Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Visa VAMP and dispute ratios: what IAM teams should change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Visa VAMP collapses fraud and chargeback handling into a single ratio, with merchant excessive thresholds now at 1.5% and acquirers facing fees at 0.7%, according to Authsignal. That shift makes authentication evidence, step-up controls, and dispute telemetry part of revenue protection, not just fraud operations.

NHIMG editorial — based on content published by Authsignal: What is Visa VAMP? Thresholds, fees, and how it affects your dispute ratio

By the numbers:

Questions worth separating out

Q: How should security teams reduce chargeback risk in card-not-present commerce?

A: Security teams should treat authentication as part of dispute prevention.

Q: Why do account takeovers create disproportionate dispute risk?

A: Account takeovers reuse a legitimate customer identity, so the purchases often look normal to fraud systems.

Q: What do teams get wrong about friendly fraud and first-party disputes?

A: Teams often treat friendly fraud as a pure chargeback issue, when it is also a proof problem.

Practitioner guidance

  • Tie identity events to dispute telemetry Correlate login risk signals, card enrolment, step-up outcomes, and TC40/TC15 data so you can see which identity events create the most chargeback exposure.
  • Require stronger verification on privileged payment actions Add step-up authentication for new device logins, card enrolment, stored-card checkout, and unusually high-value transactions.
  • Preserve authentication evidence for dispute defence Retain device signals, passkey or biometric assertions, and verified session records long enough to support chargeback disputes.

What's in the full article

Authsignal's full article covers the operational detail this post intentionally leaves for the source:

  • The exact VAMP ratio formula and how TC40 and TC15 events are counted in practice.
  • Threshold tables for merchant and acquirer classifications, including the fee bands and minimum volume triggers.
  • Specific examples of how account takeover, stored-card abuse, and enumeration raise dispute exposure.
  • Operational recommendations for step-up authentication, dispute defence, and monthly self-monitoring.

👉 Read Authsignal's analysis of Visa VAMP thresholds and dispute ratios →

Visa VAMP and dispute ratios: what IAM teams should change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Authentication evidence has become a payments control, not just an IAM control. VAMP treats disputed commerce as a consequence of identity assurance quality, which means login strength, step-up policy, and enrolment proof now influence financial exposure. The practical conclusion is that identity and payments teams can no longer optimise these controls in separate silos.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Who is accountable when merchant disputes push an acquirer into an excessive band?

A: Accountability does not stop at the merchant. Visa’s model pushes pressure up to the acquirer, which means portfolio management, merchant thresholds, and remediation oversight become shared responsibilities. Fraud operations, IAM, and payments governance need common reporting so one merchant’s behaviour does not damage the wider book.

👉 Read our full editorial: Visa VAMP turns dispute management into authentication governance



   
ReplyQuote
Share: