The New Disputes Rules From Visa: VAMP and Enumeration Attacks
The way Visa monitors merchants is about to change significantly. Here’s what you need to know.
Visa currently has two separate monitoring programs for merchants:
- VDMP focuses on monitoring chargeback ratios and
- VFMP covers fraudulent transactions.
Effective April 1, 2025, both programs will be consolidated into a single enhanced framework under the Visa Acquirer Monitoring Program (VAMP). It is expected to be deployed on April 1, 2025 in the EU and then rolled out globally in 2026. This blog runs through the key changes so you can be fully prepared.
The dispute ratio changes in key ways, and Visa has added an enumeration attack ratio for the first time. Are you ready for the change?
What is VAMP? (Disputes/Total Sales)
Simply put, VAMP is a ratio. The Visa Acquirer Monitoring Program dispute ratio is calculated using the formula below.
VAMP Ratio = Total disputes/Total sales count
The new VAMP (disputes/sales) threshold for merchants will be 1.5% from April 2025, then dropping to 0.9% from the first day of January 2026. Anything higher than that will be classed as “excessive.”
Note:
- The total disputes will not include figures from Visa’s Rapid Dispute Resolution (RDR) tool and Verifi's Cardholder Dispute Resolution Network (CDRN).
- This will also not include Order Insight and Compelling Evidence 3.0 deflections.
After April 1, 2025, tools to manage and resolve disputes quickly will be more important than ever. Services like CDRN, RDR, and Order Insight with Compelling Evidence 3.0 will be more crucial than ever in
- What is Rapid Dispute Resolution? It is a network that helps merchants resolve a dispute before it becomes a chargeback, through arbitration, mediation, and negotiation. If a dispute is resolved this way, it does not count toward the overall VAMP figure.
- What is a Cardholder Dispute Resolution Network? Verifi runs the Cardholder Dispute Resolution Network™ (CDRN), a real-time communication channel between the merchant and issuer. If a dispute is resolved this way, it does not count toward the overall VAMP figure.
- What is a Compelling Evidence 3.0 deflection? Merchants can dispute a transaction if they gather and then submit Compelling Evidence (CE) to their acquirer or PSP. Since the launch of 3.0, the card networks include user device profiling as part of compelling evidence. This is crucial for merchants who want higher auth rates and a lower dispute figure. If a dispute is resolved this way, it does not count toward the overall VAMP figure.
Combined, these tools will help merchants stay on the right side of the VAMP ratio.
But assuming you’re on top of your dispute resolution, the next step is to ensure your fraud defenses are as capable as possible. Bot detection is now a critical technique for merchants to employ.
Enumeration Ratio (Bots)
An enumeration attack is a scheme where fraudsters systematically submit card-not-present (CNP) authorization attempts while concentrating on a single Bank Identification Number (BIN) or multiple BINs and iterating through various combinations of payment values. These payment values generally include the primary account number (PAN), expiration date, Card Verification Value 2 (CVV2), and postal code. Issuers decline the authorization attempts until the right combination of payment values returns an approval response.
VAMP Thresholds for Acquirers.
- Between April 1 and December 31, 2025, the threshold will be 0.5% for “excessive”.
- Then, from 1 January 2026, 0.3% to 0.5% will be defined as “above standard.”
This means that just 0.3% (30 bps) will be sufficient to designate an acquirer as having “above standard” VAMP dispute rates – down to one-third of the current 0.9%. Bot attacks of 20% of authorized traffic will also keep merchants in an excessive category.
VAMP Fines
If an acquirer exceeds the threshold, a fine of $5 for above standard level or $10 for excessive level will apply to each dispute for all the merchants on the acquirer’s portfolio.
If a merchant is at an excessive level, they will be charged $10 for any disputes, as seen in the tc40 and tc15 reports.
How can merchants see the enumerated transactions?
Expect acquiring banks to be proactive.
Merchants will be able to see the enumerated transactions via their acquirer. This collaboration will be crucial. The acquirer can share detailed statistics on the ratio of enumerated transactions, and acquirers are likely to email merchants asking them to take steps to bring enumerated transactions down.
How can merchants minimize enumeration attacks?
Visa does not disclose which transactions will be flagged as enumeration, as that would tip off bot attackers. Visa likely uses an internal model, or possibly the VAAI score, to identify enumerated transactions.
So merchants should use appropriate vendors or build the bot detection below themselves.
Merchants in a high-risk Merchant Category Code (MCC) have a higher chance of being attacked with bots. Those merchants should consider CAPTCHA, but it may come at the cost of high friction for customers. Therefore we recommend the following:
- Build logic to detect bots, such as a hidden form field on a website that is invisible to human users but is detected, and hence filled out, by automated bots.
- Leverage an “invisible CAPTCHA,” which detects emulators or bots. Providers can help you identify bots through their device usage and on-device behavior. Please see more details in this blog for how Sardine does this today.
- Screen for high-risk signals: deviations or spikes in merchant authorization attempts, e.g., velocity to the same issuer or issuing BIN, or sequential PANs. Note: having robust bot detection may give you some leniency in the velocity thresholds you use to decline customers.
- Leverage response codes for possible signs of bot behavior. Authorization declines can carry response codes that are indicative of potential bot attacks, including Response Code 14, which means Invalid Account Number, or Response Code 54, which means Expired Card.
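The velocity, sequential-PAN and response-code signals above can be combined into one per-BIN check over authorization logs. The sketch below is an added example, not Sardine's or Visa's logic; the thresholds, the 6-digit BIN, the fixed 60-second window and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Response codes the article names: 14 = Invalid Account Number, 54 = Expired Card.
ENUM_CODES = {"14", "54"}
# Assumed thresholds for illustration; tune them against your own baseline traffic.
WINDOW_SECS = 60          # fixed time bucket per BIN
MIN_ATTEMPTS = 5          # velocity gate: ignore quiet BIN/window buckets
ENUM_DECLINE_RATIO = 0.6  # share of attempts declined with code 14 or 54
MIN_SEQUENTIAL_RUN = 3    # consecutive account numbers seen in one bucket

def longest_sequential_run(pans):
    """Longest run of distinct PANs whose digits, check digit dropped, step by 1."""
    accts = sorted({int(p[:-1]) for p in pans})
    best = run = 1 if accts else 0
    for prev, cur in zip(accts, accts[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(attempts):
    """attempts: (epoch_secs, pan, response_code) tuples -> {(bin, window): reasons}."""
    buckets = defaultdict(list)
    for ts, pan, code in attempts:
        buckets[(pan[:6], ts - ts % WINDOW_SECS)].append((pan, code))
    flagged = {}
    for key, rows in buckets.items():
        if len(rows) < MIN_ATTEMPTS:
            continue
        reasons = []
        ratio = sum(code in ENUM_CODES for _, code in rows) / len(rows)
        if ratio >= ENUM_DECLINE_RATIO:
            reasons.append("enum_declines")
        if longest_sequential_run([p for p, _ in rows]) >= MIN_SEQUENTIAL_RUN:
            reasons.append("sequential_pans")
        if reasons:
            flagged[key] = reasons
    return flagged

# Constructed sample records (not real card numbers); run inside your PCI scope.
SAMPLE = [
    (1000, "4000001111110017", "14"), (1003, "4000001111110025", "14"),
    (1005, "4000001111110033", "54"), (1009, "4000001111110041", "14"),
    (1012, "4000001111110058", "00"), (1015, "4000001111110066", "14"),
    # Ordinary traffic on another BIN: mostly approvals, unrelated account numbers.
    (1021, "5100002222220001", "00"), (1030, "5100009876540002", "00"),
    (1040, "5100004444440003", "05"), (1050, "5100007777770004", "00"),
    (1060, "5100003333330005", "00"),
]
print(flag_enumeration(SAMPLE))
```

Only the first BIN is flagged, for both reasons; the second bucket passes the velocity gate but shows neither signal.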
How Sardine AI Can Help
Sardine AI, a leading provider of AI-powered fraud prevention solutions, is well-positioned to help merchants and acquirers navigate the complexities of VAMP 2025. Sardine's advanced fraud detection and prevention capabilities can significantly reduce chargeback and bot attacks.
Key Benefits of Sardine AI for VAMP Compliance
- Real-time Bot Prevention: Sardine has the latest generation technology for Bot Prevention.
- Real-time Fraud Detection: Sardine's AI-powered system can identify and block fraudulent transactions in real-time, minimizing losses and chargebacks.
By partnering with Sardine AI, merchants and acquirers can proactively address the challenges posed by VAMP 2025 and safeguard their businesses against fraud and bot attacks. Sardine's AI-powered solutions offer a robust and practical approach to mitigating risk and ensuring compliance.