Idenza/Fyntek Roundtable: VAMP Enforcement and the New Compliance Reality

Defining the VAMP Ratio and Tightening Thresholds

Rahul: Why should merchants care about the VAMP ratio?

 

Michael: Prior to VAMP, the incentives were all about mitigating chargebacks. Now we have to stop fraud during pre-authorization to manage your TC40 and TC15 ratios. If you are out of ratio, you may lose your payments, and potentially end up on the MATCH list which makes it virtually impossible to secure new payment processing accounts. We are really happy to be here today with Idenza to talk about the problem. 

​

Rahul: We've stressed that VAMP is a consolidation of legacy programs. To start, can we define, in specific terms, the new single metric that determines merchant status?

Alex: VAMP consolidates the previous separate Fraud Monitoring Program (VFMP) and Dispute Monitoring Program (VDMP) into a single, count-based ratio. The VAMP Ratio is calculated by adding the total monthly count of TC40 fraud transactions and TC15 disputes (both fraud and non-fraud) and dividing that by the total count of settled CNP transactions. This combination is why the ratio appears inflated for many – it's a far more comprehensive picture of risk.

Michael: The pressure starts at the top. Acquirers themselves face strict thresholds: they are identified as 'Above Standard' at 50 basis points (0.5%) and 'Excessive' at 70 basis points (0.7%). For merchants, the 'Excessive' threshold starts at 150 basis points (1.5%), and potentially lower by early 2026. This is a clear signal that the risk tolerance across the entire ecosystem is plummeting.

Rahul: So, the key change is that all contested transactions, fraudulent or not, are contributing to the merchant's risk profile?

Alex: Precisely. The traditional defense mechanisms, where merchants simply focused on fighting or resolving specific fraud chargebacks, are no longer sufficient. The VAMP calculation forces accountability for all transaction issues, pushing merchants to clean up their entire payment and customer service lifecycle.

​
The biggest change really is just the liability shift from the banks to the merchants and the acquirers. Most merchants are aware of their chargeback ratio. If you were previously getting a lot of issuer declines for fraud, that information isn't always readily available. So you've got to start looking deeper into your acquirer and getting more information to proactively fight these enumeration and card testing attacks. I think that's the biggest change and what can't be ignored.

 

Rahul: What's the biggest misconception merchants have about these changes?

 

Alex: I think the biggest misconception probably is that it's going to be Armageddon. I have seen merchants in our portfolio who are kind of falling out of ratio, but what I've noticed is that Visa is giving them adequate time to adjust to this program. Of course the thresholds will be tightening especially in 2026. I do definitely think that people need to start thinking proactively about fraud and start making some adjustments to their payment stack.

 

Michael: Alex, what adjustments do you think can be quickly implementable?

 

Alex: As an operator, I think the first thing is to get access to your data. Acquirers should be sending you the TC40 reports. You should be getting access to your decline ratios and reason codes. If you're not getting access to that, have a conversation with your acquirer about that. If that's something that becomes challenging, consider adding new acquirers to the portfolio.

​

The New Reality: Stricter Acquirers, Higher Merchant Accountability​

​

Rahul: Question from our audience. Are there concerns banks will loosen rules on their side for CNP and shift more liability to the merchants?

​

Arunesh: I don't see them loosening the rules. I think that both issuers and acquirers are going to be cautious about their portfolios. The merchants are going to be held accountable because the acquirers themselves are going to be held to higher standards. And if their portfolio starts getting problematic, they are going to tighten the parameters for the merchants. So, like Alex said, the key thing is to know your data. You cannot just take a monthly view on things. You need to look at it in on a very frequent basis and look at both the quality of traffic as well as your TC40s and TC15s. 

​

Rahul: What are banks going to do? Are they going to start dropping merchants who don't meet their requirements?

​​

Alex: Acquirers have to meet the portfolio requirements, not for individual merchants. I've heard from conversations with multiple acquirers that they're not going to penalize well-performing merchants, in terms of volume, but they might absorb some of those costs themselves.

​

The biggest concern is what happens to those smaller merchants, that are less profitable, that are falling out of ratio. Are they going to be penalized more? and will banks start dropping those merchants? That I think is probably an unintended consequence of some of these new rules.

​

Michael:  In the sweepstakes space everyone is coming in as a new business without processing history. It's not enough to go in, and retroactively implement a fraud prevention strategy. What we've noticed with all of the merchants and operators we work with is when they're new, the amount of fraud is through the roof. The scammers are quite sophisticated and they're looking for new sites to have vulnerabilities. If you don't have a strategy and you don't have the right tools before going into market, as an operator, you're putting yourself at significant risk of losing money, fines and potentially losing your payments.

​

Rahul: Question from the audience. Any concerns about this killing the conversion rates?

​

Arunesh: Everybody obviously wants to go towards more of a frictionless experience. Fraud management on risk signals and risky identities is key there. Friction obviously will affect the real users. Fraudsters don't care about friction. The key is to reward the good traffic, reduce friction and increase conversion. With the bad traffic, you want to catch this early in the journey with pre-auth risk scoring before sending it to acquirers or even 3DS. So you need to have a segmentation such that the high-risk traffic is the only one which pays that cost.

