Chargeback and Fraud Monitoring Programs
SHOPLINE Payments must comply with financial obligations to card networks, which requires us to control potential chargeback and fraud risks to keep them within acceptable levels. Card networks like Visa and Mastercard set thresholds for these risks. If a merchant exceeds these thresholds, they may be placed in the card network's monitoring program. During this period, merchants may face penalties, additional fees, or even the loss of eligibility to use the card network's services until their chargeback or fraud levels drop to acceptable limits.
Once enrolled in a monitoring program, merchants can take corrective actions to reduce their chargeback or fraud rates below the threshold, helping them avoid further restrictions.
Visa Monitoring Programs
VDMP (Visa Dispute Monitoring Program)
Evaluation Criteria
The VDMP applies to merchants with high chargeback rates. A merchant will be placed in the program if they meet or exceed both of the following thresholds:
- Total number of chargebacks for payment transactions
- The ratio of chargebacks to successful transactions within a given month
Evaluation Period
Visa reviews merchant performance monthly, calculating the chargeback rate by dividing the total number of chargebacks by the total number of successful transactions for that month.
Penalty Criteria
| Type | Disputes | Dispute rate | Fine |
| Early Warning | 75 | 0.65% | No fines. Merchants are given time to take corrective actions to lower their dispute levels before penalties apply. |
| Standard | 100 | 0.9% | Fines begin after four months of exceeding thresholds, increasing each month until the merchant is removed from the program. |
| Excessive | 1000 | 1.8% | Fines apply immediately and continue until the merchant is removed from the program. See the timeline below for details. |
Standard type: If a merchant is placed under the monitoring program for standard reasons, the following fines apply:
| Monitoring Months | Fine |
| 1-4 |
|
| 5-9 |
|
| 10-11 |
|
| 12+ |
|
Excessive type: If a merchant exceeds the threshold for excessive chargebacks, the following fines apply:
| Monitoring Months | Fine |
| 1-6 |
|
| 7-11 |
|
| 12+ |
|
VFMP (Visa Fraud Monitoring Program)
Evaluation Criteria
The VFMP applies to merchants with high fraud rates. Visa assesses fraud levels using data from its TC40 Early Fraud Warning (EFW) report. A merchant will be placed in the program if they meet or exceed both of the following thresholds:
- Total amount of fraud alerts from EFW (USD)
- The ratio of fraud payments to successful payments (fraud rate)
| Note: Fraud warnings are based on the TC40 report month, not the transaction month. For example, fraud warnings reported in February will include successful payments from February but will not account for fraudulent transactions made in January. |
Evaluation Period
Visa monitors fraud metrics monthly, calculating the fraud rate by dividing the total amount of fraudulent transactions by the total amount of successful transactions for that month.
Penalty Criteria
| Type | Fraud amount | Fraud rate | Fine |
|
Early Warning |
USD 50,000 | 0.65% | No fines. Merchants can take corrective actions to reduce the fraud levels before fines are imposed. |
| Standard | USD 75,000 | 0.9% | Fines begin after four months, increasing monthly until the merchant is removed from the program. See the timeline below for details. |
| Excessive | USD 250,000 | 1.8% | Fines apply immediately, with a fine applied each month until the merchant is removed from the program. See the timeline below for details. |
Standard type: If a merchant is placed under the monitoring program for standard reasons, the following fines apply:
| Monitoring Months | Fine |
| 1-4 |
|
| 5-6 |
|
| 7-9 |
|
| 10-12 |
|
| 12+ |
|
Excessive type: If a merchant exceeds the fraud threshold, the following fines apply:
| Monitoring Months | Fine |
| 1-3 |
|
| 4-6 |
|
| 7-9 |
|
| 10-12 |
|
| 12+ |
|
VFMP-3DS (Visa Fraud Monitoring Program – 3DS, only for US)
The VFMP-3DS applies to US-based accounts that process domestic transactions using Visa 3D Secure (3DS) verification and exceed fraud thresholds.
