Fraud and dispute monitoring programs

As part of your financial obligations to card networks, such as Visa and Mastercard, you need to keep disputes, including chargebacks and inquiries, and fraud in your store at acceptable levels. If disputes or fraud exceed card network thresholds, then you might be placed in a monitoring program and incur monthly fines or additional fees. Learn more about Shopify Payments risk standards and card network thresholds.

If you use Shopify Payments, then you can monitor your chargeback rate in the Shopify admin to review recent chargeback activity and take steps to reduce future chargebacks.

This guide outlines Mastercard and Visa chargeback and fraud monitoring programs, early fraud warnings (EFWs), and high-risk merchant lists.

Early fraud warnings (EFWs)

Early fraud warnings (EFWs) are messages from Visa's TC40 reports and Mastercard's System to Avoid Fraud Effectively (SAFE) reports that card issuers on these networks generate to flag payments that they suspect might be fraudulent. The networks require card issuers to report fraud, but that requirement doesn't affect an issuer's decision whether to initiate a dispute or not.

EFWs can occur on refunded transactions. The only scenario when a fraud report won't happen on a refunded transaction is when the refund is processed as a reversal that was processed within 2 hours of the payment capture.

Although it's called an early fraud warning, it's possible to receive an EFW after you receive a fraud-related dispute on a charge. This is generally because the systems that the networks use to process EFWs are separate from the systems that they use to process disputes, and the systems aren't necessarily in sync.

Monitoring program calendars

Each monitoring program evaluates your store on a recurring schedule. Understanding how the networks count time helps you connect a program notification to the activity that triggered it, and anticipate when your next evaluation occurs.

How activity is assigned to a month

A dispute or fraud report is assigned to the month in which the network receives it, regardless of when the original payment was processed. For example, a chargeback raised in February on a payment captured in January counts toward February's activity.

The following terms describe the timeline:

Terms used to describe monitoring program timelines.
TermDefinition
Data monthThe month in which a network receives a dispute or fraud report.
Report monthThe month in which a program identifies your store as exceeding a threshold. This is usually the month after the data month that contains the qualifying activity.

Because of this, you're typically notified in the month after the activity that placed you in a program occurred.

How each network calculates your rate

Visa and Mastercard evaluate your activity monthly, but they use different reference months to calculate your rate:

  • Visa (VAMP and Visa Secure): Each month, Visa calculates your count, ratio, and volume from the previous month's data, and identifies your store based on that data. For Visa Secure, an early fraud warning (EFW) belongs to the month in which the underlying TC40 fraud report was received, not the month the original payment was captured. For example, February's calculation includes 3D Secure payments captured in February and EFWs reported in February, even if some of those fraudulent payments were originally captured in January.
  • Mastercard (ECP and EFM): Mastercard refers to two different data months, one for disputes and the other for sales. Your rate for the current month is your dispute or fraud chargeback count for the current month divided by your total captured payments from the preceding month. A chargeback belongs to the month in which it's raised. For example, February's ECP calculation uses payments captured in January and chargebacks raised in February.

Some regional programs use a different cadence. For example, AusPayNet in Australia tracks activity by quarter rather than by month.

Visa Acquirer Monitoring Program (VAMP)

VAMP identifies potential fraud based on certain ratios. If you meet the VAMP ratio threshold, or the VAMP enumeration ratio threshold, then you're placed on the monitoring program and notified that you're enrolled in VAMP. If you have an extended period of enrollment in VAMP, then your use of Shopify Payments might be restricted.

Review the following information to understand the different types of ratios VAMP uses, and how they're calculated.

VAMP count

The VAMP count is the total number of disputes and fraud on your account, excluding Point of Sale transactions. The count includes the following two components:

  • Disputes: All payment disputes, both fraudulent and non-fraudulent, as identified by Visa's TC15 reporting. This includes chargebacks and inquiries.
  • Fraud: Early fraud warnings (EFWs) sourced from Visa's TC40 reports. Fraud transactions can escalate to chargebacks and can occur on refunded transactions.

VAMP ratio

The VAMP ratio is calculated by dividing the VAMP count by the total count of all captured payments. Fraud notices are defined using early fraud warning (EFW) data sourced from Visa's TC40 reporting. Disputes occur when a customer initiates an inquiry or chargeback. Some of the potential reasons a customer might initiate an inquiry or chargeback include suspected fraud, when the product they paid for isn't received, or when a product is received but is damaged.

