Spring Visa Rule Changes: Updates to the Visa Acquirer Monitoring Program (VAMP)

Visa’s 2022 Spring Rule Changes

As mentioned in a previous blog post, Visa publishes their core rules twice a year. These changes are incredibly beneficial if you can take the time to devise a strategy for tracking and applying them effectively. Because the rules can apply to multiple entities in the payment ecosystem, it’s not enough to just consider how the merchant changes impact you; you must also explore how changes required of issuers and acquirers might influence your customer and operations. As a merchant, you’re smack dab in the middle of a complex set of rules for all parties. To follow them correctly, you’ll often have to make changes across your organization. When you get them wrong, it can cost you money.

There are over 890 pages in the April release, but Pagos is here to make this all more digestible. We can be a resource when you discuss these changes with your processor or acquirer, and we can provide context if you are looking to raise awareness with your internal teams around what is changing. You need to understand what changes you may see in terms of approval rates, average order size, disputes, and chargeback rates, and we’re here to help. 

Breaking down the mammoth document of Visa’s rules changes by regions we found:

• Global: 29 rule changes across 10 processes

• US Region: 3 rules changes to 2 processes

• Canada Region: 21 changes driven by the changes in surcharging rules that touch multiple processes

• Europe Region: 17 rules changes across 7 processes or country-specific rules

• AP Regions: 12 changes across 7 processes or country specific rules

• LAC Region: 5 changes across 3 processes 

So how do you eat an elephant? One bite at a time! While your customers (and perhaps your market) are not likely limited to a single region, we’re going to approach the changes one region at a time, starting with Global.

Visa Acquirer Monitoring Program (VAMP)

We’ll first focus on changes to one program that have the potential to impact all acquirers and their merchants globally: the Visa Acquirer Monitoring Program (VAMP). VAMP is not new, but it significantly changed as of April 1st 2022. 

Before we discuss the changes, it's important to understand that when Visa places your acquiring bank in VAMP, this action directly impacts your merchant activity and perhaps your payment processing costs. Why? The acquirer is responsible for ensuring their sponsored members and merchants adhere to Visa’s rules and regulations. As the responsible party, they often pass on any fines or assessment costs associated with VAMP to their merchants—that’s you. As such, it’s in both your and the acquirer’s best interest to ensure Visa doesn’t place the acquirer in this monitoring program. Keep this in mind as you read on.

Enumeration Attacks

As of April 1, 2022, Visa added a new scenario to the list of fraudulent activities they track for each of their acquirers (and subsequently, their merchants). When an acquirer reaches the established threshold of one of these fraud scenarios, they’re placed in VAMP. The new scenario is known as Enumeration Attacks, which Visa defines as “the systematic or routine submission of Card-Absent Environment Transactions into the Visa system to fraudulently obtain or validate payment information.” Merchants have long defined and described this in other terms, such as card testing, brute force testing, carding, card generators and likely other less friendly names.

In compliance with this new rule, acquirers are likely to put more pressure on merchants to stop or control Enumeration Attacks on their businesses. If a merchant can’t do this on their own, the acquirer will step in and make decisions to prevent suspicious authorizations from being sent, such as: 

• Verifying your sales records match your deposit/merchant account activity and ruling out any potential that your merchant account has been taken over by a fraudster 

• Making use of Visa’s Account Attack Intelligence serves for acquirers, which uses artificial intelligence to help detect potential attacks

• Modifying their reserve accounts (which could affect your cash flow and revenue recognition)

If your acquiring bank applies new rules or technology to limit enumeration attacks, this can result in changes in your approval rates. If your processor or acquirer steps in and rejects a transaction before sending it to the issuer, this may prevent attacks, or be the source of false positives (declining legitimate transaction).

You should also expect your acquirer to put mounting pressure on your business to employ EMV 3D Secure when processing transactions. If a fraudster successfully transacts even with EMV 3DS, this means they either established a fraudulent card account (fraud type 3/fraudulent application) or they have successfully taken over a customer’s bank account. These are rare instances in Enumeration Attacks, but they can happen and are use cases in which the issuer has more control. If you already use EMV 3DS and you still experience a lot of Enumeration Attacks, then you may also want to be prepared to deploy these additional strategies:

• Monitoring host and network traffic for unauthorized or suspect connections and probing activity 

• Leveraging Point-to-Point encryption (P2PE) or PCI-validated cryptographic keys for all host and transaction session activity

• Employing periodic password changes, avoiding the use of default login credentials, and educating staff on the risks of phishing scams and social engineering

• Using CAPTCHA controls on checkout/payment pages to prevent automated transaction initiation by bots or scripts (I admit, these are not effective in some cases, but it’s an expected response)

Timelines For VAMP

Visa has two timelines for placing acquirers in their acquirer monitoring program: the Standard Timeline and the Excessive Timeline. Visa defines the Standard Timeline as a block count of 5,000 transactions and an Enumeration Rate of 5%. The Excessive Timeline standards are defined as a block count of 50,000 transactions and Enumeration Rate of 10%, which—in addition to the Standard Timeline requirements—adds a Non-Compliance Assessment (fees which may well be passed on to merchants). 

The first month an acquirer exceeds the thresholds for the Standard Timeline, Visa places them in the Visa Acquirer Monitoring Program (unless the acquirer exceeds the Excessive Timeline in the first month). This is called the warning notice, and the acquirer can be required to take VAMP actions to:

• Review portfolio activity and determine the cause of the excessive Enumeration Attacks (this likely means finding out which merchants have the most activity on the impacted BINS)

• Within 10 calendar days of the date on the Notification, submit to Visa both:

  • Acceptable remediation plan

  • Any documentation requested by Visa

So what is the calculation for this block count threshold? This is not explicitly defined, but it is likely to represent the count from a single BIN where fraud is reported or detected on that same BIN at a rate specified by the timeline. For example, if an acquirer processes 4,999 authorizations on BIN 42345678 in a month, and 250 or more of these authorizations are determined to be fraudulent, the acquirer would not hit the Standard Timeline. Just add one more authorization request, however, and the criteria is met and the acquirer could be placed on VAMP warning notification.

What You Can Do

As a merchant who uses the acquirer in the example above, you have no no way of knowing how many cumulative authorizations that acquirer processes, but you can know yours. This is where Peacock and Canary by Pagos can be very helpful. You can set up alerts on authorizations by day and BIN by processor, then compare that to expected volumes and see if your merchant account is being targeted by enumeration attacks.

The importance of monitoring and applying this knowledge comes in when the acquirer moves into the second month or Excessive Timeline. At this point, Visa reviews the acquirer’s portfolio, which might indicate your merchant account was the point of attack. Knowing before you get that call allows you to formulate a response and remediation plan. Lets say your acquirer comes to you and expects you to take remediation actions or wants to pass on the assessment fees to you. If you know you had a minor contributing role in the fraud as a ratio by BIN, you could reasonably request they reconsider. 

You can read more about these changes to VAMP Visa Acquirer Monitoring Program (VAMP) in sections:

• Section 10.4.4.1, ID# 0029286

• Section 10.4.4.2, ID# 0029287

• Section 12.6.4.1, ID# 0029293

• Enumeration Attack, ID# 0030894 

Keep an eye on the Pagos Blog for more insights into rules changes and resources coming soon!

We've provided the content in this blog post solely to inform and educate. Pagos doesn't provide legal advice and this content shouldn't be taken as such. You're strongly encouraged to consult with your payments partners and legal teams before implementing any changes based on the content in this post.