Skip to content
iGaming Payment SolutionsiGaming Payment Solutions

Article

Visa VAMP 2026: The 1.5% Math for Gambling Operators

Visa's VAMP threshold fell to 1.5% on April 1, 2026, and a fraud-coded dispute counts twice. The count-based math for gambling books: the double-count, per-descriptor measurement, the exclusions that work, and the method-mix trap.

Editorial Team

Verified

iGaming Payment Solutions

Deep-diveUpdated

A player loses eleven straight deposits on a Friday night, sleeps on it, and disputes six of them on Monday as unauthorized. Each of those six lands at your acquirer as a fraud-coded chargeback, which means each one files a fraud report and a dispute. Under the , that is twelve line items in your numerator from one player, one card, one weekend. Before June 2025 a single card could contribute at most ten items to the old programs' counts; that cap did not survive the consolidation, so the same tilting player with thirty deposits and a grudge is now sixty line items with no ceiling.

Since April 1, 2026 the line those items count against sits at 1.5% for merchants in Europe, the US, Canada and Asia-Pacific, down from 2.2%. The chargeback-tool vendors writing about that drop cover retail; none of the pages ranking for mention a casino, and the program's math lands on gambling books differently than on merchandise sellers, because bet-regret disputes arrive fraud-coded and fraud-coded disputes count twice. This is the program in operator terms: what actually counts, where Visa measures you, which numbers are official and which only exist in acquirer bulletins, and which levers move the ratio before your acquirer moves you.

One tilting player is now sixty line items

The formula in Visa's official fact sheet is one line: the ratio is the count of fraud reports () plus disputes (), divided by the count of settled transactions (), measured each month on card-not-present VisaNet transactions, domestic and cross-border. Three properties of that sentence decide everything downstream.

It is count-based, not dollar-based. A disputed $10 deposit and a disputed $5,000 VIP deposit are one numerator item each, which is why a casino's small-ticket, high-frequency deposit pattern cuts both ways: lots of settled transactions pad the denominator, and lots of small disputes fill the numerator just as fast as big ones would.

It double-counts fraud-coded disputes. Stripe's monitoring-program documentation states it plainly: a transaction that appears in both the fraud report and the dispute report is counted twice. A bet-regret chargeback filed as reason 10.4 generates a and a for the same deposit, two items. A merchandise seller whose disputes arrive as reason 13 product complaints gets one item per unhappy customer; a casino whose disputes arrive as fraud claims gets two. The dispute side counts most reason families either way (Adyen lists codes 10 except 10.5, plus 11, 12 and 13), but only the fraud-coded ones double.

And the old per-card cap is gone. The Worldpay program bulletin marks the legacy limit of ten fraud and dispute items per card number as not carried over, alongside the retirement of the 3DS carve-out. Fraud reports older than 90 days from the purchase date drop out; nothing else in a player's history does.

~0.75%

Effective dispute tolerance for a book whose disputes arrive fraud-coded

Arithmetic, not a published figure: the Excessive line is 1.5% of settled count since April 1, 2026, and a fraud-coded dispute contributes two items (TC40 plus TC15). A casino where bet-regret 10.4s dominate reaches the threshold at roughly half the dispute rate that would flag a merchant whose disputes carry non-fraud codes.

The thresholds Visa published, and the fees it did not

The official fact sheet defines one merchant status, Excessive. There is no merchant Above Standard tier; the two-tier structure applies to acquirers. A merchant is identified as Excessive when both the ratio and a minimum monthly count are met, and the fact sheet adds a precondition: the merchant thresholds apply only if the acquirer itself is not already Above Standard or Excessive. If your acquirer's whole portfolio is flagged, remediation pressure arrives regardless of your own number.