Evaluation Criteria
Visa assesses fraud levels using its TC40 Early Fraud Warning (EFW) report. A merchant will be placed in the program if they meet or exceed both of the following thresholds:
- The total fraud amount for Visa payments processed with 3DS verification
- The ratio of fraud payments to total Visa payments processed with 3DS
Penalty Criteria
| Type | Fraud amount | Fraud rate | Fine |
| Early Warning | USD 50,000 | 0.5% | No fines. Merchants can take corrective actions before fines are imposed. |
| Standard | USD 75,000 | 0.9% | No fines, but merchants lose liability protection for US transactions under 3DS. |
VAMP (Visa Acquirer Monitoring Program)
Starting April 2025, Visa will merge the Visa Dispute Monitoring Program (VDMP) and Visa Fraud Monitoring Program (VFMP) into a global initiative called the Visa Acquirer Monitoring Program (VAMP).
Evaluation Criteria
The VAMP program assesses merchant performance based on two key metrics: the VAMP Ratio and the VAMP enumeration ratio.
VAMP Ratio
Key metrics:
- Fraud transactions: This refers to early fraud warning (EFW) data sourced from Visa’s TC40 reporting
- Non-fraud disputes: Disputes with reason codes 11, 12, and 13 are considered non-fraud chargebacks; reason code 10.5 is excluded from this category
The VAMP ratio is calculated as: (fraud transactions + non-fraud chargebacks) ÷ successful transactions
Visa also considers the thresholds for fraud and chargeback volumes set by the acquirers. This means that acquirers must ensure that their merchants' metrics do not exceed Visa's defined thresholds.
VAMP Enumeration Ratio – Card Testing Activity or BIN Attacks
This ratio, also known as card testing or BIN attack, is calculated by dividing the confirmed transaction volume by the total transactions. Confirmed transactions related to attacks are validated by Visa's new system, Visa Account Attack Intelligence (VAAI).
| Type | Metric | Initial phase (2025.4) | Official phase (2026.1) | |
| Acquirer | Standard | VAMP Ratio | N/A | 0.3% |
| Excessive | VAMP Ratio | 0.5% | 0.5% | |
| Merchant | Excessive | VAMP Ratio | 1.5% globally (0.9% in LAC) |
0.9% globally (1.5% in CEMEA) |
| Excessive | Enumeration | 20% | 20% |
Additional thresholds:
- Merchant thresholds: Merchants must have a minimum of 1,000 disputes, and only card-not-present (CNP) transactions are considered under the VAMP program.
- Merchant enumeration ratio: To be subject to this metric, a merchant must process at least 300,000 transactions per month, as defined by Visa's system.
- Dispute exclusions: Disputes resolved through Visa's Rapid Dispute Resolution (RDR) process and the Cardholder Dispute Resolution Network (CDRN) are not included in VAMP calculations.
- Thresholds for UAE merchants: In the United Arab Emirates (UAE), merchants are considered to exceed thresholds if they 1) Have a minimum of 100 disputes; 2) Reach or exceed a total fraud and dispute amount of $75,000.
Mastercard Monitoring Programs
ECP (Mastercard Excessive Chargeback Program)
Evaluation Criteria
Mastercard monitors merchants' chargeback activity through the Excessive Chargeback Program (ECP). The program classifies merchants into two categories:
- Excessive Chargeback Merchant (ECM): Applies to merchants with a high volume of chargebacks.
- High Excessive Chargeback Merchant (HECM): Targets merchants with even higher chargeback rates, subject to stricter penalties and increased monitoring.
A merchant is placed in the ECP if they meet or exceed both of the following monthly thresholds:
- Total chargebacks: The total number of chargebacks within the month.
- Chargeback rate: The ratio of chargebacks to successful transactions from the previous month.
