eligible evidence in Q4 2026.
• Precision. Deal with the challenge by increasing precision and accuracy, not by simply becoming more conservative. Losing a lot of business to false positives is just loss from another direction.
• Ensure you are capturing the right data on every transaction. CE3.0 only works if you have Device ID and IP Address on file — and the clock is already running. The two qualifying prior transactions must be at least 120 days old at the time of the dispute. If Device ID and IP Address aren’t being consistently recorded on every transaction right now, the historical footprint you’ll need simply won’t exist when you need it. Forter is able to do this for you.
• Velocity. Make sure your site is sensitive to velocity regardless of whether money is involved.
• Bots. Protect your site from malicious bots, before they check out. Declining the transaction isn’t enough, you need to detect and block earlier now.
• Agentic-ready. At the same time, if you’re tweaking your bot protection mechanisms, make sure you’re adapted to identify agentic activity and respond positively to it. Make sure you’re asking your acquirer for your monthly VAAI (Visa Account Attack Intelligence) report to ensure agentic activity isn’t being counted as malicious.
• Auth-only risk. Watch out for auth-only type transactions. They’re not “no risk” anymore.
• Business risk profile. Consider VAMP in the context of your industry and the risk level of your business. A subscription model is particularly vulnerable to these changes, for example, since customers sometimes use chargebacks as a way of canceling. If this is the case, work with the product department to try to minimize this behavior.
• Acquirer alignment. Descriptors are important in how VAMP ratios are calculated, so it’s important to proactively engage your acquirer to review how your descriptors are registered and reported. A multi-PSP approach may be an advantage for strategizing on how to group descriptors and acquirers to potentially spread risk.
• Acquirer visibility. Work with your acquirer to achieve visibility into how they’re handling the changes. If you’re at an enterprise company, consider this as a possible point of negotiation in the future.
• Personalize. Tailor your customer journey according to trust level. Known customers can breeze through. If there are suspicious signals, restrict privileges such as guest checkout. Lean on a network effect to increase your knowledge of identities.

VAMP is the new reality in the payments, fraud and disputes world. Change can feel overwhelming when there’s so much else going on — which there always is in the world of online fraud.

Many of the best ways for merchants to adapt to VAMP are changes that are good for the long-term health of the business and its fraud strategy. VAMP adds some pressure, but it’s also a valuable opportunity to ensure that your fraud and payments systems and priorities are well-positioned for the challenges of today’s digital economy.

October 24, 2026: CE3.0 Expands

While April 2026 is an enforcement deadline, the October change is an opportunity.

On or after October 24, 2026, Visa is significantly expanding CE3.0’s scope in two key ways:

1. Cross-merchant qualifying transactions

Under current CE3.0 rules, the two qualifying prior transactions must come from the same merchant. Starting October 24, 2026, Visa is updating this to allow qualifying transactions processed at different merchants — provided that related credentials (additional tokens linked to the same card) were used and the required data elements match.

This change acknowledges how cardholders actually shop: across multiple merchants, using related payment credentials. A merchant that can demonstrate a cardholder’s consistent, undisputed behavior across several different merchants has a stronger, more credible historical footprint.

2. Expanded credentials

The update also allows transactions on all credentials related to the same underlying card (additional tokens) to qualify — not just transactions on the identical card or token used in the disputed transaction.

Source: AI16011 — Updates to Remedy Rule (CE3.0) for Dispute Condition 10.4, Visa Business News, January 29, 2026

One important caveat: While Visa is allowing cross-merchant evidence in principle, an acquirer can only submit transaction data that was accepted and processed by that same acquirer. The cross-merchant benefit is therefore only realizable in practice if a merchant or their fraud platform can compile qualifying cross-merchant transaction data and route it appropriately through the acquirer chain.

Why Forter is uniquely positioned for this change

This is where network matters.

Forter’s identity platform operates across thousands of merchants globally. When a transaction comes through any merchant using Forter, we capture and link identity signals (Device ID, IP address, behavioral patterns) at the time of the transaction. Rather than looking backward through one merchant’s transaction history, we can identify qualifying prior transactions across the broader Forter merchant network.

This is a structural advantage. In practice, it means:

• A disputed transaction at Merchant A may be supported by two qualifying undisputed transactions from Merchants B and C — both processed by Forter — that share the same device fingerprint and IP address.
• Forter can surface those cross-merchant qualifying transactions instantly, building the historical footprint the October 2026 rules enable.
• Merchants who couldn’t previously satisfy CE3.0 criteria because they lacked sufficient transaction history with a given customer now have a much richer dataset to draw from.

There’s another layer to this that goes beyond CE3.0 qualification. Not every dispute is an honest mistake. A meaningful share of friendly fraud comes from cardholders who have a pattern of disputing legitimate purchases across multiple merchants. Because Forter’s identity graph operates across thousands of merchants, we can identify these serial claimers even when they’ve never disputed a transaction with your business specifically.