How to Navigate the 2025 VAMP Rule Change: A Survival Guide for High-Risk Merchants

How to Navigate the 2025 VAMP Rule Change: A Survival Guide for High-Risk Merchants

Whether it be adult content or subscription billing, the high-risk space is laden with stressful changes. And the new 2025 VAMP rule changes are no different.

Visa’s Acquirer Monitoring Program (VAMP) isn’t new, but the latest update taking effect April 1, 2025, is raising concerns industry-wide. And for good reasons.

The stakes are being raised.

As changes are ripping through the payment world ecosystem, processors are preemptively tightening up their onboarding rules. Others are shifting risk to sub-merchants, demanding stronger fraud tools, or re-evaluating portfolios altogether.

The bottom line?

If you operate a card-not-present environment, the new VAMP thresholds apply to you. And now they’re stricter than they’ve ever been.

In this article, we’ll break down the new rules in plain English, show you how to monitor your risk exposure, and walk you through the steps to stay compliant. Think of this as your playbook for surviving the 2025 VAMP update.

 

Step 1: Let’s Understand What VAMP Actually Monitors

 

To stay compliant with the 2025 VAMP rule change, it makes a whole lot of sense to understand what Visa is actually watching.

 

VAMP is designed to track risk in card-not-present (CNP transactions). This includes nearly all online payments, with a particular emphasis on adult, gaming, and digital service industries.

 

Here’s the three key metrics Visa is zeroing in on.

1. Fraud (TC40 Reports)

These are transactions that issuing banks have flagged as fraudulent. If a cardholder says, “I didn’t make this purchase,” and the bank reports it to Visa, it counts toward your fraud rate.

2. Disputes (TC15 Non-Fraud)

These are chargebacks for reasons other than fraud—like customers claiming they didn’t receive a service, weren’t satisfied, or didn’t recognize the billing.

3. Enumeration Activity

This refers to bot-style attacks where bad actors run rapid-fire authorization attempts to guess valid card details. Even declined attempts count against you if they’re flagged as “enumerated” by Visa’s AI models.

When we combine Fraud and Disputes, that’s known as VAMP Ratio. Enumeration Ratio lives on its own. If either of these two numbers go beyond a defined threshold, you and/or your merchant can be flagged, fined, or turned off.

 

Step 2: Know the Risk Thresholds That Could Get You Flagged

 

Visa doesn’t just monitor your risk levels—they’ve set specific thresholds that trigger action. Starting April 1, 2025, if your fraud, dispute, or card testing activity goes above certain levels, your business could be flagged under the VAMP rules.

Here’s what you need to know:

What Triggers a VAMP Flag?

You (or your merchant account) can be flagged if:

  • Your overall VAMP Ratio crosses 50 bps (0.5%)
  • You hit 150 bps or more = Excessive
  • Your enumeration activity hits 2000 bps (20%) or more

Oh, and we’re not done yet, things are going to get even more restrictive on January 1, 2026. This is when even tighter global thresholds kick in, especially for the "Above Standard" category.

Here’s that.

Starting January 1, 2026, Visa lowers the bar:

  • “Above Standard” begins at 30 bps (0.3%)
  • “Excessive” starts at just 90 bps (0.9%) in some regions

That means more merchants will be flagged unless their risk controls improve in 2025.

Step 3: Track Your Metrics, There Are No Warnings

Visa has announced that enforcement will begin in October. VAMP takes effect April 1, but there now will be a 6-month advisory period following this date. Beginning on April 1, 2025, you won’t get any warnings if you're in breach of VAMP thresholds. Instead, you’ll receive a notification that your numbers are too high. In light of this, it’s an absolute must that you track your own fraud, disputes, and authorization activity on a monthly basis.

 

1. Monitor Your VAMP Ratio Internally

If you’re not already doing so, start calculating your VAMP Ratio:

(Fraud count + Non-fraud dispute count) ÷ Total settled transactions

You should be aiming for well under 50 bps (0.5%). And remember, that threshold gets even tighter in 2026.

2. Watch for Enumeration Red Flags

Visa uses AI to detect enumeration patterns, but you can spot early signs too:

  • Large spikes in authorization attempts with very low approval rates
  • Authorizations coming in at odd hours or from suspicious IPs
  • Repeated small-dollar transactions across multiple cards

Set up alerts with your gateway or risk platform to catch these signals.

3. Use Your Processor’s Tools (Or Ask for Them)

Many payment processors or facilitators offer dashboards or reports that highlight:

  • Chargeback reason codes
  • Fraud trends
  • Authorization patterns

If yours doesn’t—or you don’t have access—ask for visibility or explore a third-party risk monitoring tool.

The key takeaway?

 

The best way to avoid VAMP issues is to spot risk before Visa does and make sure your staff is trained.

 

Step 4: Respond Fast If You’re Flagged by Visa

 

Hopefully, you’ve monitored your metrics on a monthly basis and, well, you’re not flagged. But in any case, if you are flagged for exceeding VAMP thresholds and you get the dreaded notification through Visa’s OneERS platform, understand that the clock is ticking.

Here’s how to handle that.

1. Read the Notice Carefully

The OneERS notification will explain:

  • Why you were flagged (fraud, disputes, or enumeration)
  • What data Visa used
  • When you need to respond
  • What happens if you don’t

If you believe Visa’s data is inaccurate, you can challenge it—but do it quickly.

2. Submit a Remediation Plan Within 15 Days

Visa requires a detailed action plan explaining:

  • The root cause of the issue (e.g., risky merchant, bad billing practices, outdated fraud filters)
  • What steps you're taking to fix it (tech upgrades, policy changes, merchant termination, etc.)
  • How and when you’ll bring your metrics back within acceptable levels

There’s no one-size-fits-all fix—Visa wants to see that you understand your risk and are taking it seriously.

3. Take Immediate Action

Your plan is just the first step. You must actually:

  • Implement new fraud tools
  • Update your dispute management strategy
  • Work with your merchants to change practices—or remove those putting you at risk

Visa will monitor your progress monthly.

4. Watch Out for Repeat Flags

If you stay noncompliant for 3 or more consecutive months, you could face:

  • Fees (as outlined in Visa’s fee schedule)
  • Risk conditions or restrictions
  • Processor scrutiny—or even termination

Your first identification usually comes with a grace period. But if you’re flagged again, enforcement kicks in faster.

Visa’s 2025 VAMP rule change isn’t just another policy update, it’s a notice that card-not-present rules are tightening up. For high-risk merchants, staying compliant means more than just avoiding chargebacks. It means proactively monitoring your metrics, responding to issues quickly, and working closely with your payment processor.

 

MobiusPay is here to help you understand and navigate the complexities of VAMP. We have the tools and services needed to analyze the data and advise on maintaining compliance.

Return to Blog
Discover Card with white and orange
Diners Club International logo
Blue Visa Logo
Mastercard logo with orange and red
JCB logo with blue, red and green
Union Pay logo with blues and red
American Express with a blue background
PCI Compliant

* Created by Fencl Web Design