Back to Blog
Education8 min read

VAMP Is Here: Why 3D Secure Is Now Your Best Defense Against Visa's New Monitoring Program

PAAY Team·February 15, 2026
VAMP Is Here: Why 3D Secure Is Now Your Best Defense Against Visa's New Monitoring Program

On April 1, 2025, Visa retired its legacy monitoring programs — VDMP, VFMP, VFMP 3DS, and DGMFM — and replaced them with a single, unified framework: the Visa Acquirer Monitoring Program (VAMP). This isn’t just a rebrand. VAMP fundamentally changes how fraud and disputes are measured, who is held accountable, and which tools actually work to keep merchants compliant.

The implications for merchants are significant. If you’ve been relying on reactive dispute tools like RDR, CDRN, or Ethoca alerts to manage your chargeback ratio, VAMP has shifted the ground beneath you. Here’s what changed, why it matters, and what you need to do about it.

What Is VAMP?

VAMP consolidated four separate Visa programs and 38 remediation processes into a single program with one core metric: the VAMP Ratio.

The formula is straightforward but consequential:

VAMP Ratio = (TC40 Fraud Reports + TC15 Disputes) / Settled CNP Transactions

Three things make this formula different from the old VDMP:

  1. Fraud reports now count. Under VDMP, only chargebacks (TC15 disputes) were tracked. Under VAMP, TC40 fraud reports — filed by issuers whenever a cardholder reports a transaction as unauthorized — are included in the numerator. This is a massive change.
  2. Fraud disputes are double-counted. When a transaction is reported as fraud AND disputed, it generates both a TC40 and a TC15. Both count in the VAMP ratio numerator. One fraudulent transaction can count twice.
  3. Count-based, not dollar-based. Transaction value is irrelevant. A $5 dispute counts the same as a $5,000 dispute. High volumes of small-dollar fraud are just as dangerous as a few large losses.

The VAMP Timeline — Key Dates

Here are the milestones every merchant needs to know:

  • April 1, 2025: VAMP went live. Legacy programs retired.
  • June 1, 2025: Updated thresholds. Merchant “Excessive” set at 2.2%. Minimum 1,500 events to trigger.
  • October 1, 2025: Enforcement began. $8-$10 per-transaction fines on Excessive merchants.
  • January 1, 2026: Stricter acquirer thresholds. Acquirer “Above Standard” tier (0.5%) now enforced.
  • April 1, 2026: Merchant threshold drops from 2.2% to 1.5% in the US, Canada, EU, and Asia Pacific. This is the deadline that should be driving your planning.

Why Reactive Tools Are No Longer Enough

Before VAMP, merchants could manage their VDMP ratio primarily through reactive tools:

  • RDR (Rapid Dispute Resolution): Auto-refunds disputes before they become chargebacks
  • CDRN / Ethoca Alerts: Notifies merchants of pending disputes so they can issue proactive refunds

These tools prevented the TC15 chargeback from posting. Under VDMP, that was enough. Under VAMP, it isn’t.

Here’s the critical problem: RDR and CDRN prevent the TC15 dispute, but the TC40 fraud report still counts toward your VAMP ratio. The issuer files the TC40 regardless of whether the dispute is resolved through RDR or CDRN. So you pay the RDR fee ($15), you refund the customer (losing the revenue), you lose the product you shipped — and the TC40 still counts against you.

The True Cost: RDR/CDRN vs. 3D Secure

This is where the economics become stark. Consider a $100 fraudulent transaction with approximately $50 in cost of goods:

With RDR ($168 total loss)

  • Revenue: Lost — $100 refunded to the cardholder
  • Product/COGS: Lost — already shipped, approximately $50
  • RDR fee: $15
  • Processing fees: Lost — approximately $3.20 (not refunded)
  • TC40 impact: Still counts toward VAMP

With Ethoca/CDRN ($190+ total loss)

  • Revenue: Lost — $100 refunded
  • Product/COGS: Lost — approximately $50
  • Alert fee: $35-40
  • Processing fees: Lost — approximately $3.20
  • TC40 impact: Still counts toward VAMP

With 3D Secure (pennies total loss)

  • Revenue: Kept — liability shift to issuer
  • Product/COGS: Kept — value retained
  • Authentication fee: Pennies per transaction
  • Processing fees: Retained
  • TC40 impact: Prevented — fraud blocked at authentication

The cost difference is staggering. And unlike RDR/CDRN, the merchant keeps the revenue and the product.

