Understand payments,
end to end.
Plain-language guides to the concepts, systems, and terminology that drive the global payments industry — written for operators, not engineers.
How Payments Work
The basics of what happens when a card is charged.
The Payment Lifecycle
Authorization, capture, settlement — explained clearly.
Card Networks
Visa, Mastercard, Amex — who does what and why it matters.
Interchange & Fees
Where your processing costs actually come from.
Chargebacks
What they are, why they happen, and how to fight them.
Types of Payment Fraud
Card testing, friendly fraud, account takeover and more.
Fraud Prevention
Layered strategies that protect revenue without killing conversion.
3D Secure
How strong customer authentication works and when to use it.
The Payment Stack
How all the pieces — PSPs, gateways, acquirers — fit together.
Tokenization
How sensitive card data is replaced with safe tokens.
PCI DSS
What compliance actually means and what it requires of you.
Cross-Border Payments
The challenges and strategies for accepting payments globally.
Card Network Monitoring Programs
VAMP, ECM, HECM, EFM — what they are, how thresholds work, and what's at stake.
How Payments Work
When a customer swipes, taps, or types their card number, they trigger a chain of events involving multiple parties — all in a matter of seconds. Here's what actually happens.
The four parties in every card transaction
Every card payment involves four key players. Understanding their roles is the foundation of understanding payments.
| Party | Who they are | Their role |
|---|---|---|
| Cardholder | Your customer | Initiates the payment using their card |
| Merchant | You | Accepts the payment and requests funds |
| Issuing bank | Customer's bank (e.g. Chase, Barclays) | Issued the card; approves or declines the transaction |
| Acquiring bank | Your bank / payment processor | Receives funds on your behalf and settles to your account |
In between these parties sit the card networks (Visa, Mastercard, Amex) — they set the rules and provide the rails that connect issuers and acquirers.
The transaction flow
Here's the simplified journey of a card payment from tap to settlement:
This entire round-trip typically completes in 1–3 seconds. The authorization is instant; the actual movement of money (settlement) happens later, usually within 1–2 business days.
Online vs. in-person payments
The underlying flow is the same whether a payment is made online or in person, but the method of capturing card data differs:
- In-person (card present): Data is read from the chip or NFC. These transactions carry lower fraud risk and therefore lower interchange rates.
- Online (card not present): The cardholder manually enters their card number, expiry, and CVV. Higher fraud risk means higher fees and stricter authentication requirements.
- Stored credentials / subscriptions: Card details saved on file are re-used for recurring charges. Tokenization makes this secure.
The Payment Lifecycle
A transaction doesn't end when a customer checks out. Authorization, capture, and settlement are three distinct steps — and confusing them is an expensive mistake.
Authorization
Authorization is the process of verifying that a cardholder's account is valid and has sufficient funds (or credit). When a customer pays, a request is sent to the issuing bank asking: "Can this transaction proceed?"
The issuer responds with an authorization code (approved) or a decline code. No money moves at this point — only a hold is placed on the customer's available balance.
Capture
Capture is the instruction to actually charge the authorized amount. For most e-commerce merchants, authorization and capture happen simultaneously. But in some industries they're separated:
- Hotels authorize at check-in, capture at checkout (often with adjustments)
- Marketplaces may authorize when an order is placed, capture only when shipped
- Car rentals hold a large authorization, then capture final amount after return
You can also do partial captures — capturing less than the authorized amount — and in some cases multiple captures against a single authorization.
Settlement
Settlement is when funds actually move from the issuing bank to your acquiring bank, and then to your account. This typically takes 1–3 business days, though some processors offer same-day or next-day settlement at a premium.
Refunds vs. Reversals
| Action | When used | Effect |
|---|---|---|
| Void / Reversal | Before settlement | Cancels the capture; hold releases |
| Refund | After settlement | New transaction pushed back to cardholder |
| Partial refund | After settlement | Returns only part of the charged amount |
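The three steps above, together with the void/refund distinction, can be modeled as a small state machine. The following is an added example (not code from the original page or from any processor) that enforces the rules just described: a capture never exceeds the authorization, a void is only possible before settlement, and a refund is only possible after it and never for more than was captured. The `Transaction` class, the `multi_capture` flag and the scenario functions are this example's own names; amounts are in cents.

```python
"""Authorization, capture, settlement, void and refund as a state machine.

Added illustration, not code from the original page or any payment processor.
Amounts are integer minor units (cents); the class, flag and scenario names
are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


class PaymentError(Exception):
    """Raised when an operation is invalid in the transaction's current state."""


@dataclass
class Transaction:
    authorized: int                  # amount the issuer approved (the hold)
    captured: int = 0                # total captured against the hold
    refunded: int = 0                # total returned after settlement
    settled: bool = False            # captured funds have moved to the acquirer
    voided: bool = False             # hold released before settlement
    multi_capture: bool = False      # several captures against one auth allowed?
    events: List[Tuple[str, int]] = field(default_factory=list)

    def capture(self, amount: int) -> int:
        """Capture part or all of the authorization; returns total captured.

        Without multi-capture, the first capture closes the auth and any
        uncaptured remainder is released (a partial capture).
        """
        if self.voided or self.settled:
            raise PaymentError("cannot capture a voided or settled transaction")
        if amount <= 0 or amount > self.authorized - self.captured:
            raise PaymentError("capture exceeds remaining authorization")
        self.captured += amount
        self.events.append(("capture", amount))
        if not self.multi_capture:
            self.authorized = self.captured
        return self.captured

    def void(self) -> None:
        """Reversal before settlement: cancels any capture and releases the hold."""
        if self.settled:
            raise PaymentError("already settled; issue a refund instead")
        self.voided = True
        self.captured = 0
        self.authorized = 0
        self.events.append(("void", 0))

    def settle(self) -> int:
        """Funds move issuer -> acquirer; only captured money settles."""
        if self.voided or self.captured == 0:
            raise PaymentError("nothing to settle")
        self.settled = True
        self.events.append(("settle", self.captured))
        return self.captured

    def refund(self, amount: int) -> int:
        """After settlement, push money back; never more than the net captured."""
        if not self.settled:
            raise PaymentError("not settled yet; void instead of refunding")
        if amount <= 0 or amount > self.captured - self.refunded:
            raise PaymentError("refund exceeds net captured amount")
        self.refunded += amount
        self.events.append(("refund", amount))
        return self.captured - self.refunded


def hotel_stay() -> Transaction:
    """Authorize at check-in, capture a lower final folio, refund a line item later."""
    t = Transaction(authorized=50_000)
    t.capture(42_000)
    t.settle()
    t.refund(2_000)
    return t


def marketplace_order() -> Transaction:
    """Two shipments, two captures against one authorization."""
    t = Transaction(authorized=10_000, multi_capture=True)
    t.capture(6_000)
    t.capture(4_000)
    t.settle()
    return t


def abandoned_order() -> Transaction:
    """Captured but voided the same day: no settlement, so no refund is needed."""
    t = Transaction(authorized=9_900)
    t.capture(9_900)
    t.void()
    return t


def refund_before_settlement_is_rejected() -> bool:
    """Refunding an unsettled capture is the mistake the text warns about."""
    t = Transaction(authorized=5_000)
    t.capture(5_000)
    try:
        t.refund(5_000)
    except PaymentError:
        return True
    return False
```

The `events` list is the audit trail you would reconcile against your processor's reports; a refund that appears before a settlement event in that trail is exactly the confusion the section warns about.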
Chargebacks
A chargeback is a forced reversal of a payment, initiated by the cardholder's bank. They're one of the most costly and misunderstood aspects of accepting card payments.
How a chargeback happens
Common chargeback reason codes
| Category | Examples | Typical cause |
|---|---|---|
| Fraud | Visa 10.4, MC 4837 / 4863 | Genuine unauthorized use or friendly fraud |
| Not as described | Visa 13.3, MC 4853 | Customer received something different than expected |
| Item not received | Visa 13.1, MC 4855 | Delivery failed or tracking not provided |
| Duplicate processing | Visa 12.6, MC 4834 | Customer charged twice |
| Credit not processed | Visa 13.6, MC 4841 | Refund was promised but not issued |
Friendly fraud
Friendly fraud (also called first-party fraud) occurs when a legitimate cardholder disputes a transaction they actually authorized. This is one of the most common and fastest-growing sources of chargebacks — estimates suggest it accounts for 40–80% of all chargebacks in e-commerce.
Common scenarios: buyer's remorse, family members making unrecognized purchases, or deliberate abuse of the dispute process to get goods for free.
How to fight a chargeback
When you receive a chargeback notification, you typically have 7–30 days to respond with evidence ("representment"). Strong evidence includes:
- Proof of delivery (tracking numbers, signature confirmation)
- IP address and geolocation data matching the customer
- Device fingerprint and browser data
- Email / chat correspondence with the customer
- Signed terms of service or refund policy acknowledgment
- AVS and CVV match confirmation
- 3DS authentication data (shifts liability to issuer)
Prevention is better than winning
The best chargeback strategy is one that avoids them in the first place. Key prevention levers:
- Clear billing descriptor (what customers see on their statement)
- Easy, prominent refund policy
- Proactive customer service before disputes escalate
- Order confirmation emails with clear itemization
- 3DS authentication to shift fraud liability
- Velocity checks and fraud rules to catch stolen cards early
Card Networks Explained
Visa, Mastercard, American Express, and Discover sit at the center of global card payments. Understanding what they do — and what they don't — is essential for any payments strategy.
What card networks actually do
Card networks are often mistaken for banks. They don't issue cards or hold money. Their role is to:
- Set the rules — interchange rates, acceptance requirements, dispute resolution procedures
- Provide the rails — the infrastructure that routes authorization requests between acquirers and issuers
- Manage the brand — the logo on a card signals to any merchant worldwide that it will be accepted
Open vs. closed network models
| Model | Examples | How it works |
|---|---|---|
| Open network | Visa, Mastercard | Separate issuers and acquirers. Hundreds of banks issue Visa cards; hundreds of banks act as Visa acquirers. |
| Closed network | American Express, Discover | The network also acts as issuer and/or acquirer. More control, but typically higher merchant fees. |
Why this matters for merchants
Networks set interchange rates — the baseline fee paid to the issuing bank on every transaction. Because Amex controls both sides, their merchant fees have historically been higher (though the gap has narrowed). Merchants in lower-margin industries sometimes choose not to accept Amex for this reason.
Interchange & Fees
Interchange is the largest component of what you pay to process cards. Most merchants have no idea they can influence it — which means most merchants are overpaying.
What is interchange?
Interchange is a fee paid to the issuing bank on every card transaction. It compensates the issuer for the cost of credit, fraud risk, and reward programs. It's set by the card networks (Visa, Mastercard) and varies by:
- Card type (debit, credit, premium rewards, corporate)
- Industry / merchant category code (MCC)
- Transaction type (card present vs. card not present)
- Data quality (does the transaction include Level 2/3 data?)
The fee layers
| Fee component | Who receives it | Negotiable? |
|---|---|---|
| Interchange | Issuing bank | No |
| Network assessment | Visa / Mastercard | No |
| Processor / acquirer markup | Your payment processor | Yes |
Pricing models
How your processor packages these costs determines your effective rate:
- Flat rate: One simple rate (e.g. 2.9% + $0.30). Easy to understand, but expensive for high-volume merchants. Common with Stripe and Square.
- Interchange-plus (cost-plus): You pay the actual interchange rate plus a fixed processor markup. Transparent and almost always cheaper for merchants doing meaningful volume.
- Tiered pricing: Transactions are bucketed into "qualified," "mid-qualified," and "non-qualified" tiers. Often misleading — many transactions fall into expensive tiers without explanation. Avoid if possible.
- Subscription / membership: Monthly fee plus a small per-transaction fee on top of interchange. Can be very cost-effective at scale.
Types of Payment Fraud
Payment fraud is not one thing. Understanding the different attack vectors is the first step to defending against them.
Card testing
Fraudsters obtain lists of stolen card numbers and run small transactions (often $0–$1) to check which cards are still active before using them for larger fraud. Symptoms: sudden spike in low-value declines, unusually high decline rates, multiple attempts from the same IP or device.
Account takeover (ATO)
Attackers gain access to a customer's account using stolen credentials (often from data breaches) and use stored payment methods to make fraudulent purchases. Particularly damaging in subscription businesses and marketplaces.
Friendly fraud
A legitimate cardholder disputes a transaction they actually authorized — intentionally or because they don't recognize the charge. Represents the majority of e-commerce chargebacks and is increasing year-over-year.
Synthetic identity fraud
Fraudsters create fake identities by combining real and fabricated information (e.g. a real SSN with a fake name). These identities are "built up" over time with small credit activities before being used to commit fraud at scale.
Refund fraud
Abuse of return and refund policies — claiming non-delivery on items that were received, returning used or counterfeit goods, or social-engineering customer service agents into issuing refunds.
| Fraud type | Who bears the loss | Primary signal |
|---|---|---|
| Card testing | Merchant (fees + blocks) | High decline rate, low-value attempts |
| Account takeover | Merchant / customer | Login anomalies, new device on known account |
| Friendly fraud | Merchant | Chargebacks on fulfilled orders |
| Synthetic identity | Issuer / merchant | New customer, unusual behavior patterns |
| Refund fraud | Merchant | Return rate anomalies by account/address |
Fraud Prevention Strategies
The goal isn't to block all fraud at any cost — it's to minimize fraud losses without blocking legitimate customers. That balance requires layers, not a single tool.
The layered approach
No single tool catches all fraud. Effective fraud prevention stacks multiple signals and controls at different points in the transaction journey:
- Pre-authorization: Velocity rules, device fingerprinting, IP reputation, email risk scoring
- At authorization: CVV/AVS matching, 3DS authentication, ML-based risk scoring
- Post-authorization: Order review queues, manual review for high-risk orders, chargeback monitoring
Key fraud signals to monitor
| Signal | What it indicates |
|---|---|
| AVS mismatch | Billing address doesn't match card records — elevated fraud risk |
| CVV failure | Card number known but security code wrong: typical of card data taken from a breached database rather than from the physical card |
| Velocity | Multiple transactions from same card/IP/email in short window |
| Device fingerprint | Same device used across multiple accounts or cards |
| Shipping/billing mismatch | Ship-to address differs significantly from billing — common in fraud |
| High-risk email domains | Disposable or newly-created email addresses |
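To make the card-testing symptoms listed earlier (low-value attempts, high decline rate, many cards from one IP or device) and the velocity and device-fingerprint signals in the table concrete, here is an added detector. It is not part of the original page or any fraud vendor's product; the log format, the sample lines and the thresholds are constructed for the example and should be tuned to real traffic.

```python
"""Card-testing / velocity detector over authorization log lines.

Added example, not from the original page or any fraud vendor. The log format
(timestamp, ip, device_id, card_fingerprint, amount_cents, result), the sample
data and the thresholds are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scripted tester cycling cards from 203.0.113.7, plus
# ordinary shoppers. card_fp is a per-card fingerprint (e.g. a PSP token), never a PAN.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,203.0.113.7,dev-a1,fp-1001,100,declined
2024-05-01T10:00:03Z,203.0.113.7,dev-a1,fp-1002,100,declined
2024-05-01T10:00:04Z,203.0.113.7,dev-a1,fp-1003,100,approved
2024-05-01T10:00:06Z,203.0.113.7,dev-a1,fp-1004,100,declined
2024-05-01T10:00:07Z,203.0.113.7,dev-a1,fp-1005,100,declined
2024-05-01T10:00:09Z,203.0.113.7,dev-a1,fp-1006,100,declined
2024-05-01T10:00:10Z,203.0.113.7,dev-a1,fp-1007,100,declined
2024-05-01T10:00:12Z,203.0.113.7,dev-a1,fp-1008,100,declined
2024-05-01T10:01:00Z,198.51.100.20,dev-b7,fp-2001,4999,approved
2024-05-01T10:05:00Z,198.51.100.21,dev-c3,fp-2002,12950,approved
2024-05-01T10:06:30Z,198.51.100.21,dev-c3,fp-2002,12950,declined
2024-05-01T10:07:00Z,198.51.100.21,dev-c3,fp-2002,12950,approved
"""

WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 5        # enough volume to be a pattern, not one retry
MIN_DECLINE_RATE = 0.6  # testers burn through dead cards
MIN_DISTINCT_CARDS = 4  # one shopper retrying one card is not card testing
LOW_VALUE_CENTS = 500   # "$0-$1" probes, with some headroom


def parse(log: str):
    rows = []
    for line in log.strip().splitlines():
        ts, ip, dev, fp, amt, res = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "device": dev, "card": fp,
            "amount": int(amt), "approved": res == "approved",
        })
    return sorted(rows, key=lambda r: r["ts"])


def detect(log: str, key: str = "ip") -> dict:
    """Return {entity: stats} for entities whose sliding window trips every rule.

    key selects the pivot ('ip' or 'device'); card testers often rotate IPs
    but keep a device fingerprint, so run both and union the results.
    """
    by_entity = defaultdict(list)
    for r in parse(log):
        by_entity[r[key]].append(r)

    flagged = {}
    for entity, rows in by_entity.items():
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the window spans at most WINDOW.
            while rows[end]["ts"] - rows[start]["ts"] > WINDOW:
                start += 1
            win = rows[start:end + 1]
            attempts = len(win)
            if attempts < MIN_ATTEMPTS:
                continue
            declines = sum(1 for r in win if not r["approved"])
            cards = {r["card"] for r in win}
            low_value = sum(1 for r in win if r["amount"] <= LOW_VALUE_CENTS)
            stats = {
                "attempts": attempts,
                "decline_rate": declines / attempts,
                "distinct_cards": len(cards),
                "low_value_share": low_value / attempts,
                # Approved probes are the cards the attacker will now use elsewhere.
                "live_cards": sorted(r["card"] for r in win if r["approved"]),
            }
            if (stats["decline_rate"] >= MIN_DECLINE_RATE
                    and stats["distinct_cards"] >= MIN_DISTINCT_CARDS):
                flagged[entity] = stats   # keep the latest tripping window
    return flagged
```

The `live_cards` list is the operational output: those are the cards that authorized, so block the source, report them to your acquirer, and expect TC40s on them. Note that the shopper at 198.51.100.21 who retried one card three times is not flagged, because the distinct-card rule separates a retry from an enumeration run.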
The false positive problem
Blocking fraud aggressively also blocks legitimate customers. False positives — declined transactions from real cardholders — are often more costly than the fraud they prevent, especially for high-AOV merchants. Every rule you add should be measured for its impact on both fraud decline rates and legitimate decline rates.
3D Secure & Authentication
3D Secure (3DS) is the authentication protocol behind "Verified by Visa" and "Mastercard Identity Check." Version 2 (3DS2) is now the standard — and it's far smarter than its predecessor.
What 3DS does
3DS adds an authentication step between payment submission and authorization. The cardholder is challenged to prove they are the legitimate account holder — either through a one-time password, biometric, or silent device authentication.
3DS1 vs 3DS2
| | 3DS1 (old) | 3DS2 (current) |
|---|---|---|
| Challenge method | Static password / redirect | OTP, biometric, app-based |
| Data sent to issuer | Minimal | 100+ data points (device, behavior, order) |
| Frictionless flow | No | Yes — most transactions skip the challenge |
| Mobile support | Poor | Native SDK support |
| Conversion impact | High friction, significant drop-off | Minimal when frictionless |
Liability shift
The key commercial benefit of 3DS: when a 3DS-authenticated transaction is later disputed as fraud, liability shifts to the issuing bank. The issuer generally cannot charge back an authenticated transaction under a fraud reason code, so you keep the funds and pay no chargeback fee. The shift covers fraud-coded disputes only: a cardholder can still dispute an authenticated purchase as not received or not as described, and those remain your liability. Visa can also withdraw the shift from US merchants with excessive fraud on 3DS transactions (see VSEFP under Card Network Monitoring Programs).
When to use 3DS
- Required by law: PSD2 in Europe mandates Strong Customer Authentication (SCA) for most online payments
- High-value orders: Applying 3DS selectively to orders above a threshold
- High-risk indicators: New customers, mismatched billing/shipping, high-risk geographies
- Dispute-prone categories: Digital goods, travel, subscription renewals
The Payment Stack
Merchants often use the terms gateway, PSP, and acquirer interchangeably — but they're different things. Knowing the difference helps you make better vendor decisions and understand your cost structure.
Payment gateway
A gateway is the technology layer that captures payment data from your checkout and securely transmits it to the processor. Think of it as the pipe. It encrypts card data, connects to the acquiring network, and returns an authorization response.
Payment processor / acquirer
The processor (or acquiring bank) is the financial institution that processes transactions on your behalf. They hold your merchant account, receive funds from the card networks, and settle them to your bank. Some processors are also banks; others are third-party processors working on behalf of acquiring banks.
Payment Service Provider (PSP)
A PSP bundles gateway and processing functionality into one service. Stripe, Adyen, Braintree, and Worldpay are all PSPs. They handle the full stack — from capturing card data to settling funds — under one contract. This simplifies setup but may limit flexibility at scale.
| Setup | Typical for | Pros / Cons |
|---|---|---|
| PSP (all-in-one) | Startups to mid-market | Simple, fast to launch / Less pricing control |
| Gateway + dedicated merchant account | Mid-market to enterprise | Better rates, more control / More complexity |
| Direct acquiring relationships | Large enterprises | Maximum control and cost efficiency / Significant operational overhead |
Tokenization
Tokenization replaces sensitive card data with a non-sensitive placeholder (a token). It's the foundation of secure card storage, recurring payments, and network-level security.
How it works
When a card is tokenized, the real card number (PAN) is replaced with a randomly generated string, and the mapping between the two is stored only in the token vault. Because the token is not derived from the PAN (it is neither a hash nor an encryption of it), it cannot be reversed or brute-forced, and it has no exploitable value outside the system that issued it.
PSP tokens vs. network tokens
| Type | Created by | Scope | Key benefit |
|---|---|---|---|
| PSP token | Stripe, Adyen, etc. | Works only with that PSP | Secure card storage for recurring payments |
| Network token | Visa / Mastercard | Portable across acquirers | Higher auth rates, lower fraud, lower interchange |
Network tokenization is increasingly important. Tokens are issued by the card networks and updated automatically when cards are reissued — solving the problem of failed recurring payments due to expired cards.
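As an added illustration of a PSP-style token vault (not the page's own code, nor any PSP's or network's API), the following keeps the PAN-to-token mapping in one place, hands out random tokens, and shows why a hash of the PAN is not a substitute: with a known 8-digit BIN and the last four digits, a 16-digit PAN has only four unknown digits. `TokenVault`, `brute_force_hash` and the use of Visa's public test number 4111 1111 1111 1111 are this example's own choices; the in-memory dict stands in for a PCI-scoped vault service.

```python
"""Vault-style tokenization: replace a PAN with a random token.

Added example, not the original page's code nor any PSP's or network's API.
Storage is an in-memory dict here; a real vault is a separate PCI-scoped
service. 4111 1111 1111 1111 is Visa's public test card number.
"""
import hashlib
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self):
        self._token_to_pan = {}   # the only place the PAN lives
        self._pan_to_token = {}   # so the same card yields the same token

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._pan_to_token:
            # 128 bits from the OS CSPRNG with no relation to the PAN: a stolen
            # token table cannot be reversed or brute-forced.
            token = "tok_" + secrets.token_hex(16)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        token = self._pan_to_token[pan]
        # Non-sensitive metadata that may leave the vault (display / BIN routing).
        return {"token": token, "bin": pan[:6], "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the vault, at authorization time, resolves a token back to a PAN."""
        return self._token_to_pan[token]


def pan_hash(pan: str) -> str:
    """What a naive 'tokenization' by hashing would store."""
    return hashlib.sha256(pan.encode()).hexdigest()


def brute_force_hash(target_hash: str, bin8: str, last4: str) -> Optional[str]:
    """Why hashing a PAN is not tokenization: BIN ranges are public and many
    issuers now use 8-digit BINs; last4 is printed on receipts. For a 16-digit
    card that leaves 4 unknown digits, 10^4 guesses, fewer after Luhn filtering."""
    for middle in range(10 ** 4):
        pan = f"{bin8}{middle:04d}{last4}"
        if luhn_valid(pan) and pan_hash(pan) == target_hash:
            return pan
    return None


def demo() -> dict:
    """Round trip through the vault, then recover a hashed PAN in a few ms."""
    vault = TokenVault()
    first = vault.tokenize("4111 1111 1111 1111")
    second = vault.tokenize("4111111111111111")
    return {
        "token": first["token"],
        "bin": first["bin"],
        "last4": first["last4"],
        "same_token": first["token"] == second["token"],
        "roundtrip": vault.detokenize(first["token"]) == "4111111111111111",
        "hash_recovered": brute_force_hash(pan_hash("4111111111111111"), "41111111", "1111"),
    }
```

Two design points matter in practice: the token is generated with `secrets`, never derived from the PAN, and the `tokenize` response carries only BIN and last4, which is all a checkout, receipt or support tool should ever see. Network tokens work on the same principle but the vault is operated by the card network, which is why they survive card reissues.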
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for any business that stores, processes, or transmits cardholder data. Non-compliance carries significant financial and reputational risk.
Who needs to comply?
Every merchant that accepts card payments. The level of compliance required (SAQ A through SAQ D, or a full audit) depends on your transaction volume and how you handle card data.
PCI merchant levels
| Level | Annual transaction volume | Requirements |
|---|---|---|
| Level 1 | Over 6 million | Annual on-site assessment (Report on Compliance) by a QSA + quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) |
| Level 2 | 1–6 million | Annual SAQ + quarterly ASV scan |
| Level 3 | 20,000–1 million (e-commerce) | Annual SAQ + quarterly ASV scan |
| Level 4 | Under 20,000 (e-commerce) | Annual SAQ recommended + quarterly ASV scan |
SAQ types
The Self-Assessment Questionnaire (SAQ) type you need depends on how you accept payments:
- SAQ A: All payment processing outsourced, with every element of the payment page delivered by the compliant third party (e.g. a Stripe or PayPal hosted page, a full redirect, or a hosted iframe). Simplest. ~22 requirements under PCI DSS v3.2.1; the count differs under v4.0.
- SAQ A-EP: E-commerce where your own site delivers part of the payment page, typically a JavaScript form served from your page that posts card data directly to the PSP. Substantially more involved than SAQ A, because a compromise of your web server could alter that form and divert card data.
- SAQ D: You store, process or transmit card data yourself. Most complex, roughly 329 requirements under v3.2.1.
PSD2 & Open Banking
The Revised Payment Services Directive (PSD2) reshaped European payments — introducing Strong Customer Authentication and opening the door to Open Banking. Its ripple effects are felt globally.
Strong Customer Authentication (SCA)
PSD2 requires that most online payments in Europe use SCA — authentication based on at least two of three factors:
- Something you know — password or PIN
- Something you have — phone or hardware token
- Something you are — biometric (fingerprint, face ID)
In practice, SCA is most commonly implemented via 3DS2. Certain transactions are exempt — low-value payments (<€30), trusted beneficiaries, recurring transactions with fixed amount — and these exemptions are important for managing conversion.
Open Banking
PSD2 also mandated that banks open their data and payment infrastructure to licensed third parties via APIs. This enabled two new categories of payment services:
- Account Information Services (AIS): Aggregating account data across banks (used in personal finance apps, credit underwriting)
- Payment Initiation Services (PIS): Initiating bank transfers directly from a customer's account, bypassing card networks entirely
PSPs vs. Gateways vs. Acquirers
Three terms used interchangeably but meaning very different things. Getting this right matters when you're choosing vendors or renegotiating contracts.
Quick definitions
Gateway: Technology layer. Securely captures card data and routes it to the processor. Examples: Authorize.Net, NMI, Stripe (gateway-only mode).
Acquirer / Acquiring bank: The financial institution that holds your merchant account, processes transactions, and settles funds. Examples: Chase Paymentech, Worldpay, Elavon.
PSP (Payment Service Provider): An all-in-one service that bundles gateway, processing, and merchant account into one product. Examples: Stripe, Adyen, Square, Braintree.
Why the distinction matters
When you use an all-in-one PSP, you're a sub-merchant on their master merchant account. This is fine for most businesses but can create complications at high volume (pricing leverage, reserve requirements, account stability). At scale, having your own direct acquiring relationship gives you more control, better pricing, and a direct relationship with the institution holding your money.
Cross-Border Payments
Accepting payments internationally sounds simple. In practice, it involves currency conversion, local acquiring, compliance, and payment method complexity that can quietly cost you significant revenue.
The cross-border cost problem
When a card issued in one country is charged by a merchant in another country, it's a cross-border transaction. The card networks add a surcharge (typically 0.4–1.5%) on top of standard interchange. If you're processing in a currency that's then converted, you're also paying FX fees.
Local acquiring vs. cross-border acquiring
The most effective way to reduce cross-border costs is local acquiring — having a merchant account in each market so that transactions are processed domestically. This typically reduces authorization failure rates (issuers are more likely to approve domestic transactions) and eliminates cross-border surcharges.
| | Cross-border acquiring | Local acquiring |
|---|---|---|
| Setup complexity | Low | High (entity, banking, compliance per market) |
| Transaction cost | Higher (CB surcharge + FX) | Lower (domestic rates) |
| Authorization rate | Lower | Higher |
| Right for | Testing new markets | Established volume in a market |
Currency strategy
Customers convert better when they see prices in their local currency. Options for presenting and processing in local currency:
- Dynamic Currency Conversion (DCC): Customer chooses to pay in home currency at point of sale. Typically expensive for the customer — often considered bad practice.
- Multi-currency pricing: You display and settle in local currencies using your processor's FX rates. Simpler than local acquiring; monitor the FX markup closely.
- Local settlement: Accept and settle in local currency, convert periodically at favorable rates.
Local Payment Methods
Cards dominate in the US and UK, but globally, a huge portion of commerce happens on payment methods that have no card network involved at all. Ignoring them means leaving revenue on the table.
Why local methods matter
In many markets, the majority of consumers either don't have credit cards, prefer alternatives, or actively distrust entering card details online. Offering local payment methods can dramatically improve conversion in those markets.
| Region | Key payment methods | Notes |
|---|---|---|
| Europe | iDEAL (NL), SEPA Direct Debit, Bancontact (BE), Sofort (DE) | Bank-based; often lower fees than cards |
| Asia-Pacific | Alipay, WeChat Pay, GrabPay, PayNow (SG), UPI (IN) | QR-code and wallet-based; massive volume |
| Latin America | Boleto (BR), OXXO (MX), PIX (BR) | Cash vouchers and instant bank transfers |
| Middle East | KNET (KW), Mada (SA), Fawry (EG) | Local debit schemes dominate |
| US | ACH / bank transfer, Buy Now Pay Later | Growing for B2B and high-AOV |
Card Network Monitoring Programs
Visa and Mastercard don't just process your payments — they actively monitor how you operate. If your chargeback or fraud rates breach defined thresholds, they place you into a formal monitoring program with escalating monthly fines, potential reserves, and ultimately the risk of losing your ability to accept card payments entirely.
How monitoring programs work
Both Visa and Mastercard evaluate your activity on a monthly cycle, but they measure rates differently. Visa calculates your dispute and fraud ratio against the same calendar month's transaction volume. Mastercard calculates your chargeback ratio against the previous month's sales. This difference matters for remediation timing — a drop in chargebacks this month improves your Visa numbers immediately but won't show up in Mastercard's calculation until next month.
Monitoring programs count all disputes regardless of outcome. Winning a representment does not remove the chargeback from the calculation. Refunds issued before a dispute was raised usually don't remove it either — the network is measuring your dispute prevention, not your win rate.
Visa programs
VAMP — Visa Acquirer Monitoring Program (Effective May 15, 2025)
VAMP is Visa's consolidated monitoring program effective May 2025. It tracks two separate risk categories — disputes and fraud, and card enumeration (card testing) — independently. Exceeding the threshold in one category places you into monitoring only for that category.
For disputes and fraud, Visa calculates three metrics each month from the prior month's data. The VAMP Count is the total number of disputes (via TC15 reporting) plus early fraud warnings or EFWs (via TC40 reporting). If the same transaction appears in both TC15 and TC40, it is counted twice. The VAMP Volume is the total USD value of those events. The VAMP Ratio is VAMP Count divided by total captured transactions.
Two kinds of events are excluded from VAMP counts: disputes resolved through pre-dispute products (the Verifi and Ethoca tools described under remediation below), and TC40 fraud reports that qualified for Compelling Evidence 3.0.
| Criteria | Non-Compliant Threshold | Excessive Threshold |
|---|---|---|
| VAMP Count | ≥ 5 | ≥ 1,500 globally (≥ 150 in CEMEA) |
| VAMP Ratio | ≥ 0.5% | ≥ 2.2% globally (≥ 1.5% in LAC); from Apr 2026: 2.2% in CEMEA, 1.5% elsewhere |
| VAMP Volume | N/A | ≥ $75,000 USD (CEMEA only) |
Merchants exceeding the Excessive threshold are fined monthly by Visa. Merchants in the Non-Compliant tier may also face fees at Visa's discretion. Fines are communicated through your acquirer.
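The following is an added worked calculation of VAMP Count, Volume and Ratio over a constructed month of TC15 and TC40 records, not Visa's own reporting or code. It applies the two exclusions and the double-counting rule described above, then assigns a tier. The record layout and sample data are this example's assumptions; it also assumes that a tier requires both its count and its ratio threshold, uses the global figures from the table, and leaves out the CEMEA-only volume criterion.

```python
"""VAMP count / volume / ratio from one month of dispute and fraud records.

Added illustration of the rules described on this page, not Visa's code or
reporting format. Record fields, exclusion flags and sample data are this
example's assumptions; thresholds are the page's global figures, kept as
constants so they can be updated when Visa revises them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    txn_id: str
    kind: str                            # "TC15" (dispute) or "TC40" (early fraud warning)
    amount_usd: float
    pre_dispute_resolved: bool = False   # TC15 settled via a pre-dispute product
    ce30_qualified: bool = False         # TC40 that met Compelling Evidence 3.0


# Constructed sample month. t1 was reported as fraud AND disputed: per the
# rule above it is counted twice.
EVENTS = [
    Event("t1", "TC40", 120.0),
    Event("t1", "TC15", 120.0),
    Event("t2", "TC15", 45.5),
    Event("t3", "TC15", 80.0, pre_dispute_resolved=True),   # excluded
    Event("t4", "TC40", 300.0, ce30_qualified=True),        # excluded
    Event("t5", "TC40", 60.0),
    Event("t6", "TC15", 15.0),
    Event("t7", "TC15", 200.0),
]
SETTLED_TXNS = 1_000   # total captured transactions in the same month

# Global thresholds from the table above (count AND ratio, this example assumes).
NON_COMPLIANT = {"count": 5, "ratio": 0.005}
EXCESSIVE = {"count": 1_500, "ratio": 0.022}


def counted(e: Event) -> bool:
    """Apply the two exclusions; everything else counts, even if later won."""
    if e.kind == "TC15" and e.pre_dispute_resolved:
        return False
    if e.kind == "TC40" and e.ce30_qualified:
        return False
    return True


def vamp_metrics(events, settled_txns: int) -> dict:
    kept = [e for e in events if counted(e)]
    count = len(kept)
    volume = round(sum(e.amount_usd for e in kept), 2)
    ratio = count / settled_txns if settled_txns else 0.0
    return {"count": count, "volume_usd": volume, "ratio": ratio}


def vamp_tier(m: dict) -> str:
    """Highest tier whose count and ratio thresholds are both met."""
    if m["count"] >= EXCESSIVE["count"] and m["ratio"] >= EXCESSIVE["ratio"]:
        return "excessive"
    if m["count"] >= NON_COMPLIANT["count"] and m["ratio"] >= NON_COMPLIANT["ratio"]:
        return "non-compliant"
    return "standard"
```

On the sample month the count is 6 of 8 events (one excluded per rule, t1 counted twice), the ratio is 0.6%, and the merchant lands in the Non-Compliant tier. Rerunning with a denominator of 10,000 settled transactions drops the ratio to 0.06% and the tier to standard, which is the reason a dispute-rate problem is usually tackled on both the numerator and the denominator side.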
VAMP Enumeration Monitoring
Separately, VAMP monitors for card testing activity. Visa identifies enumerated transactions using a machine learning model — these are card testing attempts that reach the processor regardless of whether the payment was approved or declined. Two thresholds must both be exceeded to enter enumeration monitoring:
| Criteria | Excessive Threshold |
|---|---|
| VAMP Enumeration Count | ≥ 300,000 transactions |
| VAMP Enumeration Ratio | ≥ 20% of all authorization transactions |
No fines are currently assessed for VAMP enumeration monitoring, but Visa uses it to encourage merchants to identify and mitigate card testing attacks proactively.
VSEFP — Visa Secure Excessive Fraud Program (US only)
This program targets US merchants with excessive fraud specifically on Visa transactions that were authenticated via 3D Secure. It only applies to US-based businesses on US-issued cards. Two thresholds must both be exceeded in the same month to be placed into the program:
| Criteria | Threshold |
|---|---|
| Fraud Volume (EFWs on 3DS transactions) | ≥ $75,000 USD |
| Fraud Rate (EFW volume ÷ 3DS transaction volume) | ≥ 0.9% |
Consequence when both are exceeded: loss of the 3DS liability shift on domestic transactions until you have fully exited the program. There are no direct monetary fines.
The consequence is not a direct fine, but losing liability shift means you bear full responsibility for fraud on 3DS-authenticated transactions that were supposed to be protected. For high-volume 3DS merchants this can represent a significant financial exposure. You remain in the program until you fall below both thresholds for a sustained period.
Mastercard programs
Mastercard runs two programs: the Excessive Chargeback Program (ECP), which has two escalating tiers, ECM and HECM, and a separate Excessive Fraud Merchant (EFM) program focused on CNP fraud. ECP applies globally. EFM applies in all markets except Germany, India, and Switzerland.
If you exceed both EFM and ECP thresholds simultaneously, Mastercard places you in EFM — but continues tracking both. You can be in month 2 of EFM and month 3 of ECP concurrently, meaning your fine history for each program progresses independently.
Mastercard removes you from a program only after your rates fall below the relevant threshold for 3 consecutive months. If you're in HECM and drop below the HECM threshold but still exceed ECM thresholds, you move to ECM rather than exiting entirely.
ECM — Excessive Chargeback Merchant
ECM is triggered when a merchant has at least 100 chargebacks in a month and a chargeback rate of at least 1.5%, without meeting both HECM criteria below. A merchant with 500 chargebacks at a 2% rate is therefore in ECM, not HECM. Chargebacks are measured in the current month; sales are measured from the prior month.
| Months in ECM | Monthly Fine | Issuer Recovery Assessment |
|---|---|---|
| Month 1 | $0 | No |
| Months 2–3 | $1,000 | No |
| Months 4–6 | $5,000 | Yes — $5 per chargeback over 300 |
| Months 7–11 | $25,000 | Yes |
| Months 12–18 | $50,000 | Yes |
| Month 19+ | $100,000 | Yes |
The issuer recovery assessment adds $5 per chargeback for each chargeback beyond 300. For example: a merchant in month 4 of ECM with 400 disputes pays $5,000 + (100 × $5) = $5,500.
HECM — High Excessive Chargeback Merchant
HECM is triggered when the chargeback count reaches 300 or more and the chargeback rate is 3.0% or higher in the same month. Fines escalate faster and reach higher maximums than ECM.
| Months in HECM | Monthly Fine | Issuer Recovery Assessment |
|---|---|---|
| Month 1 | $0 | No |
| Month 2 | $1,000 | No |
| Month 3 | $2,000 | No |
| Months 4–6 | $10,000 | Yes — $5 per chargeback over 300 |
| Months 7–11 | $50,000 | Yes |
| Months 12–18 | $100,000 | Yes |
| Month 19+ | $200,000 | Yes |
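The following added example (not Mastercard's tooling) turns the ECM and HECM rules and fine tables above into a classifier and a month-by-month assessment, including the prior-month sales denominator and the issuer recovery assessment, and reproduces the $5,500 figure from the ECM worked example. Two points the page does not state are assumptions here: the program month counter keeps running while you wait out the three clean months needed to exit (and when moving from HECM down to ECM), and fines continue through those months.

```python
"""Mastercard ECP: ECM/HECM classification and monthly assessment.

Added example built from the figures on this page, not Mastercard's tooling.
Fine schedules are data so they can be updated. Assumptions beyond the page:
the month counter keeps running through the three clean months needed to exit
(and across a HECM -> ECM move), and fines continue during those months.
"""

# (first_month, last_month or None for open-ended, monthly fine in USD)
ECM_FINES = [(1, 1, 0), (2, 3, 1_000), (4, 6, 5_000), (7, 11, 25_000),
             (12, 18, 50_000), (19, None, 100_000)]
HECM_FINES = [(1, 1, 0), (2, 2, 1_000), (3, 3, 2_000), (4, 6, 10_000),
              (7, 11, 50_000), (12, 18, 100_000), (19, None, 200_000)]
RECOVERY_FROM_MONTH = 4   # issuer recovery assessment starts in month 4
RECOVERY_PER_CB = 5       # USD per chargeback ...
RECOVERY_FREE = 300       # ... beyond the first 300
CLEAN_MONTHS_TO_EXIT = 3


def tier(chargebacks: int, prior_month_sales: int) -> str:
    """Classify one month. The rate uses the PRIOR month's sales, per Mastercard."""
    rate = chargebacks / prior_month_sales if prior_month_sales else 0.0
    if chargebacks >= 300 and rate >= 0.03:
        return "HECM"
    if chargebacks >= 100 and rate >= 0.015:
        return "ECM"
    return "none"


def schedule_fine(schedule, month: int) -> int:
    for lo, hi, fine in schedule:
        if month >= lo and (hi is None or month <= hi):
            return fine
    raise ValueError("month must be >= 1")


def monthly_assessment(program: str, month: int, chargebacks: int) -> int:
    """Fine plus issuer recovery for being `month` months into `program`."""
    fine = schedule_fine({"ECM": ECM_FINES, "HECM": HECM_FINES}[program], month)
    recovery = 0
    if month >= RECOVERY_FROM_MONTH:
        recovery = max(0, chargebacks - RECOVERY_FREE) * RECOVERY_PER_CB
    return fine + recovery


def simulate(months):
    """months: [(chargebacks, prior_month_sales), ...] in order.
    Returns [(program, months_in_program, assessment_usd), ...]."""
    out = []
    current, months_in, clean = "none", 0, 0
    for cbs, sales in months:
        t = tier(cbs, sales)
        if t != "none":
            current, clean = t, 0            # re-tier each month; counter continues
        elif current != "none":
            clean += 1                       # below threshold but not yet exited
        if current != "none":
            months_in += 1
            assess = monthly_assessment(current, months_in, cbs)
        else:
            assess = 0
        out.append((current, months_in, assess))
        if clean >= CLEAN_MONTHS_TO_EXIT:    # exit takes effect after the 3rd clean month
            current, months_in, clean = "none", 0, 0
    return out


# Constructed eight-month history: two ECM months, two HECM months, then clean.
SCENARIO = [(120, 6_000), (150, 6_000), (400, 10_000), (400, 10_000),
            (50, 10_000), (50, 10_000), (50, 10_000), (50, 10_000)]


def example_history():
    return simulate(SCENARIO)
```

Run on the constructed history, month 4 costs $10,500 (the $10,000 HECM fine plus $5 for each of the 100 chargebacks over 300) and the merchant is still assessed for three further months after dropping below threshold, which is the practical reason to treat the first month in a program, when the fine is $0, as the only cheap one.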
EFM — Excessive Fraud Merchant Compliance Program
EFM targets merchants with disproportionate card-not-present fraud where 3D Secure is underutilized. All four of the following criteria must be met simultaneously to enter the program:
| Criteria | Threshold |
|---|---|
| Monthly e-commerce Mastercard transactions | ≥ 1,000 |
| Net fraud volume (reason codes 4837/4863) | > $50,000 USD (> $15,000 AUD for Australia) |
| Fraud chargeback rate (fraud CBs ÷ prior month e-com transactions) | > 0.50% (> 0.20% for Australia) |
| 3DS usage rate | ≤ 10% of Mastercard transactions (≤ 50% in regulated markets) |
| Months in EFM | Monthly Fine |
|---|---|
| Month 1 | $0 |
| Month 2 | $500 |
| Month 3 | $1,000 |
| Months 4–6 | $5,000 |
| Months 7–11 | $25,000 |
| Months 12–18 | $50,000 |
| Month 19+ | $100,000 |
Mastercard allows merchants to request a one-time fine suspension during an active EFM case — but only if you are highly confident you will exit the program within 3 months. If you request a suspension and then fail to exit, fines resume and continue escalating.
AusPayNet — Australia CNP Fraud Monitoring
Merchants processing Australian card-not-present transactions are also subject to the AusPayNet (APN) Card-Not-Present Fraud Mitigation Program, which tracks activity quarterly rather than monthly. The program triggers when fraud chargeback value exceeds $50,000 AUD and the fraud-to-sales ratio exceeds 0.20% in a quarter. 3DS-authenticated transactions are excluded from these calculations.
| Quarters Above Threshold | Required Action |
|---|---|
| 1st quarter | Implement fraud controls; recommend SCA on high-risk CNP transactions |
| 2nd quarter | Apply risk-based SCA on all CNP transactions, or introduce more sensitive fraud controls |
| 3rd quarter | Mandatory SCA on all CNP transactions or risk off-boarding |
| 4th quarter+ | Possible off-boarding from Australian acquiring |
What happens when you're placed in a program
Your acquirer sits between you and the card network and bears their own liability for merchants that remain in monitoring programs. This is why they move quickly — they will often require a written remediation plan, may restrict your processing volume, impose rolling reserves, or in extreme cases terminate your merchant account to protect themselves from escalating network penalties.
Prevention and remediation best practices
Prevent fraud chargebacks
- Use separate authorization and capture: Issuers must report fraud on captured transactions, but not on reversals. Identifying and reversing suspicious authorizations before capture removes them from monitoring calculations entirely.
- Deploy 3DS on high-risk segments: 3DS shifts liability to the issuer for authenticated transactions and directly reduces your EFM exposure. Even partial 3DS deployment on your highest-risk transaction types provides meaningful protection.
- Monitor Early Fraud Warnings weekly: EFWs via TC40 are a leading indicator. A sustained rise in EFWs nearly always precedes a VAMP or EFM breach by 30–60 days — acting early is far cheaper than remediation.
- Implement layered fraud tooling: Velocity rules, BIN analysis, device fingerprinting, address verification, and behavioral signals all reduce fraud that feeds into monitoring calculations.
Prevent dispute chargebacks
- Make cancellations frictionless: The single biggest source of preventable chargebacks is subscription cancellations. An in-app cancel button with immediate confirmation is far cheaper than the chargeback that follows a frustrated customer calling their bank.
- Communicate billing terms clearly: Require explicit agreement to billing terms before capturing payment. Send renewal reminders 7 days before annual renewals, 2–3 days before monthly ones.
- Ship fast and communicate delays: Disputes for non-receipt are largely preventable. Provide tracking numbers, proactively communicate delays, and offer refunds when items are significantly delayed.
- Use clear statement descriptors: A large number of "unrecognized transaction" disputes often trace back to a confusing or truncated statement descriptor. Make sure your descriptor clearly identifies your business.
- Leverage pre-dispute solutions: Tools like Ethoca and Verifi allow issuers to flag a potential chargeback before it's filed, giving you the opportunity to refund and prevent it from entering your monitoring count.