RegionExcessive Merchant ratioMinimum monthly count
AP, Canada, EU, US220bps; 150bps since April 1, 20261,500 fraud + disputes
LAC150bps from the start1,500 fraud + disputes
CEMEA220bps150 items and USD 75,000 in fraud + dispute amount
Brazil, Chile, IndiaNot yet in the program; thresholds to be announcedn/a

Acquirer portfolios are flagged Above Standard at 0.5% and Excessive at 0.7%, with the same count floors. That 0.5% is the number that governs your day-to-day reality more than the 1.5% does, because an acquirer defending its own portfolio ratio sets internal limits for merchants well below Visa's merchant line and starts conversations long before Visa would, a dynamic our acquirer underwriting guide covers from the application side. The program also carries a second, separate metric for card testing: an enumeration ratio of 20% with a 300,000-transaction count floor, measured on authorizations including declines. Visa assesses no fees on the enumeration side (Checkout.com and Stripe both note this), but it obliges acquirers to force remediation, and because declined authorizations count, a bot attack hurts the metric even when every attempt is refused.

The canonical VAMP dates

  1. Mar 31, 2025

    Legacy VDMP and VFMP programs discontinued; the digital-goods variant had already retired a year earlier.

  2. Apr 1, 2025

    VAMP takes effect as a single global program, opening with an advisory period.

  3. May 15, 2025

    Mid-flight revision: entry count floor raised to 1,500, fees cut to $8/$4, pre-dispute and CE 3.0 exclusions confirmed.

  4. Jun 1, 2025

    Updated thresholds and formula effective (official fact sheet).

  5. Sep 30, 2025

    Advisory period ends (official fact sheet).

  6. Oct 1, 2025

    Fee enforcement begins for Excessive identifications, per acquirer bulletins.

  7. Jan 1, 2026

    Above Standard acquirer enforcement begins, per vendor recaps of Visa Business News; not stated in the public fact sheet.

  8. Apr 1, 2026

    Excessive Merchant threshold drops from 220bps to 150bps in AP, Canada, EU and US.

The public fact sheet contains no dollar amounts at all. The fee figures every blog quotes, $8 per fraud-and-dispute item for an Excessive merchant and $4 at the acquirer's Above Standard tier, come from acquirer bulletins and vendor recaps of Visa Business News, and they reflect the May 15, 2025 revision that cut them from the originally announced $10 and $5. The three-month grace period for a first identification within a rolling 12-month window sits in the same category: consistently reported by Chargebacks911, Ravelin and acquirer guidance, absent from the public document. Visa charges the acquirer; the acquirer passes it through, and PSP terms say so openly (Trust Payments: if we incur these costs, we pass them on). Treat any article quoting $10 fees, a 0.9% merchant threshold, a 1,000-item floor or January 2026 merchant enforcement as recycling the abandoned original plan.

Why a casino book crosses 1.5% before a retailer does

The dispute profile of is friendly fraud wearing a fraud code. A player who regrets a losing session does not file a product complaint; the plausible story is always that the card was used without authorization, so the dispute arrives as 10.4, the issuer files the , and the double-count fires. Visa's own materials put friendly fraud at up to 75% of all chargebacks in its 2023 internal reporting (cited through its Verifi arm), while the current Visa Protect page frames it as around 20% of fraudulent disputes globally and up to 30% for high-volume online merchants; the frames differ, the direction does not. The 2026 Chargebacks911 Field Report has 83% of enterprise merchants reporting friendly-fraud growth over three years. For the vertical itself, Sumsub's iGaming fraud report measured overall fraud at 1.53% of the vertical's activity in Q1 2026, up 18% year over year, and that measures a different behavior set than the dispute-side conduct this program prices.

Now put the count mechanics on a real book. A mid-size operator settling 100,000 card deposits a month crosses the 1,500-item floor and the 1.5% line at the same point, 750 fraud-coded disputes, because each one counts twice. Losing streaks cluster, and with the per-card cap gone, a hundred tilting players in a bad sports month can carry you most of the way there on their own. Meanwhile the same behavior carries two more costs: the disputed deposits already paid the roughly 3-6% high-risk card MDR discussed in our card processing guide once, and every item accrues that $8 fee once the grace window closes.