How 3DS Actually Prevents TC40s

The key distinction is this: 3DS prevents the fraudulent transaction from occurring in the first place. When a fraudster attempts a purchase with a stolen card, 3DS requires authentication from the actual cardholder — via OTP, biometric, or their banking app. The fraudster cannot pass this step. The transaction is declined before it is ever authorized.

No authorized fraudulent transaction means:

  • No TC40 fraud report filed by the issuer
  • No TC15 dispute
  • No impact on your VAMP ratio

The data backs this up. According to Visa, authenticated transactions show approximately 45% lower fraud rates — just 11 basis points of fraud compared with 20 basis points for non-authenticated ecommerce transactions (Source: VisaNet data, US credit cards, Q4 2024). The European Banking Authority reported that mandatory 3DS authentication under SCA reduced e-commerce card fraud rates by approximately 50% for issuers (Source: EBA-ECB Joint Report on Payment Fraud, 2024).

Best Buy Canada saw a 61% reduction in CNP fraud rate within two quarters of implementing Visa Secure (Source: Visa case study).

3DS Also Deters Friendly Fraud

Friendly fraud — where a legitimate cardholder makes a purchase and then disputes it — accounts for up to 75% of all disputes in the US. 3DS authentication creates a verifiable record that the cardholder authorized the transaction using their own device, biometric, or OTP. This makes it significantly harder to claim “I didn’t do this.”

As Chargebacks911 notes: “Because 3-D Secure contains so much information, it makes claiming fraud much harder for those trying to commit friendly fraud.”

Don’t Forget Mastercard

While VAMP gets the headlines, Mastercard has its own monitoring programs — and one of them makes 3DS adoption a hard requirement.

Mastercard’s Excessive Fraud Merchant (EFM) program explicitly exempts merchants with more than 10% of their volume processed through 3DS in non-regulated markets like the US. If you authenticate more than 10% of your Mastercard volume, you cannot be placed in the EFM program regardless of your fraud numbers. This is not a soft benefit — it is a binary enrollment criterion.

What You Should Do Now

The April 2026 threshold reduction is less than two months away. Here is a practical roadmap:

  1. Know your numbers. Pull your current VAMP ratio (or ask your acquirer for it). If you’re above 1.5%, you need to act now.
  2. Implement 3DS authentication. This is the single most effective step you can take to reduce both TC40 filings and fraud chargebacks. PAAY merchants typically go live in 3-5 days.
  3. Layer your defenses. 3DS prevents fraud at the source. Use RDR/CDRN as a backstop for non-fraud disputes that 3DS cannot address. The optimal strategy is 3DS for prevention + reactive tools for residual service disputes.
  4. Monitor monthly. Track your VAMP ratio trend. Acquirers are setting their own thresholds (often 1.0% or lower) to keep their portfolio average below 0.5%.

The question is no longer whether you need 3DS — it’s whether you’ll implement it before or after the threshold drops. [@portabletext/react] Unknown block type "span", specify a component for it in the `components.types` prop to get started.

Sources: Visa VAMP Fact Sheet (2025), Visa Corporate 3DS data (2024), EBA-ECB Joint Report on Payment Fraud (2024), LexisNexis True Cost of Fraud Study (2025), Mastercard EFM Program Documentation, Chargebacks911, Evervault, Checkout.com. For the full VAMP resource guide with thresholds, timeline, and cost comparisons, visit our [@portabletext/react] Unknown block type "span", specify a component for it in the `components.types` prop.

Ready to protect your business?

Learn how PAAY's EMV 3DS authentication can reduce chargebacks and increase authorization rates.

Get in Touch