Fraud to Sale Ratio
The fraud to sale (F2S) ratio is the ratio of transactions that were declared fraudulent by the issuing banks in relation to the merchant’s total sales for that month. This regulation is distinct from the chargeback ratio regulations. The issuer’s fraud-to-sale report does not necessarily contain chargebacks, but does contain transactions that have been detected and marked as fraudulent by their issuing banks.
In most cases, Nuvei receives these notifications after a long delay between the original transaction date and the date the cardholder was reported as fraudulent. For this reason, these transactions cannot be voided. When the authenticity of the transaction reported as fraudulent by the bank cannot be proven and the cardholder has not yet initiated a chargeback, Nuvei advises you to block the respective users from further deposits.
The credit card companies (Visa, Mastercard, and Amex) have several parameters by which they detect fraudulent or unauthorized activity with a card, such as:
- Card reported lost or stolen
- Card not received when mailed
- Card issued on the basis of a fraudulent application
- Issuer or acquirer reported counterfeit
- Fraudulent use of an account number
Visa, Mastercard, and Amex have created several programs to reduce high fraud-to-sale ratios.
The tables below describe the different fraud-to-sale programs provided by Visa, Mastercard, and Amex, including the thresholds that must be exceeded to be placed in a program.
Visa Acquirer Monitoring Program
Visa is introducing significant updates to its monitoring programs in 2025 to strengthen fraud prevention, enhance risk management, and optimize oversight of card-not-present (CNP) transactions. These enhancements aim to create a unified, more effective framework for identifying and mitigating fraud and disputes, improving the overall security and reliability of the payment ecosystem. Key highlights of these updates include consolidated program metrics, revised thresholds, and streamlined compliance requirements.
Program Focus
Visa is redesigning and consolidating its existing fraud and dispute monitoring efforts into a single, unified Acquirer Monitoring Program (VAMP) launching in 2025. The key changes include:
- Consolidation of six existing Visa Fraud & Dispute Programs into one streamlined Acquirer Program to simplify management and enforcement.
- Integration of previously separate variants—such as 3DS, Digital Goods, and Enumeration—into the new program design, eliminating merchant-level programs.
- Transition from an outlier-based management approach to a comprehensive lifecycle risk management model focused on continuous monitoring and mitigation.
These changes reflect Visa’s increased emphasis on acquirer accountability and a broader, more proactive risk management strategy for card-not-present (CNP) transactions and fraud prevention.
Metrics and Thresholds
The Visa Acquirer Monitoring Program (VAMP) uses a unified fraud and dispute ratio (the VAMP ratio) as its primary metric. This ratio is calculated monthly at the merchant or acquirer level, as follows:
VAMP Ratio =
_________________________________________________
Both the dispute and fraud events related to the same transaction are included in the ratio calculation. This metric applies to card-not-present VisaNet transactions, including both domestic and cross-border activity.
Additional criteria include:
- A minimum threshold of 1,500 monthly TC40 fraud and TC15 disputes at the merchant level.
- A minimum of 300,000 monthly enumerated transactions, identified and confirmed through Visa’s Account Attack Intelligence (VAAI) scoring system. Enumeration thresholds are based on total confirmed enumerated activity and enumeration rate metrics.
The following exclusions apply to the VAMP ratio calculation, depending on the timing of data extracts:
- Disputes resolved through pre-dispute programs such as Rapid Dispute Resolution (RDR) — if an RDR-based refund occurs followed by a TC40 dispute, only the TC40 is counted.
- Disputes resolved via the Cardholder Dispute Resolution Network (CDRN) are excluded.
- TC40 fraud transactions qualified under Compelling Evidence 3.0 are excluded.
Enforcement Periods: For first-time identifications within a rolling 12-month period, clients receive a three-month grace period to remediate their performance and bring metrics below the established thresholds. During this grace period, no enforcement actions or fines are applied, allowing time to implement necessary risk controls or operational improvements.