The vertical also pays an entry toll before a single dispute happens. Card-absent gambling is a Tier 1 category under the Visa Integrity Risk Program, the successor to GBPP, with registration at $950 initially and annually per Corepay and PaymentCloud, raised from $500 in April 2024. VIRP polices what you are and whether you may process; prices how your traffic behaves. You live under both at once.

Per MID, per descriptor, per acquirer: what isolation can and cannot do

Where does Visa draw the box around "the merchant"? Not around your company, and not around a single either. Stripe's documentation describes identification by the static component of the statement descriptor combined with the acquiring bank, with volumes aggregated across EU countries under one descriptor; Trust Payments describes it as applying per or acquiring entity. The operational translation: your counters live per descriptor, per acquirer, and they do not sum across acquirers.

That gives a multi-acquirer book two legitimate structural facts to work with. Exposure splits: a brand processing through two acquirers runs two separate ratios and two separate 1,500-item floors, and a smaller descriptor that never reaches 1,500 monthly items is below the program's radar entirely, whatever its percentage. This is ordinary treasury structure, the same reason a treasury desk never runs a book on a single acquirer, and it is not a loophole.

The boundary is on the other side of a bright line. Running the same business and the same traffic through multiple MIDs, names or MCCs to dilute a ratio or dodge registration is misrepresentation, and VIRP prices it at a $25,000 non-compliance assessment per impacted merchant, with transaction laundering handled as the serious violation it is. Separate legal entities with their own licenses, products, markets, acquiring agreements and honest registration are segmentation; one casino wearing four descriptors is evasion. And two forces limit what even legitimate splitting buys you. The acquirer's own portfolio threshold at 0.5% aggregates everything it processes, so a book that stays under 1.5% per descriptor while feeding an acquirer's ratio still gets the internal-limit conversation. And the fact sheet's precondition cuts the other way too: once an acquirer is flagged, Visa's merchant-level thresholds stop being your shield, because remediation flows down the whole portfolio.

The exclusions that move the number, and the 3DS one that does not

The fact sheet names two things that come out of the ratio, both with the same caveat: disputes resolved through pre-dispute solutions, and TC40s qualified under Compelling Evidence 3.0, each contingent on the timing of the data extract. Resolve or qualify before the monthly cut and the item never counts; after, it counts this month. That timing caveat explains most of the contradictions between vendor write-ups.

Rapid Dispute Resolution reliably removes the dispute leg: an auto-refund rule fires at pre-dispute and no enters the count. What happens to the paired is where sources diverge, with the Worldpay bulletin's element table marking RDR fraud excluded while Chargeback Gurus reports the fraud count surviving; the extract-timing language explains how both can be locally true. Budget RDR as a stop-loss on the dispute component of small-ticket bet-regret, not as a eraser. CDRN, its case-routed sibling, is excluded in the final rules, and if you have read the opposite, that is an artifact of an early draft of the rules that said CDRN would count; the final version reversed it. Verifi Order Insight works one stage earlier and is cleaner still: the issuer surfaces your session data inside the banking app at inquiry, the player recognizes the charge and no dispute is ever filed, so nothing enters the count in the first place.

Compelling Evidence 3.0 is the casino-native lever. Qualification wants two prior undisputed transactions on the same identity, aged 120 to 365 days, matching at least two elements from login ID, device fingerprint, IP and delivery address, at least one of them IP or device. A depositing player generates that footprint on every visit, which makes gambling one of the few verticals where CE 3.0 evidence exists by default rather than by engineering effort. Since April 18, 2026 the same mechanism extends to non-disputed fraud, letting you knock standalone TC40s out of the count for repeat depositors who never even filed a chargeback.