Evaluation Period
Mastercard evaluates chargeback trends on a monthly basis, calculating the chargeback rate as: (Total chargebacks ÷ Successful transactions from the previous month)
Penalty Criteria
ECM: Mastercard Excessive Chargeback Merchant
| Disputes | Chargeback rate | Fine |
| 100-299 | 1.5-2.99% | Fines start after two months and increase monthly. See the timeline below for details. |
Once a merchant is enrolled in the card organization's monitoring program, the following fine schedule applies:
| Monitoring months | Fine | Issuing bank recovery assessment |
| 1 | USD 0 | No |
| 2 | USD 1,000 | No |
| 3 | USD 2,000 | No |
| 4-6 | USD 5,000 | Yes |
| 7-11 | USD 25,000 | Yes |
| 12-18 | USD 50,000 | Yes |
| 19+ | USD 100,000 | Yes |
Additional Fees: Merchants exceeding 300 chargebacks in a month will incur an additional $5 per chargeback. For example, if a merchant has 400 chargebacks in the fourth month under ECM, their total fee would be: $5,500 = ($5,000 + (400 - 300) * $5)
HECM: Mastercard High Excessive Chargeback Merchant
| Disputes | Chargeback rate | Fine |
| 300+ | 3% | Fines start after two months and increase monthly. See the timeline below for details. |
Once a merchant is enrolled in the card organization's monitoring program, the following fine schedule applies:
| Monitoring months | Fine | Issuing bank recovery assessment |
| 1 | USD 0 | No |
| 2 | USD 1,000 | No |
| 3 | USD 2,000 | No |
| 4-6 | USD 10,000 | Yes |
| 7-11 | USD 50,000 | Yes |
| 12-18 | USD 100,000 | Yes |
| 19+ | USD 200,000 | Yes |
EFM (Mastercard Excessive Fraud Merchant Compliance Program)
Evaluation Criteria
Merchants may be placed in Mastercard's Excessive Fraud Merchant Compliance Program (EFM) if they meet the following thresholds:
- Transaction volume: At least 1,000 Mastercard e-commerce transactions.
- Net fraud amount: Fraud-related chargebacks (dispute reason codes 4837 or 4863) exceed $50,000 (or $15,000 in Australia).
- Fraud chargeback rate: The percentage of fraud-related chargebacks compared to total transactions in the previous month exceeds 0.50% (or 0.20% in Australia).
- 3D Secure (3DS) verification rate: The percentage of Mastercard transactions verified via 3D Secure (3DS) must meet one of the following:
- Non-regulated countries: ≤ 10% of total Mastercard transactions
- Regulated countries: ≤ 50% of total Mastercard transactions
Evaluation Period
Mastercard reviews fraud metrics on a monthly basis, calculating the fraud chargeback rate as: (Fraud chargebacks ÷ Total successful transactions from the previous month)
Penalty Criteria
| Monitoring months | Fine |
| 1 | USD 0 |
| 2 | USD 500 |
| 3 | USD 1,000 |
| 4-6 | USD 5,000 |
| 7-11 | USD 25,000 |
| 12-18 | USD 50,000 |
| 19+ | USD 100,000 |
AusPayNet Monitoring Programs
The AusPayNet (APN) CNP Fraud Mitigation Program aims to mitigate card-not-present (CNP) fraud within the Australian payment industry. It applies to both Australian merchants and cardholders.
FMP (APN Fraud Monitoring Program)
Merchants will be included in the program if they meet or exceed the following two quarterly thresholds:
- Fraudulent chargeback amount: The total value of fraudulent chargebacks received in the quarter exceeds AUD 50,000.
- Fraud chargeback rate: The ratio of fraudulent chargebacks to total sales for the quarter exceeds 0.20%.
If a merchant's CNP transactions fall below the FMP thresholds in a quarter, they may be exempt from FMP and SCA obligations.
| Number of quarters above the FMP threshold | Corrective measures |
| 1 | Merchants must implement fraud controls to reduce fraudulent chargebacks. It is recommended to apply Strong Customer Authentication (SCA) to a subset of CNP transactions defined as high-risk. |
| 2 | Merchants must perform one or more of the following actions:
|
| 3 | Merchants must forward all CNP transactions to the cardholder's issuing bank for SCA. Otherwise, they can only opt out. |
| 4+ | Merchants may have lost eligibility to use the service. |
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is a security protocol that requires merchants to verify a cardholder's identity using at least two of the following authentication factors:
- Something they know: Information only the cardholder knows, such as a password or PIN.
- Something they have: An item or device the cardholder possesses, such as a mobile phone or security token.
- Something they are: Biometric data such as a fingerprint or facial recognition.