Visa VAMP 2026: what the new thresholds mean for sub-merchant monitoring
Visa's monitoring threshold drops again in 2026. As the ratio tightens, fewer bad sub-merchants are needed to push a whole portfolio into an enforcement bucket. Here is what changes, and how to catch the sub-merchants that move your number before the monthly report does.
What VAMP measures
The Visa Acquirer Monitoring Program (VAMP) consolidated Visa's earlier fraud and dispute monitoring (VFMP and VDMP) into a single program in 2025, with thresholds effective June 1, 2025 and enforcement live since October 1, 2025. It tracks one ratio on card-not-present transactions: fraud reports (TC40) plus non-fraud disputes (TC15) measured against settled transactions (TC05), expressed in basis points, at both the acquirer and merchant level. Disputes resolved through pre-dispute tools (such as RDR) and fraud qualified under Compelling Evidence 3.0 are excluded. Acquirers pass that accountability down to payment facilitators and their sub-merchants.
The key thing to internalize: VAMP is a portfolio ratio, not a per-merchant pass or fail. A handful of high-fraud or high-dispute sub-merchants can move the number for everyone boarded underneath you.
What changes in 2026
Two changes are now in force. Since January 1, 2026, Visa enforces the acquirer above-standard threshold at 0.5% (50 basis points), with the excessive line at 0.7%. On April 1, 2026, the merchant excessive threshold dropped from 2.2% to 1.5% (220 to 150 basis points) in the US, Canada, EU, and Asia-Pacific, with a floor of 1,500 combined fraud and dispute events per month before a merchant is in scope. Visa assesses enforcement fees at the acquirer level, reported around $4 per fraud-or-dispute transaction above standard and $8 at the excessive level (confirm the current figures against Visa's VAMP fact sheet). Visa does not fine merchants directly; acquirers and payment facilitators pass that exposure down to sub-merchants contractually. There is also a separate enumeration screen aimed at card-testing attacks: 20% of authorization attempts flagged as enumerated, with a 300,000-transaction floor.
One caveat still worth a conversation: many acquirers hold their portfolios to stricter internal lines than Visa's published thresholds, so your effective limit may sit below 1.5%.
A lower threshold means a smaller margin for error across the whole book. Sub-merchants you would have tolerated at the old level can now tip you over.
Why this is a monitoring problem, not just a boarding problem
The signals that predict VAMP exposure are scattered. A sub-merchant's fraud score, dispute history, MCC risk, a prior Mastercard MATCH listing, KYB red flags: each is produced by a different vendor and sits in a different console. At boarding, you tend to decide on whichever console you happened to open. After boarding, you usually learn the ratio moved when the monthly report lands, which is weeks too late to act on.
Most of the monitoring signals you receive never escalate to a case. But fraud and dispute drift accumulates quietly inside that large majority, and by the time it surfaces in the ratio, the damage to your portfolio number is already done.
One record per sub-merchant: decide on the whole picture, prove it later
FinQub is the single source of truth for your risk decisions. It sits alongside the gateway, acquirer, KYB, sanctions, and fraud tools you already use, and lands every signal each one produces on one record per sub-merchant. That record does two jobs.
At boarding. Every signal is on the same record before your boarding decision fires, so the fraud and dispute signals that would move your ratio toward the limit are visible at decision time, not in next month's report. The sub-merchant's Mastercard MATCH inquiry state is captured at boarding, so a later inquiry cites the exact list version, not a re-pull.
After boarding. Every new signal lands on the same record, so monitoring is continuous rather than a monthly catch-up. When the dispute or fraud trend on a sub-merchant starts to drift, it is on the record the day it arrives.
When the request comes. When an acquirer or sponsor bank sends an information request on, say, 47 sub-merchants from the last 90 days, one query produces a signed exam packet per sub-merchant: every signal, every decision, every override, with the policy version that applied.
A pre-2026 checklist for PayFac risk teams
- Confirm your current VAMP ratio, the threshold, and its effective date with your acquirer.
- Identify which sub-merchant segments drive your fraud (TC40) and disputes (TC15).
- Capture Mastercard MATCH inquiry state at boarding, not at audit time.
- Make boarding decisions on the full signal set, not one vendor console.
- Keep monitoring after boarding. Dispute and fraud drift is gradual, not a single event.
- Be able to produce per-sub-merchant decision history on one query, in the format your acquirer asks for.
Frequently asked questions
When do the new VAMP thresholds take effect?
They are already in force. The merchant excessive threshold dropped from 2.2% to 1.5% in the US, Canada, EU, and Asia-Pacific on April 1, 2026, with a floor of 1,500 combined fraud and dispute events per month before a merchant is in scope. Acquirer thresholds (0.5% above standard, 0.7% excessive) have been enforced since January 1, 2026. The program-wide advisory period ended September 30, 2025; first-time violators within a rolling 12 months get a three-month grace period before enforcement fees apply.
Does VAMP apply to PayFacs or only acquirers?
VAMP is measured at the acquirer and portfolio level, as a ratio of fraud (TC40) and non-fraud disputes (TC15) to settled transactions in basis points. Acquirers cascade that accountability down to payment facilitators and their sub-merchants, so a few high-risk sub-merchants can move the number for everyone underneath you.
What is the difference between VAMP and Mastercard MATCH?
VAMP is Visa's portfolio ratio monitoring program. Mastercard MATCH is a list of terminated merchants. They are separate. Capture a sub-merchant's MATCH inquiry state at boarding so a later inquiry cites the exact list version, not a re-pull.
How does FinQub help with VAMP exposure?
FinQub lands every boarding and monitoring signal on one record per sub-merchant, so your boarding decision is made on the whole picture rather than whichever console you happened to check. Vendor outputs are signals, not decisions: your rules make the call. After boarding, every new signal lands on the same record, and per-sub-merchant decision history is queryable on demand.
FinQub keeps the boarding and monitoring story on your own vendor stack, the single source of truth for fintech risk decisions. See how it compares to the tools you already run, or book a short walkthrough below.