How Visa and Mastercard Ensure Compliance for Acquirers and Issuers
Explore how the major card networks enforce compliance through monitoring programs, validation requirements, and penalties. Learn about the 2025 compliance changes—including Visa's consolidated VAMP program and stricter fraud thresholds—and prepare your payment organization for these evolving regulatory requirements.
April 06, 2025
Visa and Mastercard's international payment networks are safe, secure, and reliable due to the compliance structures that govern them. This article discusses the compliance programs and requirements established by card associations to keep their acquirers and issuers compliant with industry-mandated safety protocols and association rules.
Regulatory Framework and Compliance Requirements
PCI DSS Compliance Mandate
Visa and Mastercard are PCI compliance champions across their respective networks. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandated for any individual or entity that accepts, stores, processes, or transmits cardholder data, which includes merchants, service providers, and banks. While the PCI Security Standards Council owns and manages the PCI-related standards, it is the card brands themselves, Visa and Mastercard, that enforce data security compliance on their own networks.
Acquirers responsible for compliance
Issuers responsible for compliance
Under Mastercard's Security Monitoring Program, acquirers must pay attention to compliance after the PCI DSS requirement is passed down to their merchants, with compliance determined through the merchant's Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). The same applies to issuers, who champion compliance by reviewing the same SAQ or ROC.
Core Rules and Governance Structures
Mastercard's governing rules are the Mastercard Rules, together with the Security Rules and Procedures manual. Visa's equivalents are the Visa Core Rules and International Fee Schedule and the Visa Product and Service Rules.
As of April 1, 2025, Visa's new Visa Acquirer Monitoring Program (VAMP) consolidates these five existing programs:
Visa Dispute Monitoring Program (VDMP)
Visa Fraud Monitoring Program (VFMP)
VFMP 3D Secure (3DS)
Digital Goods Merchant Fraud Monitoring Program (DGMFM)
VAMP (existing program)
The new Acquirer Monitoring Program adds two measurements for monitoring:
VAMP Ratio: (CC fraud (TC40) + nondisputed fraud (TC15)) / total CNP transactions settled
Enumeration Ratio: percentage of authorization attempts that were unauthorized, which indicates potential card-testing (enumeration) activity
Acquirers are placed under monitoring when these thresholds are breached:
VAMP Ratio: Standard (>0.5%), Excessive (>1.5%)
Enumeration Ratio: Excessive (>20%)
Note that lower thresholds take effect in January 2026.
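As an added illustration (not Visa's code or tooling), the following Python computes both VAMP measurements for a constructed acquirer portfolio and tiers each merchant, and the acquirer's aggregate, against the thresholds above. The Enumeration Ratio's exact inputs are an assumption (unauthorized authorization attempts over all authorization attempts), and every merchant identifier and count is constructed.

```python
from dataclasses import dataclass

# Thresholds as the page states them (VAMP, April 1, 2025); the lower January 2026 values are not on the page.
VAMP_STANDARD, VAMP_EXCESSIVE = 0.005, 0.015   # > 0.5 %, > 1.5 %
ENUM_EXCESSIVE = 0.20                          # > 20 %

@dataclass
class MerchantMonth:
    mid: str                 # merchant identifier (constructed)
    cnp_settled: int         # CNP transactions settled in the month
    tc40_fraud: int          # fraud reports (TC40)
    tc15_nondisputed: int    # nondisputed fraud records (TC15), as the page labels them
    auth_attempts: int       # authorization attempts
    unauthorized_auths: int  # attempts judged unauthorized (card-testing signal); assumed input

def vamp_ratio(tc40: int, tc15: int, settled: int) -> float:
    """(TC40 + TC15) / total CNP transactions settled; an empty portfolio scores 0.0."""
    return (tc40 + tc15) / settled if settled > 0 else 0.0

def enumeration_ratio(unauthorized: int, attempts: int) -> float:
    """Assumed reading of the page: unauthorized authorizations / all authorization attempts."""
    return unauthorized / attempts if attempts > 0 else 0.0

def vamp_tier(ratio: float) -> str:
    if ratio > VAMP_EXCESSIVE:
        return "Excessive"
    return "Standard" if ratio > VAMP_STANDARD else "OK"

def enumeration_tier(ratio: float) -> str:
    return "Excessive" if ratio > ENUM_EXCESSIVE else "OK"

def assess(portfolio: list) -> dict:
    """Tier each merchant, then tier the acquirer on its aggregated counts."""
    merchants, tot = {}, [0, 0, 0, 0, 0]
    for m in portfolio:
        counts = (m.tc40_fraud, m.tc15_nondisputed, m.cnp_settled,
                  m.unauthorized_auths, m.auth_attempts)
        merchants[m.mid] = {"vamp": vamp_tier(vamp_ratio(*counts[:3])),
                            "enumeration": enumeration_tier(enumeration_ratio(*counts[3:]))}
        tot = [a + b for a, b in zip(tot, counts)]   # acquirer-level aggregate
    acquirer = {"vamp": vamp_tier(vamp_ratio(*tot[:3])),
                "enumeration": enumeration_tier(enumeration_ratio(*tot[3:]))}
    return {"merchants": merchants, "acquirer": acquirer}

# Constructed sample: one clean merchant, one breaching both Excessive thresholds, one in the Standard band.
SAMPLE_PORTFOLIO = [
    MerchantMonth("M-001", 100_000, 200, 100, 110_000, 3_000),
    MerchantMonth("M-002", 20_000, 250, 100, 30_000, 9_000),
    MerchantMonth("M-003", 50_000, 300, 150, 52_000, 2_000),
]
```

On this sample the single bad merchant is diluted at portfolio level, yet the acquirer aggregate still crosses the Standard line, which is why per-merchant and acquirer-level views are both worth monitoring.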
Monitoring Programs and Risk Management
Visa's Monitoring Infrastructure
Visa Acquirer Monitoring Program (VAMP)
With the new VAMP, merchants will be assessed starting October 1, 2025, with a six-month grace period. Merchants that exceed the thresholds must acknowledge the breach, cite its causes, and provide a remediation plan within 15 calendar days. Fees are assessed at escalating levels based on the length and extent of non-compliance.
Visa Acceptance Risk Standards (VARS)
VARS define the controls acquirers must have in place, which vary somewhat by acquirer but include, among others:
Record of assessments/review
Ability to monitor for transaction anomalies
Mastercard's Monitoring Ecosystem
Business Risk Assessment and Mitigation (BRAM) Program
The BRAM Program aims to assess and mitigate merchants that present high risk to the brand. These are often merchants operating on the edge of legality or that put Mastercard's brand at risk. The program was established in 2005 and continues to broaden its scope as new concerns arise, such as fraud, counterfeiting, adult entertainment, and child pornography.
Questionable Merchant Audit Program (QMAP)
The QMAP seeks to assess those merchants who may be engaged in potentially fraudulent behaviour via a review of questionable merchant transactions in conjunction with excessive chargeback levels. If Mastercard determines a merchant is questionable, it communicates with the acquirer through the Company Contact Management system.
PCI 360 Education Program
The PCI 360 Education Program seeks to help acquirers teach merchants how to reinforce and expand PCI Security Standards compliance.
Validation Processes and Requirements
Both card associations assign merchants and service providers to levels according to transaction volume, and each level carries its own validation requirements.
Merchant and Service Provider Classification
Visa's Validation Structure
Visa assigns merchant levels according to aggregate transaction volume over a 12-month period. Some levels require an Annual On-Site Security Assessment and a Quarterly Network Vulnerability Scan, while others require only an Annual Self-Assessment Questionnaire and a Quarterly Network Vulnerability Scan.
Under Visa's approach, a merchant that has made every effort to remain compliant is not held at fault for a failure by a third party over which it has little control. Visa also waives the PCI DSS validation assessment for merchants with qualifying technology implementations, for instance where at least 75% of annual transactions are processed through EMV chip-enabled terminals, validated point-to-point encryption, or tokenization. Such merchants qualify for Visa's Technology Innovation Program (TIP), which waives the annual PCI DSS compliance assessment, though not the obligation to remain compliant.
Mastercard's Validation Framework
With respect to the Site Data Protection (SDP) Program, acquirers must:
Submit the SDP Acquirer Submission and Compliance Status Form for Level 1 and Level 2 merchants every 6 months.
Submit forms for Level 3 merchants as requested, where required by applicable law or regulations.
Validate to Mastercard that they have a risk management program in place for Level 3 and Level 4 portfolios.
Special Validation Programs
Enforcement Mechanisms and Penalties
Visa's Enforcement Structure
If a merchant or service provider is found not to be adhering to PCI DSS requirements, Visa can levy Non-Compliance Assessments. These are charged to the issuer or acquirer, but may be waived where the entity can demonstrate PCI DSS compliance for a reasonable period before the breach and through the forensic investigation of the breach.
Mastercard's Enforcement Approach
Mastercard has similar enforcement provisions, including assessments for non-compliance. For instance, under QMAP, if fraud is found the acquirer must terminate the merchant, and issuers may initiate chargebacks to recover their funds.
Special Programs and Initiatives
Third-Party Agent Registration
Visa requires registration of Third Party Agents (TPAs). A Third Party Agent is any person or entity that solicits on behalf of an acquirer or issuer, installs acceptance devices, issues encryption or decryption keys, or has access to cardholder data. No issuer, acquirer, or merchant may use a TPA's services unless the TPA is registered under the TPA Registration Program.
Global Registry of Service Providers
Visa maintains the Global Registry of Service Providers, the industry's official registry for payment processing, which any party can use to check whether the agents it works with are registered and in good standing. Its purpose is to promote proper operations and the use of licensed service providers.
Visa Direct Controls
For all transactions using Visa Direct, the acquirer must ensure that every sender complies with applicable money-transmission licensing requirements, that all Know Your Customer (KYC) and screening requirements are completed, and that velocity controls are in place.
Future Developments and Implications
Both payment card networks will continue to evolve over the coming year.
Visa's VAMP Transformation
The merger of the various monitoring programs under the new Visa VAMP brand signals a shift from after-the-fact anomaly detection to pre-emptive fraud prevention. This could greatly change how acquirers and merchants assess risk, requiring adjustments to mandated monitoring technology and a more hands-on, in-house approach to prevention.
Enhanced Authentication Requirements
Both networks are layering on new authentication requirements; examples include Mastercard's Authentication Best Practices guide and mandatory authentication data in authorization and clearing messages.
Conclusion
Visa and Mastercard do not leave acquirer and issuer compliance to chance; they rely on an array of measures to ensure it. From mandatory standards to monitoring programs, validation requirements, and enforcement actions, they have taken every step necessary to preserve the security of their payment networks. As the global nature of fraud changes over time, so do both networks' compliance requirements, many of which take effect in 2025.
The combination of Visa's consolidated supervisory initiatives and rising minimum expectations suggests that the networks are moving into a preventative mode rather than an after-the-fact one. To remain compliant, acquirers and issuers will need to keep investing in security measures, vigilant oversight, and prompt remediation of any issues found.