Fraud Programs

Home    Security    Risk Guide    Fraud Programs

On this page:

Fraud to Sale Ratio

The fraud to sale (F2S) ratio is the ratio of transactions that were declared fraudulent by the issuing banks in relation to the merchant’s total sales for that month. This regulation is distinct from the chargeback ratio regulations. The issuer’s fraud-to-sale report does not necessarily contain chargebacks, but does contain transactions that have been detected and marked as fraudulent by their issuing banks.

In most cases, Nuvei receives these notifications after a long delay between the original transaction date and the date the cardholder was reported as fraudulent. For this reason, these transactions cannot be voided. When the authenticity of the transaction reported as fraudulent by the bank cannot be proven and the cardholder has not yet initiated a chargeback, Nuvei advises you to block the respective users from further deposits.

The credit card companies (Visa, Mastercard, and Amex) have several parameters by which they detect fraudulent or unauthorized activity with a card, such as:

  • Card reported lost or stolen
  • Card not received when mailed
  • Card issued on the basis of a fraudulent application
  • Issuer or acquirer reported counterfeit
  • Fraudulent use of an account number

You may see transactions that are reported as fraud in the Control Panel, under Risk > Fraud Transactions. Please bear in mind that this concerns only payments reported as fraud in Nuvei Acquirer.

Visa, Mastercard, and Amex have created several programs to reduce high fraud-to-sale ratios.

The tables below describe the different fraud-to-sale programs provided by Visa, Mastercard, and Amex, including the thresholds that must be exceeded to be placed in a program.

Visa Acquirer Monitoring Program (VAMP)

The Visa Acquirer Monitoring Program (VAMP) is a card-not-present (CNP) program that monitors fraud, dispute, and enumeration activity across the Visa payment ecosystem. The program applies globally to all CNP transactions processed through VisaNet, except in Brazil, Chile, and India, where it will be introduced at a later date.

VAMP consolidates the former Visa Fraud Monitoring Program (VFMP) and Visa Dispute Monitoring Program (VDMP) into a single, unified framework. Nuvei, as your acquirer, is responsible for monitoring performance and providing notification(s) if processing activity approaches or exceeds the program thresholds described in this document.

VAMP Calculation

Visa evaluates performance monthly using data from the previous calendar month. The ‘VAMP ratio’ and ‘VAMP Enumeration Ratio’ metrics are used in the evaluation.

MetricFormula
VAMP Ratio

Count of Reported Fraud (TC40) + Count of Processed Disputes (TC15)

Count of Total Settled Transactions (TC05)
VAMP Enumeration Ratio

Count of Enumerated Auth.Transactions (approved + declined)

Count of Total Auth.Transactions (approved + declined)

VAMP Ratio—Includes both fraud (TC40) and all categories of disputes (TC15) in the numerator. Both the fraud report and the dispute for the same underlying transaction may be counted, which means a single transaction can contribute twice to the ratio.

VAMP Enumeration Ratio—Measures card-not-present authorization attempts that the Visa Account Attack Intelligence (VAAI) system has identified as part of an enumeration or BIN attack, as a proportion of all CNP authorization attempts.

The minimum threshold of 1,500 combined fraud (TC40) and dispute (TC15) events per month must be reached before a merchant can be identified in VAMP. For CEMEA region merchants, the minimum is 150 combined events and a total fraud and dispute amount of at least USD 75,000.

Excluded from VAMP Calculation

The following items are excluded from the VAMP ratio calculation, subject to the timing of the Visa data extract:

  • Disputes resolved through pre-dispute solutions such as Rapid Dispute Resolution (RDR). If an RDR refund is processed and the issuer subsequently files a TC40, only the TC40 is counted.
  • Disputes resolved via the Cardholder Dispute Resolution Network (CDRN).
  • TC40 fraud transactions that qualify under Compelling Evidence 3.0.

Merchant Identification Thresholds

A merchant can be identified in VAMP at the Excessive level if its VAMP ratio or Enumeration ratio meets or exceeds the thresholds described in the following table. Merchant-level identification applies only if Nuvei’s overall acquirer VAMP ratio is less than 50 bps.

All thresholds are expressed in basis points (bps); 1 bps = 0.01% (for example, 150 bps = 1.50%). Fees are assessed per fraud (TC40) event and dispute (TC15) event above the threshold. There are no fees for an enumeration identification, but it does count towards the grace period.


Identification LevelRegionThreshold June 1, 2025 to March 31, 2026Threshold from April 1, 2026Fee per Count
Excessive (Merchant)NA, EU, AP≥ 220 bps≥ 150 bpsUSD 8
LAC≥ 150 bps≥ 150 bpsUSD 8
CEMEA≥ 220 bps (min. 150 count and ≥ USD 75,000)≥ 220 bps (min. 150 count and ≥ USD 75,000)USD 8
Excessive (Enumeration)Global≥ 2,000 bps (min. 300,000 enumerated auth. transactions)≥ 2,000 bps (min. 300,000 enumerated auth. transactions)No fee

Early Warning

Visa may issue a courtesy Early Warning notification if a merchant’s VAMP ratio reaches 40 bps or greater, but remains less than 50 bps with a minimum count of 1,500 combined fraud and dispute events. No fee is applied and no formal response is required. An Early Warning notifications is an invitation to review performance and take proactive steps before formal identification occurs.

