How do payment systems fine merchants for high levels of fraud? (Visa and MasterCard monitoring programs, consequences for merchants)

Student


A detailed analysis of Visa and Mastercard monitoring programs in the context of carding

Carding is a type of fraud in which criminals use stolen credit or debit card details to make unauthorized transactions. Carding is a serious threat to merchants, as high levels of such fraudulent transactions can lead to being caught in the monitoring programs of Visa and Mastercard payment systems, which entails fines, restrictions, and even a complete cessation of the ability to accept payments. In this answer, I will discuss in detail how Visa and Mastercard monitor carding fraud, what thresholds are applied, the stages of the monitoring programs, the consequences for merchants, and preventive measures. The answer is aimed at educational purposes in order to explain the mechanisms of work and help merchants minimize risks.

Carding context

Carding typically occurs in card-not-present (CNP) transactions, such as online purchases, where a physical card is not used and data is entered manually (e.g. card number, CVV, expiration date). Attackers obtain card data through phishing, database leaks, skimmers or darknet markets. For merchants, this manifests itself in the form of:
  • Fraudulent chargebacks: The cardholder disputes a transaction because they did not authorize it.
  • Enumeration attacks: Attackers test stolen card data en masse to determine valid combinations, which increases the number of declined transactions or small test purchases.
  • Account takeover (ATO): Fraudsters gain access to customer accounts and use saved payment methods.

Payment systems (Visa and Mastercard) track these activities through metrics such as fraud-to-sales ratio (share of fraudulent transactions to total sales) and chargeback ratio (share of chargebacks). If the indicators exceed the established thresholds, the merchant is included in monitoring programs, which entails financial and operational consequences.

Visa Monitoring Programs

Visa has consolidated its fraud and dispute monitoring programs into the Visa Acquirer Monitoring Program (VAMP), which became effective April 1, 2025. VAMP monitors both fraud (including carding) and disputes (chargebacks) for CNP transactions. The program focuses on two key metrics:
  1. VAMP ratio is a combined indicator of fraud and disputes.
  2. Enumeration ratio — the proportion of transactions associated with brute force attacks (card testing).

VAMP thresholds (2025):

Metric | Threshold (basis points, bps) | Minimum volume
VAMP ratio (fraud + disputes) | 100 bps (1%) | ≥1000 fraud/disputes per month
Enumeration ratio | 15 bps (0.15%) | ≥300,000 enumerated transactions per month

  • VAMP ratio is calculated as: (Number of fraud transactions [TC40] + disputes [TC15], minus exceptions) / Total number of transactions per month. TC40 are fraud codes that card issuers report through the Visa system (e.g. code 10.4 for carding). TC15 are dispute codes related to chargebacks.
  • The enumeration ratio takes into account attempts at mass testing of cards, which is typical for carding.

VAMP program stages:

  1. Advisory Period (notification period, until October 1, 2025):
    • The merchant receives a notification from the acquirer about exceeding the thresholds.
    • There are no penalties, but analysis and work to reduce fraud is required.
    • Objective: to give time for the implementation of anti-carding tools (e.g. 3D Secure).
  2. Workout Period (corrective, 1–4 months):
    • The merchant, together with the acquirer, develops a remediation plan.
    • Implementation of measures such as enhanced transaction verification, IP/geolocation filtering, or machine learning to identify suspicious transactions is required.
    • Reporting is mandatory, but fines are not yet applied.
  3. Enforcement Period (forced, from the 5th month):
    • If the merchant does not reduce fraud to threshold values, fines begin.
    • Fines (for 2025):
      • Standard level: $25,000 fixed + 10.5% liability for fraud chargebacks (code 10.5, simplified refund of funds to issuers).
      • Excessive level: $8 for each fraudulent/disputed transaction + monthly fines up to $100,000.
    • Critical Consequence: If a merchant remains in the program for more than 12 months, the acquirer is required to close their account, which effectively eliminates the ability to accept Visa cards.

How does carding affect VAMP:

  • Fraud chargebacks (TC40): Carding leads to an increase in chargebacks with a fraud code (e.g. 10.4 - "Card Absent Fraud"). This directly increases the VAMP ratio.
  • Enumeration: Brute force attacks, typical of carding, increase the enumeration ratio even if transactions are rejected, since Visa records the attempts.
  • Example: If a merchant processes 100,000 transactions per month, and 1,000 of them are fraud (including carding), the VAMP ratio will be 1% (1,000/100,000), which is already on the threshold. Add brute force attacks (e.g. 300,000 attempts), and the enumeration ratio will exceed 0.15%, automatically transferring the merchant to the program.

Mastercard Monitoring Programs

Mastercard uses the Excessive Fraud Merchant (EFM) Program to combat fraud, including carding, in CNP transactions. This program is part of the broader Acquirer Chargeback Monitoring Program. EFM focuses on fraud chargebacks and compliance with security standards such as 3D Secure.

EFM thresholds (2025):

Criterion | Threshold
Transaction volume | ≥1000 Mastercard transactions in the previous month
Fraud volume | ≥$50,000 in fraud chargebacks per month
Fraud ratio | ≥0.5% (fraud chargebacks / previous month's sales)
3D Secure compliance | <50% of transactions in regulated countries (or <10% in unregulated)

  • Fraud ratio is calculated as: (Number of fraud chargebacks in the current month) / (Total number of transactions in the previous month). For example, if there were 10,000 transactions last month and 50 fraud chargebacks in the current month, the ratio = 0.5%, which is already on the threshold.
  • 3D Secure compliance: Mastercard requires that in countries with regulated 3DS (e.g. EU) at least 50% of transactions be processed through 3D Secure, otherwise the risk of being caught by EFM increases.

Stages of the EFM program:

  1. Identification/Notification (1 month):
    • The acquirer automatically registers the merchant in the program when the thresholds are exceeded.
    • It is necessary to develop a remediation plan to combat carding (for example, implementation of 3DS, filtering by velocity checks).
    • There are no fines, but monitoring begins.
  2. Remediation (corrective, up to 6 months):
    • The merchant must reduce the fraud ratio below 0.5%.
    • Extension for 6 months is possible if progress is noticeable, but reporting is required (monthly plan updates).
    • Main focus: implementation of anti-carding tools such as machine learning for anomaly detection or tokenization.
  3. Enforcement (forced, from the 2nd month if there is no progress):
    • Fines depend on the length of stay in the program:
      Month in the program | Fine (USD)
      2–3 | $1,000–$5,000
      4–6 | $10,000–$25,000
      7+ | Up to $100,000 + $5 for each chargeback over 300
    • If a merchant is in both EFM and Excessive Chargeback Program (ECP), penalties are charged only under EFM.
    • Exit: 3 consecutive months with a fraud ratio of <0.5% - removal of fines and exit from the program.

How does carding affect EFM:

  • Fraud chargebacks: Carding leads to an increase in chargebacks with fraud codes (for example, Reason Code 4837 - "No Cardholder Authorization"). This is a key EFM metric.
  • 3D Secure non-compliance: If a merchant does not use 3DS for most transactions, the risk of carding increases as it is easier for fraudsters to make unauthorized payments.
  • Example: A merchant with 10,000 transactions last month and $50,000 in fraud chargebacks has a fraud ratio of 0.5% (50/10,000). If only 40% of transactions go through 3DS in the EU, he automatically gets into EFM.

Consequences for merchants

Being caught in VAMP or EFM programs due to carding has serious financial and operational consequences:
  1. Financial losses:
    • Fines: For Visa — from $25,000 + $8 per transaction; for Mastercard — up to $100,000 + $5 per chargeback. For a large merchant with thousands of fraud transactions per month, this can amount to millions of dollars.
    • Chargeback liability: The merchant is fully responsible for the refund of fraudulent transactions, which increases losses.
    • High fees: Once in the program, acquirers can transfer a merchant to the high-risk category, which increases processing fees (1–3% per transaction) and introduces rolling reserves (freezing 5–10% of revenue for 6–12 months).
  2. Reputational and operational risks:
    • MATCH list (Member Alert to Control High-Risk Merchants): Being blacklisted by Visa/Mastercard makes it difficult to open new accounts with other acquirers.
    • Termination: If a merchant does not exit the program within 12 months (Visa) or 6-12 months (Mastercard), the acquirer is required to close the merchant's account, which effectively removes the ability to accept cards.
    • Additional requirements: The merchant is required to implement expensive tools (3DS, fraud detection software), which requires investments in IT infrastructure.
  3. Long-term effects:
    • Moving to high-risk processors: These processors charge higher fees and often work with less reliable merchants, which increases operating costs.
    • Poor customer experience: Strict anti-carding measures (e.g. strict transaction checks) can lead to false declines, discouraging legitimate customers.
    • Legal risks: In the event of mass carding and data leaks, the merchant may face lawsuits from customers or regulators.

Carding prevention

To avoid getting into VAMP or EFM, merchants need to actively combat carding. Here are the key measures:
  1. Technological solutions:
    • 3D Secure (EMV 3DS): Mandatory implementation for CNP transactions, especially in the EU where regulation requires SCA (Strong Customer Authentication). 3DS shifts the responsibility for fraud to the issuer, reducing chargebacks.
    • Fraud detection tools: Use platforms such as Sift, Kount or Signifyd that use machine learning to analyze transactions (velocity checks, geolocation, behavioral patterns).
    • Tokenization: Replace card data with tokens to minimize the risk of leaks.
    • CVV/CVC verification: Verify security codes for all transactions.
    • IP and device fingerprinting: Monitor IP addresses and devices to identify suspicious patterns (e.g. multiple attempts from the same IP).
  2. Operational measures:
    • Real-time monitoring: Use acquirer dashboards to track fraud ratio and chargeback ratio. Goal: keep fraud <0.5% (Mastercard) and VAMP ratio <1% (Visa).
    • Velocity checks: Limit the number of transactions from one card or IP in a short period of time to block enumeration attacks.
    • Manual review: For high-risk transactions (e.g. large amounts or orders from countries with high fraud rates), perform a manual review.
  3. Cooperation with the acquirer:
    • Consult with your acquirer regularly for reports and recommendations.
    • Once you are accepted into the program, develop a remediation plan that includes specific steps (e.g. implementing 3DS within 3 months).
    • Participate in Visa/Mastercard risk management training programs.
  4. Customer experience:
    • Balance security measures and convenience. Overly strict checks can increase false declines, which reduces conversion (for example, legitimate transaction declines reduce revenue by 5-10%).
    • Educate clients on how to use 3DS to minimize disputes.

Sample Scenario

Situation: An online electronics store processes 50,000 transactions per month ($5 million). Of these, 600 transactions ($60,000) are marked as fraud due to carding (code 10.4 for Visa, 4837 for Mastercard). Fraud ratio = 1.2% (600/50,000), which exceeds the VAMP (1%) and EFM (0.5%) thresholds.

Consequences:
  • Visa (VAMP): The merchant enters the Advisory Period, receives a notice. Without correction, after 4 months, the penalties will begin: $25,000 + $8 for each of 600 transactions = $29,800 per month.
  • Mastercard (EFM): Store goes straight to Enforcement (month 2): $1,000–$5,000 fine. If not fixed within 6 months, fines increase to $25,000 + $5 for each chargeback over 300 (300 x $5 = $1,500).
  • Additional: Acquirer increases fees to 2.5% and introduces 10% rolling reserve. The store loses $125,000 monthly due to frozen funds.

Solution: The store implements 3D Secure (coverage of 80% of transactions), velocity checks (limitation of 3 attempts from one IP) and a fraud detection tool (Signifyd). After 3 months, the fraud ratio drops to 0.3%, the store exits EFM and avoids Enforcement in VAMP.

Conclusion

Carding creates significant risks for merchants, as high levels of fraud lead to inclusion in Visa (VAMP) and Mastercard (EFM) monitoring programs. These programs include strict thresholds (1% for Visa, 0.5% for Mastercard), remediation steps, and fines up to $100,000 + additional transaction fees. Consequences include financial losses, reputational risks, and potential account closure. To prevent carding, merchants need to implement 3D Secure, fraud detection tools, and cooperate with acquirers. Regular monitoring and prompt response will help avoid sanctions and save the business.

For up-to-date details, I recommend checking the rules on the official websites of Visa (visa.com) and Mastercard (mastercard.com) or consulting with the acquirer, as thresholds and penalties may be updated (for example, VAMP will tighten thresholds in 2026). If you have a specific case or need to analyze an example, write, and I will help!
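
The velocity check mentioned in the post (a cap of 3 attempts from one IP), sketched as merchant-side detection logic; this is an added example and not part of the original post. The class and function names, the 600-second window, the distinct-card limit and the sample attempts are assumptions constructed for illustration, and attempts are assumed to arrive in time order.

```python
from collections import defaultdict, deque


class VelocityCheck:
    """Sliding-window limiter keyed by client IP (hypothetical helper)."""
    # max_attempts=3 is the post's "3 attempts from one IP"; the 600 s window
    # and the limit of 2 distinct cards per IP are assumptions.
    def __init__(self, window=600, max_attempts=3, max_cards=2):
        self.window = window
        self.max_attempts = max_attempts
        self.max_cards = max_cards
        self.by_ip = defaultdict(deque)  # ip -> deque of (timestamp, card_token)

    def evaluate(self, ts, ip, card_token):
        """Return 'ok', 'ip_velocity' or 'card_testing' for one attempt."""
        seen = self.by_ip[ip]
        while seen and ts - seen[0][0] >= self.window:
            seen.popleft()  # drop attempts that fell out of the window
        # Record rejected attempts too, so a blocked client stays blocked
        # for as long as it keeps retrying inside the window.
        seen.append((ts, card_token))
        if len({card for _, card in seen}) > self.max_cards:
            return "card_testing"  # one IP cycling through many cards
        if len(seen) > self.max_attempts:
            return "ip_velocity"  # too many attempts from one IP
        return "ok"


# Constructed sample: (seconds, client IP, card token). Tokens stand in for
# card numbers so the limiter never holds PANs.
ATTEMPTS = [
    (0, "198.51.100.20", "tok_a"),
    (5, "203.0.113.7", "tok_1"),
    (7, "203.0.113.7", "tok_2"),
    (9, "203.0.113.7", "tok_3"),
    (11, "203.0.113.7", "tok_4"),
    (60, "198.51.100.20", "tok_a"),
    (120, "198.51.100.20", "tok_a"),
    (130, "198.51.100.20", "tok_a"),
    (800, "198.51.100.20", "tok_a"),
]


def run(attempts):
    check = VelocityCheck()
    return [check.evaluate(ts, ip, card) for ts, ip, card in attempts]


if __name__ == "__main__":
    print(run(ATTEMPTS))
```

Rejecting these attempts before they reach the acquirer matters because, as the post notes, enumeration attempts are counted even when the transactions are declined.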
 