Fraud monitoring programs
Last updated: January 11, 2023
Card schemes (like Visa and Mastercard) monitor your reported fraud activity month by month, comparing it to your sales. If the instances of fraud exceed the levels deemed acceptable by the scheme, you may be placed in their monitoring program.
Once you’re on a program, the scheme can charge you monthly fines until you reduce the fraud activity back down to acceptable levels.
We will let you know if you’re at risk of being placed, or have been placed, on a program, and work with you to reduce fraudulent transactions.
To learn how to defend against fraud-related dispute cases, read our guide on preventing fraudulent disputes.
If you fail to comply within a specified time period (this depends on the scheme), the scheme can refuse to continue processing your payments. This is rare, but it's best to take immediate action if you're enrolled on a program.
Learn about Visa’s and Mastercard’s fraud monitoring programs.
Visa's Fraud Monitoring Program
The Visa Fraud Monitoring Program (VFMP) is a merchant-level, fraud monitoring program used to:
- identify merchants with excessive fraud activity
- implement corrective plans to protect the integrity of the payment system
Breaching both the VFMP and VDMP in the same month
If you exceed both the VFMP and Visa Dispute Monitoring Program (VDMP) program thresholds in the same month, you will enter each program as separate identifications. Each case will continue in their respective program until they are remediated. However, if you are subject to assessments in both programs, the VDMP assessment will take precedence. Visa could still release 10.5 Dispute rights for the VFMP case.
Program Exit Criteria
To exit the VFMP, you need to perform below the Standard program thresholds for three consecutive months, no matter what timeline you're in. If you perform below the Standard program thresholds for less than the required three consecutive months:
- the program status continues from the previous identification
- the required three consecutive months restart the next month you're below Standard program thresholds
Suspension of non-compliance assessments
Visa may suspend or waive non-compliance assessments (fines), in whole or in part, to accommodate unique or extenuating circumstances. Through submission of a remediation plan, the acquirer can make requests for temporary suspension, or waiver of non-compliance assessments, on your behalf. This remediation plan should:
- state the root causes of the identification
- demonstrate actions taken to restore compliance
- outline milestones acceptable to Visa and dates for all corrective actions
Suspension of non-compliance assessments and program fees are:
- at Visa’s sole discretion
- for a set period of time If granted, the non-compliance assessment and program fees will continue to accrue during the suspension period. If you're unable to perform below program thresholds during the suspension period and are identified afterwards, the accrued non-compliance assessment may be levied.
This section covers all regions. See the VFMP-3DS section for information specific to VFMP-3DS (US only).
Thresholds, timelines, and fines
VFMP has four program timelines.
Applies if you are non-High Risk Merchant Category Code (MCC) and meet or exceed both Standard fraud amount thresholds.
|Reported fraud||Fraud-to-sales amount ratio|
Timeline, fines, and fees - above the VFMP Standard thresholds
|Months 1||Months 2-4||Months 5-6||Months 7-9||Months 10-11||Months 12+|
EU region and UK
All other regions
Where enforcement includes 10.5 Dispute Liability, this means an issuer may initiate a dispute, under Dispute Condition 10.5, within 120 calendar days from the date of the report. You may continue to be subject to Dispute Condition 10.5 for trailing fraud activity that occurs up to 90 calendar days after you have stopped processing.
Example: Visa violation month May 2022 (Computations made in June 2022)
The VFMP uses fraud and sales transactions processed in the previous calendar month. The formula used for the Fraud-to-sales-amount ratio calculation is:
Fraud-to-sales-amount ratio = Total amount of fraud reported during the month / Total amount of sales during the month
Total amount of Visa transactions reported as fraud in May 2022
Total amount of Visa sales in May 2022
Fraud-to-sales amount ratio for May 2022
( 85000 / 2500000 ) * 10000 = 3.40%
Breaching the standard thresholds of the VFMP
Additional information for the VFMP program
Program monitoring includes domestic transactions and international transactions for the following acquirer regions:
- AP (Australia)
- Europe (Germany, United Kingdom)
- LAC (Brazil)
For all remaining regions, VFMP monitoring only includes international transactions:
- For the VDMP, only the first ten disputes, in a given calendar month, between you and a single account number are counted.
- VFMP excludes fraud type code 3 (fraud application).
- Domestic transaction: A transaction where the issuer of the card used is located in the transaction Country (the country where you are).
- International transaction: A transaction where the issuer of the card used is not located in the transaction Country (the country where you are).
This section covers VFMP-3DS, only available in the US.
Thresholds, timelines, and fines
The VFMP-3DS program has two timelines.
