TL;DR: Visa’s updated Acquirer Monitoring Program now counts fraud and dispute events against the same thresholds, and the article says merchants can be flagged when merchant ratios reach 2.2% or when acquirer portfolios hit 0.7%, according to Riskified. The operational lesson is that payment risk is now a governance problem, not just a fraud operations problem.
At a glance
What this is: Visa’s updated VAMP rules tie fraud and disputes together, raising the risk of account closures for merchants with weak chargeback and fraud controls.
Why it matters: This matters to ecommerce and payments teams because payment acceptance, dispute handling, and fraud prevention now need tighter governance, clearer evidence trails, and faster response loops.
By the numbers:
- Merchant excessive 2.2% ratio or higher, with at least 1,500 fraud and dispute transactions per month
- Acquirer excessive 0.7% portfolio ratio or higher
👉 Read Riskified's analysis of VAMP compliance pressure on Shopify merchants
Context
VAMP compliance has become a control issue for ecommerce merchants because fraud and dispute activity now feed the same enforcement logic. When payment platforms act under portfolio-wide obligations, individual stores can absorb business disruption even when they believe their own risk posture is manageable.
For identity and access teams, the relevant question is not only whether the checkout flow is protected, but whether the surrounding controls can support defensible decisions about orders, disputes, and customer trust. That makes payment risk adjacent to identity verification governance, fraud operations, and the auditability of merchant controls.
Key questions
Q: How should merchants reduce the risk of VAMP-driven account closures?
A: Merchants should treat VAMP as a governance programme, not only a fraud review task. That means combining fraud signals, dispute handling, and payment policy into one operating model, then assigning clear owners for refund, escalation, and representment decisions before thresholds are breached.
Q: Why do high-dispute ecommerce models face more payment risk?
A: Card-not-present, subscription, digital goods, and cross-border fulfilment models tend to generate more disputes because the buyer, delivery, and evidence chain are weaker than in face-to-face commerce. Under VAMP, those patterns matter more because fraud and disputes count together against enforcement thresholds.
Q: What breaks when merchants have alerts but no response workflow?
A: Alerts lose value when no one is accountable for acting on them during the narrow pre-chargeback window. Without a defined workflow, teams miss opportunities to refund, pause fulfilment, or resolve the customer issue before it becomes a formal chargeback that affects thresholds.
Q: Who is accountable when acquirer-level compliance triggers merchant closures?
A: Accountability is shared, but not evenly. The acquirer is responsible for portfolio compliance, while merchants are responsible for the transaction behaviour that contributes to the ratio. Practically, both sides need transparent reporting, escalation rules, and evidence that shows which controls were operating at the time.
Technical breakdown
How VAMP combines chargebacks and fraud into a single risk signal
Visa’s Acquirer Monitoring Program treats fraud and dispute activity as linked indicators of payment risk, rather than separate business problems. That matters because merchants can no longer offset weak fraud control with better dispute handling, or vice versa. The ratio is a portfolio governance metric, so the acquirer’s obligation can drive merchant consequences even when the merchant’s own transaction mix is the root cause. This is a classic control aggregation problem: one threshold can reflect multiple failure modes, and the enforcement action lands where the processor can act fastest.
Practical implication: Map every chargeback and fraud stream to the same monitoring model instead of managing them in separate operational silos.
Why card-not-present and recurring billing merchants face higher exposure
Card-not-present, subscription, digital goods, and cross-border fulfillment models tend to produce more disputes because the buyer and seller are less tightly coupled at the point of sale. In VAMP terms, that higher baseline risk now matters more because the updated framework counts the combined fraud and dispute picture. Merchants in these segments need stronger evidence collection, clearer policies, and tighter pre-fulfilment review because the normal business model itself raises the likelihood of threshold pressure.
Practical implication: Prioritise pre-fulfilment controls and dispute evidence capture for business models that naturally generate higher chargeback rates.
What Ethoca-style alerts change in the chargeback lifecycle
Near real-time dispute alerts create a short intervention window before a cardholder complaint becomes a formal chargeback event. That window is operationally valuable because it allows refund, pause, or customer-contact actions before the event hardens into a ratio-driving record. This is not a guarantee of avoidance, but it does shift risk treatment earlier in the lifecycle, which is where merchant teams have the most influence. In practice, the control value comes from speed, routing, and decision ownership, not from the alert itself.
Practical implication: Build a response path that can act during the pre-chargeback window, with clear ownership for refund and fulfilment decisions.
Threat narrative
Attacker objective: The objective is not always direct theft alone, but sustained payment abuse that forces merchants into higher loss rates and compliance penalties.
- Entry occurs through fraudulent or disputed card-not-present orders that bypass weak checkout and risk controls.
- Escalation follows when the same merchant accumulates enough fraud and dispute events to trigger VAMP thresholds at the portfolio level.
- Impact is account closure, frozen payouts, and operational disruption that can halt revenue flow and customer fulfilment.
NHI Mgmt Group analysis
Threshold-driven payments governance now behaves like identity policy enforcement: merchant account status is increasingly determined by a composite of risk signals rather than a single incident type. That shifts the control problem from isolated fraud review to ongoing policy governance, evidence quality, and accountable exception handling. Payment teams should treat the threshold itself as the control surface, not just the warning sign.
