Mastercard Just Closed the Other Half of the Net: What MMP Means When You Combine It With VAMP

Visa changed the rules in April 2025. Mastercard waited eight months — then changed them too. The era of “checkout-only” fraud protection is officially over. Unless you are willing to give up a lot of business, you will need to further monitor the transactions yourself.

If you read our piece on Visa’s Acquirer Monitoring Program (VAMP) earlier this year, you already know the punchline: card networks are no longer satisfied with merchants who manage fraud reactively. They want continuous, lifecycle-level oversight — and they’re willing to fine acquirers, payfacs, and merchants who can’t deliver it.
What you may not have noticed is that Mastercard quietly did the same thing. On January 1, 2026, the revised standards of Mastercard’s Merchant Monitoring Program (MMP) went into effect. Together with VAMP — which began enforcement on October 1, 2025 — the two programs represent the most significant shift in payments compliance in over a decade.
If your fraud strategy still ends at the checkout button, the next twelve months are going to hurt.

Two programs, one direction

It’s worth getting the architecture right, because the two programs are often mashed together in conversation and they shouldn’t be. They overlap in spirit, not in mechanics.
Visa VAMP is the consolidated monitoring framework that replaced VDMP and VFMP in April 2025. It collapses fraud reports (TC40) and disputes (TC15) into a single VAMP ratio, evaluated monthly. Starting April 1, 2026, the “Excessive” merchant threshold drops from 2.2% to 1.5% in the U.S., Canada, EU, and APAC — a 32% reduction in tolerance, with $10-per-transaction fines for every dispute or fraud event while a merchant is in the program. There is no early warning phase and, in most cases, no grace period.
Mastercard MMP isn’t a chargeback program — that’s still ECP and EFM, which run in parallel. MMP targets something different: merchant content, transaction laundering, and BRAM (Business Risk Assessment Model) violations. The new requirements force acquirers to:

  • Run an initial scan of every newly onboarded merchant before the first transaction
  • Maintain continuous, lifecycle monitoring of merchant websites — including gated, password-protected, and members-only areas
  • Document evidence of monitoring activity
  • Resolve any flagged issues within a 15-day remediation window


The two programs target different surfaces of the same problem: Visa watches the transactions, Mastercard watches the merchant. Together, they close a net that used to have a lot of holes in it.

The shared message the networks are sending

Strip away the acronyms and you find a single thesis underneath both programs: a transaction-level decision at checkout is no longer enough to constitute fraud protection.
Three things are now expected of every merchant and every acquirer:

  1. Detection has to happen earlier in the lifecycle. MMP requires a scan before the merchant ever processes a payment. VAMP penalizes merchants whose fraud signals weren’t caught fast enough to prevent disputes.
  2. Monitoring has to go deeper. Surface-level checks are explicitly insufficient. Mastercard now requires monitoring of restricted content. Visa now folds enumeration attacks and issuer fraud reports into the same ratio as chargebacks.
  3. Accountability runs across the relationship. A merchant approved twelve months ago whose risk profile has shifted is the acquirer’s problem today. There is no “we cleared them at onboarding” defense anymore.

For merchants and PSPs, the implication is hard to misread. Continuous, post-checkout monitoring has stopped being a competitive advantage and started being regulatory infrastructure.

Why the old model breaks under the new rules

Most fraud stacks were built around a single moment: the authorization decision. Score the transaction, accept or decline, move on. That model worked when networks measured merchants on raw chargeback ratios and gave them months to course-correct.
It does not work when:

  • Fraud reports and disputes are combined into one ratio, with no grace period (VAMP)
  • A 1.5% combined ratio puts you in the “Excessive” tier — meaning a merchant with $10M monthly volume can absorb roughly 150 disputes per month before triggering $1,500+ in per-transaction fines on top of normal chargeback costs
  • Acquirers are required to maintain visibility into merchant behavior after onboarding in a way they were never asked to before (MMP)
  • Friendly fraud and enumeration attacks — both rising sharply with AI-assisted fraud automation — show up in your VAMP ratio whether or not they ever became chargebacks

Checkout-only systems can’t distinguish a legitimate customer from a sophisticated fraudster in the 200ms it takes to authorize a payment. They never could. What’s changed is that networks are no longer pretending they can.

What “continuous monitoring” actually means

This is where vague compliance language meets real architecture. Continuous, post-checkout monitoring is not a stricter version of checkout fraud detection — it’s a different design.

In practice, it means:

  • Decoupling acceptance from verification. Approve the payment to maximize conversion; verify and analyze the transaction continuously afterward, with the ability to flag, hold, or refund before fraud crystallizes into a chargeback.
  • Tracking signals over time, not at a single point. Device fingerprints, behavioral anomalies, velocity patterns, and graph-based connections between users and transactions only reveal themselves across hours and days, not milliseconds.
  • Preventing chargebacks before they happen. A flagged transaction caught 24 hours after authorization can be refunded — which keeps it out of your VAMP ratio entirely.
  • Producing the audit trail networks now expect. Both VAMP and MMP reward merchants who can document proactive monitoring with reduced exposure and, in MMP’s case, eligibility for assessment mitigation.

This is exactly the architecture FUGU was built around — not because we anticipated the regulation, but because checkout-only fraud detection was never going to scale. The networks are now codifying what the math already forced.

What to do in the next 90 days

Whether you’re a merchant managing your own ratios or a PSP responsible for a portfolio, the practical steps are the same:

  • Pull your current VAMP ratio. If you’re between 1.0% and 1.5%, you have less than two months before the threshold drops underneath you.
  • Audit your post-checkout visibility. What happens to a transaction after it’s authorized? If the answer is “nothing until a dispute lands,” you have a structural gap.
  • Map your friendly fraud exposure. Friendly fraud doesn’t show up at checkout. It shows up 30–90 days later, fully scored against your VAMP ratio.
  • Document everything. MMP eligibility for assessment mitigation depends on it. VAMP exits depend on it.
  • Stop treating fraud protection as a checkout feature. It’s a lifecycle function now. The networks have made that explicit.

The bottom line

VAMP and MMP are not coordinated, but they are aligned. They’re saying the same thing in different vocabularies: payment acceptance is not the same as payment verification, and the industry is going to be measured on both.

Merchants and PSPs who get ahead of this will spend the next year refining a real continuous-monitoring posture. The ones who don’t will spend it paying fines.

Unless you’re willing to give up 2–7% of your business because you’re afraid of xMP (VAMP and MMP), you’ll need to start using smarter fraud monitoring tools. They might cost a bit more — but they’ll let you safely accept more payments and stop worrying about the next ratio update.

At FUGU, we built the platform around a single conviction: every payment counts, and every payment deserves to be analyzed beyond the checkout. The card networks just made that conviction a requirement.