Applies if you meet or exceed both Standard fraud amount thresholds.
|US domestic 3DS reported fraud||US domestic 3DS fraud-to-sales amount ratio|
Timeline, fines, and fees - above the VFMP-3DS Standard thresholds
The VFMP-3DS Standard timeline does not have a Workout period, only Enforcement. You may be subject to Dispute Condition 10.5 from the first month in the program, and any subsequent months, until you are remediated out of the program.
10.5 Dispute Liability means an issuer may initiate a dispute, under Dispute Condition 10.5, within 120 calendar days from the date of the report. You may continue to be subject to Dispute Condition 10.5 for trailing fraud activity that occurs up to 90 calendar days after you have stopped processing.
Within 30 days of notification from Visa that you are identified in the VFMP-3DS program, you are required to reclassify all Visa 3DS transactions (ECI 5: Authentication Successful and ECI 6: Authentication Attempted) to ECI 7 (Non-Authenticated Security Transaction).
Additional information for the VFMP-3DS program
- The VFMP-3DS program uses US domestic 3DS (ECI 5 and 6) fraud and sales transactions processed in the previous calendar month.
- Only the first ten fraudulent transactions, in a given calendar month, between you and a single account number are included.
- VFMP-3DS program excludes fraud type code 3 (fraud application).
- You will be remediated out of the VFMP-3DS program when it appears below the Standard program thresholds for three consecutive months.
Mastercard's Acquirer Chargeback Monitoring Program
Mastercard's Acquirer Chargeback Monitoring Program (ACMP) consists of two programs, the Excessive Chargeback Program (ECP) and the Excessive Fraud Merchant (EFM) program.
The ECP program has two levels, Excessive Chargeback Merchant (ECM) and High Excessive Chargeback Merchant (HECM).
The EFM program monitors and identifies merchants with excessive fraud activity. The goal is to reduce fraud on e-commerce transactions and to create a more secure ecosystem.
This program does not apply if you are in St. Helena, Ascension and Tristan Da Cunha, Germany, India, Liechtenstein, or Switzerland.
You will be placed in the EFM program if, in the previous calendar month, you met all the following conditions:
- You processed 1,000 or more Mastercard sales transactions in the previous month.
- You were subject to at least €/$50,000 or more in Mastercard fraud-related chargebacks with reason codes 4837 (No Cardholder Authorization).
- Your fraud chargebacks-to-sales ratio is 0.50% or more.
- Your percentage of monthly clearing volume processed using 3DS (including Data Only transactions) or DSRP (Digital Secure Remote Payment) is less than 10% in non-regulated countries, or less than 50% in regulated countries.
Notes for calculating EFM thresholds
- 3DS transactions identified in clearing in private data sub-element (PDS) 0052 (Security Level Indicators) with a value of 211, 212, 214, 216, or 217.
- Digital Secure Remote Payment transactions identified in clearing in PDS 0052 with a value of 242 (Issuer Fully Authenticated) or 246 (Merchant Risk Based Decisioning).
- Data Only refers to non-3DS transactions in which Mastercard performs risk scoring and inserts Digital Transaction Insights to the authorization request message.
- The term 'non-regulated' refers to those countries without a legal or regulatory requirement for strong cardholder authentication. The term 'regulated' refers to those countries with a legal or regulatory requirement for strong cardholder authentication.
How to exit the EFM
Mastercard will remove you from the program if your dispute activity falls below the EFM thresholds for three consecutive months. Where an extension is in place, if you successfully comply with the program for three consecutive months before the extension period ends, assessments will not apply. However, if you receive approval for an extension request, compliance must be achieved by the end of the extension period. Otherwise, you will be retroactively billed for any assessments you would have accrued while the extension was in place. You will also be retroactively billed for any assessments you would have accrued while the extension was in place if you:
- leave before the end of the extension period, for example, if you process zero sales in a calendar month
- you do not successfully exit the program by having three consecutive months below the program thresholds
Non-compliance for both EFM and ECM in the same month
If you are identified as non-compliant for both EFM and ECM in the same month will only be subject to the applicable EFM assessments. If you have been identified in either the ECM or EFM for 12 months, the highest of the program assessments (whether ECM or EFM) will apply.
If you are unable to comply with the programs, you may contact Checkout.com to request an extension from Mastercard.
Usually, extensions should be requested if you can quickly address the causes of identification in the Acquirer Chargeback Monitoring Program. An extension will allow time for the remaining chargebacks to be processed, and for you to return to compliance with program thresholds.
Extensions are reviewed and granted on a case-by-case basis. Mastercard may request additional information, such as an action plan, to evaluate an extension request.
Timeline and fines
Once you're placed in the EFM program, you will be charged monthly violation assessment fines from the second month of non-compliance. These fines are on top of any existing fees applied for fraudulent transactions and fraud-related disputes.
|Number of months above EFM thresholds||Violation assessment fines|