Merchant dispute handling now depends on the quality of decision rights, not just fraud tooling. The article points to a common operating gap: teams may have alerts, but not a clear model for who can refund, pause fulfilment, or escalate based on evidence. Governance fails when operational response is fragmented, because thresholds do not wait for committee cycles. Practitioners should formalise authority and escalation paths before a portfolio-level trigger forces them.
Payment abuse should be read as a lifecycle problem, not a point-in-time event. The merchant journey from order acceptance to dispute resolution resembles a control lifecycle with multiple handoffs, each of which can either reduce or amplify risk. That makes this topic adjacent to identity governance because trust decisions are being made continuously, with limited proof that the right entity, order, or transaction was validated at each step. Teams should focus on the full decision chain, not just the final chargeback outcome.
VAMP exposes a visibility gap between merchant operations and acquirer accountability. The acquirer can be penalised for portfolio-level outcomes that individual merchants may not fully see until account action arrives. That asymmetry creates a governance blind spot where merchants assume local compliance is enough, while the processor is managing aggregate exposure. Practitioners should re-check how much downstream visibility they actually have into dispute and fraud ratios.
Named concept: payment threshold spillover. This is the situation where merchant-level behaviour triggers processor-level enforcement through shared ratios and portfolio obligations. It matters because the organisation that bears the operational pain may not be the organisation with the strongest direct control over the threshold. Security and risk teams should design for spillover before the first closure event, not after.
What this signals
Payment governance is moving closer to identity governance. Merchant risk decisions increasingly depend on who can act, when they can act, and whether the evidence behind that action is trustworthy. For teams that already manage IAM or fraud operations, this is a signal to tighten decision ownership and auditability around the transaction lifecycle.
Merchant visibility into dispute and fraud ratios will become a control differentiator. The organisations that can see alert timing, fulfilment status, and representment evidence in one place will manage threshold pressure better than those working from fragmented dashboards. That visibility problem is analogous to the blind spots seen in third-party access governance, which is why the boundary between payments and identity is getting narrower.
Threshold spillover should change how merchants think about programme resilience. A merchant can be operationally compliant in one workflow and still be exposed at the portfolio level because the acquirer’s obligations are broader than the store’s local view. That means future readiness depends on cross-functional controls, not isolated fraud tooling.
For practitioners
- Unify fraud and dispute governance Track fraud, chargeback, and alert outcomes in one operating view so the same merchant cannot be judged against three disconnected risk processes. Align thresholds, owners, and escalation criteria to the portfolio rules that actually drive enforcement.
- Create a pre-chargeback response path Define who can refund, pause fulfilment, or contact customers during the alert window before a TC40 or TC15 is issued. Time matters here, so the workflow needs clear ownership and a fast approval path.
- Review exposure for high-dispute business models Prioritise card-not-present, subscription, digital goods, and cross-border fulfilment merchants because these segments naturally produce more disputes and are more likely to hit portfolio thresholds.
- Strengthen evidence collection for representment Capture order, shipping, device, and customer interaction evidence at the time of sale so disputed transactions can be defended consistently. Evidence quality determines whether recovery efforts reduce the ratio or simply document the loss.
Key takeaways
- VAMP turns fraud and dispute rates into a single enforcement problem, so merchants can face shutdowns even when their local processes look acceptable.
- The scale of the issue is structural: merchant ratios at 2.2% and acquirer portfolios at 0.7% can trigger action under the updated rules.
- The practical response is tighter governance of alerts, representment, and fulfilment decisions before the chargeback lifecycle closes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access and transaction governance map to enforcing controlled payment decisions. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege applies to who can refund, pause fulfilment, and override decisions. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance supports accountable handling of payment-risk decisions. |
| GDPR | Merchants processing customer data and disputes may need privacy and rights handling discipline. |
Where personal data is involved, align dispute evidence handling with GDPR obligations and data minimisation.
Key terms
- Chargeback Recovery Rate: The percentage of disputed transactions that a merchant successfully overturns or recovers. It is a practical measure of how well evidence, workflow design, and review prioritisation are working together, rather than a simple count of disputes processed.
- Acquirer Monitoring Program: A payments oversight framework used by card networks to track merchant or portfolio risk against defined thresholds. It links fraud, disputes, and operational controls to enforcement outcomes, making the acquirer responsible for portfolio performance and merchants responsible for the behaviours that drive it.
- Representment: Representment is the merchant’s formal response to a chargeback, where evidence is submitted to show that the transaction was legitimate or that the dispute claim is false. It depends on strong records such as shipping proof, order details, communications, and policy documentation.
- Pre-chargeback Alert: A notification that a customer has disputed or flagged a transaction before the event becomes a formal chargeback. These alerts create a short intervention window where merchants can refund, contact the customer, or pause fulfilment to reduce downstream ratio impact.
What's in the full article
Riskified's full article covers the operational detail this post intentionally leaves for the source:
- Merchant-specific examples of how VAMP thresholds affect Shopify Payments closures and payout disruption.
- The article’s explanation of how TC40 and TC15 events are combined into a single monitoring ratio.
- Practical use of Ethoca Alerts and Compelling Evidence CE 3.0 to reduce chargeback exposure.
- Riskified’s implementation context for merchants that need faster dispute response and representment workflows.
👉 Riskified's full post covers the threshold logic, dispute alerts, and chargeback response detail.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in a way that helps practitioners connect lifecycle controls to operational risk. It is designed for security and identity teams that need a clearer governance model across human and non-human access.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org