TL;DR: Visa VAMP collapses fraud and chargeback handling into a single ratio, with merchant excessive thresholds now at 1.5% and acquirers facing fees at 0.7%, according to Authsignal. That shift makes authentication evidence, step-up controls, and dispute telemetry part of revenue protection, not just fraud operations.
At a glance
What this is: Visa VAMP is a unified fraud and dispute monitoring framework that turns card-not-present authentication quality into a measurable ratio with direct enforcement consequences.
Why it matters: It matters because identity teams now influence chargeback exposure through login assurance, step-up policy, and transaction verification rather than treating payments as a separate fraud domain.
By the numbers:
- The merchant Excessive threshold dropped to 1.5% globally in April 2026, down from 2.2% as of June 2025.
- The acquirer Excessive threshold is 0.7%, and acquirers above that face $8 per dispute.
- The Minimum VAMP Count is 1,500 monthly fraud plus disputes before an account is pulled into the programme.
👉 Read Authsignal's analysis of Visa VAMP thresholds and dispute ratios
Context
Visa VAMP is best understood as an identity and fraud governance model for card-not-present commerce. It replaces separate fraud and dispute programmes with one combined threshold, which means merchant standing now depends on how often legitimate sessions, customer accounts, and payment events end in disputes.
For IAM and fraud practitioners, the important shift is that authentication evidence has become operational evidence. If a login, card enrolment, or high-value checkout cannot prove customer presence, the dispute outcome feeds directly into programme ratios and acquirer pressure.
Key questions
Q: How should security teams reduce chargeback risk in card-not-present commerce?
A: Security teams should treat authentication as part of dispute prevention. Step-up verification on suspicious logins, card enrolment, and high-value checkout reduces account takeover and creates stronger evidence if a transaction is later challenged. The goal is to bind the customer, the device, and the transaction in a way that survives dispute review.
Q: Why do account takeovers create disproportionate dispute risk?
A: Account takeovers reuse a legitimate customer identity, so the purchases often look normal to fraud systems. That makes them harder to block and more likely to become both fraud reports and chargebacks. In practice, the attacker inherits saved payment methods, which increases both transaction volume and enforcement exposure.
Q: What do teams get wrong about friendly fraud and first-party disputes?
A: Teams often treat friendly fraud as a pure chargeback issue, when it is also a proof problem. If the merchant cannot show durable authentication evidence at the point of purchase, the dispute is difficult to win. Strong identity proofing and session evidence matter because they establish who was present when consent was given.
Q: Who is accountable when merchant disputes push an acquirer into an excessive band?
A: Accountability does not stop at the merchant. Visa’s model pushes pressure up to the acquirer, which means portfolio management, merchant thresholds, and remediation oversight become shared responsibilities. Fraud operations, IAM, and payments governance need common reporting so one merchant’s behaviour does not damage the wider book.
Technical breakdown
How the VAMP Ratio turns authentication failures into enforcement exposure
VAMP uses a combined numerator of TC40 fraud reports and TC15 disputes divided by settled transactions. That design matters because a fraud event that later becomes a chargeback is counted twice, which means weak identity assurance compounds faster than under separate monitoring schemes. The model is especially unforgiving in card-not-present environments where the account, not the card, is the control point. Once an attacker gets into the account, stored payment methods and historical behaviour provide the trust signals that fraud models often misread as legitimate. Practical implication: security teams need telemetry that ties identity events to payment outcomes.
Practical implication: Map authentication events to dispute outcomes so the identity layer can be measured against chargeback exposure.
Why credential stuffing and account takeover drive VAMP risk
Most dispute-heavy fraud starts at login, not at payment. Credential stuffing gives attackers valid access, and once inside, they can add cards, reuse stored cards, or place purchases that look like normal customer activity. Because the behaviour is authenticated, traditional anomaly checks often lag behind the fraud. VAMP therefore punishes the point where identity assurance is weakest, not just the final payment event. Enumeration adds another layer, because even failed attempts contribute to the authorisation pattern Visa watches. Practical implication: login risk signals and transaction risk signals must be treated as one control surface.
Practical implication: Use login risk scoring and transaction controls as a single policy chain instead of separate fraud workflows.
Why authentication evidence is now dispute evidence
Under VAMP, merchants need proof that the right customer was present at the right moment. Passkeys, biometrics, device attestation, and verified step-up challenges create stronger evidence than simple password success or session continuity. The article’s underlying point is that dispute defence increasingly depends on the quality of identity binding at enrolment and at sensitive actions such as card addition or high-value checkout. That pushes authentication out of the user-experience lane and into governance. Practical implication: design identity proofing and step-up flows as evidentiary controls, not only friction controls.
Practical implication: Retain durable authentication evidence for card enrolment and sensitive checkout actions.
Threat narrative
Attacker objective: The attacker wants to convert legitimate customer identities into trusted payment paths that generate fraud, chargebacks, and portfolio pressure at scale.
- Entry occurs through credential stuffing at login, where attackers use leaked passwords to reach real customer accounts.
- Escalation follows when those accounts expose stored payment methods, saved addresses, and behavioural trust signals that let purchases look legitimate.