Program Calculation and Fee Structure
| Acquirer Portfolio | Merchant | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Identification Level | Early Warning | Above Standard | Excessive | Excessive | Excessive | ||||
| Data Elements | VAMP Ratio (%) | VAMP Ratio (%) | Enumeration Ratio | ||||||
| Region | Global | Global | Global | NA | EU | AP | CEMEA | LAC | |
| Thresholds Effective Date June 1, 2025 | - | - | >=0.7% | >=2.2% | >=2.2% | >=2.2% | >=2.2% | >=1.5% | >=20% |
| Thresholds Effective Date January 1, 2026 | >=0.4% to <0.5% | >=0.5% to <0.7% | >=0.7% | >=2.2% | >=2.2% | >=2.2% | >=2.2% | >=1.5% | >=20% |
| Thresholds Effective Date April 1, 2026 | >=0.4% to <0.5% | >=0.5% to <0.7% | >=0.7% | >=1.5% | >=1.5% | >=1.5% | >=2.2% | >=1.5% | >=20% |
| Fee | - | USD 4 | USD 8 | USD 8 | USD 8 | USD 8 | USD 8 | USD 8 | - |
Non-compliance and Remediation Processes
- If a VAMP notification of program non-compliance and exceeding the program thresholds is received, a merchant must perform a root cause investigation, take actions accordingly, and respond within 10 calendar days.
- Merchants must send a written response to Nuvei that includes the investigation details and documentation.
- Merchants must execute a remediation plan to bring the fraud and dispute ratio below the threshold.
Mastercard Excessive Fraud Merchant Program
The goal of the Mastercard Excessive Fraud Merchant (EFM) Program is to reduce fraud on electronic commerce (e-commerce) transactions, create a more secure ecosystem, and provide a better experience for cardholders.
The EFM program measures compliance at the merchant ID (MID) level and sends notifications and potential financial assessments through the acquirer.
Merchants registered in the following countries are excluded from the EFM Program:
| Aland Islands | Falkland Islands (Malvinas) | India | Mayotte | San Marino |
| Albania | Faroe Islands | Kosovo | Moldova | Serbia |
| Andorra | Finland | Latvia | Monaco | Slovakia |
| Antarctica | France | Ireland | Montenegro | Slovenia |
| Austria | French Guiana | Isle of Man | Netherlands (the) | South Georgia and the South Sandwich Islands |
| Belgium | Gibraltar | Italy | Norway | Spain |
| Bosnia and Herzegovina | Germany | Jersey | Poland | Svalbard and Jan Mayen |
| Bulgaria | Greece | Liechtenstein | Portugal | Sweden |
| Croatia | Greenland | Lithuania | Réunion | Switzerland |
| Cyprus | Guadeloupe | Luxembourg | Romania | Ukraine |
| Czech Republic | Guernsey | Macedonia | Saint Barthélemy | United Kingdom |
| Denmark | Hungary | Malta | Saint Martin (French part) | Vatican City |
| Estonia | Iceland | Martinique |
Program Thresholds
The EFM program monitors the total amount of fraud-related chargebacks occurring at a given e-commerce merchant, as well as the number of transactions authenticated through 3DS.
Merchants are considered non-compliant when all of the following conditions are met in a given month:
- Total volume from chargebacks with fraud reason of 50,000 USD or above for the reported month
- Fraud chargeback ratio – 0.50% or above (0.20% for Australia)
- Number of monthly cleared transactions – 1,000 or above
- 3DS Usage – Less than 10% for non-regulated countries OR less than 50% for regulated countries
| Program | Min. Number of Transactions | Fraud Chargebacks | Fraud Count Ratio | 3D Utilization |
|---|---|---|---|---|
| EFM | 1,000 | 50,000 USD | 0.50% | Less than 10% non-regulated or less than 50% regulated |
The tables list the countries identified as regulated or non-regulated.
Regulated Countries
- Bangladesh
- Malaysia
- Singapore
- Nigeria
Non-regulated Countries
All non-EU countries except for Bangladesh, Malaysia, Singapore, and Nigeria.
Fines
Mastercard applies assessments for appearing on the EFM program at increasing increments depending on how long a Merchant ID appears on the program.
| Number of Months above EFM Thresholds | Violation Assessment |
|---|---|
| 1 | 0 |
| 2 | EUR/USD 500 |
| 3 | EUR/USD 1,000 |
| 4 to 6 | EUR/USD 5,000 |
| 7 to 11 | EUR/USD 25,000 |
| 12 to 18 | EUR/USD 50,000 |
| 19+ | EUR/USD 100,000 |
Exit Parameters
When the merchant is below the program thresholds for three consecutive months.
Amex Fraud Program
Under the Amex Fraud Program, Merchants’ F2S performance thresholds fall into either a Low Tier or High Tier calculation. This calculation excludes Fraudulent Applications and SafeKey/3DS Transaction Attempts.
