Fraud monitoring programs
Last updated: May 17, 2023
Card schemes (like Visa and Mastercard) monitor your reported fraud activity month by month, comparing it to your sales. If the instances of fraud exceed the levels deemed acceptable by the scheme, you may be placed in their monitoring program.
Once you’re on a program, the scheme can charge you monthly fines until you reduce the fraud activity back down to acceptable levels.
We will let you know if you’re at risk of being placed, or have been placed, on a program, and work with you to reduce fraudulent transactions.
To learn how to defend against fraud-related dispute cases, read our guide on preventing fraudulent disputes.
If you fail to comply within a specified time period (this depends on the scheme), the scheme can refuse to continue processing your payments. This is rare, but it's best to take immediate action if you're enrolled on a program.
Learn about Visa’s and Mastercard’s fraud monitoring programs.
The Visa Fraud Monitoring Program (VFMP) is a merchant-level, fraud monitoring program used to:
- identify merchants with excessive fraud activity
- implement corrective plans to protect the integrity of the payment system
If you exceed both the VFMP and Visa Dispute Monitoring Program (VDMP) thresholds in the same month, you will enter each program as a separate identification. Each case will continue in its respective program until it is remediated. However, if you are subject to assessments in both programs, the VDMP assessment will take precedence. Visa could still release 10.5 Dispute rights for the VFMP case.
To exit the VFMP, you need to perform below the Standard program thresholds for three consecutive months, no matter what timeline you're in. If you perform below the Standard program thresholds for fewer than the required three consecutive months:
- the program status continues from the previous identification
- the required three consecutive months restart the next month you're below Standard program thresholds
Visa may suspend or waive non-compliance assessments (fines), in whole or in part, to accommodate unique or extenuating circumstances. Through submission of a remediation plan, the acquirer can make requests for temporary suspension, or waiver of non-compliance assessments, on your behalf. This remediation plan should:
- state the root causes of the identification
- demonstrate actions taken to restore compliance
- outline milestones acceptable to Visa and dates for all corrective actions
Suspension of non-compliance assessments and program fees is:
- at Visa’s sole discretion
- for a set period of time
If granted, the non-compliance assessment and program fees will continue to accrue during the suspension period. If you're unable to perform below program thresholds during the suspension period and are identified afterwards, the accrued non-compliance assessment may be levied.
This section covers all regions. See the VFMP-3DS section for information specific to VFMP-3DS (US only).
VFMP has four program timelines.
Applies if you are a non-High Risk Merchant Category Code (MCC) and meet or exceed both Standard fraud amount thresholds.
|Reported fraud||Fraud-to-sales amount ratio|
|Month 1||Months 2-4||Months 5-6||Months 7-9||Months 10-11||Months 12+|
Where enforcement includes 10.5 Dispute Liability, this means an issuer may initiate a dispute, under Dispute Condition 10.5, within 120 calendar days from the date of the report. You may continue to be subject to Dispute Condition 10.5 for trailing fraud activity that occurs up to 90 calendar days after you have stopped processing.
The VFMP uses fraud and sales transactions processed in the previous calendar month. The formula used for the Fraud-to-sales-amount ratio calculation is:
Fraud-to-sales-amount ratio = Total amount of fraud reported during the month / Total amount of sales during the month
Example for May 2022:
- Total amount of Visa transactions reported as fraud in May 2022: 85000
- Total amount of Visa sales in May 2022: 2500000
- Fraud-to-sales amount ratio for May 2022: ( 85000 / 2500000 ) * 10000 = 3.40%
Breaching the standard thresholds of the VFMP
Program monitoring includes domestic transactions and international transactions for the following acquirer regions:
- AP (Australia)
- Europe (France, Germany, United Kingdom)
- LAC (Brazil)
For all remaining regions, VFMP monitoring only includes international transactions.
- For the VDMP, only the first ten disputes, in a given calendar month, between you and a single account number are counted.
- VFMP excludes fraud type code 3 (fraud application).
- Domestic transaction: A transaction where the issuer of the card used is located in the transaction Country (the country where you are).
- International transaction: A transaction where the issuer of the card used is not located in the transaction Country (the country where you are).
The VFMP-Digital Goods program focuses on small ticket and digital goods merchant fraud transactions for the following MCCs:
- 5735 — Record Stores
- 5815 — Digital Goods Media — Books, Movies, Digital artwork/images, Music
- 5816 — Digital Goods — Games
- 5817 — Digital Goods — Applications (Excludes Games)
- 5818 — Digital Goods — Large Digital Goods Merchant
The program, which starts in early October 2023, will be based on September 2023 data.
The VFMP-Digital Goods program has two timelines.
Applies if you are non-High Risk MCC and meet or exceed both Standard fraud amount thresholds.
|Reported fraud||Fraud count||Fraud-to-sales amount ratio|
|Month 1||Months 2-4||Months 5-6||Months 7-9||Months 10-11||Months 12+|
- as with other fraud and dispute monitoring programs, the VFMP-Digital Goods program will be based on fraud and sales transactions that took place in the previous month
- merchants will be remediated out of the VFMP-Digital Goods program when they perform below the Standard program thresholds for three consecutive months
- if a merchant meets or exceeds the thresholds for both the VFMP and the VFMP-Digital Goods programs, they will be subject to a single non-compliance assessment (NCA)
This section covers VFMP-3DS, only available in the US.
The VFMP-3DS program has two timelines.
Applies if you meet or exceed both Standard fraud amount thresholds.
|US domestic 3DS reported fraud||US domestic 3DS fraud-to-sales amount ratio|
The VFMP-3DS Standard timeline does not have a Workout period, only Enforcement. You may be subject to Dispute Condition 10.5 from the first month in the program, and any subsequent months, until you are remediated out of the program.
10.5 Dispute Liability means an issuer may initiate a dispute, under Dispute Condition 10.5, within 120 calendar days from the date of the report. You may continue to be subject to Dispute Condition 10.5 for trailing fraud activity that occurs up to 90 calendar days after you have stopped processing.
Within 30 days of notification from Visa that you are identified in the VFMP-3DS program, you are required to reclassify all Visa 3DS transactions (ECI 5: Authentication Successful and ECI 6: Authentication Attempted) to ECI 7 (Non-Authenticated Security Transaction).
- The VFMP-3DS program uses US domestic 3DS (ECI 5 and 6) fraud and sales transactions processed in the previous calendar month.
- Only the first ten fraudulent transactions, in a given calendar month, between you and a single account number are included.
- VFMP-3DS program excludes fraud type code 3 (fraud application).
- You will be remediated out of the VFMP-3DS program when you perform below the Standard program thresholds for three consecutive months.
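The counting rules above can be applied to a month of fraud records to estimate the figures the program will see. This is an added example, not code from Checkout.com or Visa; the record keys, the sample data and the order in which exclusions and the per-account cap are applied are assumptions.

```python
from collections import Counter
from decimal import Decimal

COUNTED_ECI = {5, 6}       # ECI values the program monitors, per the page
EXCLUDED_FRAUD_TYPE = 3    # fraud type code 3 (fraud application)
PER_ACCOUNT_CAP = 10       # first ten per account number per calendar month

def monitored_fraud_amount(reports):
    """Sum the fraud amount that counts toward VFMP-3DS for one month.

    `reports` holds one calendar month of US domestic fraud records in
    chronological order. Keys (account, amount, eci, fraud_type) are
    hypothetical. Assumption: exclusions apply before the per-account cap.
    """
    seen = Counter()
    total = Decimal("0")
    for r in reports:
        if r["eci"] not in COUNTED_ECI or r["fraud_type"] == EXCLUDED_FRAUD_TYPE:
            continue
        seen[r["account"]] += 1
        if seen[r["account"]] <= PER_ACCOUNT_CAP:
            total += Decimal(r["amount"])
    return total

def fraud_to_sales_pct(fraud_amount, sales_amount):
    """Fraud-to-sales amount ratio, expressed as a percentage."""
    if Decimal(sales_amount) <= 0:
        raise ValueError("no sales in the month; the ratio is undefined")
    return Decimal(fraud_amount) / Decimal(sales_amount) * 100

def months_below_streak(below_by_month):
    """Current run of consecutive months below thresholds; a breach resets it."""
    streak = 0
    for below in below_by_month:
        streak = streak + 1 if below else 0
    return streak

# Constructed sample month: account A has 12 reports (only 10 count),
# B is ECI 7, C is fraud type 3, D is a single ECI 6 report.
SAMPLE = (
    [{"account": "A", "amount": "100.00", "eci": 5, "fraud_type": 6}] * 12
    + [{"account": "B", "amount": "900.00", "eci": 7, "fraud_type": 6},
       {"account": "C", "amount": "400.00", "eci": 5, "fraud_type": 3},
       {"account": "D", "amount": "250.50", "eci": 6, "fraud_type": 6}]
)

if __name__ == "__main__":
    fraud = monitored_fraud_amount(SAMPLE)
    print(fraud, fraud_to_sales_pct(fraud, "500000"))
    print(months_below_streak([True, True, False, True]))
```

Compare the resulting ratio with the thresholds in your program notification; a streak of three is the exit condition described above.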
Mastercard's Acquirer Chargeback Monitoring Program (ACMP) consists of two programs, the Excessive Chargeback Program (ECP) and the Excessive Fraud Merchant (EFM) program.
The ECP program has two levels, Excessive Chargeback Merchant (ECM) and High Excessive Chargeback Merchant (HECM).
The EFM program monitors and identifies merchants with excessive fraud activity. The goal is to reduce fraud on ecommerce transactions and to create a more secure ecosystem.
This program does not apply if you are in St. Helena, Ascension and Tristan Da Cunha, Germany, India, Liechtenstein, or Switzerland.
You will be placed in the EFM program if, in the previous calendar month, you met all the following conditions:
- you processed 1,000 or more Mastercard sales transactions in the previous month
- you were subject to 50,000 USD or EUR or more in Mastercard fraud-related chargebacks with reason code 4837 (No Cardholder Authorization)
- your fraud chargebacks-to-sales ratio is 0.5% or more
- your percentage of monthly clearing volume processed using 3DS (including Data Only transactions) or DSRP (Digital Secure Remote Payment) is less than 10% in non-regulated countries, or less than 50% in regulated countries
- 3DS transactions identified in clearing in private data sub-element (PDS) 0052 (Security Level Indicators) with a value of 211, 212, 214, 216, or 217.
- Digital Secure Remote Payment transactions identified in clearing in PDS 0052 with a value of 242 (Issuer Fully Authenticated) or 246 (Merchant Risk Based Decisioning).
- Data Only refers to non-3DS transactions in which Mastercard performs risk scoring and inserts Digital Transaction Insights to the authorization request message.
- The term 'non-regulated' refers to those countries without a legal or regulatory requirement for strong cardholder authentication. The term 'regulated' refers to those countries with a legal or regulatory requirement for strong cardholder authentication.
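A merchant-side check of the four EFM conditions, showing which one to move to stay out of the program. This is an added example, not Mastercard's or Checkout.com's code; the record keys, function names and sample data are hypothetical, the authenticated share is taken by record count (the page says only "volume"), and the chargeback ratio is passed in as reported because the page does not define its denominator.

```python
# PDS 0052 values the page lists for 3DS and DSRP clearing records.
PDS0052_3DS = {"211", "212", "214", "216", "217"}
PDS0052_DSRP = {"242", "246"}

def authenticated_share_pct(clearing_records):
    """Percent of clearing records processed with 3DS, Data Only or DSRP.

    Each record is a dict with the hypothetical keys `pds0052` (string or
    None) and `data_only` (bool). Share is by record count (assumption).
    """
    if not clearing_records:
        return 0.0
    hits = sum(
        1 for r in clearing_records
        if r.get("pds0052") in PDS0052_3DS | PDS0052_DSRP or r.get("data_only")
    )
    return 100.0 * hits / len(clearing_records)

def efm_conditions(sales_count, fraud_cb_amount, fraud_cb_ratio_pct,
                   auth_share_pct, regulated):
    """Return each EFM condition from the page and whether the month meets it."""
    floor = 50 if regulated else 10   # authenticated-share floor, in percent
    return {
        "sales_count >= 1000": sales_count >= 1000,
        "fraud_cb_amount >= 50000": fraud_cb_amount >= 50_000,
        "fraud_cb_ratio >= 0.5%": fraud_cb_ratio_pct >= 0.5,
        f"auth_share < {floor}%": auth_share_pct < floor,
    }

def efm_identified(**month):
    """Placement requires all four conditions in the same calendar month."""
    return all(efm_conditions(**month).values())

def sample_clearing(n_3ds, n_data_only, n_plain):
    """Constructed clearing records for the demonstration below."""
    return ([{"pds0052": "212", "data_only": False}] * n_3ds
            + [{"pds0052": None, "data_only": True}] * n_data_only
            + [{"pds0052": None, "data_only": False}] * n_plain)

if __name__ == "__main__":
    share = authenticated_share_pct(sample_clearing(100, 50, 1850))
    month = dict(sales_count=2000, fraud_cb_amount=60_000,
                 fraud_cb_ratio_pct=0.8, auth_share_pct=share, regulated=False)
    print(share, efm_conditions(**month), efm_identified(**month))
```

Because all four conditions must hold, lifting the authenticated share to the floor (10% or 50%) is enough on its own to avoid identification, even while chargeback volume is still being worked down.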
Mastercard will remove you from the program if your dispute activity falls below the EFM thresholds for three consecutive months. Where an extension is in place, if you successfully comply with the program for three consecutive months before the extension period ends, assessments will not apply. However, if you receive approval for an extension request, compliance must be achieved by the end of the extension period. Otherwise, you will be retroactively billed for any assessments you would have accrued while the extension was in place. You will also be retroactively billed for any assessments you would have accrued while the extension was in place if you:
- leave before the end of the extension period, for example, if you process zero sales in a calendar month
- do not successfully exit the program by having three consecutive months below the program thresholds
If you are identified as non-compliant for both EFM and ECM in the same month, you will only be subject to the applicable EFM assessments. If you have been identified in either the ECM or EFM for 12 months, the highest of the program assessments (whether ECM or EFM) will apply.
If you are unable to comply with the programs, you may contact Checkout.com to request an extension from Mastercard.
Usually, extensions should be requested if you can quickly address the causes of identification in the Acquirer Chargeback Monitoring Program. An extension will allow time for the remaining chargebacks to be processed, and for you to return to compliance with program thresholds.
Extensions are reviewed and granted on a case-by-case basis. Mastercard may request additional information, such as an action plan, to evaluate an extension request.
Once you're placed in the EFM program, you will be charged monthly violation assessment fines from the second month of non-compliance. These fines are on top of any existing fees applied for fraudulent transactions and fraud-related disputes.
|Number of months above EFM thresholds||Violation assessment fines|
0 USD or EUR
500 USD or EUR
1,000 USD or EUR
5,000 USD or EUR
25,000 USD or EUR
50,000 USD or EUR
100,000 USD or EUR