What Is the Mastercard ECM Program?

The Mastercard Excessive Chargeback Merchant (ECM) program is a compliance enforcement mechanism that identifies merchants with chargeback rates significantly above industry norms. When a merchant's chargeback-to-transaction ratio exceeds 1.5% and the merchant receives more than 100 chargebacks in a single calendar month, Mastercard places them in the ECM program. This triggers escalating monthly fines, increased scrutiny from payment processors, and — if unresolved — potential termination of the merchant's processing account and placement on the MATCH list.

For subscription mobile apps and SaaS businesses, ECM is an existential threat. Unlike ecommerce merchants who deal primarily with stolen cards and shipping fraud, subscription businesses face unique vectors: card testing on low-cost trials, "subscription amnesia" friendly fraud, and high-volume recurring billing disputes.

Key takeaway: ECM is not just a fine — it's a countdown to losing your ability to process payments entirely. The program has two tiers: ECP (Excessive Chargeback Program) at 1.0% ratio and ECM at 1.5% ratio, with different fee structures.

ECM vs. Visa VAMP — Comparison

Attribute | Mastercard ECM | Visa VAMP (from April 2025)
Threshold | 100 chargebacks + 1.5% ratio | Combined fraud-and-dispute ratio ≥ 0.3%
Lower tier | ECP: 100 CBs + 1.0% | Standard: 0.3% ratio
Monthly fines | $1,000 → $200,000 escalating | Per-dispute assessments
Exit criteria | Below thresholds for 3 consecutive months | Below thresholds for 3 consecutive months
Nuclear option | MATCH list (5-year ban) | VAMP disqualification

How Do Merchants Enter ECM?

Most subscription app merchants don't enter ECM because of a single catastrophic fraud event. Instead, it's a gradual accumulation of systemic issues that compound over months. Here are the most common paths:

  • Lax default Stripe Radar settings. Stripe's out-of-the-box risk threshold is calibrated for general ecommerce, not subscription apps. It allows transactions that a subscription-specific rule set would block.
  • No velocity checks on trial sign-ups. Card testers use low-cost trials ($0.99-$2.99) to validate stolen card numbers. Without IP-based, device fingerprint, or BIN velocity checks, thousands of fraudulent trials convert into chargebacks 30-60 days later.
  • Missing dispute interception. Without Ethoca or Verifi/CDRN integration, every cardholder dispute becomes an official chargeback. Interception networks can prevent 30-50% of disputes from becoming chargebacks.
  • Difficult cancellation flows. When legitimate customers can't easily cancel a subscription, they call their bank instead. This creates "friendly fraud" chargebacks that are nearly impossible to win on representment.
  • Stripe Link bypassing CVC/AVS. Stripe Link's stored-credential flow can bypass CVC and AVS verification checks, allowing previously-declined cards to process successfully through a different authentication path.

Key takeaway: ECM entry is almost always the result of 3-5 systemic issues compounding simultaneously, not a single point of failure. Fixing one issue while ignoring others will not bring the ratio below threshold.

What Happens When You're in ECM?

Once Mastercard places a merchant in the ECM program, the consequences escalate on a fixed monthly schedule. Understanding this timeline is critical for prioritizing remediation efforts.

ECM Escalation Timeline

Month in ECM | Fine per Month | Processor Action
Month 1-3 | $1,000 | Warning letter, increased monitoring
Month 4-6 | $2,000 | Payout holds, remediation plan required
Month 7-11 | $25,000-$50,000 | Account review, possible offboarding
Month 12+ | $100,000-$200,000 | Account termination, MATCH listing

Payment processors like Stripe, Adyen, and Braintree often act faster than Mastercard's escalation schedule. Many processors will freeze payouts, require a formal remediation plan, or begin offboarding within 30-60 days of ECM notification — well before the highest fines kick in.

The MATCH list (Member Alert to Control High-risk Merchants) is the nuclear option. Once a merchant is MATCH-listed, they cannot obtain a new merchant account with any Mastercard-accepting processor for five years. This effectively ends the business's ability to accept card payments.

Are you currently in ECM or approaching the 1% threshold?

I've helped subscription apps exit ECM in under 90 days with a structured remediation program. Don't wait for escalating fines.


How to Exit ECM — A 90-Day Playbook

Exiting ECM requires a structured, phased approach. Random fixes applied without a systematic plan typically fail because they address symptoms rather than root causes. The following 90-day playbook is based on real engagements where I've helped subscription apps successfully exit the program.

Phase 1: Hemorrhage Control (Days 1-14)

The first priority is stopping new fraudulent transactions from entering the system. This involves an immediate Stripe Radar rule rebuild or equivalent processor fraud tuning.

  • Audit all existing Radar rules for conflicts and gaps
  • Configure strict velocity checks (IP, BIN, device fingerprint)
  • Deploy dynamic 3D Secure (3DS) gating for high-risk regions and BINs
  • Block Stripe Link for high-risk transaction types
  • Implement real-time card testing detection

Phase 2: Dispute Interception (Days 15-45)

Once new fraud is blocked, the focus shifts to intercepting incoming disputes before they become official chargebacks. This phase typically reduces the effective chargeback ratio by 30-50%.

  • Integrate Ethoca alerts for pre-chargeback dispute notification
  • Set up Verifi/CDRN for Visa dispute interception
  • Configure automated refund rules for intercepted disputes
  • Build a blocked-card database from previous dispute cards

Phase 3: Structural Prevention (Days 46-75)

This phase addresses the root causes of "friendly fraud" and "unrecognized charge" disputes — the category of chargebacks that no amount of fraud-rule tuning will prevent.

  • Audit and update the billing descriptor for clarity
  • Redesign the cancellation flow to prioritize self-serve over bank disputes
  • Review and update terms of service, especially around trial-to-paid conversion
  • Implement pre-renewal email notifications
  • Add proactive refund triggers for high-risk accounts

Phase 4: Compliance Documentation (Days 76-90)

Exiting ECM requires formal documentation proving that systemic issues have been remediated. Payment processors expect specific artifacts that demonstrate sustained improvement.

  • Draft the formal remediation report with before/after metrics
  • Prepare the compliance documentation package for Mastercard
  • Document all Radar rule changes with rationale
  • Compile 3-month trending data showing sustained ratio improvement
  • Submit to the processor's risk team with supporting evidence

Key takeaway: Exiting ECM requires dropping below the threshold for 3 consecutive months. A single month above threshold resets the clock. This is why structural prevention (Phase 3) is as important as fraud blocking (Phase 1).
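The threshold and exit-clock rules above can be tracked month by month. The following is an added example, not code from the original article or from Mastercard: it uses the thresholds stated on this page, computes the ratio from same-month counts, and assumes that any month in either tier (ECP or ECM) resets the three-month clock. The `Month` type, function names and sample history are constructed for illustration.

```python
from dataclasses import dataclass

MIN_CHARGEBACKS = 100   # page: "more than 100 chargebacks" in a calendar month
ECP_RATIO = 0.010       # page: lower tier at a 1.0% ratio
ECM_RATIO = 0.015       # page: ECM at a 1.5% ratio
EXIT_MONTHS = 3         # page: 3 consecutive months below threshold


@dataclass
class Month:
    label: str
    transactions: int   # Mastercard transactions only
    chargebacks: int    # Mastercard chargebacks only


def tier(m: Month) -> str:
    """Classify one calendar month as 'ECM', 'ECP' or 'OK'."""
    if m.transactions == 0 or m.chargebacks <= MIN_CHARGEBACKS:
        return "OK"     # both conditions (count and ratio) must be exceeded
    ratio = m.chargebacks / m.transactions
    if ratio > ECM_RATIO:
        return "ECM"
    return "ECP" if ratio > ECP_RATIO else "OK"


def exit_progress(history):
    """Return (in_program, clean_streak, timeline) after walking months in order."""
    in_program, streak, timeline = False, 0, []
    for m in history:
        t = tier(m)
        if t != "OK":                 # assumption: an ECP month also resets the clock
            in_program, streak = True, 0
        elif in_program:
            streak += 1
            if streak >= EXIT_MONTHS:
                in_program, streak = False, 0
        timeline.append((m.label, t, in_program, streak))
    return in_program, streak, timeline


# Constructed sample history (not real merchant data).
HISTORY = [
    Month("2025-01", 8000, 130), Month("2025-02", 9000, 120),
    Month("2025-03", 9500, 90), Month("2025-04", 10000, 95),
    Month("2025-05", 10000, 140), Month("2025-06", 11000, 80),
    Month("2025-07", 11500, 85), Month("2025-08", 12000, 70),
]
```

In the sample history the merchant reaches two clean months by April, breaches again in May, and only exits in August after three further clean months.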

The 5 Most Common Chargeback Root Causes in Subscription Apps

Based on hands-on work with subscription mobile apps, these five root causes account for the vast majority of chargebacks that push merchants into ECM:

  1. Stripe Link bypassing CVC/AVS checks. Stripe Link's stored-credential flow uses a different authentication path that can bypass the CVC and AVS verification checks configured in Radar rules. Cards that would normally be declined process successfully through Link, creating fraud exposure.
  2. No blocked-card database. When a card generates a dispute, the same card number is not automatically blocked from future transactions. Repeat offenders can dispute multiple charges across different billing cycles.
  3. Default Stripe risk threshold too permissive. Stripe's default risk scoring is calibrated for general ecommerce where false positives are costly. Subscription apps with lower average transaction values can afford stricter thresholds without significant revenue impact.
  4. Unprotected credit bundle purchases. In-app credit purchases (top-ups, coin bundles) are high-value, non-refundable, and attractive to fraudsters. Without separate 3DS gating for these transactions, they become a primary fraud vector.
  5. No chargeback alert integration. Without Ethoca or Verifi, every dispute becomes an official chargeback. Alert networks intercept 30-50% of disputes before they're finalized, directly reducing the chargeback ratio.

Why Generic Fraud Solutions Fail for Subscription Apps

Out-of-the-box machine learning fraud models are designed for ecommerce, where the primary threat is stolen credit cards used to buy physical goods for resale. Subscription apps face fundamentally different fraud vectors that these models don't address.

Ecommerce fraud is about unauthorized transactions — someone stole a card and used it. Subscription fraud includes authorized transactions that are later disputed: a customer signs up for a free trial, forgets about it, sees a charge, and disputes it rather than cancelling. This "subscription amnesia" is technically friendly fraud, and no ML model can predict it because the original transaction was genuinely authorized.

Additionally, subscription apps face card testing at scale. Fraudsters use low-cost trial sign-ups ($0.99-$2.99) to validate stolen card numbers in bulk. A general-purpose fraud model sees each individual $0.99 transaction as low-risk, but the aggregate pattern — hundreds of trials from similar IPs, device fingerprints, or BIN ranges — is the actual signal.
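The aggregate signal described above can be computed with a sliding-window velocity check over sign-up events. This is an added example, not code from the original article and not Stripe Radar syntax; the event field names, the one-hour window, the per-key limits and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600                      # assumed look-back window
LIMITS = {"ip": 5, "bin": 8, "device": 3}  # assumed max attempts per key per window


def detect_card_testing(events, window=WINDOW_SECONDS, limits=LIMITS):
    """events: dicts with ts (epoch seconds), ip, bin, device, sorted by ts.
    Returns (ts, dimension, key, count) alerts, one per key per burst."""
    recent = defaultdict(deque)   # (dimension, key) -> timestamps inside the window
    alerted = set()               # keys currently over their limit
    alerts = []
    for ev in events:
        for dim, limit in limits.items():
            k = (dim, ev[dim])
            q = recent[k]
            q.append(ev["ts"])
            while q[0] <= ev["ts"] - window:   # drop attempts older than the window
                q.popleft()
            if len(q) > limit:
                if k not in alerted:           # alert once when the limit is crossed
                    alerted.add(k)
                    alerts.append((ev["ts"], dim, ev[dim], len(q)))
            else:
                alerted.discard(k)             # burst over; allow a future alert
    return alerts


def sample_events():
    """Constructed data: 10 trial sign-ups from one device and BIN across
    rotating IPs, mixed with 4 unrelated legitimate sign-ups."""
    ev = [{"ts": 1000 + 60 * i, "ip": f"203.0.113.{i // 2}", "bin": "400000",
           "device": "fp-tester"} for i in range(10)]
    ev += [{"ts": 1030 + 900 * i, "ip": f"198.51.100.{i}", "bin": f"51000{i}",
            "device": f"fp-user{i}"} for i in range(4)]
    return sorted(ev, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in detect_card_testing(sample_events()):
        print(alert)
```

No single IP in the sample exceeds its limit because the addresses rotate, yet the shared device fingerprint and BIN both trip, which is why the check keys on more than one dimension.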

Effective chargeback prevention for subscription apps requires custom rule sets tuned to the specific business model, transaction patterns, and user behavior. This is specialized work that requires deep understanding of both the payment processor's tools (Stripe Radar, Adyen risk engine) and the subscription business model.

When to Hire a Chargeback Consultant

Not every chargeback problem requires external help. Here's a framework for deciding when DIY remediation is sufficient and when you need specialist intervention:

Situation | DIY | Hire a Consultant
Chargeback ratio below 0.5%: ✓ Basic Radar tuning
Ratio approaching 1.0%: ✓ Preventive audit
Already in ECP/ECM: ✓ Structured remediation
Processor requesting remediation plan: ✓ Compliance documentation
No Ethoca/Verifi integration: ✓ Integration + rule design
Payout holds or offboarding threat: ✓ Urgent intervention

I've helped subscription apps reduce chargebacks from 13% to below 1%

My 90-day Chargeback Rescue program covers Stripe Radar rule rebuilds, Ethoca integration, 3DS gating, cancellation flow redesign, and the formal compliance documentation that processors actually accept.


Frequently Asked Questions

Mastercard's ECM program triggers when a merchant exceeds both 100 chargebacks and a 1.5% chargeback-to-transaction ratio in a single calendar month. The earlier ECP tier triggers at 100 chargebacks and a 1.0% ratio. Both counts are based on Mastercard transactions only.

With a structured remediation program, most merchants exit ECM within 60-90 days. The timeline depends on root cause identification, Stripe Radar rule deployment, Ethoca/Verifi integration, and formal compliance documentation. You must remain below threshold for 3 consecutive months to officially exit.

Mastercard ECM triggers at 100 chargebacks and a 1.5% ratio with escalating monthly fines. Visa's VAMP (replacing VDMP in April 2025) uses a combined fraud-and-dispute ratio with a 0.3% threshold. Both can result in account termination, but VAMP's lower threshold means many merchants hit Visa limits before Mastercard limits.

Technically yes, but it requires deep expertise in payment processor fraud tools, dispute interception networks, and compliance documentation. Most subscription app teams lack this specialized knowledge. The cost of failed remediation — potential processor account termination and MATCH listing — far exceeds consulting fees.

Failure to exit ECM results in escalating monthly fines (from $1,000 to $200,000), potential MATCH listing (a 5-year ban from obtaining new merchant accounts), and eventual account termination by your payment processor. Being MATCH-listed effectively ends your ability to accept card payments.

Ethoca is a Mastercard-owned dispute interception network. When a cardholder initiates a dispute, Ethoca alerts the merchant before the chargeback is finalized. The merchant can then issue a proactive refund, preventing the dispute from counting toward the official chargeback ratio. This typically intercepts 30-50% of incoming disputes.