VAMP enumeration ratio

The VAMP Enumeration Ratio is calculated by dividing the number of monthly enumerated transactions by the count of authorization transactions. Enumerated transactions occur when a fraudulent party enters combinations of card values such as Primary Account Number (PAN), card verification value (CVV2), expiration date, and postal code until they find a legitimate combination.

VAMP ratios and related thresholds

Our banking partners notify Shopify if your ratios place you at risk for enrollment into VAMP. VAMP enrolls accounts when Visa classifies them as Excessive after their counts, rates, or volume exceed certain thresholds. After the metric falls below the threshold, VAMP releases the account from the program.

Review the following information on the types of VAMP ratios and their thresholds.

Information on the types of VAMP ratios and their thresholds.
CriteriaNon-compliant thresholdExcessive threshold
VAMP count5150 in Central Europe, the Middle East, and Africa
1,500 elsewhere
VAMP ratio0.5%2.2% in Central Europe, the Middle East, and Africa
1.5% elsewhere
VAMP volumeN/A$75,000 USD in Central Europe, the Middle East, and Africa
N/A elsewhere

Visa identifies businesses for VAMP enumeration monitoring when they meet or exceed both of the following thresholds:

Information on the VAMP enumeration monitoring thresholds.
CriteriaThreshold
VAMP enumeration count300,000 enumerated transactions
VAMP enumeration ratio20%

Visa doesn't assess fines for VAMP enumeration monitoring.

Visa Secure Excessive Fraud Program (US-only)

The Visa Secure Excessive Fraud Program applies to US businesses with excessive domestic 3D Secure fraud.

You're placed in this program if you meet or exceed both of the following monthly thresholds:

  • Fraud volume: $75,000 USD, which is the total USD value of Early Fraud Warnings on Visa 3D Secure-authenticated payments.
  • Fraud rate: 0.9%, which is the EFW volume divided by the total USD value of all captured Visa 3D Secure-authenticated payments.

Visa counts an EFW in the month its TC40 report is received, not the month the payment was captured. There's no monetary fine, but you lose liability shift on domestic 3D Secure transactions until you fully exit the program by bringing fraud back below the thresholds.

Mastercard monitoring programs

Mastercard's Excessive Chargeback Program (ECP) consists of two levels: Excessive Chargeback Merchant (ECM) and High Excessive Chargeback Merchant (HECM). The Excessive Fraud Merchant (EFM) Compliance Program is a separate program that applies to businesses in all supported countries besides Germany, India, and Switzerland.

Mastercard removes you from a program when your chargebacks drop below the program threshold for 3 consecutive months. If you're in HECM, and your chargebacks drop below the HECM threshold but still meet the ECM threshold, then you move to the ECM level.

Mastercard Excessive Chargeback Program (ECP)

Businesses are placed in the ECP if they meet or exceed the thresholds on both of the following conditions:

  • Dispute count: The total number of transactions that have been disputed.
  • Dispute rate: The total percentage of disputed transactions compared to total transactions.

Review the following information to understand the different monitoring levels at each dispute count and rate, and the related penalties.

Descriptions of monitoring levels in Mastercard's chargeback monitoring programs.
Monitoring levelDispute countDispute ratePenalties
ECM100-2991.5%-2.99%
  • 1 month: No fines.
  • 2 months: $1,000 USD.
  • 3 months: $1,000 USD.
  • 4-6 months: $5,000 USD, plus issuer recovery assessment.
  • 7-11 months: $25,000 USD, plus issuer recovery assessment.
  • 12-18 months: $50,000 USD, plus issuer recovery assessment.
  • 19+ months: $100,000 USD, plus issuer recovery assessment.
After 4 months, businesses are subject to issuer recovery assessment. This assessment adds an additional $5 USD fee for every chargeback after your 300th chargeback in a month.
HECM300+3%
  • 1 month: No fines.
  • 2 months: $1,000 USD.
  • 3 months: $2,000 USD.
  • 4-6 months: $10,000 USD, plus issuer recovery assessment.
  • 7-11 months: $50,000 USD, plus issuer recovery assessment.
  • 12-18 months: $100,000 USD, plus issuer recovery assessment.
  • 19+ months: $200,000 USD, plus issuer recovery assessment.
After 4 months, businesses are subject to issuer recovery assessment. This assessment adds an additional $5 USD fee for every chargeback after your 300th chargeback in a month.