- Impact is measured as duplicated TC40 and TC15 events that raise the VAMP ratio and push merchants or acquirers into enforcement bands.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authentication evidence has become a payments control, not just an IAM control. VAMP treats disputed commerce as a consequence of identity assurance quality, which means login strength, step-up policy, and enrolment proof now influence financial exposure. The practical conclusion is that identity and payments teams can no longer optimise these controls in separate silos.
Card-not-present fraud is now a governance problem around account trust, not only a fraud-scoring problem. Credential stuffing, stored-card misuse, and friendly fraud all exploit the same weakness: the system cannot reliably distinguish genuine presence from inherited session trust. That pushes merchant controls toward stronger proof at the point of login, card enrolment, and high-value checkout.
Dispute ratios expose the identity layer’s hidden blast radius. VAMP collapses what used to be parallel monitoring programmes into one financial metric, so a weak account can create downstream acquirer pressure even when the original payment amount is small. The implication is that identity risk must be managed by transaction criticality, not by authentication event type alone.
Authentication is now a revenue integrity control with measurable downstream consequences. When a merchant cannot produce durable proof of customer presence, the dispute often becomes unwinnable even if the login was technically successful. Practitioners should treat identity proofing, step-up, and device binding as evidence generation for financial disputes, not merely fraud deterrence.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- For a deeper NHI lens, Ultimate Guide to NHIs , The NHI Market helps separate governance from tooling claims.
What this signals
Dispute governance is becoming an identity programme signal. When authentication quality drives financial enforcement, the teams that own login assurance, session risk, and step-up policy need the same visibility finance teams already expect from fraud. The practical shift is toward shared telemetry across IAM, fraud, and payments rather than isolated dashboards.
VAMP exposes a broader control gap in many identity programmes: evidence retention. Strong authentication alone is not enough if the organisation cannot later prove who was present when the transaction was authorised. That is why durable session records, device binding, and step-up logs become operational artefacts, not just security data.
According to The State of Secrets in AppSec, 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases. That same evidence gap will widen as customer-facing automation and fraud tooling become more adaptive, so identity governance must prepare for more dynamic trust decisions at checkout.
For practitioners
- Tie identity events to dispute telemetry Correlate login risk signals, card enrolment, step-up outcomes, and TC40/TC15 data so you can see which identity events create the most chargeback exposure. Use that view to set thresholds for sensitive actions such as stored-card use and high-value checkout.
- Require stronger verification on privileged payment actions Add step-up authentication for new device logins, card enrolment, stored-card checkout, and unusually high-value transactions. Treat those paths as privileged operations because they create the strongest dispute risk and the hardest-to-defend evidence gaps.
- Preserve authentication evidence for dispute defence Retain device signals, passkey or biometric assertions, and verified session records long enough to support chargeback disputes. Evidence at the point of consent matters more than post-incident explanations once the issuer begins review.
- Model acquirer thresholds before Visa enforcement arrives Build internal monitoring around the merchant Excessive threshold, the acquirer Excessive threshold, and monthly dispute counts so portfolio pressure is visible before formal notification. That gives fraud, IAM, and finance teams time to coordinate remediation.
Key takeaways
- Visa VAMP turns card-not-present dispute rates into a direct governance issue for identity, fraud, and payments teams.
- Credential stuffing, stored-card abuse, and weak evidence at checkout are the patterns most likely to inflate the combined fraud and dispute ratio.
- Durable authentication evidence and shared telemetry are now essential if merchants want to defend disputes and stay below enforcement thresholds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control drive VAMP exposure in CNP environments. |
| NIST SP 800-53 Rev 5 | IA-2 | Strong authentication is central to proving customer presence at high-risk payment events. |
| NIST SP 800-63 | SP 800-63B | Authenticator strength matters because dispute defence depends on reliable customer presence signals. |
| NIST Zero Trust (SP 800-207) | VAMP rewards continuous verification of user and device context before sensitive actions. |
Adopt phishing-resistant authenticators where the transaction value justifies stronger identity proof.
Key terms
- VAMP Ratio: The VAMP Ratio is Visa’s combined measure of fraud and dispute exposure in card-not-present commerce. It counts fraud reports and chargebacks in one numerator, so identity failures, payment misuse, and dispute outcomes all affect the same enforcement metric.
- Account Takeover: Account takeover is unauthorised access to a legitimate customer account using stolen credentials or session abuse. In payments, it matters because the attacker inherits stored cards, saved addresses, and trust signals that make fraudulent transactions look normal.
- Enumeration Ratio: The Enumeration Ratio measures how much authorisation traffic appears to be automated card testing. It captures both approved and declined attempts, which means even failed activity can create enforcement risk if the pattern shows systematic probing of checkout or payment APIs.
- Step-Up Authentication: Step-up authentication is additional verification triggered when risk increases during login or checkout. For payment flows, it becomes a governance control because it can both stop account abuse and create evidence that the right customer was present.
What's in the full article
Authsignal's full article covers the operational detail this post intentionally leaves for the source:
- The exact VAMP ratio formula and how TC40 and TC15 events are counted in practice.
- Threshold tables for merchant and acquirer classifications, including the fee bands and minimum volume triggers.
- Specific examples of how account takeover, stored-card abuse, and enumeration raise dispute exposure.
- Operational recommendations for step-up authentication, dispute defence, and monthly self-monitoring.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org