Card scheme monitoring programs: VAMP, ECP, EFM, and MATCH explained

This guide explains how VAMP, ECP, EFM, and MATCH work, what triggers them, and what payment teams should monitor before their acquirer does.

Most payment teams only learn how a card scheme monitoring program works after they have already been placed in one. The acquirer forwards a notice; fraud and dispute ratios move from background reporting to board-level urgency; and what used to look like a chargeback-prevention problem becomes a compliance, commercial, and banking continuity problem.

This article is the map you want before that happens. You’ll learn which programs exist, what triggers them, how the schemes calculate the ratios, and what happens if you stay above threshold.

How card scheme monitoring works

Card scheme monitoring is how Visa and Mastercard keep tabs on merchants (and the acquirers who sponsor them) to catch excessive chargebacks and fraud before they damage the ecosystem. The logic is simple: a merchant that generates many disputes or fraudulent transactions creates costs and risks for issuers, cardholders, and the network's reputation. So the schemes set thresholds, measure everyone against them monthly, and escalate when a merchant crosses the line.

Two things are being watched: disputes/chargebacks and fraud. They're tracked separately because they signal different problems — disputes often point to operational or ‘friendly fraud’ issues, while fraud points to compromised cards or weak authentication.

Visa and Mastercard don’t usually manage merchant remediation directly. The scheme monitors network activity, identifies merchants or acquirer portfolios that cross defined thresholds, and notifies the acquirer. The acquirer is then expected to investigate, manage remediation, pass through assessments where applicable, and decide whether the merchant remains an acceptable risk.

That chain matters because being placed in a chargeback monitoring program means your acquirer is now in a compliance conversation with the scheme about you. Even when the formal fine lands on the acquirer, the commercial consequence usually lands on the merchant: reserves, higher fees, processing restrictions, remediation plans, or termination.

How the ratios are calculated

Monitoring is threshold-based, and almost always combines an absolute count with a ratio. A merchant usually has to breach both to get flagged — a tiny shop with 5 chargebacks won't trigger anything even at a high percentage, and a huge merchant with a few hundred disputes might still sit under the ratio.

The ratio is roughly disputes (or fraud) per month ÷ transaction volume.

An important detail is which transaction count goes in the denominator. Mastercard historically divides the current month's chargebacks by the previous month's transaction count, while Visa uses the same-month volume. That timing difference can make the same merchant look slightly different across the two networks.

At-a-glance comparison of card scheme monitoring programs

| Program | Scheme/owner | What it monitors | Key trigger logic | Operational severity |
|---|---|---|---|---|
| VAMP | Visa | Combined fraud reports and disputes, plus enumeration activity | VAMP ratio = (TC40 fraud + TC15 disputes) ÷ settled transactions; merchant and acquirer thresholds differ | High: remediation, assessments, acquirer pressure |
| VDMP/VFMP | Visa (legacy) | Disputes (VDMP) and fraud (VFMP) where legacy monitoring still applies | Separate dispute or fraud count plus ratio thresholds | Medium to high: fines and remediation |
| ECP: ECM/HECM | Mastercard | First-presentment chargebacks | Chargeback count plus chargeback basis points, using prior-month transactions as the denominator | High: escalating monthly fines and possible account instability |
| EFM | Mastercard | E-commerce fraud chargebacks | All four criteria: e-commerce volume, fraud value, fraud basis points, and low 3DS usage | High, but actionable: 3DS coverage is a direct lever |
| MATCH | Mastercard | Terminated high-risk merchants | Acquirer adds the merchant after termination for a qualifying reason code | Critical: a five-year listing can block acquiring |

Visa: VAMP (Visa Acquirer Monitoring Program)

VAMP, the Visa Acquirer Monitoring Program, became effective on 1 April 2025, consolidating multiple fraud and dispute monitoring processes into a unified framework. In practical terms, Visa moved away from treating fraud and disputes as separate conversations and towards a single view of card-not-present risk.

The core metric is the VAMP ratio: (TC40 fraud reports + TC15 disputes) ÷ settled transactions.

The rollout has been phased. Visa introduced VAMP in April 2025, then moved through advisory and enforcement stages. The merchant Excessive threshold tightened in several major regions in April 2026, while acquirer-level thresholds remain materially lower than merchant-level thresholds.

First-time placements may receive a limited grace period, but the practical advice is not to treat grace as extra runway. It’s a remediation window, not a buffer for normal operations.

Tools that can keep disputes out of your ratio

Some dispute-resolution tools can help keep cases out of your VAMP ratio, but only if they work early enough. Disputes resolved through Rapid Dispute Resolution (RDR), the Cardholder Dispute Resolution Network (CDRN), or qualifying Compelling Evidence 3.0 outcomes may be excluded from VAMP calculations. But timing is critical. If Visa’s monthly review has already captured the fraud report or dispute before the resolution is recorded, the event may still count towards your ratio.

For a deeper breakdown of VAMP thresholds, phases, exclusions, and assessments, see Corefy's dedicated guide.

VDMP and VFMP

Visa’s Dispute Monitoring Program (VDMP) and Visa Fraud Monitoring Program (VFMP) were Visa’s previous monitoring programs for excessive disputes and fraud. VDMP focused on merchants with high dispute activity, while VFMP focused on merchants with high fraud activity.

These programs have now been retired and replaced by VAMP. Instead of treating disputes and fraud as two separate compliance tracks, VAMP combines them into one operational score based on TC40 fraud reports and TC15 disputes.

The practical change is important: teams that previously managed chargeback ratios and fraud ratios separately now need to manage their combined impact.

Mastercard: Excessive Chargeback Program (ECP)

Mastercard's Excessive Chargeback Program (ECP) identifies merchants whose chargeback activity exceeds Mastercard's acceptable limits and places them into one of two severity levels: Excessive Chargeback Merchant (ECM) or High Excessive Chargeback Merchant (HECM).

The detail that catches teams out is the calculation. Mastercard uses basis points, not a simple same-month percentage. The chargeback basis point figure is generally calculated as the current month's first-presentment chargebacks divided by the previous month's Mastercard transactions, multiplied by 10,000. A month of falling sales can therefore worsen the ratio even if the chargeback count is flat.

ECP has two core levels:

  • ECM: typically 100 to 299 chargebacks and 150 to 299 basis points
  • HECM: typically 300 or more chargebacks and 300 or more basis points

Both the count and the basis-point threshold matter. A merchant with a high chargeback count but a ratio below the threshold may not fall into the same severity tier; a merchant with a high ratio but insufficient count may also remain outside formal placement. The risk lies where both numbers overlap.

What it costs to stay in the program

The cost of delay is the reason ECP needs executive attention. Month one is typically a notification period, but assessments escalate as the merchant remains in the program.

The longer a merchant remains in the program, the more expensive it becomes. ECM assessments typically start at $1,000 and can increase to $100,000 over time. HECM assessments start higher, at around $2,000, and can rise to $200,000. Mastercard may also apply an issuer recovery assessment of $5 per chargeback above 300.

Exiting the program is not immediate. Mastercard generally requires a merchant to remain below the relevant ECP thresholds for three consecutive months. A single clean month followed by another breach does not restore normal standing; it restarts the remediation timeline.
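
The ECP mechanics described above (prior-month denominator, count-plus-ratio tiers, three clean months to exit) can be tracked in a few lines. This is an added example, not Corefy's or Mastercard's code: the names `Month`, `tier` and `ecp_timeline`, the sample figures, and the handling of mixed cases (high count with a mid-range ratio falls to ECM) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Thresholds as quoted in the article: (minimum chargebacks, minimum basis points).
ECM, HECM = (100, 150), (300, 300)
CLEAN_MONTHS_TO_EXIT = 3

@dataclass
class Month:
    label: str
    transactions: int  # Mastercard transactions in this month
    chargebacks: int   # first-presentment chargebacks in this month

def basis_points(chargebacks: int, prior_transactions: int) -> float:
    """Current-month chargebacks / previous-month transactions * 10,000."""
    if prior_transactions <= 0:
        return float("inf") if chargebacks else 0.0
    return chargebacks / prior_transactions * 10_000

def tier(chargebacks: int, bps: float) -> str:
    """Count and ratio must both breach; mixed cases take the lower tier (assumption)."""
    if chargebacks >= HECM[0] and bps >= HECM[1]:
        return "HECM"
    if chargebacks >= ECM[0] and bps >= ECM[1]:
        return "ECM"
    return "none"

def ecp_timeline(months: list[Month]) -> list[tuple[str, float, str, bool]]:
    """Return (label, bps, tier, in_program) for every month after the first."""
    out, in_program, clean = [], False, 0
    for prev, cur in zip(months, months[1:]):
        bps = basis_points(cur.chargebacks, prev.transactions)
        t = tier(cur.chargebacks, bps)
        if t != "none":
            in_program, clean = True, 0      # any breach resets the exit clock
        elif in_program:
            clean += 1
            if clean >= CLEAN_MONTHS_TO_EXIT:
                in_program, clean = False, 0
        out.append((cur.label, round(bps, 1), t, in_program))
    return out

# Constructed sample data: sales fall in Feb while the chargeback count stays flat.
SAMPLE = [
    Month("Jan", 10_000, 120),
    Month("Feb", 7_000, 120),
    Month("Mar", 7_000, 120),   # same count, smaller prior-month base: breach
    Month("Apr", 9_000, 90),    # one clean month
    Month("May", 9_000, 140),   # breach again: clean-month counter restarts
    Month("Jun", 9_000, 80),
    Month("Jul", 9_000, 80),
    Month("Aug", 9_000, 80),    # third consecutive clean month: exit
]
```

Running `ecp_timeline(SAMPLE)` shows March breaching at 171.4 basis points with the same 120 chargebacks that produced 120.0 in February, and the April clean month being wiped out by the May breach.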

Mastercard: Excessive Fraud Merchant (EFM) Program

The Excessive Fraud Merchant (EFM) Program is Mastercard’s fraud-focused monitoring program for e-commerce merchants. It’s different from ECP in two important ways. First, it looks only at fraud-related e-commerce chargebacks, not all chargebacks. Second, it includes 3D Secure usage in the assessment, which gives merchants a clear action they can take to reduce their risk.

A merchant is generally identified under EFM only when all four criteria are met in the evaluated period: e-commerce volume, fraud value, fraud basis points, and low 3DS usage.

EFM mainly focuses on fraud-coded chargebacks, especially Mastercard reason code 4837: No Cardholder Authorisation. This means a merchant may look acceptable when looking at total chargebacks, but still be exposed under EFM if fraud-related chargebacks are high enough.

The important point is that EFM works like a four-part gate: all four criteria must be true for the merchant to qualify. If the merchant fixes just one of them, they can fall out of scope.

That’s why 3DS is such an important lever. If a merchant increases 3DS coverage above the required threshold, they may no longer meet the EFM criteria, even if the fraud rate hasn’t fully normalised yet. This does not make 3DS a complete fraud prevention strategy, but it does make authentication coverage one of the clearest ways to reduce EFM exposure.

If a merchant exceeds both ECP and EFM thresholds at the same time, Mastercard generally places the merchant in EFM only rather than applying both programs. In practice, this means Mastercard is treating the issue primarily as an e-commerce fraud and authentication problem, not just a general chargeback problem.

MATCH: the termination list

MATCH (Member Alert to Control High-Risk Merchants) is a Mastercard database used by acquirers to identify merchants that have been terminated for serious risk reasons.

Why MATCH is different from a monitoring program

The key difference is timing. A monitoring program says: your metrics are excessive and you need to remediate. MATCH says: an acquirer has terminated the relationship for cause and has reported that termination to the network. The first threatens your margin and the acquiring relationship. The second can block future merchant account approval.

How merchants land on MATCH and how to get off

Acquirers add merchants to MATCH after termination when a qualifying reason code applies. Common reasons include excessive chargebacks, fraud, money laundering, illegal transactions, account data compromise, and PCI non-compliance. A MATCH-listed merchant account is therefore not simply a more expensive account; for many mainstream acquirers, a MATCH hit is grounds for declining onboarding altogether.

Records generally stay on MATCH for five years. Removal is narrow because the acquirer that placed the merchant is usually the party responsible for correcting or removing the listing. If the listing is wrong, the practical route is to gather evidence, contact the listing acquirer, and ask them to submit the correction. PCI-related listings may be curable once compliance is documented, but for most reason codes, the real defence is prevention: do not let a monitoring problem become a termination event.

The acquirer dimension: what PSPs and payment operators are responsible for

Merchants are not the only entities under the schemes' monitoring. If you run a PSP, ISO, PayFac, or any business managing a portfolio of merchants, the schemes also hold you accountable for the performance of that portfolio.

In practice, this means your risk is not limited to one merchant’s chargeback or fraud ratio. It also depends on how that merchant affects your aggregate exposure as an acquirer or payment operator.

Under VAMP, Visa measures acquirer portfolios at lower tolerance levels than individual merchants. This changes the commercial dynamics. A merchant may believe it is not yet at a formal merchant threshold, while the acquirer sees that merchant as a contributor to portfolio-level exposure. That is when reserves, caps, traffic restrictions, or offboarding can arrive before the merchant expected them.

On the Mastercard side, ECP and EFM sit within the Acquirer Chargeback Monitoring Program (ACMP), the umbrella that holds acquirers responsible for their merchants' performance. Acquirers do not just pass fines through; if a merchant stays in ECP too long, Mastercard can require the acquirer to run a remediation plan at its own expense and subject the acquirer's whole portfolio to a risk review.

For payment teams, the takeaway is operational: your compliance surface is the worst-performing merchants in your book, and the scheme will act against you for their behaviour. Portfolio-level visibility — knowing which merchants are trending towards a threshold before the scheme tells you — is the difference between trimming one account and being fined across many.

Leading indicators: TC40, SAFE, and pre-dispute alerts

By the time you are formally placed in a monitoring program, you have already missed earlier signals. The leading indicators are fraud reporting, issuer alerts, pre-dispute activity, and your own ratio trendlines.

Visa: TC40 fraud reports

For Visa, the key signal is TC40. A TC40 is a fraud report submitted by an issuer when a cardholder reports a transaction as fraudulent. It’s not itself a chargeback, and it doesn’t move funds, but under VAMP, it can feed the fraud side of the ratio. TC40 monitoring is therefore not optional for merchants exposed to Visa VAMP — it is the earliest view of the numerator forming.

Mastercard: SAFE

For Mastercard, the equivalent fraud-reporting environment is SAFE, Mastercard’s fraud and loss reporting database. SAFE data helps Mastercard and acquirers see fraud patterns before they become only a chargeback story. If you manage Mastercard traffic, SAFE trends belong in the same operating dashboard as chargeback counts, reason codes, 3DS coverage, and refund outcomes.

Pre-dispute and chargeback alerts

Pre-dispute and chargeback alert tools sit between these signals and formal disputes. When a cardholder contacts the issuer, alert networks can notify the merchant before the chargeback posts, creating a short window to refund, cancel, or resolve. Used well, these tools support chargeback prevention and keep avoidable disputes from entering scheme ratios. Used poorly, they become another fragmented feed nobody reconciles until the monthly notice arrives.

How to stay out of monitoring programs

  • Raise 3DS coverage. This is the most direct lever on EFM — clearing the 3DS criterion alone removes you from the program — and authenticated transactions shift liability and suppress the fraud chargebacks that feed every fraud ratio.
  • Deflect disputes before they post. Pre-dispute alerts and Visa's Rapid Dispute Resolution resolve disputes inside the evaluation window, keeping them out of your VAMP ratio and your ECP count. Same-month resolution is what makes the deflection count.
  • Refund confirmed fraud rather than fighting it. A refund on a transaction you know is fraudulent costs you the sale; a fraud chargeback costs you the sale, the fee, and a mark against your ratio. For confirmed fraud, the refund is the cheaper outcome.
  • Fix non-fraud disputes at the source. Clear billing descriptors, accessible cancellation and refund policies, and responsive support cut the ‘I don't recognise this charge’ and ‘I couldn't get a refund’ disputes that inflate counts without any actual fraud.
  • Watch your own ratios monthly. Track your TC40 and SAFE trend and your chargeback ratio against each program's threshold before the scheme does. The schemes evaluate monthly; so should you.

The harder problem for any team running real volume is that these levers live in different systems — fraud tooling, dispute alerts, acquirer reporting, routing logic — and the metrics that trigger a program are spread across all of them. This is where consolidating the payment stack pays off: when routing decisions, provider performance, and dispute and fraud data sit in one place, you can see a ratio trending towards a threshold and act, instead of assembling the picture after the acquirer's email arrives.

Key takeaways

  • Visa VAMP combines fraud and disputes into one ratio. Teams need to manage TC40 fraud reports and TC15 disputes together, not as separate metrics.
  • Mastercard ECP focuses on excessive chargebacks. It uses both chargeback count and basis points, with fines increasing the longer a merchant stays in the program.
  • Mastercard EFM focuses on e-commerce fraud. 3DS coverage is one of the clearest levers, as it directly affects whether a merchant qualifies for the program.
  • MATCH is not a monitoring program. It is a termination list, and a listing can make it difficult or impossible to secure new acquiring relationships.
  • PSPs and payment operators are exposed at the portfolio level. A few high-risk merchants can affect the compliance standing of the wider merchant book.
  • The best defence is proactive monitoring. Track TC40, SAFE, chargeback ratios, 3DS coverage, dispute alerts, and merchant-level trends before the scheme or acquirer flags them.

Frequently asked questions

No. A chargeback monitoring program focuses on excessive disputes or chargebacks, while a fraud monitoring program focuses on fraudulent transaction activity. The two are related, but they do not always point to the same problem. Chargebacks can come from fraud, friendly fraud, billing confusion, or service issues. Fraud monitoring is narrower. Under Visa VAMP, however, fraud reports and disputes are combined into one ratio, so teams need to manage both together.