The trap is 3-D Secure: it does not take a transaction out of . The liability shift moves the chargeback's cost to the issuer, but the still files and still counts in your ratio, and the old fraud-program carve-out for authenticated transactions (reason 10.5) was explicitly not carried over. Mastercard runs the opposite design: its program only captures merchants whose 3DS usage sits below 10% of volume in unregulated markets or 50% in regulated ones, per Stripe's program documentation, so at Mastercard authentication is a program exit, at Visa it is only a probability reducer; our EFM deep dive runs that program's math for gambling books. 3DS still earns its place by making the fraud claim itself less likely to file. Challenge selectively, on new devices, VPN sessions and first deposits: a blanket challenge wall pays for its ratio effect in failed and abandoned deposits, and the decline-recovery math rarely favors it.

Move the disputing cohort, not the clean volume

The method-mix lever is real and it is the one most likely to backfire, because the ratio has a denominator. Take that 100,000-deposit book running 1,400 monthly items, a 1.4% ratio, uncomfortable but under the line. Move 30,000 of its cleanest card deposits to wallets and open banking because those players convert fine anywhere, and next month the same 1,400 items sit over 70,000 settled transactions: 2.0%, identified, grace clock running. Shrinking the denominator with well-behaved volume is self-sabotage. The move that works is surgical: find the cohorts that generate the items, repeat disputers, first-deposit tilt profiles, mismatched-geo card users, and route those to rails where the dispute mechanic dies. A wallet deposit's dispute stays inside the wallet, which is what operators are actually buying at that MDR; a voucher deposit is prepaid cash with nothing to charge back at all; an open-banking pull has no to file. Your card channel keeps its volume and loses its worst passengers.

Around that, the unglamorous controls do the counting work. Per-card and per-device deposit velocity matters more now than under the old rules, because the ten-item cap that used to contain a single player's damage is gone. A descriptor the player recognizes on a statement prevents the honest half of 10.4s. A refund offered at first complaint is cheaper than an $8 line item plus a lost representment. A blocklist for players who have disputed and redeposited, and a KYC re-trigger on the first chargeback, close the revolving door. All of it feeds one monthly discipline: pull and counts by descriptor and by acquirer, watch them against the 1,500 floor and your acquirer's internal limit rather than Visa's headline number, and treat a bad sports weekend as a leading indicator, not a surprise.

did not make cards unworkable for gambling. It repriced bet-regret at two count units and $8 a line item, moved the real enforcement line down to your acquirer's 0.5%, and left the exclusions sitting on data a casino already owns. The books that get hurt by the 1.5% era will mostly be the ones that never learned which descriptor their tilting players dispute against; the ones that run the count per descriptor, wire CE 3.0 to their session data and move their disputing cohort off cards will find the program did them the favor of charging their competitors for sloppiness.

Sources (18)

  1. 01Visa: Acquirer Monitoring Program fact sheet (official PDF)
  2. 02Visa Perspectives: Introducing the Visa Acquirer Monitoring Program
  3. 03Visa Protect: Friendly fraud insights
  4. 04Verifi (Visa): Friendly fraud on the rise
  5. 05Worldpay: Enhancements to the Visa Acquirer Monitoring Program (March 2025 bulletin, PDF)
  6. 06Stripe Docs: Fraud and dispute monitoring programs
  7. 07Adyen Docs: Dispute and fraud monitoring
  8. 08Checkout.com: The Visa Acquirer Monitoring Program explained
  9. 09Chargeback Gurus: Visa announces even more VAMP changes (May 15, 2025 revision)
  10. 10Chargebacks911: Visa Acquirer Monitoring Program
  11. 11Chargebacks911: Compelling Evidence 3.0 update, April 2026
  12. 12Ravelin: Visa VAMP changes and chargeback disputes timeline
  13. 13Businesswire: Chargebacks911 2026 Chargeback Field Report
  14. 14Corepay: The Visa Integrity Risk Program
  15. 15PaymentCloud: Visa Integrity Risk Program guide for high-risk merchants
  16. 16PAAY: VAMP and 3-D Secure
  17. 17Sumsub: iGaming Fraud Report
  18. 18Trust Payments: VAMP merchant guidance