Subscription Payment Compliance 2026: VAMP, VIRP, MMP, SMM Explained
Subscription billing has always carried compliance obligations. Basic consent and disclosure requirements have been part of the card scheme rulebooks since 2011. The specific trial disclosure and cancellation access standards most merchants operate against today took effect in 2020. What changed between 2024 and 2026 is the monitoring infrastructure behind those rules and the consequences for falling short.
Both Visa and Mastercard have overhauled their merchant oversight programs. Visa's enhanced Acquirer Monitoring Program (VAMP), the Integrity Risk Program (VIRP), Mastercard's revised Merchant Monitoring Program (MMP), and the upcoming Scam Merchant Monitoring program (SMM) have collectively changed what acquirers are required to do. They must now detect problems earlier, investigate faster, and document more thoroughly than before. That shift in acquirer obligation does not stay with acquirers. It flows directly to the merchants they process for.
If you run a subscription or recurring billing business and accept card payments online, this is the compliance landscape you are operating in right now.
Why Card Networks Tightened Subscription Merchant Rules
The immediate trigger is scam-based fraud in subscription and recurring billing.
In 2024, scams became the most prevalent type of website fraud, overtaking digital payment fraud. Scam-related fraud surged 56%, with financial losses rising 121%. In subscription and recurring billing, the patterns are unauthorized recurring charges initiated after a legitimate first transaction, deceptive trial periods that roll into ongoing billing without adequate notice, and cancellation processes deliberately designed to frustrate cardholders.
Social media platforms generated the highest reported financial losses from scams in 2024, with $1.9 billion in losses attributed to scams that originated on social media, more than any other contact method. The scale and sophistication of these operations accelerated the card networks' response.
Both Visa and Mastercard responded with programs that treat subscription merchants not just as a compliance category but as a fraud risk category. Understanding that distinction matters for how you manage your payment infrastructure and your acquirer relationships. Visa stated that VAMP alone had the potential to address four times the amount of fraud globally compared to previous programs, accounting for more than $2.5 billion in losses.
How Visa's Subscription Rules Began
Visa's subscription rules began with basic consent and transparency requirements. Merchants needed to obtain cardholder permission for recurring charges and include transaction details on receipts. In 2011, negative option rules introduced explicit disclosure requirements: merchant name, description of goods or services, transaction amount and date for each recurring charge, trial period length, and cancellation policy, all disclosed before the initial transaction.
The 2020 Overhaul: Click-to-Accept, Reminders, and Cancellation Access
The most significant pre-VAMP update came in 2020, when Visa introduced new requirements that took effect globally on April 18, 2020. Key mandates included express consent via a click-to-accept button at checkout, enhanced enrollment notifications detailing terms, amounts, and frequency, reminder notifications seven days before post-trial charges, and easy online cancellation comparable to a one-click email unsubscribe.
In 2023, Visa updated the disclosure requirements for recurring transactions, free trials and subscriptions. Merchants in Europe had to ensure that all applicable disclosure information is displayed throughout the entire checkout and payment process.
VAMP: The Current Enforcement Framework
The Visa Acquirer Monitoring Program, known as VAMP, originally existed as a limited acquirer-level monitoring program. In April 2025, Visa fundamentally rebuilt and expanded it, consolidating the existing VAMP, the Visa Fraud Monitoring Program, and the Visa Dispute Monitoring Program into a single global framework. The consolidated program retained the VAMP name. This rebuild is the most consequential change for subscription merchants in the current compliance environment.
The core metric is the VAMP Ratio: combined card-absent fraud reports (TC40) and all disputes (TC15), divided by total settled transactions.
On April 1, 2026, the Excessive merchant threshold dropped from 2.2% to 1.5% across Europe, North America, and Asia Pacific. Merchants exceeding the Excessive threshold face fees of $8 per dispute and fraud report. In serious cases, merchants can lose the ability to accept Visa entirely. Scheme enforcement fees are subject to change and should be verified with your acquirer or Independent Sales Organisation (ISO).
Four things about VAMP are not immediately obvious but create significant operational exposure.
One transaction can generate two counts.
A transaction reported as fraud by the cardholder generates a TC40 report from the issuer. If that same transaction then progresses to a formal chargeback, a TC15 is also filed. Both count independently in the VAMP ratio. A single fraudulent transaction can therefore generate two counts against your ratio, one for the fraud report and one for the dispute.
Winning a representment does not help you. Resolving before filing does.
The ratio counts disputes filed, not disputes resolved in your favor. Win a chargeback representment and it still counts. TC40 fraud reports count regardless of outcome and cannot be removed through pre-dispute resolution. Where pre-dispute tools make a material difference is on the TC15 side. Disputes resolved via Verifi CDRN or RDR before filing are excluded from your VAMP ratio. Pre-dispute tools give you control over your TC15 exposure. Your TC40 exposure is not within your control in the same way.
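The counting rules above, worked through on a constructed month of card-not-present transactions. This is an added example, not Visa's or the author's code; the `Txn` fields and the function names are hypothetical, and the thresholds are the ones quoted in this article.

```python
from dataclasses import dataclass, replace

EXCESSIVE = 0.015  # merchant Excessive threshold from April 1, 2026, as quoted in the article


@dataclass(frozen=True)
class Txn:
    settled: bool = True
    tc40: bool = False                  # issuer filed a fraud report
    disputed: bool = False              # cardholder raised a dispute
    resolved_pre_dispute: bool = False  # resolved via RDR/CDRN before a TC15 was filed
    representment_won: bool = False     # recorded, but deliberately ignored by the ratio


def vamp_counts(txns):
    """Return (tc40_count, tc15_count, settled_count) for one month."""
    tc40 = sum(t.tc40 for t in txns)  # counts regardless of outcome
    tc15 = sum(t.disputed and not t.resolved_pre_dispute for t in txns)
    settled = sum(t.settled for t in txns)
    return tc40, tc15, settled


def vamp_ratio(txns):
    """(TC40 + TC15) / settled transactions."""
    tc40, tc15, settled = vamp_counts(txns)
    if settled == 0:
        raise ValueError("no settled transactions in the period")
    return (tc40 + tc15) / settled


def sample_month():
    """Constructed data: 10,000 settled transactions for a hypothetical merchant."""
    txns = [Txn(tc40=True)] * 40                      # fraud report only
    txns += [Txn(tc40=True, disputed=True)] * 20      # one transaction, two counts
    txns += [Txn(tc40=True, disputed=True, resolved_pre_dispute=True)] * 10  # TC40 still counts
    txns += [Txn(disputed=True, representment_won=True)] * 30  # won, but still counts
    txns += [Txn(disputed=True, resolved_pre_dispute=True)] * 60  # excluded from the ratio
    txns += [Txn()] * (10_000 - len(txns))            # clean transactions
    return txns


def without_pre_dispute(txns):
    """The same month if every RDR/CDRN resolution had been filed as a TC15 instead."""
    return [replace(t, resolved_pre_dispute=False) for t in txns]


if __name__ == "__main__":
    month = sample_month()
    for label, data in (("with pre-dispute tools", month),
                        ("without pre-dispute tools", without_pre_dispute(month))):
        ratio = vamp_ratio(data)
        status = "EXCESSIVE" if ratio > EXCESSIVE else "under threshold"
        print(f"{label}: {ratio:.2%} ({status})")
```

On this sample the 70 pre-dispute resolutions are the difference between 1.2% and 1.9%, while the 30 representment wins change nothing.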
Your ratio travels upstream to your acquirer.
Your ratio affects your acquirer at the portfolio level, not just at your merchant level. Acquirers are identified as Above Standard at 0.5% and Excessive at 0.7%. Merchants with elevated dispute activity contribute to the acquirer's aggregate portfolio ratio. When that portfolio ratio approaches either threshold, acquirers act to protect their own position. They tighten internal merchant limits, raise reserve requirements, and restrict accounts before scheme-level enforcement arrives. In our experience, those internal thresholds are typically stricter than the published scheme limits and are not always communicated to merchants in advance.
VAMP also monitors for enumeration attacks, separately from the fraud and dispute ratio.
Enumeration, also known as card testing, occurs when fraudsters systematically test stolen or generated card numbers against your checkout to identify valid credentials. Visa measures this through a separate VAMP Enumeration Ratio. Acquirers are required to take proactive steps to prevent merchants from exceeding the enumeration thresholds: an enumeration ratio of 20% or above and a minimum of 300,000 enumerated transactions. If your checkout has weak bot protection, enumeration exposure can create VAMP risk even when your dispute numbers are clean. Speak to your acquirer or ISO about your enumeration exposure and what detection tools are available.
VIRP: Additional Acquirer Obligations for Subscription “Negative Option” Merchants (October 2025)
In October 2025, Visa added the Integrity Risk Program, known as VIRP, placing additional acquirer oversight obligations specifically around negative option billing. Where VAMP monitors fraud and dispute ratios across all card-not-present merchants, VIRP targets a more specific pattern: merchants using deceptive marketing, unauthorized recurring charges, or legitimate initial transactions as a gateway to further unauthorized billing.
For subscription merchants operating clean billing practices, VIRP does not introduce new direct obligations. What it does is increase the scrutiny acquirers are required to apply when these patterns are present in their portfolio, which raises the bar for how acquirers assess and manage subscription merchant risk overall.
In practice, if your billing model generates any of these signals, your acquirer is now required to apply stricter due diligence, with less tolerance for ambiguity than before.
Mastercard: The Core Requirements (2018)
Mastercard's updated subscription merchant rules were published in 2018, with enforcement beginning April 2019. The new standards focused on targeting high-risk negative option billing for physical products. The initial focus was nutraceutical merchants offering free samples that rolled into recurring charges. Acquirers were required to assign MCC 5968 to these merchants, register them through the Mastercard Registration Program, and monitor for cross-billing patterns where the same cardholder account appeared across multiple negative option merchant IDs within a 60-day period.
2022 Expansion to Digital Subscriptions
Effective October 2022, Mastercard extended its requirements to digital goods including streaming services, club memberships, website access, and software licenses. The key addition was a mandatory pre-charge reminder notification sent between three and seven days before the end of a trial period, including subscription terms and cancellation instructions.
Additional requirements applicable to all negative option billing merchants from this update included clear subscription terms on the website payment page, email confirmation at enrollment, transaction receipts after every billing cycle with cancellation instructions, and a mandatory online cancellation method.
2025 and 2026: Scam Merchant Focus
From 2025, Mastercard's focus shifted toward elevated fraud in subscription and recurring billing models, the same pattern that drove Visa's VAMP rebuild. Two separate programs address this, one already in effect and one launching later this year.
The revised Merchant Monitoring Program standards took effect January 1, 2026. MMP is a broad ongoing monitoring framework that applies across an acquirer's merchant portfolio. Under the revised standards, any merchant onboarded from January 1, 2026 must undergo an initial content and transaction laundering scan before their first transaction can be processed. Ongoing monitoring must now extend into password-protected and restricted areas of merchant websites. Acquirers are required to engage approved monitoring service providers to perform ongoing Business Risk Assessment and Mitigation (BRAM) monitoring and transaction laundering detection.
Scam Merchant Monitoring is a separate and additional program launching July 24, 2026. Where MMP covers merchant onboarding and ongoing portfolio monitoring broadly, SMM specifically targets merchants generating scam-related signals. Under this program, acquirers must investigate flagged merchants within 72 hours when specific triggers are breached:
An approval rate that drops more than 50 percentage points over a 72-hour period.
An approval rate that falls below 30%, with a minimum of 25 purchase transactions.
For merchants under six months old, either 2 TC40 transactions or 2 initiated chargebacks related to manipulation of cardholder.
For subscription merchants operating clean billing practices with transparent terms, accessible cancellation, and active dispute monitoring, neither MMP nor SMM introduces direct new obligations beyond what good operational practice already requires. What both programs do is raise the bar for how quickly acquirers must act when signals appear.
The merchants most exposed are not necessarily running bad operations. They are running practices that generate the signals these programs are designed to detect: confusing descriptors, buried cancellation flows, and approval rate volatility that looks like a scam pattern even when it is not. Getting ahead of those signals is operationally straightforward. Waiting until an acquirer investigation opens is not.
What Subscription Merchants Need to Do Now
The following applies regardless of which scheme generates the majority of your transaction volume. Both programs are live and both affect your payment operations and how your acquirer manages your account.
Audit your website against current disclosure requirements: Subscription terms, billing amounts, and trial conditions must appear on the payment page itself, not only in terms and conditions linked elsewhere. Cancellation must be straightforward, visible, and accessible from your home page. This is the standard both Visa and Mastercard expect and the first thing an acquirer or scheme review will check.
Review your email flows and transaction receipts: Every billing cycle should generate a receipt that includes clear cancellation instructions. Trial-to-paid conversions for negative option billing with digital goods require advance notification within the three to seven day window before the charge posts. For subscriptions billing less frequently than every six months, a similar notification is required before each billing date. These are not best practice recommendations. They are current scheme requirements for both Visa and Mastercard.
Confirm your billing descriptor is correctly configured: A confusing descriptor is a leading cause of unrecognized chargebacks, and every unrecognized chargeback feeds your VAMP ratio. Confirm that the descriptor clearly shows your base business name or URL, with a customer service contact number or business location alongside it.
Monitor your chargeback, fraud, and refund ratios actively: Do not wait for a notice from your acquirer or processor. Acquirer internal thresholds are typically stricter than the published scheme limits and are frequently not shared with merchants. By the time a formal notice arrives, your acquirer has usually been watching for some time.
Track your authorization approval rates across acquirers: A sustained or sudden drop in approval rates is often the earliest signal that scrutiny is building, whether from the scheme's monitoring systems, your acquirer's internal risk team, or issuer-level friction on your transactions. Under Mastercard's Scam Merchant Monitoring launching July 2026, a drop of more than 50 percentage points over a 72-hour period, or a rate falling below 30% with a minimum of 25 transactions can trigger a mandatory acquirer investigation within 72 hours. This signal typically arrives before any formal communication.
Implement pre-dispute resolution tools: Verifi CDRN and RDR for Visa, and Ethoca Alerts for Mastercard, allow you to resolve disputes before they file. For subscription merchants operating near threshold, this infrastructure is not optional.
Communicate proactively with your ISO or acquirer: Pricing changes, new product launches, trial period adjustments, and any shift in your business model should be discussed before they happen. Volume spikes, model changes, and new market entries all affect how your acquirer reads your risk profile. If you work with an ISO, that relationship is your primary channel for proactive acquirer communication. The conversation is significantly easier before a change than after a data anomaly triggers a review.
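For the approval-rate tracking step above, a check of authorization logs against the two Mastercard SMM approval-rate triggers listed earlier. This is an added example, not Mastercard's or the author's code; the function names are hypothetical, and the 24-hour bucket size and per-bucket evaluation are assumptions, since the article does not say how the rate is measured.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DROP_POINTS = 50.0            # trigger: drop of more than 50 percentage points ...
WINDOW = timedelta(hours=72)  # ... over a 72-hour period
FLOOR_RATE = 30.0             # trigger: approval rate below 30% ...
FLOOR_MIN_TXNS = 25           # ... with a minimum of 25 purchase transactions
BUCKET = timedelta(hours=24)  # assumption: bucket size is not defined in the article


def bucket_rates(auths, start):
    """auths: iterable of (timestamp, approved). Returns [(bucket_start, rate_pct, count)]."""
    tally = defaultdict(lambda: [0, 0])  # bucket index -> [approved, total]
    for ts, approved in auths:
        idx = (ts - start) // BUCKET
        tally[idx][0] += int(approved)
        tally[idx][1] += 1
    return [(start + i * BUCKET, 100.0 * a / n, n) for i, (a, n) in sorted(tally.items())]


def smm_signals(auths, start):
    """Return [(bucket_start, signal, value)] for buckets that would breach a trigger."""
    rates = bucket_rates(auths, start)
    alerts = []
    for i, (ts, rate, n) in enumerate(rates):
        # Floor trigger applies only once the bucket has enough transactions.
        if n >= FLOOR_MIN_TXNS and rate < FLOOR_RATE:
            alerts.append((ts, "below_floor", round(rate, 1)))
        # Drop trigger: reported once per bucket, against the earliest
        # earlier bucket inside the 72-hour window that qualifies.
        for prev_ts, prev_rate, _ in rates[:i]:
            if ts - prev_ts <= WINDOW and prev_rate - rate > DROP_POINTS:
                alerts.append((ts, "rapid_drop", round(prev_rate - rate, 1)))
                break
    return alerts


def sample_auths(start):
    """Constructed data: (authorizations, approvals) per day for a hypothetical merchant."""
    days = [(200, 180), (200, 176), (120, 42), (20, 4), (40, 10)]
    auths = []
    for d, (total, ok) in enumerate(days):
        for k in range(total):
            auths.append((start + d * BUCKET + timedelta(minutes=k), k < ok))
    return auths


if __name__ == "__main__":
    t0 = datetime(2026, 8, 1)
    for ts, signal, value in smm_signals(sample_auths(t0), t0):
        print(ts.date(), signal, value)
```

Day 4 of the sample sits at 20% approval but raises no floor alert because it has only 20 transactions; it is still caught by the drop check.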
The Compliance Environment Is Not Getting Easier
For merchants running clean operations with transparent billing, accessible cancellation, and active dispute monitoring, compliance with these requirements is operationally manageable. The risk sits with operators who have not updated their practices since the 2020 overhaul, who rely on a single acquirer without understanding that acquirer's internal thresholds, or who learn about compliance pressure when it arrives as a restriction rather than a signal.
Compliance pressure rarely begins as enforcement. It starts earlier, as friction: slower approvals, more questions from your acquirer, tighter scrutiny on volume growth. Recognizing those signals before limits are imposed is what separates stable operators from those managing reactive crises.
The merchants who stay stable in this environment are not necessarily the ones with the most sophisticated infrastructure. They are the ones who treat scheme requirements as an operational baseline and adjust before they are asked to.
If you want to audit your current setup against both schemes, we put together a practical compliance reference for payments, finance, and compliance teams. It covers current Visa and Mastercard requirements with scheme-specific attribution for every action item.
If this raises questions about your setup, we are happy to give a direct assessment of where your infrastructure stands. Reach us at info@streampayments.com
Frequently Asked Questions
Understanding the Programs
What is VAMP?
VAMP stands for the Visa Acquirer Monitoring Program. It is Visa's primary framework for monitoring fraud and dispute activity across card-not-present transactions. It measures a single ratio, the VAMP Ratio, combining fraud reports (TC40) and all disputes (TC15) divided by total settled transactions. Merchants and acquirers exceeding defined thresholds face fees and in serious cases can lose the ability to accept Visa. The program was fundamentally rebuilt in April 2025, consolidating several previous programs into a single global framework.
What is VIRP?
VIRP stands for the Visa Integrity Risk Program, added in October 2025. It places additional acquirer oversight obligations specifically around scam merchant activity, targeting merchants using deceptive marketing, unauthorized recurring charges, or legitimate initial transactions as a gateway to further unauthorized billing. It operates alongside VAMP rather than replacing it.
What is MMP?
MMP stands for the Mastercard Merchant Monitoring Program. It is a broad ongoing monitoring framework that applies across an acquirer's merchant portfolio. Revised standards effective January 1, 2026 require acquirers to conduct a content and transaction laundering scan before a new merchant's first transaction processes, and to extend ongoing monitoring into password-protected and restricted areas of merchant websites.
What is SMM?
SMM stands for Scam Merchant Monitoring, a separate Mastercard program launching July 24, 2026. Unlike MMP which covers broad portfolio monitoring, SMM specifically targets merchants generating scam-related signals. When defined triggers are breached, acquirers must open an investigation within 72 hours. Confirmed scam merchants lose Mastercard processing immediately.
What is negative option billing?
Negative option billing is a billing model where a cardholder is automatically enrolled in a paid subscription unless they actively cancel before a defined date. Free trials that convert to recurring paid subscriptions are the most common example. Both Visa and Mastercard have specific compliance requirements for merchants using this model, covering consent, disclosure, notification, and cancellation access.
What is BRAM?
BRAM stands for Business Risk Assessment and Mitigation, Mastercard's compliance framework that holds acquiring banks accountable for identifying and preventing illegal or brand-damaging merchant activity within the Mastercard network. It covers a range of prohibited activities including transaction laundering, illegal goods, and certain content violations. MMP requires acquirers to engage approved monitoring service providers specifically to perform BRAM monitoring on their merchant portfolios.
What is the VAMP Ratio?
The VAMP Ratio is calculated as the combined count of card-absent fraud reports (TC40) and all disputes (TC15) divided by total settled transactions. It applies to card-not-present transactions only. Merchants exceeding the Excessive threshold of 1.5% as of April 1, 2026 face fees. The ratio is calculated monthly.
What is a TC40?
A TC40 is a fraud report filed by the card issuer when a cardholder reports a transaction as unauthorized. It is not the same as a chargeback. A TC40 counts toward the VAMP Ratio independently of whether a chargeback is subsequently filed. If the same transaction generates both a TC40 and a chargeback, both count separately in the ratio.
What is a TC15?
A TC15 is the data record associated with a formal dispute or chargeback filed through the Visa network. All disputes, both fraud-related and non-fraud, are counted as TC15s in the VAMP Ratio. Disputes resolved through Verifi CDRN or RDR before they file as a TC15 are excluded from the ratio.
How the Mechanics Work
Why does winning a chargeback representment not help my VAMP ratio?
The VAMP Ratio counts disputes filed, not disputes resolved in your favor. Once a TC15 is filed, it counts against your ratio regardless of the outcome. Winning a representment means you recovered the funds. It does not remove the dispute from the ratio calculation. The only way to keep a dispute out of your ratio is to resolve it before it files, which is what pre-dispute tools like Verifi CDRN and RDR are designed to do.
Why does my ratio affect my acquirer?
Your ratio feeds into your acquirer's aggregate portfolio ratio. Acquirers have their own VAMP thresholds, Above Standard at 0.5% and Excessive at 0.7%, which are significantly lower than the merchant threshold. This means that merchants with elevated dispute activity can contribute to an acquirer breaching their own threshold. Acquirers do not wait for Visa to act when this happens. They tighten internal merchant limits and restrict accounts before scheme-level enforcement arrives.
What is enumeration and why does VAMP monitor it?
Enumeration, also known as card testing, is when fraudsters systematically test stolen or generated card numbers against a checkout to identify valid credentials. VAMP measures this through a separate Enumeration Ratio. Merchants with an enumeration ratio of 20% or above and a minimum of 300,000 enumerated transactions can create VAMP risk for their acquirer even when their fraud and dispute ratio is clean. Bot protection at the checkout level is the primary defence.
What triggers a Mastercard SMM investigation?
Three triggers can open a mandatory acquirer investigation within 72 hours under Scam Merchant Monitoring launching July 24, 2026. An approval rate drop of more than 50 percentage points within a 72-hour period. An approval rate falling below 30% with a minimum of 25 purchase transactions. For merchants under six months old, as few as two TC40 fraud reports or two chargebacks referencing manipulation of cardholder from different issuers.