An Early Warning notification does not count as a VAMP identification and does not affect the grace period.

Grace Period

If a merchant has had no VAMP identification in the preceding 12 months, a consecutive 3-month grace period applies upon first identification. During the grace period, no enforcement fees are assessed. The grace period runs to completion regardless of whether further identifications occur during the 3-month period. Once the grace period ends, any subsequent identification is subject to immediate enforcement.

Notification and Remediation

If processing activity meets the VAMP identification thresholds, Nuvei notifies you and then works with you to investigate the root cause and to implement a remediation plan.

  • Nuvei contacts you to explain the reason for the identification and the potential consequences of non-compliance.
  • You are asked to investigate the root cause of the elevated fraud or dispute levels and to provide Nuvei with your findings and a remediation plan within ten calendar days.
  • Your remediation plan should identify the specific causes of the elevated activity and describe the concrete steps you will take to bring your ratio to below the applicable threshold.
  • Nuvei will support you throughout the remediation process and may suggest specific risk controls, 3D Secure optimizations, or fraud rule adjustments to help you return to compliance.

Exit Criteria

A VAMP identification is resolved if your VAMP ratio falls below the ‘Excessive (merchant)’ threshold for your region, as specified in the thresholds table in this document. For an Enumeration identification, a case closes if the Enumeration ratio falls below 2,000 bps.

Reducing VAMP Exposure

The following measures can help maintain VAMP compliance:

  • Ensure your 3D Secure routing and exemption settings are correctly configured to maximize authenticated traffic.
  • Consider enrolling in Rapid Dispute Resolution (RDR) to resolve pre-disputes before they become TC15 events counted in the VAMP ratio.
  • Monitor your chargeback and fraud levels regularly using the reporting tools available in the Nuvei Control Panel.
  • Respond promptly to fraud rule optimization suggestions from Nuvei’s Risk team.
  • If you process in regions with higher fraud exposure, ensure your fraud filters and velocity controls are appropriately calibrated.

For questions about VAMP performance or optimization options, contact the Nuvei Risk Team.

Mastercard Excessive Fraud Merchant Program

The goal of the Mastercard Excessive Fraud Merchant (EFM) Program is to reduce fraud on electronic commerce (e-commerce) transactions, create a more secure ecosystem, and provide a better experience for cardholders.

The EFM program measures compliance at the merchant ID (MID) level and sends notifications and potential financial assessments through the acquirer.

Merchants registered in the following countries are excluded from the EFM Program:

Aland IslandsFalkland Islands (Malvinas)IndiaMayotteSan Marino
AlbaniaFaroe IslandsKosovoMoldovaSerbia
AndorraFinlandLatviaMonacoSlovakia
AntarcticaFranceIrelandMontenegroSlovenia
AustriaFrench GuianaIsle of ManNetherlands (the)South Georgia and the South Sandwich Islands
BelgiumGibraltarItalyNorwaySpain
Bosnia and HerzegovinaGermanyJerseyPolandSvalbard and Jan Mayen
BulgariaGreeceLiechtensteinPortugalSweden
CroatiaGreenlandLithuaniaRéunionSwitzerland
CyprusGuadeloupeLuxembourgRomaniaUkraine
Czech RepublicGuernseyMacedoniaSaint BarthélemyUnited Kingdom
DenmarkHungaryMaltaSaint Martin (French part)Vatican City
EstoniaIcelandMartinique

Program Thresholds

The EFM program monitors the total amount of fraud-related chargebacks occurring at a given e-commerce merchant, as well as the number of transactions authenticated through 3DS.

Merchants are considered non-compliant when all of the following conditions are met in a given month:

  • Total volume from chargebacks with fraud reason of 50,000 USD or above for the reported month
  • Fraud chargeback ratio – 0.50% or above (0.20% for Australia)
  • Number of monthly cleared transactions – 1,000 or above
  • 3DS Usage – Less than 10% for non-regulated countries OR less than 50% for regulated countries

The term “regulated” refers to those countries with a legal or regulatory requirement for strong cardholder authentication. The term “non-regulated” refers to those countries without a legal or regulatory requirement for strong cardholder authentication.


ProgramMin. Number of TransactionsFraud ChargebacksFraud Count Ratio3D Utilization
EFM1,00050,000 USD0.50%Less than 10% non-regulated or less than 50% regulated

The tables list the countries identified as regulated or non-regulated.

Regulated Countries

  • Bangladesh
  • Malaysia
  • Singapore
  • Nigeria

Non-regulated Countries

All non-EU countries except for Bangladesh, Malaysia, Singapore, and Nigeria.

