Fraud and dispute monitoring programs
As part of your financial obligations to card networks, such as Visa and Mastercard, you need to ensure that disputes, which are called chargebacks and inquiries, and fraud in your store are kept at acceptable levels. If the number of disputes or the level of fraud exceeds the thresholds set by the card networks, then you might be placed in a dispute or fraud monitoring program. As part of these programs, you might incur monthly fines and additional fees.
Visa evaluates your activity monthly against the percentage thresholds established in their monitoring programs. If Visa places you in a program, then you're notified at your store owner's address. You have 12 months to meet the thresholds, or Visa can restrict your ability to accept Visa payments.
This guide outlines the Mastercard and Visa chargeback and fraud monitoring programs, early fraud warnings (EFWs), and previous chargeback and fraud monitoring programs that are retired.
Early fraud warnings (EFWs)
Early fraud warnings (EFWs) are messages from Visa's TC40 reports and Mastercard's System to Avoid Fraud Effectively (SAFE) reports that card issuers on these networks generate to flag payments that they suspect might be fraudulent. The networks require card issuers to report fraud, but that requirement doesn't affect an issuer's decision whether to initiate a dispute or not.
EFWs can occur on refunded transactions. The only scenario when a fraud report won't happen on a refunded transaction is when the refund is processed as a reversal, which needs to happen within 2 hours of the payment capture.
Although it's called an early fraud warning, it's possible to receive an EFW after you receive a fraud-related dispute on a charge. This is generally because the systems that the networks use to process EFWs are separate from the systems that they use to process disputes, and the systems aren't necessarily in sync.
Visa Acquirer Monitoring Program (VAMP)
VAMP identifies potential fraud based on certain ratios. If you meet both the VAMP ratio threshold and the VAMP enumeration ratio threshold, then you are placed on the monitoring program and notified that you are enrolled in VAMP. Extended enrollment in VAMP might result in your use of Shopify Payments being restricted.
Review the following information to understand the different types of ratios VAMP uses, and how they are calculated.
VAMP Ratio
The VAMP ratio is calculated by dividing the total number of fraud and non-fraud disputes initiated by your customers by the total number of transactions processed. Fraud disputes are defined using early fraud warning (EFW) data sourced from Visa's TC40 reporting. Non-fraud disputes occur when a customer initiates an inquiry or chargeback for reasons such as "Product not received", "Product unacceptable", or "Credit not processed". Visa places businesses in VAMP when their ratio reaches a minimum of 1,000 monthly combined fraud and non-fraud disputes.
VAMP Enumeration Ratio
The VAMP Enumeration Ratio is calculated by dividing the number of monthly enumerated transactions by the total number of transactions processed. Enumerated transactions occur when a fraudulent party enters combinations of card values such as Primary Account Number (PAN), card verification value (CVV2), expiration date, and postal code until they find a legitimate combination. Visa identifies businesses when their VAMP Enumeration Ratio reaches a minimum of 300,000 enumerated transactions.
VAMP ratios and related thresholds
Our banking partners notify Shopify if your ratios place you at risk for enrollment into VAMP. VAMP only enrolls accounts it classifies as Excessive when their counts and rates exceed certain thresholds. After the metric falls below the threshold, VAMP releases the account from the program.
Review the following information on the types of ratios and their thresholds.
Ratio type | Effective date | Threshold ratio or order amount |
---|---|---|
VAMP ratio | April 1, 2025 | 1.5% globally (0.9% in Latin America and Caribbean); 1,000 monthly combined fraud and non-fraud disputes |
VAMP ratio | January 1, 2026 | 0.9% globally (1.5% in Central Europe, the Middle East, and Africa); 1,000 monthly combined fraud and non-fraud disputes |
VAMP enumeration ratio | April 1, 2025 | 20%; 300,000 enumerated transactions |
VAMP fine schedule
When you exceed the VAMP Ratio or the VAMP Enumeration Ratio, you receive fines for disputes or transactions reported as fraud. You can receive fines for exceeding both ratios.
Effective date | Fine for exceeding VAMP ratio | Fine for exceeding VAMP enumeration ratio |
---|---|---|
April 1, 2025 | 10 USD for each dispute or transaction reported as fraud | 10 USD for each dispute or transaction reported as fraud |
January 1, 2026 | 10 USD for each dispute or transaction reported as fraud | 10 USD for each dispute or transaction reported as fraud |
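A monthly self-check against the VAMP ratio and enumeration thresholds from this section, as an added example that is not Shopify or Visa code. It assumes that a threshold is met only when both the percentage and the minimum count in the same table cell are reached, and the region keys `LAC` and `CEMEA` are hypothetical labels chosen for this example.

```python
from datetime import date

# Thresholds transcribed from the VAMP table on this page, in basis points
# (1% = 100 bps) so that comparisons use exact integer arithmetic.
# Region keys "LAC" and "CEMEA" are hypothetical labels for this example.
VAMP_RATIO_SCHEDULE = [
    # (effective date, global threshold, regional overrides)
    (date(2025, 4, 1), 150, {"LAC": 90}),    # Latin America and Caribbean
    (date(2026, 1, 1), 90, {"CEMEA": 150}),  # Central Europe, Middle East, Africa
]
VAMP_MIN_DISPUTES = 1_000
ENUM_EFFECTIVE = date(2025, 4, 1)
ENUM_RATIO_BPS = 2_000           # 20%
ENUM_MIN_TRANSACTIONS = 300_000


def ratio_threshold_bps(month, region=None):
    """Threshold in force for `month`; None before the first effective date."""
    in_force = None
    for effective, global_bps, overrides in VAMP_RATIO_SCHEDULE:
        if month >= effective:
            in_force = overrides.get(region, global_bps)
    return in_force


def _meets(count, total, bps):
    # count / total >= bps / 10_000, without floating point.
    return count * 10_000 >= bps * total


def _needed(total, bps, floor):
    # Smallest count that satisfies both the ratio and the minimum count.
    return max(floor, -(-bps * total // 10_000))


def evaluate_vamp(month, transactions, fraud_disputes, non_fraud_disputes,
                  enumerated, region=None):
    """Evaluate one month of Visa activity against both VAMP thresholds.

    Assumption: "meeting" a threshold means ratio >= percentage AND
    count >= the minimum count listed beside it.
    """
    if transactions <= 0:
        raise ValueError("transactions must be a positive count")
    combined = fraud_disputes + non_fraud_disputes
    bps = ratio_threshold_bps(month, region)
    result = {
        "vamp_ratio_pct": round(100 * combined / transactions, 3),
        "enumeration_ratio_pct": round(100 * enumerated / transactions, 3),
        "over_vamp_ratio": False,
        "over_enumeration_ratio": False,
        # Additional disputes this month before the VAMP ratio threshold is met.
        "disputes_headroom": None,
    }
    if bps is not None:
        result["over_vamp_ratio"] = (
            combined >= VAMP_MIN_DISPUTES and _meets(combined, transactions, bps))
        result["disputes_headroom"] = max(
            0, _needed(transactions, bps, VAMP_MIN_DISPUTES) - combined)
    if month >= ENUM_EFFECTIVE:
        result["over_enumeration_ratio"] = (
            enumerated >= ENUM_MIN_TRANSACTIONS
            and _meets(enumerated, transactions, ENUM_RATIO_BPS))
    return result


if __name__ == "__main__":
    # Constructed sample month, not real merchant data.
    print(evaluate_vamp(date(2026, 2, 1), 100_000, 500, 450, 0))
```
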
Visa Fraud Monitoring Program (VFMP) for 3D Secure transactions
Visa has a VFMP program specifically for US businesses who have excessive amounts of domestic 3D Secure fraud on their account. If you're based in the United States, then at the beginning of each month, Visa reviews your previous month's activity to determine if it exceeds their established thresholds. If the amount of 3D Secure fraud is over a certain volume or rate, then the liability for disputes is shifted to you, the business owner, instead of the card issuer.
VFMP volume and rate thresholds
US businesses are placed in the 3DS VFMP if they meet or exceed the thresholds on all of the following criteria:
- Fraud volume: The total amount of domestic Visa 3DS fraudulent transactions in USD.
- Fraud rate: The total percentage of fraudulent transactions compared to total domestic 3DS transactions.
VFMP warnings and penalties
Review the following information to understand the warnings you receive at each fraud volume and rate, and the related penalties.
Monitoring level | Fraud volume | Fraud rate | Penalties |
---|---|---|---|
Early warning | $50,000 USD | 0.5% | You receive no fines. Actions can be taken to reduce the amount of fraud before fines are applied. Learn more about early fraud warnings (EFWs). |
Standard | $75,000 USD | 0.9% | You receive no fines, but you lose liability shift for 3D Secure transactions. Liability shift isn't restored until the program is exited by reducing fraud levels and completing a 3-month tracking period. |
Visa merchant screening service (VMSS)
VMSS is Visa's database of Terminated Merchant Files (TMFs), which contains information about accounts that have been closed by credit card processors around the world for high chargebacks or violations of card brand rules.
Criteria for VMSS qualification
When a relationship ends between a business and a credit card processor, the processor determines whether the business meets the criteria to be placed on VMSS.
If any VMSS criteria are satisfied, then the processor must add information about the terminated business to VMSS.
VMSS qualitative criteria
The majority of VMSS reason codes involve breaches of card network rules, including illegal activity.
Code | Reason | Description |
---|---|---|
23 | Transaction laundering | The merchant or third party agent misrepresented the source of submitted transactions (unauthorized aggregation), or submitted transactions on behalf of another merchant (factoring). |
24 | Illegal transactions | The merchant or third party agent submitted unlawful and/or prohibited transactions into the payment system. |
25 | Visa risk compliance program identification | The merchant or third party agent was terminated at the acquirer's discretion after identification in a Visa risk compliance program and didn't adequately remediate. |
26 | Merchant collusion | The merchant or third party agent colluded to commit fraud. |
27 | Common point of purchase (CPP) | The merchant or third party agent was identified as a location where account data from legitimate transactions was compromised for use in subsequent fraudulent activity (including skimming) and didn't adequately remediate. |
28 | Fraud conviction | The principal owners of a merchant outlet or third party agent were convicted of a fraud crime. |
29 | Bankruptcy, liquidation, or insolvency | The merchant or third party agent cannot fulfill its financial obligations due to potential or actual bankruptcy, insolvency, or suspension of business operations. |
30 | Violation of merchant or third party agent agreement | The merchant or third party agent breached their agreement. |
31 | Violation of the Visa rules | The merchant or third party agent violated the Visa rules exposing the acquirer of the payment system to undue risk. |
32 | Account information security program non-compliance | The merchant or third party agent was non-compliant with the Payment Card Industry Data Security Standard (PCI DSS) or the Payment Application Data Security Standard (PA-DSS) requirements. |
33 | Account Data Compromise | The merchant or third party agent suffered a data breach, directly or indirectly resulting in an unauthorized disclosure of payment account and/or transaction information. |
34 | Merchant Identity Theft | The merchant application was submitted using principal owner or corporate officer information belonging to individuals that were never party to the merchant agreement. |
35 | Disqualification from the Visa payment system | Visa disqualified the merchant or third party agent from participating in the Visa payment system. |
VMSS quantitative criteria
Two VMSS reason codes have specific numeric thresholds defined by Visa for when processors must add accounts to the VMSS list.
These reason codes, which involve chargeback and fraud activity on an account, are the most common reasons for being added to VMSS, and can affect businesses that aren't engaged in illegal or rule-violating activity.
Code | Reason | Description |
---|---|---|
21 | Excessive Fraud | The merchant or third party agent submitted excessive fraudulent transactions ($250,000 USD fraud amount and 1.8 percent (180 basis points) fraud-to-sales amount ratio in any single month) into the payment system, and didn't adequately remediate. |
22 | Excessive Disputes | The merchant or third party agent generated excessive disputes (1,000 dispute count, and 1.8 percent (180 basis points) dispute-to-sales amount ratio in any single month) into the payment system, and didn't adequately remediate. |
Removal from VMSS
Shopify, or any other processor, typically can't remove an account's information from VMSS upon request. A processor can only remove a VMSS entry if the processor themselves added the business to VMSS in error.
Next steps if you're listed on VMSS
If you're listed on VMSS, then you might not be aware of this until you attempt to sign up for a new processor. VMSS is only used as an informational tool by processors during the application process. The presence of a VMSS listing often leads to an application being declined. If you are listed on VMSS, then you need to contact your previous processor to find out why your information was added to VMSS. VMSS criteria are determined by Visa, and processors are required to follow these criteria.
For example, Shopify can't remove a business that meets the excessive chargebacks criteria, even if the business resolves the issues leading to chargebacks.
Because of banking partner restrictions, Shopify generally can't process for businesses listed on VMSS unless extenuating circumstances apply, such as the case of a legitimate business that previously had their identity information stolen.
Mastercard Excessive Chargeback Program (ECP)
Businesses are placed in the ECP if they meet or exceed the thresholds on both of the following conditions:
- Dispute count: The total number of transactions that have been disputed.
- Dispute rate: The total percentage of disputed transactions compared to total transactions.
Review the following information to understand the different monitoring levels at each dispute count and rate, and the related penalties.
Monitoring level | Dispute count | Dispute rate | Penalties |
---|---|---|---|
ECM | 100-299 | 1.5%-2.99% | |
HECM | 300+ | 3% | |
Mastercard excessive fraud merchant (EFM) compliance program
Mastercard's process for determining if a business is placed into EFM is similar to their calculations for ECP, except that the fraud chargeback rate is calculated using only fraudulent chargebacks.
Businesses are placed in the EFM program if they meet or exceed the thresholds on all of the following criteria:
- Payment count: The total number of ecommerce Mastercard payments.
- Fraud volume: The total amount of fraudulent chargebacks in USD, calculated by using dispute reason codes 4837 and 4863.
- Fraud rate: The total percentage of fraudulent transactions compared to total transactions.
- 3DS rate: The total percentage of 3DS Mastercard payments compared to total payments.
Review the following information to understand the payment count, fraud volume, fraud chargeback rate, and total 3DS payment rate thresholds, and their related penalties.
Payment count greater than | Fraud volume greater than | Fraud chargeback rate greater than | Total 3DS rate less than | Penalties |
---|---|---|---|---|
1,000 or more | $50,000 USD or more | 0.50% or more | | |
Mastercard Alert to Control High-risk (MATCH)
MATCH is Mastercard's database of Terminated Merchant Files (TMFs). The database contains information about accounts that have been closed by credit card processors around the world for high chargeback rates or violations of card brand rules.
Criteria for MATCH qualification
When a relationship between a business and a credit card processor ends, the processor must determine whether the business meets the criteria to be placed on MATCH.
If any MATCH criteria are satisfied, then the processor must add information about the business to MATCH within one business day of termination or within one business day of the account becoming eligible for MATCH after termination.
MATCH qualitative criteria
The majority of MATCH criteria, or reason codes, involve breaches of card network rules, including illegal activity and collusion.
Code | Reason | Description |
---|---|---|
1 | Account data compromise | An occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of account data. |
2 | Common point of purchase | Account data is stolen at the merchant location and then used for fraudulent purchases at other merchant locations. |
3 | Laundering | The merchant was engaged in laundering activity. Laundering means that a merchant presented transaction records to its acquirer that weren't valid transactions for sales of goods or services between that merchant and a real cardholder. |
7 | Fraud conviction | There was a criminal fraud conviction of a principal owner or partner of the merchant. |
8 | Mastercard questionable merchant audit program | The merchant was determined to be a questionable merchant according to the criteria set forth in the Mastercard questionable merchant audit program. |
9 | Bankruptcy, liquidation, or insolvency | The merchant was unable or is likely to become unable to discharge its financial obligations. |
10 | Violation of Standards | With respect to a merchant reported by a Mastercard Acquirer, the merchant was in violation of one or more standards that describe procedures to be employed by the merchant in transactions in which cards are used, including, by way of example and not limitation, the standards for honoring all cards, displaying the marks, charges to cardholders, minimum or maximum transaction amount restrictions, and prohibited transactions set forth in Chapter 5 of the Mastercard Rules manual. |
11 | Merchant collusion | The merchant participated in fraudulent collusive activity. |
12 | PCI DSS non-compliance | The merchant failed to comply with Payment Card Industry (PCI) Data Security Standard (DSS) requirements. |
13 | Illegal transactions | The merchant was engaged in illegal transactions. |
14 | Identity theft | The acquirer has reason to believe that the identity of the listed merchant or its principal owners was unlawfully assumed for the purpose of unlawfully entering into a merchant agreement. |
MATCH quantitative criteria
Two MATCH reason codes have specific numeric thresholds defined by Mastercard for when processors must add accounts to MATCH.
These reason codes involve chargeback and fraud activity on an account and they're the most common reasons for being added to MATCH. These reason codes can affect businesses that are not engaged in illegal or rule-violating activity.
Code | Reason | Description |
---|---|---|
4 | Excessive chargebacks | With respect to a merchant reported by a Mastercard Acquirer, the number of Mastercard chargebacks in any single month exceeded 1% of the number of Mastercard sales transactions in the same month, and those chargebacks totaled $5,000 USD or more. |
5 | Excessive fraud | The merchant effected fraudulent transactions of any type (counterfeit or otherwise) meeting or exceeding the following minimum reporting standard: the merchant's fraud-to-sales dollar volume ratio was 8% or greater in a calendar month, and the merchant effected 10 or more fraudulent transactions totaling $5,000 USD or more in that calendar month. |
Additional information on excessive chargebacks and fraud
MATCH reason codes are separate from card brand chargeback and fraud monitoring programs operated by Visa and Mastercard. The excessive chargebacks criteria only apply to activity on Mastercard cards, even though MATCH is required by all major card networks.
If dispute activity doesn't take place on a Mastercard card, then it doesn't factor into MATCH rates. Other card networks may ask for businesses to be listed on MATCH if those businesses hit the "excessive" stages of their card brand monitoring programs or are fined as part of those programs.
When evaluating MATCH eligibility, processors look at all transactions and chargebacks that occurred within the same calendar month, regardless of when the original transaction took place.
When a business meets the excessive chargebacks or fraud MATCH criteria in a calendar month, the merchant must be added to MATCH if the processing relationship is terminated, even if the processing relationship is not ended in that calendar month.
For example, if a business meets MATCH criteria only in February, and the processing relationship ends in September, then the processor is still required to add information to MATCH even though the qualifying activity took place in February.
If a business doesn't meet MATCH criteria when the relationship is initially terminated, then it can still qualify for MATCH if the criteria are met afterward. For example, if chargebacks are initiated after termination, then the business can be added to MATCH.
Example qualification data
Review the following example of transactions and chargebacks during one calendar month:
- Number of Mastercard transactions: 125
- Number of Mastercard chargebacks: 6
- Ratio of chargebacks to transactions: (6/125) = 4.8%
- Volume of Mastercard chargebacks: $6,250
In this case, the business would qualify for MATCH for excessive chargebacks if the processing relationship later terminates. It doesn't matter if chargebacks are later reversed or won by the merchant.
There is no minimum number of chargebacks for MATCH qualification for excessive chargebacks.
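The month-by-month evaluation described above for MATCH reason codes 4 and 5, as an added example that is not Shopify or Mastercard code. The `MonthActivity` record, the function names, the month labels, and every sample figure other than the 125 transactions, 6 chargebacks, and $6,250 from the example are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MonthActivity:
    """One calendar month of Mastercard activity; money is in US cents."""
    month: str              # "YYYY-MM"
    sales_count: int
    sales_cents: int
    chargeback_count: int   # chargebacks received in the month, even if later won
    chargeback_cents: int
    fraud_count: int = 0
    fraud_cents: int = 0


MIN_VOLUME_CENTS = 5_000 * 100   # $5,000 USD, used by both reason codes
MIN_FRAUD_COUNT = 10


def reason_codes(m):
    """Return the quantitative MATCH reason codes (4, 5) met in month `m`."""
    codes = []
    # Code 4: chargeback count exceeded 1% of the sales count, and the
    # chargebacks totaled $5,000 or more. Cross-multiplying avoids dividing
    # by zero in a month with chargebacks but no sales (after termination).
    if (m.chargeback_count * 100 > m.sales_count
            and m.chargeback_cents >= MIN_VOLUME_CENTS):
        codes.append(4)
    # Code 5: fraud-to-sales dollar ratio of 8% or greater, with 10 or more
    # fraudulent transactions totaling $5,000 or more.
    if (m.fraud_cents * 100 >= 8 * m.sales_cents
            and m.fraud_count >= MIN_FRAUD_COUNT
            and m.fraud_cents >= MIN_VOLUME_CENTS):
        codes.append(5)
    return codes


def listing_obligation(history):
    """Map each qualifying month to its reason codes.

    A non-empty result means the processor must list the business when the
    relationship ends, however long after the qualifying month that happens.
    Assumption: every month in `history` is in scope; the page states no
    look-back limit.
    """
    qualifying = {}
    for m in history:
        codes = reason_codes(m)
        if codes:
            qualifying[m.month] = codes
    return qualifying


# Constructed history. February carries the figures from the example above;
# its sales amount is not given on the page and is made up here.
HISTORY = [
    MonthActivity("2024-01", 200, 4_000_000, 1, 8_000),
    MonthActivity("2024-02", 125, 3_000_000, 6, 625_000),
    # 2% chargeback rate but only $900 in volume: does not qualify.
    MonthActivity("2024-03", 150, 3_500_000, 3, 90_000),
]

if __name__ == "__main__":
    print(listing_obligation(HISTORY))
```
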
Information added to MATCH
The card networks require that the following information be added to MATCH if available:
- Business legal name and doing business as (DBA) name
- Business address
- Business phone number
- Business tax ID
- Business URL
- Principal owner name
- Principal owner address
- Principal owner phone number
- Principal owner tax ID
- Account opening date and termination date
- MATCH reason code
Mastercard doesn't assess the accuracy of MATCH listings.
Removal from MATCH
The payment processor can't remove an account's information from MATCH upon request. A processor can only remove a MATCH entry in the following circumstances:
- If the processor added the business to MATCH in error.
- If the listing is for MATCH reason code 12 PCI DSS and the processor has confirmed that the business has become compliant with the PCI DSS.
If you believe either of those two situations exist, then you need to reach out to the processor that listed your information on MATCH to be removed. Records remain on the MATCH system for five years before being automatically purged by Mastercard.
What to do if you're listed on MATCH
If you're listed on MATCH, then you're notified when you attempt to sign up for a new processor. MATCH is only used as an informational tool by processors during the application process but the presence of a MATCH listing often means that an application is declined.
You need to reach out to your previous processor to find out why your information was added to MATCH. MATCH criteria are determined by Mastercard, and processors are required to follow these criteria. For example, Shopify cannot remove a merchant that met the "excessive chargebacks" criteria, even if the business has remediated the issues leading to chargebacks.
Due to banking partner restrictions, Shopify generally cannot process for businesses listed on MATCH unless extenuating circumstances apply, such as the case of a legitimate merchant who previously had their identity information stolen.
Retired dispute and fraud monitoring programs
The following information relates to the disputes and fraud monitoring programs Visa and Mastercard previously used, before introducing VAMP.
Visa Dispute Monitoring Program (VDMP)
The VDMP applies to businesses with an unusually high level of chargebacks on their account. At the beginning of each month, Visa reviews your previous month's activity to determine if it exceeds their established thresholds.
Businesses are placed in the VDMP if they meet or exceed both of the following thresholds:
- Dispute count: The total number of transactions that have been disputed.
- Dispute rate: The total percentage of disputed transactions compared to total transactions.
Review the following information to understand the monitoring levels for different dispute volumes and rates, and the related penalties.
Monitoring level | Dispute count | Dispute rate | Penalties |
---|---|---|---|
Early warning | 75 | 0.65% | No fines. Actions can be taken to reduce the amount of disputes before fines start to be applied. Learn more about EFWs. |
Standard | 100 | 0.9% | 1-4 months: No fines. 5-9 months: $50 USD for each dispute. 10-11 months: $50 USD for each dispute. Businesses outside the European Union are subject to a $25,000 USD review fee. Businesses might be subject to an audit. 12+ months: $50 USD for each dispute. Businesses are subject to a $25,000 USD review fee. Businesses might be subject to an audit. After 12 months, businesses in this program are eligible for disqualification by Visa. If you're disqualified, then you can no longer process Visa payments. |
Excessive | 1,000 | 1.8% | 1-6 months: $50 USD for each dispute. 7-11 months: $50 USD for each dispute. Businesses outside the European Union may be subject to a $25,000 USD review fee. 10-11 months: $50 USD for each dispute. Businesses outside the European Union may be subject to a $25,000 USD review fee. 12+ months: $50 USD per dispute. Businesses may be subject to a $25,000 USD review fee. After 12 months, businesses are eligible for disqualification by Visa. If you're disqualified, then you can no longer process Visa payments. |
Visa Fraud Monitoring Program
The VFMP applies to businesses who have excessive amounts of fraud on their account. Fraud is defined as a transaction that isn't authorized by the cardholder. This isn't the same as a chargeback, though fraudulent transactions often lead to a chargeback issued by the cardholder. At the beginning of each month, Visa reviews your previous month's activity to determine if it exceeds their established thresholds.
Businesses are placed in the VFMP if they meet or exceed both of the following threshold criteria:
- Fraud volume: The total amount of fraudulent transactions in USD.
- Fraud rate: The total percentage of fraudulent transactions compared to total transactions.
Review the following information to understand the different monitoring levels at each fraud volume and rate, and the related penalties.
Monitoring level | Fraud volume | Fraud rate | Penalties |
---|---|---|---|
Early warning | $50,000 USD | 0.65% | You receive no fines. You can take certain actions to reduce the amount of fraud before fines start to be applied. Learn more about EFWs. |
Standard | $75,000 USD | 0.9% | US businesses lose liability shift for 3D Secure transactions immediately. Businesses in other countries and regions lose liability shift at month 5. Liability shift isn't restored until the program is exited by reducing fraud levels and completing the 3-month tracking period. 1-4 months: No fines. 5-6 months: $25,000 USD. 7-9 months: $50,000 USD. 10-12 months: $75,000 USD. After 12 months, businesses are eligible for disqualification by Visa. If you're disqualified, then you can no longer process Visa payments. |
Excessive | $250,000 USD | 1.8% | Businesses outside of the US lose liability shift for 3D Secure transactions immediately. Liability shift isn't restored until the program is exited by reducing fraud levels and completing the 3-month tracking period. 1-3 months: $10,000 USD. 4-6 months: $25,000 USD. 7-9 months: $50,000 USD. 10-12 months: $75,000 USD. 12+ months: $75,000+ USD. After 12 months, businesses are eligible for disqualification by Visa. If you're disqualified, then you can no longer process Visa payments. |
Visa Fraud Monitoring Program for digital goods businesses
Visa also has a VFMP program specifically for businesses that sell digital goods. This program affects businesses with the following business category codes:
- 5735 — Record Stores
- 5815 — Digital Goods Media — Books, Movies, Digital artwork/images, Music
- 5816 — Digital Goods — Games
- 5817 — Digital Goods — Applications (Excludes Games)
- 5818 — Digital Goods — Large Digital Goods Merchants
At the beginning of each month, Visa reviews your previous month's activity to determine if it exceeds their established thresholds.
Businesses are placed in the digital goods VFMP if they meet or exceed the thresholds on all of the following criteria:
- Fraud volume: The total amount of fraudulent transactions in USD.
- Fraud count: The total number of fraudulent transactions.
- Fraud rate: The total percentage of fraudulent transactions compared to total transactions.
Review the following information to understand the different monitoring levels at each fraud volume and rate, and the related penalties.
Monitoring level | Fraud volume | Fraud count | Fraud rate | Penalties |
---|---|---|---|---|
Early warning | $15,000 USD | 150 | 0.45% | You receive no fines. You can take certain actions to reduce the amount of fraud before fines start to be applied. Learn more about EFWs. |
Standard | $25,000 USD | 300 | 0.9% | Businesses lose liability shift for 3D Secure transactions at month 5. Liability shift isn't restored until the program is exited by reducing fraud levels and completing the 3-month tracking period. 1-4 months: No fines. 5-6 months: $25,000 USD. 7-9 months: $50,000 USD. 10-12 months: $75,000 USD. 12+ months: $75,000 USD. After 12 months, businesses are eligible for disqualification by Visa. If you're disqualified, then you can no longer process Visa payments. |