The following table describes the two tiers within the Performance criteria:
Program Thresholds
| Threshold | Fraud Amount | Ratio |
|---|---|---|
| Low Tier | $25,000 | 0.90% |
| High Tier | $50,000 | 1.80% |
In the “Low Tier” period, the merchants have the opportunity to reduce the fraud levels before being added to the High-Risk List. If the Merchant does not remain below the program thresholds for three consecutive months, they are subject to Fraud Full Recourse Chargebacks and can no longer qualify for liability shift with Safekey/3D.
If the merchant reaches the “High Tier”, they are subject to Fraud Full Recourse Chargebacks and can no longer qualify for liability shift with Safekey/3D. The merchant remains on the High-Risk list until their F2S ratio falls below 0.9% or $25,000 for three (3) consecutive months.
While being in this program, the Merchant is subject to the following penalties:
| Non-compliance | Fee | ||
|---|---|---|---|
| 1st violation | $1,000 | ||
| 2nd violation | $5,000 | ||
| 3rd violation | $10,000 | ||
| 4th violation | $25,000 | ||
| 5th violation | The fee will be at discretion of Amex. | ||
| 6th violation or more | Additional fees will be equal to all penalty fees levied for a 12-month period. The 12-month period begins upon the 1st violation. |
Visa and Mastercard Programs for Mitigation of Card Testing and Enumeration / BIN Attacks
An enumeration attack is a scheme in which criminals systematically submit card-not-present transactions with enumerated values such as card number, CVV, expiration date, and postal code to derive legitimate payment account details. The fraudsters use the authentication response to identify valid payment accounts.
Account testing occurs by initiating transactions of $1 to $2 to verify if an account is active in order to use it for fraudulent purchases or to sell it over the dark web. Typically, these attacks focus on a single Bank Identification Number (BIN) range and use the same name, email address, and/or billing address for multiple transactions.
Merchant account takeover – Fraudsters may also gain access to the payment system by obtaining a merchant’s login credentials, and subsequently taking over their payment gateway to conduct illicit transactions. These credentials can be obtained when a merchant falls victim to phishing schemes.
The following activities may indicate an enumeration attack or account testing:
- A high number of transaction attempts sent within a few hours or one day, possibly from one IP address, or for a specific BIN / account range.
- An increased number of rejected or timed-out authentication attempts that receive a challenge request.
Mastercard defines a third-party fraud attack as a BIN attack when the following conditions are met:
- At least 100 authorization requests or authentication requests are sent within one hour for the BIN or BIN Account range from one or more Merchants.
- The Issuer, its Service Provider, or Mastercard (using a network fraud detection tool) declined fifty percent (50%) or more of the authorization requests or authentication requests within one hour.
Visa monitors for Card-Absent authorization attempts concentrating on a single BIN or multiple BINs while iterating through various combinations of payment values. These payment values generally include the Primary Account Number (PAN), expiration date, Card Verification Value 2 (CVV2), and postal code. Issuers decline the authorization attempts until the right combination of payment values returns an approval response. An approved authorization response (and often a subsequent sale) is an indicator to the fraudsters that they have obtained a combination of valid payment values. This scheme is also known as a brute force attack. Visa identifies situations where the Merchant or the acquirer meets or exceeds the monthly enumeration thresholds.
Enumeration Monitoring Program Thresholds
- Early Warning Timeline Thresholds
Enumeration Risk Operation Center (ROC) Block Count>=1,000 and <=5,000; AND Enumeration ROC Block Rate >= 10%
OR
Enumeration ROC Block Count >= 50,000; AND Enumeration ROC Block Rate >= 1% and <= 5%
* The ROC Block Rate is calculated by the number of ROC blocked transactions divided by the total card-absent transaction count.
- Standard Timeline Thresholds
Enumeration Risk Operation Center (ROC) Block Count >= 5,000; AND Enumeration ROC Block Rate >= 5%
- Excessive Timeline Thresholds
Enumeration ROC Block Count >= 50,000; AND Enumeration ROC Block Rate >= 10%
Flagging in this Visa program may incur additional per-authorization fees to the Merchant whose systems are not well protected and are attacked by the fraudsters.
In its fraud prevention systems, Nuvei has implemented internal controls to mitigate such attacks as much as possible.
Last modified October 2025