You can ask Mastercard to suspend an assessed fine one time during an open case. However, only do so if you're confident that you'll be below the threshold to exit the program for the next 3 months. If you request a suspension of fines and fall below the threshold for 2 months, but exceed it in the following month, fine assessments continue until you exit the program.

Mastercard excessive fraud merchant (EFM) compliance program

Mastercard's process for determining if a business is placed into EFM is similar to their calculations for ECP, except that the fraud chargeback rate is calculated using only fraudulent chargebacks.

Businesses are placed in the EFM program if they meet or exceed the thresholds on all of the following criteria:

  • Payment count: The total number of ecommerce Mastercard payments.
  • Fraud volume: The total amount of fraudulent chargebacks in USD, calculated by using dispute reason codes 4837 and 4863.
  • Fraud rate: The total percentage of fraudulent transactions compared to total e-commerce transactions.
  • 3DS rate: The total percentage of 3DS Mastercard payments compared to total payments.

Review the following information to understand the different payment count, fraud volume, fraud chargeback rate, total 3DS payment rates thresholds, and their related penalties.

Description of monitoring in the EFM.
Payment count equal to or greater thanFraud volume greater thanFraud chargeback rate greater thanTotal 3DS rate less than or equal toPenalties
1,000 or more$50,000 USD or more
$15,000 USD or more for Australia
0.50% or more
0.20% or more for Australia
  • 10% of total Mastercard count (non-regulated countries)
  • 50% of total Mastercard count (regulated countries)
  • 1 month: No fines.
  • 2 months: $500 USD.
  • 3 months: $1,000 USD.
  • 4-6 months: $5,000 USD.
  • 7-11 months: $25,000 USD.
  • 12-18 months: $50,000 USD.
  • 19+ months: $100,000 USD.

You can ask Mastercard to suspend an assessed fine one time during an open case. However, only do so if you're confident that you'll be below the threshold to exit the program for the next 3 months. If you request a suspension of fines and fall below the threshold for 2 months, but exceed it in the following month, fine assessments continue until you exit the program.

High-risk merchant lists

VMSS and MATCH are Terminated Merchant Files (TMFs), which are databases of accounts that processors worldwide have closed for high chargebacks or card network rule violations. Processors check these lists when onboarding new businesses and must add a business that meets the criteria when its account is closed. A listing often causes a new processor application to be declined.

Mastercard Alert to Control High-risk (MATCH)

MATCH is Mastercard's database of terminated merchant files (TMFs). The database contains information about accounts that have been closed by credit card processors around the world for high chargeback rates or violations of card brand rules.

Criteria for MATCH qualification

When a relationship between a business and a credit card processor ends, the processor must determine whether the business meets the criteria to be placed on MATCH.

If any MATCH criteria are satisfied, then the processor must add information about the business to MATCH within one business day of termination or within one business day of the account becoming eligible for MATCH after termination.

MATCH qualitative criteria

The majority of MATCH criteria, or reason codes, involve breaches of card network rules, including illegal activity and collusion.

This table displays a list of MATCH reason codes and their descriptions.
CodeReasonDescription
1Account data compromiseAn occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of account data.
2Common point of purchaseAccount data is stolen at the merchant location and then used for fraudulent purchases at other merchant locations.
3LaunderingThe merchant was engaged in laundering activity. Laundering means that a merchant presented transaction records to its acquirer that weren't valid transactions for sales of goods or services between that merchant and a real cardholder.
7Fraud convictionThere was a criminal fraud conviction of a principal owner or partner of the merchant.
8Mastercard questionable merchant audit programThe merchant was determined to be a questionable merchant according to the criteria set forth in the Mastercard questionable merchant audit program.
9Bankruptcy, liquidation, or insolvencyThe merchant was unable or is likely to become unable to discharge its financial obligations.
10Violation of StandardsWith respect to a merchant reported by a Mastercard Acquirer, the merchant was in violation of one or more standards that describe procedures to be employed by the merchant in transactions in which cards are used, including, by way of example and not limitation, the standards for honoring all cards, displaying the marks, charges to cardholders, minimum or maximum transaction amount restrictions, and prohibited transactions set forth in Chapter 5 of the Mastercard Rules manual.
11Merchant collusionThe merchant participated in fraudulent collusive activity.
12PCIDSS non-complianceThe merchant failed to comply with Payment Card Industry (PCI) Data Security Standard (DSS) requirements.
13Illegal transactionsThe merchant was engaged in illegal transactions.
14Identity theftThe acquirer has reason to believe that the identity of the listed merchant or its principal owners was unlawfully assumed for the purpose of unlawfully entering into a merchant agreement.

