Visa Fraud Monitoring Program: Complete Guide for Merchants

The Visa Fraud Monitoring Program (VFMP) was replaced by VAMP in October 2025 — but fraud monitoring didn't go away. Under VAMP, fraud disputes now count alongside chargebacks in a single unified rate. Understanding how fraud monitoring works and how to reduce your fraud ratio is more important than ever.

VFMP is now VAMP

Visa merged VFMP and VDMP into a single programme (VAMP) effective October 2025. Fraud disputes (TC40) now count toward your VAMP rate alongside chargebacks. The 0.9% combined threshold applies to the sum of both.

What Was the Visa Fraud Monitoring Program?

The Visa Fraud Monitoring Program (VFMP) was Visa's standalone fraud tracking system, operating from 2001 until its replacement by VAMP in October 2025. VFMP monitored TC40 fraud dispute rates separately from chargebacks — a merchant could breach VFMP without breaching VDMP, and vice versa. VFMP had its own thresholds (typically 0.65% and 0.9%), its own fine schedule, and its own remediation framework.

Under VFMP, Visa tracked fraud disputes at the issuing bank level using TC40 data — internal reports filed by issuers when cardholders report fraud. TC40 reports precede the formal chargeback by days or weeks; they represent the issuer flagging a transaction as likely fraudulent in their internal systems. Merchants who received many TC40 reports on the same card or merchant category code (MCC) attracted Visa's attention for potential fraud facilitation.

VFMP is no longer active. If you are reading about VFMP because you are researching your current compliance obligations, the relevant programme is now VAMP. This guide explains the transition and focuses on what fraud monitoring looks like under VAMP in 2026.

How Fraud Monitoring Works Under VAMP

Under VAMP, fraud disputes (TC40-coded chargebacks) count toward your combined VAMP rate alongside standard consumer chargebacks. The calculation is: (chargebacks + fraud disputes) ÷ prior month transactions. Both types contribute equally to the single rate that Visa monitors.

This integration creates a new dynamic. Under the old VFMP structure, a merchant with low chargebacks but high fraud could stay below the chargeback threshold while only breaching the fraud threshold. Under VAMP, a merchant with 0.5% chargebacks and 0.5% fraud disputes has a combined rate of 1.0% — above the Standard threshold — even though neither metric alone would have triggered the old programmes.

Visa's intent is to prevent merchants from managing one metric at the expense of the other. Any meaningful fraud monitoring programme must now address both dispute types simultaneously. Fraud-reduction strategies that succeed at the expense of chargeback volume (such as blanket refund policies that convert disputes to friendly fraud) are counterproductive under VAMP.

What Is a TC40 Fraud Report?

A TC40 is an internal Visa data format used by issuing banks to report suspected fraud transactions to Visa's fraud monitoring system. TC40 reports are filed when a cardholder reports their card as compromised or used without authorisation. They are generated before the formal chargeback process begins — in many cases weeks before the merchant receives a chargeback notification.

TC40 reports do not themselves result in chargebacks. They are Visa's internal fraud intelligence. However, they feed the VAMP fraud ratio calculation: TC40 disputes for a given merchant and month are counted as fraud disputes in the VAMP rate. A high TC40 volume at your merchant account — even before the corresponding chargebacks arrive — may trigger early enquiries from your acquirer.

Merchants cannot directly access their own TC40 data. However, Visa's Rapid Dispute Resolution (RDR) programme and Verifi's Order Insight can partially offset TC40 impact by resolving disputes before they escalate to formal chargebacks. Chargeback alert services (Verifi, Ethoca) provide advance notice of cardholder fraud reports, creating a window for proactive action.

The Most Common Fraud Dispute Types

Fraud-coded disputes under VAMP primarily come through Visa reason code 10.4 (Other Fraud — Card-Absent Environment). This code covers card-not-present transactions where the cardholder claims the transaction was fraudulent. The main scenarios:

True Card-Not-Present Fraud

Stolen card credentials — obtained through data breaches, phishing, skimming, or dark web markets — are used to make purchases on your platform. The legitimate cardholder later discovers the transactions and disputes them. Without 3DS authentication, the merchant bears full liability for these disputes. This is the core case the fraud monitoring system was designed to catch.

Friendly Fraud Filed Under Fraud Codes

A significant proportion of Visa 10.4 disputes are not true fraud — they are legitimate cardholders claiming non-authorisation to access the dispute system's most favourable pathway. Filing under a fraud code typically gives the cardholder a stronger presumption of validity than filing under a consumer dispute code. Merchants must contest these with strong device, IP, and cardholder verification evidence. Visa's CE 3.0 framework was designed specifically to address this pattern.

Account Takeover Fraud

Criminals access legitimate customer accounts through credential stuffing or phishing, change the shipping address, and make purchases. The legitimate account holder disputes the transactions as fraudulent. These disputes are harder to contest because the account credentials were valid — the fraud is in the account takeover, not the transaction itself. Multi-factor authentication on account changes is the primary prevention.

3DS2: The Primary Tool for Fraud Liability Shift

3D Secure 2.0 is the single most impactful tool for reducing fraud-coded chargebacks. When a CNP transaction is successfully authenticated via 3DS2, liability for subsequent fraud disputes shifts from the merchant to the issuing bank. If the cardholder later claims the transaction was fraudulent, the chargeback goes to the issuer — not your VAMP ratio.

3DS2 authentication operates through a risk-based process: the payment network exchanges over 100 data points between the merchant, card scheme, and issuer in real time. For most low-risk transactions, authentication is frictionless — the cardholder sees nothing additional at checkout. For higher-risk transactions, the issuer may request a one-time code or biometric confirmation. Both frictionless and challenged authentications shift liability equally.

Implementation on major platforms: Stripe enables 3DS2 automatically on eligible Radar-scored transactions; Shopify Payments supports it by default on applicable card types; most payment gateways support it as a configuration change. EU merchants are required to use 3DS2 (SCA) on eligible transactions under PSD2 — making it both a compliance obligation and a fraud protection tool in EU markets.

The practical result of enabling 3DS2 on all eligible transactions: your Visa 10.4 exposure drops to near zero on authenticated orders. Authenticated transactions that are disputed as fraud are the issuer's liability, not yours. Over time, this structurally reduces both your fraud ratio and your VAMP rate.

Visa Compelling Evidence 3.0

For fraud chargebacks that cannot be prevented through 3DS authentication — legacy transactions, authentication failures, or orders where 3DS wasn't enabled — Visa Compelling Evidence 3.0 (CE 3.0) provides a powerful recovery mechanism.

CE 3.0 allows merchants to dispute a 10.4 chargeback by demonstrating that the same transaction data elements (device fingerprint and IP address) were present in at least two prior undisputed transactions at the same merchant within the past 120–365 days. If this evidence exists, liability shifts from merchant to issuer — the cardholder's "I didn't authorise this" claim is effectively overridden by historical evidence that their device and IP address have transacted with you before without dispute.

CE 3.0 win rates for well-documented submissions consistently exceed 70%. This makes it the highest-impact response strategy available for Visa 10.4 disputes. The prerequisite is that you collect and retain device fingerprint and IP address data at the point of checkout — which most modern payment stacks do by default.
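The matching rule described above can be run against your own order history before you file a response. The following is an added example, not Visa's or any processor's code: the `Txn` record, the sample data, the same-card requirement, and the reading of "120–365 days" as the age of the prior transaction are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Window from the page's "120-365 days", read here as the age of the prior
# transaction relative to the disputed one (an assumption).
MIN_AGE_DAYS, MAX_AGE_DAYS, REQUIRED_PRIORS = 120, 365, 2

@dataclass(frozen=True)
class Txn:
    txn_id: str
    card_token: str   # tokenised card reference, never the raw PAN
    day: date
    device_fp: str
    ip: str
    disputed: bool = False

def ce3_candidates(disputed, history):
    """Prior undisputed transactions whose device fingerprint AND IP both
    match the disputed one. Same-card matching is an assumption."""
    out = []
    for t in history:
        age = (disputed.day - t.day).days
        if (t.card_token == disputed.card_token and not t.disputed
                and MIN_AGE_DAYS <= age <= MAX_AGE_DAYS
                and t.device_fp == disputed.device_fp and t.ip == disputed.ip):
            out.append(t)
    return sorted(out, key=lambda t: t.day)

def ce3_eligible(disputed, history):
    return len(ce3_candidates(disputed, history)) >= REQUIRED_PRIORS

# Constructed sample data (documentation IP ranges, made-up fingerprints).
DISPUTED = Txn("t-900", "tok_A", date(2026, 3, 1), "fp-1a2b", "203.0.113.7", True)
HISTORY = [
    Txn("t-100", "tok_A", date(2025, 6, 10), "fp-1a2b", "203.0.113.7"),
    Txn("t-200", "tok_A", date(2025, 9, 15), "fp-1a2b", "203.0.113.7"),
    Txn("t-300", "tok_A", date(2026, 1, 20), "fp-1a2b", "203.0.113.7"),   # too recent
    Txn("t-400", "tok_A", date(2025, 8, 1), "fp-1a2b", "198.51.100.9"),   # IP differs
    Txn("t-500", "tok_A", date(2025, 7, 4), "fp-1a2b", "203.0.113.7", True),  # disputed
    Txn("t-600", "tok_B", date(2025, 10, 1), "fp-1a2b", "203.0.113.7"),   # other card
]

if __name__ == "__main__":
    for t in ce3_candidates(DISPUTED, HISTORY):
        print(t.txn_id, t.day, (DISPUTED.day - t.day).days, "days before dispute")
    print("CE 3.0 evidence available:", ce3_eligible(DISPUTED, HISTORY))
```

The rejected rows show why retention matters: a prior order only counts if both the fingerprint and the IP were stored for it and it was never disputed.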

Fraud Prevention Tools Beyond 3DS

3DS2 addresses fraud liability on authenticated transactions but doesn't prevent fraudulent transactions from being attempted. Additional fraud prevention tools reduce the volume of fraud orders that complete and subsequently produce chargebacks:

Address Verification Service (AVS) checks the billing address entered at checkout against the address registered with the card issuer. A mismatch is a fraud signal. Declining or flagging AVS-mismatched transactions reduces fraud order completion rates, particularly for card-testing patterns.

Card security code (CVV) verification requires the 3-digit CVV printed on the card. CVV data cannot be stored after authorisation (PCI DSS requirement), meaning it cannot be obtained from a data breach of stored card data. Requiring CVV significantly reduces the utility of stolen card numbers obtained through breaches.

Machine learning fraud scoring (Stripe Radar, Shopify Fraud Analysis, or third-party services) evaluates over 100 signals per transaction in real time: velocity patterns, device fingerprint, geolocation consistency, email domain risk, and more. Custom rules — country blocks, 3DS triggers for high-value orders, velocity limits — allow merchants to tune risk thresholds for their specific product and customer mix.

Velocity rules limit the number of transactions from a single IP, device, or card number in a defined time window. Card testing attacks (small transactions testing stolen credentials before larger fraudulent purchases) are identified and blocked by velocity limits before they complete.
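A velocity rule of this kind reduces to a sliding-window counter kept per IP, per device, and per card. The sketch below is an added example, not taken from Stripe Radar, Shopify, or any other product named here; the 10-minute window, the limit of 3, and the event data are assumed values chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed window, tune per business
LIMIT = 3                       # assumed max attempts per key per window

class VelocityLimiter:
    def __init__(self, window=WINDOW, limit=LIMIT):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)  # (dimension, value) -> attempt timestamps

    def check(self, ts, ip, device_fp, card_token):
        """Record one attempt; return the dimensions over the limit (empty = allow).
        Declined attempts still count, so a blocked source stays blocked."""
        tripped = []
        for dim, value in (("ip", ip), ("device", device_fp), ("card", card_token)):
            q = self.seen[(dim, value)]
            while q and ts - q[0] > self.window:   # drop attempts outside the window
                q.popleft()
            q.append(ts)
            if len(q) > self.limit:
                tripped.append(dim)
        return tripped

def run_sample():
    """Replay constructed events: one source cycling cards, one normal buyer."""
    t0 = datetime(2026, 3, 1, 12, 0, 0)
    events = [  # (id, offset seconds, ip, device fingerprint, card token)
        ("e1", 0, "203.0.113.50", "fp-x", "tok_1"),
        ("e2", 20, "203.0.113.50", "fp-x", "tok_2"),
        ("e3", 40, "203.0.113.50", "fp-x", "tok_3"),
        ("e4", 60, "203.0.113.50", "fp-x", "tok_4"),    # 4th attempt in a minute
        ("e5", 90, "198.51.100.20", "fp-y", "tok_9"),   # unrelated customer
        ("e6", 900, "203.0.113.50", "fp-x", "tok_5"),   # window has expired
    ]
    limiter = VelocityLimiter()
    return [(eid, limiter.check(t0 + timedelta(seconds=s), ip, fp, card))
            for eid, s, ip, fp, card in events]

if __name__ == "__main__":
    for eid, tripped in run_sample():
        print(eid, "BLOCK " + ",".join(tripped) if tripped else "allow")
```

Counting per card alone would miss this pattern, since each attempt uses a different card; the IP and device counters are what catch it.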

How to Respond to Fraud-Coded Chargebacks

When a fraud-coded dispute arrives and 3DS authentication was not used, the evidence required is different from consumer dispute evidence:

  • IP address geolocation record — showing the purchase IP is geographically consistent with the cardholder's billing address location
  • Device fingerprint — the browser/device used at checkout, ideally matching prior authenticated sessions on the same account
  • AVS match confirmation — the address entered at checkout matched the card's registered billing address
  • CVV match confirmation — the CVV was verified at checkout
  • Prior transaction history — prior purchases from the same card at your merchant with no prior disputes
  • Post-purchase cardholder interactions — any contact from the cardholder after the disputed transaction: delivery confirmation, support tickets, product usage, login activity
  • CE 3.0 evidence (if applicable) — two or more prior undisputed transactions with matching device fingerprint and IP address within the past 365 days

Visa 10.4 disputes without 3DS authentication and without CE 3.0-eligible prior transactions have lower win rates than consumer disputes with delivery confirmation. For high-volume merchants facing regular 10.4 losses, enabling 3DS2 is the structural fix — response strategy is a secondary lever.

Monitoring Your Fraud Ratio

Tracking your fraud ratio requires separating fraud-coded disputes (Visa 10.4, Mastercard 4840) from consumer disputes in your dispute reporting. Most payment processors label disputes by reason code in their dashboards. Some aggregate all disputes into a single count — if yours does, request a reason-code breakdown from your acquirer directly.

Track fraud ratio monthly and compare to the VAMP combined threshold. A fraud ratio of 0.4% combined with a chargeback ratio of 0.6% puts you above the 0.9% VAMP Standard threshold even though neither metric alone would trigger monitoring. Use our VAMP Ratio Calculator to evaluate your combined position.

Internal fraud ratio targets: maintain below 0.3% to give comfortable headroom within the combined VAMP threshold, assuming your chargeback ratio is also being managed actively. At 0.3% fraud + 0.5% chargebacks, you have a total rate of 0.8% — within the Standard threshold with meaningful buffer.
