Before diving into this article you should really read Part 1 to understand the history (and avarice) of the card brands.
As before, we tapped the inimitable Jason Kafer to ensure accuracy. We see a ton of incorrect information being shared and felt it was important to clear this up, and Jason just knows this stuff so, so well.
If you’re in payments you’ve undoubtedly heard about Visa’s VAMP program.
In broad strokes, the intent of VAMP is to crack down on high risk merchants and reduce fraud.
Recall that Visa and Mastercard love screaming about how bad fraud is… then monetize systems that avoid fraud detection.
By the way, can you find a better example of a duopoly?
It’s illegal to smoke!
Also, if you pay me, you can smoke.
To discuss the VAMP changes we first need to understand how fraud is handled.
Everything in fraud comes down to pre-settlement and post-settlement.
Jason Kafer
Let’s clarify with some examples.
You receive a mobile alert from your bank for a suspicious transaction. You log into your bank portal and see a pending charge for $100.
This transaction has been authorized but not settled (i.e. the merchant has not yet received the $100).
This is an example of pre-settlement fraud identification.
Next example.
You log into your bank portal to pay your monthly credit card bill and notice some suspicious transactions from two weeks ago.
These funds have already made it to their intended destination and you’ll need your bank to work their magic to recoup the funds in your account.
This is an example of post-settlement fraud identification.
In the first example your bank will immediately block your card as “lost or stolen” and prevent future transactions from settling.
Your bank (the issuing bank) will send a TC40 message (which is unique to VISA – other networks have their own flavor) to the acquiring bank (the merchant’s bank).
A TC40 message essentially says, “Hey, we’re letting you know that this transaction is fraud, and if you settle the transaction we’re going to issue a chargeback.”
The TC40 gives the acquiring bank the chance to tell their merchant to cancel the order, reverse the transaction, and not ship the product.
TC40s haven’t been factored into the equation when the card schemes calculate a merchant’s fraud risk (i.e. number of chargebacks vs the processed volume/transaction count).
In the second example your recourse would be to issue a chargeback.
However, recall that the acquiring bank can work with the issuing bank to prevent that chargeback from hurting the merchant’s fraud rating by paying the card duopolies $45 and settling the matter on the CDRN rail (assuming obviously that both issuing and acquiring banks are a part of the CDRN racketeering).
The major change with VAMP is that TC40 messages now count against a merchant’s fraud score.
Here’s why this matters in practical terms.
All the scumbag merchants sought out acquirers who knew what TC40 was and would provide the data to an issuing bank to avoid a chargeback. For example, negative option billing, where the consumer gets charged automatically unless they explicitly opt out.
Imagine ordering penis pills and getting 14 days of pills for free then your card gets auto-whacked (no pun intended). When you realize that you forgot about the subscription and receive the shipping alert, you call your bank.
Well, your bank then sends off the TC40 record before settlement, the scumbag merchant voids the transaction so you get repaid, and no harm, no foul.
This behavior now comes with penalties.
The below table summarizes the changes VAMP makes to Visa’s fraud calculations.
The most critical mention?
The green font.
Visa doesn’t dare bite its own hand, and consequently still allows merchants to skirt fraud scrutiny under VAMP by paying Visa $45 for CDRN.
Uh, how many times do we have to say monopoly?
To demonstrate a mathematical example for how this works in practice, see below.
You can see that the Fraud Ratio, which was previously below the 0.9% threshold, jumps up once you include the TC40 transactions.
Also notice that the threshold limits under VAMP are changing so that they’re more strict starting April 2026.
On the surface it looks like Visa is cleaning up some of the fraud that was swept under the rug with the TC40 pre-settlement messaging.
But – and we acknowledge that this is speculative but we wouldn’t put it past Visa given their pattern of behavior – the real data point to monitor post-VAMP will be TC40s vs CDRNs.
What if TC40s decline, which would be expected, but CDRNs skyrocket?
To us it would mean that Visa is colluding with the issuing banks to push more volume to CDRN, which Visa monetizes.
Maybe Visa would cut the banks in on the CDRN revenue or throw them some other kickback.
Think of Visa telling the banks something like this:
Don’t bother sending TC40s anymore. Instead, just let it settle, become a chargeback, and wipe it clean on CDRN. That way you don’t get any dings against your fraud limits.
Issuing banks would receive this poorly if it meant that they lost cardholders, BUT if Visa paid the banks out of the CDRN honeypot?
It’s straightforward math.
This should be very closely watched.
You just can’t trust a monopolist.
Because if you visualized the hierarchy of the worst in humanity, Visa is pretty damn near the top.
[…] Hopefully this is no longer news, but Visa has decided to overhaul their risk reporting program, now termed VAMP, which we’ve written about previously. […]