MATCH quantitative criteria

Two MATCH reason codes have specific numeric thresholds defined by Mastercard for when processors must add accounts to MATCH.

These reason codes involve chargeback and fraud activity on an account and they're the most common reasons for being added to MATCH. These reason codes can affect businesses that are not engaged in illegal or rule-violating activity.

This table lists the two most common reason codes that are applied when a merchant is placed on MATCH and their descriptions.
CodeReasonDescription
4Excessive chargebacksWith respect to a merchant reported by a Mastercard Acquirer, the number of Mastercard chargebacks in any single month exceeded 1% of the number of Mastercard sales transactions in the same month, and those chargebacks totaled $5,000 USD or more.
5Excessive fraudThe merchant effected fraudulent transactions of any type (counterfeit or otherwise) meeting or exceeding the following minimum reporting standard: the merchant's fraud-to-sales dollar volume ratio was 8% or greater in a calendar month, and the merchant effected 10 or more fraudulent transactions totaling $5,000 USD or more in that calendar month.

Additional information on excessive chargebacks and fraud

MATCH reason codes are separate from card brand chargeback and fraud monitoring programs operated by Visa and Mastercard. The excessive chargebacks criteria only applies to activity on Mastercard cards, even though MATCH is required by all major card networks.

If dispute activity doesn't take place on a Mastercard card, then it doesn't factor into MATCH rates. Other card networks might ask for businesses to be listed on MATCH if those businesses hit the excessive stages of their card brand monitoring programs or are fined as part of those programs.

When evaluating MATCH eligibility, processors review all transactions and chargebacks that occurred within the same calendar month, regardless of when the original transaction took place.

When a business meets the excessive chargebacks or fraud MATCH criteria in a calendar month, the merchant must be added to MATCH if the processing relationship is terminated, even if the processing relationship is not ended in that calendar month.

For example, if a business meets MATCH criteria only in February, and the processing relationship ends in September, then the processor is still required to add information to MATCH even though the qualifying activity took place in February.

If a business doesn't meet MATCH criteria when the relationship is initially terminated, then it can still qualify for MATCH if the criteria are met afterward. For example, if chargebacks are initiated after termination, then the business can be added to MATCH.

Example qualification data

Review the following example of transactions and chargebacks during one calendar month:

  • Number of Mastercard transactions: 125
  • Number of Mastercard chargebacks: 6
  • Ratio of chargebacks to transactions: (6/125) = 4.8%
  • Volume of Mastercard chargebacks: $6,250

In this case, the business would qualify for MATCH for excessive chargebacks if the processing relationship later terminates. It doesn't matter if chargebacks are later reversed or won by the merchant.

There is no minimum number of chargebacks for MATCH qualification for excessive chargebacks.

Information added to MATCH

The card networks require that the following information be added to MATCH if available:

  • Business legal name and doing business as (DBA) name
  • Business address
  • Business phone number
  • Business tax ID
  • Business URL
  • Principal owner name
  • Principal owner address
  • Principal owner phone number
  • Principal owner tax ID
  • Account opening date and termination date
  • MATCH reason code

Mastercard doesn't assess the accuracy of MATCH listings.

Removal from MATCH

The payment processor can't remove an account's information from MATCH upon request. A processor can remove a MATCH entry only in the following circumstances:

  • If the processor added the business to MATCH in error.
  • If the listing is for MATCH reason code 12 PCI DSS and the processor has confirmed that the business has become compliant with the PCI DSS.

If you believe either of those two situations exist, then you need to reach out to the processor that listed your information on MATCH to be removed. Records remain on the MATCH system for five years before being automatically purged by Mastercard.

What to do if you're listed on MATCH

If you're listed on MATCH, then you're notified when you attempt to sign up for a new processor. MATCH is only used as an informational tool by processors during the application process but the presence of a MATCH listing often means that an application is declined.

You need to reach out to your previous processor to find out why your information was added to MATCH. MATCH criteria are determined by Mastercard and processors are required to follow this criteria. Shopify can't remove a business that met the excessive chargebacks criteria even if the business has remediated the issues leading to chargebacks, for example.