The Dual Threat: Enumeration and Data Double-Counting

​​

Rahul: Gaming and digital goods are inherently higher risk verticals. How realistic is that 1.5% goal?

 

Michael: It's uncomfortable and it's a challenge. Your operations, your ability to drive traffic, and being in control of your payments -- we look at these as the three main pillars that make operators successful. Now, the merchant has to take responsibility for the quality of the traffic that they are driving. It definitely changes the game. If you have read the book 'Who Moved My Cheese?', the cheese has been moved. What we've noticed working with so many merchants is that getting this right is a long process.

​

Arunesh: The quality of traffic you are sending to the issuer is important. If you have a lot of low quality enumeration and card testing happening, or promo abuse, there will be downstream effects with TC40 and TC-15. This is something that you will have to pay attention to in the gaming and sweepstakes sector.

​

Beyond the core VAMP Ratio, merchants face a second major compliance metric: the VAMP Enumeration Ratio. This specifically targets automated attacks, or 'card testing,' where sophisticated fraud rings run huge volumes of stolen card numbers against a merchant’s checkout in a short time. Even if every transaction is declined, the activity itself is penalized.

The thresholds here are staggering: you are flagged if you have over 300,000 enumerated transactions in a month that constitute more than 20% of your total authorization volume. This is why sectors like digital goods, gaming, and any high-volume, automated payment flow are uniquely vulnerable. Without a real-time defense against enumeration, a merchant's ratio will immediately spiral. 

Rahul: What about the idea of 'double counting' risk?

​

Arunesh: It’s a crucial technical point. A single fraudulent transaction can generate a TC40 report (fraud), which later escalates into a TC15 chargeback (dispute). Under VAMP, if those two reports land in different calendar months, they can count twice against your ratio. This dynamic creates an urgent, month-end time pressure to resolve all disputes quickly. If you don't manage your fraud at the pre-authorization stage, you face a compounding risk in the next reporting cycle.

​

​The Technology Imperative: Pre-Authorization Scoring

​​

Michael: How does the Idenza platform actually work to help operators once they implement it?

​

Arunesh: The days of relying solely on post-transaction alerts or simple velocity checks are over. With VAMP, prevention is the only cure. Merchants must shift to tools that provide pre-authorization risk scoring that is comprehensive enough to catch bad actors before sending the transaction to 3DS, before the TC40 is ever generated.

​

With traffic acquisition campaigns, you're going to get a lot of low quality traffic with high rate of promo abuse as well as card testing. There will be a lot of clusters of card testing.  You need to catch them before you send all of that traffic to 3DS. 

This is where solutions using device intelligence and behavioral analytics are vital. Our approach, for example, analyzes hundreds of data points from typing speed and mouse movements to the presence of VPNs or known fraud device fingerprints to generate a risk score before the card details are ever submitted for authorization. This is the only way to successfully block enumeration attacks and prevent the initial fraud report that triggers the VAMP count.

​

When chargebacks happen, which is a fact of life, you need to be ready with all the signals and the evidence to be able to effectively fight the fraudulent chargebacks.

Alex: It's also essential to note the role of 3D Secure (3DS). While 3DS provides a liability shift to the issuer, it does not exempt the transaction from counting toward your TC40 or VAMP metrics. You still get the fraud report. Therefore, 3DS should be treated as a strategic tool that is used adaptively on genuinely high-risk transactions, rather than a blanket solution, to manage customer experience and conversion rates.

​​​

The Merchant Action Plan and Future of Compliance

​

Rahul: How should merchants view the immediate pressure they're receiving from their acquirers?

Alex: Acquirers are under extreme pressure to maintain their portfolio health. Because the penalties hit the acquirer first, they will inevitably pass stricter requirements downstream. Merchants can expect their acquirers to impose lower, customized thresholds that are far tighter than Visa’s stated minimums to create a safety buffer. Merchants who rely on multiple Acquirers must manage multiple, varying compliance limits simultaneously, adding significant complexity.

​

Michael: Now we're advising merchants about proactive pre-authorization measures to be in place prior to going live, because as mentioned earlier, the vulnerability is the highest when you're launching. We have noticed that is when you're more subject to malicious attacks and bad actors. And if you're running a smaller amount of traffic, your ratios can get out of alignment very quickly.

Arunesh: For new businesses, speed of adoption is critical. You are already an attractive target for fraudsters. Launching without an adaptive, pre-authorization defense system is taking an unacceptable risk that could lead to immediate termination and the permanent loss of payment access.

Alex: Ultimately, VAMP requires a transition from viewing fraud as a controllable expense to viewing compliance as a critical operational function. The old era of managing risk in silos is over. Success in this new environment relies entirely on the integrated strategy, technology, and transparency provided through specialist partnerships.

​​​

Rahul: One concluding question for Alex. If there is one metric that merchants should really focus on monitoring on a daily basis, what should that be?

​

Alex: I will speak to the one metric which is impacting the merchants in our portfolio the most. What I can see at the moment is a lot of card testing, and a lot of declines by the issuer due to suspected fraud. This is the one where I see the most urgency and the biggest impact. Following on from that, chargebacks are always going to be a problem. Having data to be able to fight those chargebacks and to be able to win those cases successfully is going to become critical as well. 

​