Visa Fraud and Chargeback Rules: Updated thresholds applicable to all merchants
0.9% is the new magic number for most merchants.
Back in 2016, Visa restructured its compliance programmes, namely the Visa Fraud Monitoring Programme (VFMP) and the Visa Chargeback Monitoring Programme (VCMP). Their purpose is to protect cardholders against fraud, protect the integrity of the Visa payment system, and introduce a standardised framework across the world. In February 2019, Visa issued a bulletin announcing a revision of these programmes, which will come into effect on 1st October 2019.
What is VFMP and VCMP?
The two programmes are very similar, but one focuses on fraud and the other on chargebacks. Both programmes only take cross-border transactions into consideration. This means that only inter- and intraregional transactions are reviewed.
In the case of VFMP, Visa looks at fraudulent transactions reported in the past month. These will then be divided by the sales of the merchant for the past month in order to get the fraud-to-sales ratio. Both fraud and amount of sales are calculated in USD. The VCMP takes into consideration the chargeback counts received and the sales count for the past month. By doing so, the chargeback ratio (CTR) is obtained.
If a merchant experiences extreme amounts of fraud/chargebacks from a particular card, Visa will only incorporate the first 10 fraudulent transactions or 10 chargebacks from this particular card.
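An added example (not code from Visa or Clearhaus) of the two ratio calculations described above, including the 10-per-card cap. The record fields and the sample month are constructed, and it assumes the cross-border restriction applies to the sales figures as well as to the fraud and chargeback figures.

```python
from collections import defaultdict
from dataclasses import dataclass

PER_CARD_CAP = 10  # from the article: only the first 10 per card are counted

@dataclass
class Txn:                    # hypothetical record layout, not an acquirer format
    card: str                 # card token
    ts: int                   # ordering key within the month
    usd: float                # amount converted to USD
    domestic: bool = False    # domestic transactions are out of scope
    fraud: bool = False       # reported as fraudulent
    chargeback: bool = False  # chargeback received

def capped(txns):
    """Keep only the earliest PER_CARD_CAP transactions for each card."""
    seen, kept = defaultdict(int), []
    for t in sorted(txns, key=lambda t: t.ts):
        if seen[t.card] < PER_CARD_CAP:
            seen[t.card] += 1
            kept.append(t)
    return kept

def monthly_ratios(txns):
    """Return (VFMP fraud-to-sales ratio by USD, VCMP chargeback ratio by count)."""
    scope = [t for t in txns if not t.domestic]
    sales_usd = sum(t.usd for t in scope)
    if not scope or sales_usd == 0:
        return 0.0, 0.0  # no in-scope sales this month
    fraud = capped([t for t in scope if t.fraud])
    cbs = capped([t for t in scope if t.chargeback])
    return sum(t.usd for t in fraud) / sales_usd, len(cbs) / len(scope)

def sample_month():
    """Constructed data: 1,000 cross-border sales of $50 plus 20 domestic."""
    txns = [Txn(f"clean-{i}", i, 50.0) for i in range(983)]
    # Card A: 15 fraud reports that all became chargebacks (cap applies).
    txns += [Txn("A", 1000 + i, 50.0, fraud=True, chargeback=True) for i in range(15)]
    # Card B: 2 fraud reports, no chargebacks.
    txns += [Txn("B", 2000 + i, 50.0, fraud=True) for i in range(2)]
    # Domestic fraud is ignored by both programmes.
    txns += [Txn(f"dom-{i}", 3000 + i, 50.0, domestic=True, fraud=True) for i in range(20)]
    return txns

if __name__ == "__main__":
    fraud_ratio, cb_ratio = monthly_ratios(sample_month())
    print(f"fraud-to-sales: {fraud_ratio:.2%}  chargeback ratio: {cb_ratio:.2%}")
```

Without the cap, card A alone would push the sample month's fraud-to-sales ratio from 1.2% to 1.7%, so a single heavily abused card counts for less than its raw total suggests.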
Visa has three thresholds: an “early warning”, a “standard”, and an “excessive” threshold. Whenever a merchant exceeds one of the thresholds, Visa will notify the acquirer. In turn, the acquirer is obliged to notify the merchant. Both merchant and acquirer will then work on bringing down the fraud/chargeback levels.
Merchants qualified as high risk (MCCs: 5962, 5966, 5967, 7995, 5912, 5122) will automatically follow the “excessive” Non-Compliance Assessments (fees/fines), even if they only break the “standard” threshold.
What has changed - the new thresholds
What happens if a merchant exceeds a threshold?
In Visa terms, non-compliant activity triggers a Non-Compliance Assessment, which is equivalent to a fine.
The threshold for “Early warning” triggers a warning. It is a notification to inform both merchant and acquirer to look into the root cause of the increasing levels of fraud and identify any gaps or issues before it becomes a breach.
If a merchant exceeds the “standard” threshold, the merchant will get a four-month workout period, during which they must try to bring down the fraud/chargeback levels. If they do not succeed, they will enter into the enforcement period.
In the VFMP “standard” enforcement period, there are no Non-Compliance Assessments involved. However, the possibility of refuting a chargeback with reason code 93 ‘Fraud’ is no longer an option, even if there is proof. Any fraud-related chargebacks are to be automatically accepted by the merchant.
The VCMP has an enforcement period of 8 months, which is split into three separate periods (months 5-7, 8-9, and 10-12). In the first period, the merchant must pay $50 per chargeback, and in the second and third periods, the fee is $100. Furthermore, the merchant is subject to a $25,000 review fee in period three.
What about the excessive threshold?
For high-risk merchants or merchants breaching the VFMP “excessive” threshold, a Non-Compliance Assessment fine is assigned for each month of breaching.
Furthermore, identified merchants must pay any chargebacks with reason code 93 (Fraud).
Merchants identified as high risk or merchants breaching the “excessive” thresholds must pay $100 per chargeback for the full 12-month period. After month 6, they must also pay a $25,000 review fee.
All Non-Compliance Assessments are charged via the acquirer, which in turn will charge the merchant accordingly.
A merchant is considered out of the programme when they are below the “standard” thresholds for three consecutive months. Should the merchant ever exceed the thresholds again, it will be considered a new case.
If the merchant is below the threshold for less than three consecutive months before once more breaching the threshold, the programme will continue from the month of the merchant’s last breach. Here’s an example:
NOTE: If a merchant exceeds the “excessive” threshold, they will stay in this category until they manage to stay below the “standard” threshold for three consecutive months, thereby exiting the programme completely.
What if the merchant is in both VFMP and VCMP?
If a merchant exceeds the thresholds for both programmes, they will be tracked in both programmes and receive monthly reports on both but only be subject to the Non-Compliance Assessments of the VCMP.
If the merchant drops below the threshold for VCMP but is still above the VFMP-threshold, the merchant will continue on the VFMP timeline. The table below shows an example of this.
What happens if a merchant is not below the threshold after 12 months?
If a merchant is not below the threshold within 12 months, they may be banned from Visa’s payment system and hence will no longer be allowed to accept Visa payments in their online shop. If you have an acquirer like Clearhaus, we’ll do our best to help you exit the programmes. However, if the thresholds are not lowered within an adequate time frame, the acquiring contract may be terminated with the possibility of being listed on the Visa Merchant Alert System (VMAS) due to high fraud or chargebacks.
How can merchants avoid fraud when doing e-Commerce?
These new thresholds encourage online merchants to amp up their fraud protection efforts. There are several measures to be taken to fend off fraudsters:
- Make sure the website has an SSL certificate issued in the merchant’s name.
- Doing manual checks on transactions. If there’s any unusual behaviour (for example many transactions, high transaction values, transactions from high-risk countries, etc.), it’s an indicator that the online shop is a victim of fraud.
- Using and analysing the TC40 and SAFE data that is offered daily through Clearhaus’ API. The data helps in detecting unusual patterns in cards or BINs.
- Implementing 3-D Secure. The feature requires 2-factor authentication of customers, making it difficult for fraudsters to use stolen cards in your shop. As of September 2019, PSD2 mandates 2-factor authentication for transactions above 30 Euros.
- Choosing an acquirer with fraud-prevention tools. At Clearhaus, we offer our own fraud detection tool. It will automatically reject “risky” transactions, in this case meaning transactions with cards that have previously been involved in fraudulent transactions. This tool has saved our merchants around 2.3 million euros.
If you have any questions regarding Visa’s new fraud thresholds, feel free to write us an email at firstname.lastname@example.org.