Due to banking partner restrictions, Shopify generally can't process for businesses listed on MATCH unless extenuating circumstances apply, such as the case of a legitimate business that previously had their identity information stolen.

Visa merchant screening service (VMSS)

VMSS is Visa's database of terminated merchant files (TMFs) that contains information about accounts that have been closed by credit card processors around the world for high chargebacks or violations of card brand rules.

Criteria for VMSS qualification

When a relationship ends between a business and a credit card processor, the processor determines whether the business meets the criteria to be placed on VMSS.

If any VMSS criteria are satisfied, then the processor must add information about the terminated business to VMSS.

VMSS qualitative criteria

The majority of VMSS reason codes involve breaches of card network rules, including illegal activity.

This table displays the different VMSS reason codes and their descriptions.
CodeReasonDescription
23Transaction launderingThe merchant or third party agent misrepresented the source of submitted transactions (unauthorized aggregation), or submitted transactions on behalf of another merchant (factoring).
24Illegal transactionsThe merchant or third party agent submitted unlawful or prohibited transactions into the payment system.
25Visa risk compliance program identificationThe merchant or third party agent was terminated at the acquirer's discretion after identification in a Visa risk compliance program and didn't adequately remediate.
26Merchant collusionThe merchant or third party agent colluded to commit fraud.
27Common point of purchase (CPP)The merchant or third party agent was identified as a location where account data from legitimate transactions was compromised for use in subsequent fraudulent activity (including skimming) and didn't adequately remediate.
28Fraud convictionThe principal owners of a merchant outlet or third party agent was convicted of a fraud crime.
29Bankruptcy, liquidation, or insolvencyThe merchant or third party agent cannot fulfill its financial obligations due to potential or actual bankruptcy, insolvency, or suspension of business operations.
30Violation of merchant or third party agent agreementThe merchant or third party agent breached their agreement.
31Violation of the Visa rulesThe merchant or third party agent violated the Visa rules exposing the acquirer of the payment system to undue risk.
32Account information security program non-complianceThe merchant or third party agent was non-compliant with the Payment Card Industry Data Security Standard (PCI DSS) or the Payment Application Data Security Standard (PA-DSS) requirements.
33Account Data CompromiseThe merchant or third party agent suffered a data breach, directly or indirectly resulting in an unauthorized disclosure of payment account or transaction information.
34Merchant Identity TheftThe merchant application was submitted using principal owner or corporate officer information belonging to individuals that were never party to the merchant agreement.
35Disqualification from the Visa payment systemVisa disqualified the merchant or third party agent from participating in the Visa payment system.

VMSS quantitative criteria

Two VMSS reason codes have specific numeric thresholds defined by Visa for when processors must add accounts to the VMSS list.

These reason codes that involve chargeback and fraud activity on an account are the most common reasons for being added to VMSS, and can affect businesses that aren't engaged in illegal or rule-violating activity.

This table lists the two VMSS reason codes with specific numeric thresholds and their descriptions.
CodeReasonDescription
21Excessive FraudThe merchant or third party agent submitted excessive fraudulent transactions ($250,000 USD fraud amount and 1.8 percent (180 basis points) fraud-to-sales amount ratio in any single month) into payment system, and didn't adequately remediate.
22Excessive DisputesThe merchant or third party agent generated excessive disputes (1,000 dispute count, and 1.8 percent (180 basis points) dispute-to-sales amount ratio in any single month) into payment system and didn't adequately remediate.

Removal from VMSS

Shopify typically can't remove an account's information from VMSS upon request. A processor can remove a VMSS entry only if the processor added the business to VMSS in error.

Next steps if you're listed on VMSS

If you're listed on VMSS, then you might not be aware of this until you attempt to sign up for a new processor. VMSS is only used as an informational tool by processors during the application process. The presence of a VMSS listing often leads to an application being declined. If you're listed on VMSS, then you need to contact your previous processor to find out why your information was added to VMSS. VMSS criteria are determined by Visa, and processors are required to follow this criteria.

Shopify can't remove a business that meets the excessive chargebacks criteria, for example, if the business resolves the issues leading to chargebacks.

Because of banking partner restrictions, Shopify generally can't process for businesses listed on VMSS unless extenuating circumstances apply, such as the case of a legitimate business that previously had their identity information stolen.