Fines

Mastercard applies assessments for appearing on the EFM program at increasing increments depending on how long a Merchant ID appears on the program.

Number of Months above EFM ThresholdsViolation Assessment
10
2EUR/USD 500
3EUR/USD 1,000
4 to 6EUR/USD 5,000
7 to 11EUR/USD 25,000
12 to 18EUR/USD 50,000
19+EUR/USD 100,000

Exit Parameters

When the merchant is below the program thresholds for three consecutive months.

Amex Fraud Program

Under the Amex Fraud Program, Merchants’ F2S performance thresholds fall into either a Low Tier or High Tier calculation. This calculation excludes Fraudulent Applications and SafeKey/3DS Transaction Attempts.

Program Thresholds

The following table describes the two tiers within the Performance criteria.

ThresholdFraud AmountRatio
Low Tier$25,000 0.90%
High Tier$50,000 1.80%

In the “Low Tier” period, the merchants have the opportunity to reduce the fraud levels before being added to the High-Risk List. If the Merchant does not remain below the program thresholds for three consecutive months, they are subject to Fraud Full Recourse Chargebacks and can no longer qualify for liability shift with Safekey/3D.

If the merchant reaches the “High Tier”, they are subject to Fraud Full Recourse Chargebacks and can no longer qualify for liability shift with Safekey/3D. The merchant remains on the High-Risk list until their F2S ratio falls below 0.9% or $25,000 for three (3) consecutive months.

While being in this program, the Merchant is subject to the following penalties:

Non-complianceFee
1st violation$1,000
2nd violation$5,000
3rd violation$10,000
4th violation$25,000
5th violationThe fee will be at discretion of Amex.
6th violation or moreAdditional fees will be equal to all penalty fees levied for a 12-month period. The 12-month period begins upon the 1st violation.

Visa and Mastercard Programs for Mitigation of Card Testing and Enumeration / BIN Attacks

An enumeration attack is a scheme in which criminals systematically submit card-not-present transactions with enumerated values such as card number, CVV, expiration date, and postal code to derive legitimate payment account details. The fraudsters use the authentication response to identify valid payment accounts.

Account testing occurs by initiating transactions of $1 to $2 to verify if an account is active in order to use it for fraudulent purchases or to sell it over the dark web. Typically, these attacks focus on a single Bank Identification Number (BIN) range and use the same name, email address, and/or billing address for multiple transactions.

Merchant account takeover – Fraudsters may also gain access to the payment system by obtaining a merchant’s login credentials, and subsequently taking over their payment gateway to conduct illicit transactions. These credentials can be obtained when a merchant falls victim to phishing schemes.

The following activities may indicate an enumeration attack or account testing:

  • A high number of transaction attempts sent within a few hours or one day, possibly from one IP address, or for a specific BIN / account range.
  • An increased number of rejected or timed-out authentication attempts that receive a challenge request.

Mastercard defines a third-party fraud attack as a BIN attack when the following conditions are met:

  • At least 100 authorization requests or authentication requests are sent within one hour for the BIN or BIN Account range from one or more Merchants.
  • The Issuer, its Service Provider, or Mastercard (using a network fraud detection tool) declined fifty percent (50%) or more of the authorization requests or authentication requests within one hour.

Visa monitors for Card-Absent authorization attempts concentrating on a single BIN or multiple BINs while iterating through various combinations of payment values. These payment values generally include the Primary Account Number (PAN), expiration date, Card Verification Value 2 (CVV2), and postal code. Issuers decline the authorization attempts until the right combination of payment values returns an approval response. An approved authorization response (and often a subsequent sale) is an indicator to the fraudsters that they have obtained a combination of valid payment values. This scheme is also known as a brute force attack. Visa identifies situations where the Merchant or the acquirer meets or exceeds the monthly enumeration thresholds.

Enumeration Monitoring Program Thresholds

  • Early Warning Timeline Thresholds

Enumeration Risk Operation Center (ROC) Block Count>=1,000 and <=5,000; AND Enumeration ROC Block Rate >= 10%
OR
Enumeration ROC Block Count >= 50,000; AND Enumeration ROC Block Rate >= 1% and <= 5%
* The ROC Block Rate is calculated by the number of ROC blocked transactions divided by the total card-absent transaction count.

  • Standard Timeline Thresholds

Enumeration Risk Operation Center (ROC) Block Count >= 5,000; AND Enumeration ROC Block Rate >= 5%

  • Excessive Timeline Thresholds

Enumeration ROC Block Count >= 50,000; AND Enumeration ROC Block Rate >= 10%

Flagging in this Visa program may incur additional per-authorization fees to the Merchant whose systems are not well protected and are attacked by the fraudsters.

In its fraud prevention systems, Nuvei has implemented internal controls to mitigate such attacks as much as possible.

Last update iconLast modified April 2026