Every Card Network Monitoring Program Subscription Apps Need to Know

Why there are so many programs (and why they don't replace each other)

Every major card network runs at least one merchant monitoring program. The programs all exist for the same fundamental reason: card networks pass risk through to acquirers, and acquirers need a structured way to know which merchants threaten the chain. But each network measures slightly different things, on different cadences, with different volume floors, and with different enforcement consequences. A merchant breaching one program is often breaching others at the same time, but the timeline and the remediation playbook differ per network.

For subscription apps specifically, the relevant programs are: Visa VAMP, Mastercard ECM/ECP, Mastercard EFM, American Express CMP, and Discover's chargeback monitoring program. Above all of them sits the MATCH list — the nuclear outcome that bars the merchant principal from acquiring relationships across networks for five years.

On top of the network programs, every acquirer (Stripe, Adyen, Braintree, Checkout.com, PayPal) runs an internal risk-management layer that typically activates at lower thresholds than the network programs. That internal layer is often the first thing a merchant actually notices — a Stripe risk team email, a sudden reserve hold, a payout delay — well before any Visa or Mastercard notification reaches the merchant directly.

Visa VAMP — the program most subscription apps trip first

The Visa Acquirer Monitoring Program (VAMP) took effect April 1, 2025, consolidating the previously separate VDMP (dispute monitoring) and VFMP (fraud monitoring) into a single combined ratio. VAMP is the program most subscription apps trip first, for one critical structural reason: VAMP has no volume floor. The ratio applies at any volume — a small merchant with 5,000 transactions and 16 combined fraud-plus-disputes is at 0.32%, already above the Above-Standard threshold.

VAMP tier	Combined ratio	What happens
Below Standard	< 0.30%	No enforcement
Above Standard	≥ 0.30%	Acquirer monitoring + remediation plan required
Excessive	≥ 0.90%	Per-dispute assessments + offboarding risk

The combined ratio formula: (TC40 fraud reports + TC15 non-fraud chargebacks) ÷ settled transactions, measured per calendar month. Exit from either tier requires the ratio to fall below threshold for three consecutive calendar months.

The full operator guide for VAMP — including the structural moves that drive a successful exit and how VAMP compares directly to Mastercard ECM — is available at /vamp-guide.

Mastercard ECM and ECP

Mastercard runs two related programs: the Excessive Chargeback Program (ECP, the early-warning tier) and the Excessive Chargeback Merchant (ECM, the full enforcement tier). Both measure chargeback ratio against transaction count, and both require an absolute count floor — a structural detail that protects smaller merchants.

Tier	Chargeback ratio	Volume floor	What happens
Below	< 1.00%	any	No enforcement
ECP	≥ 1.00%	≥ 100 chargebacks/month	Acquirer monitoring begins
ECM	≥ 1.50%	≥ 100 chargebacks/month	Per-dispute assessments + formal enrollment

The 100-chargeback floor matters more than it looks. A small merchant with 50 chargebacks per month at a 3% chargeback ratio is shielded from Mastercard ECM enrollment despite a ratio that would trip every other program. Conversely, a large merchant at 1.6% chargeback ratio with 5,000 monthly chargebacks is squarely in ECM regardless of how "moderate" the ratio looks in isolation.

Full operator guide for ECM exit: /ecm-guide. Side-by-side comparison with VAMP: /ecm-vs-vamp.

Mastercard EFM — the fraud track

The Excessive Fraud Merchant (EFM) program is Mastercard's separate fraud monitoring track, distinct from chargeback-focused ECM. EFM uses a fraud-to-sales dollar ratio rather than a transaction count ratio, which has subtle implications for subscription apps. A subscription app with many low-dollar fraud transactions can stay under the EFM dollar floor even at elevated fraud counts — the program is structured to catch high-dollar fraud concentration, not high-frequency low-dollar fraud.

Tier	Fraud-to-sales	Dollar/volume floor	What happens
Below	< 0.50%	any	No enforcement
EFM	≥ 0.50%	≥ $50K monthly fraud and ≥ 1,000 transactions	Acquirer enforcement + fines

For most subscription apps, EFM is less likely to be the first triggered program than VAMP — the dollar floor protects low-ARR merchants, and the fraud-only measurement excludes the non-fraud "friendly fraud" disputes that drive most subscription chargebacks.

American Express CMP

American Express runs the Chargeback Monitoring Program (CMP), but Amex's program is structured differently from Visa or Mastercard's. Amex operates a closed loop — both acquirer and issuer roles are performed by Amex itself — which means enforcement is direct and bilateral. There is no acquirer between Amex and the merchant.

Amex's CMP thresholds are less publicly documented than Visa or Mastercard programs. The commonly cited entry threshold is approximately 1.00% chargeback ratio, but specific values are typically disclosed to merchants during direct enforcement contact rather than published in operating guides accessible to merchants. Amex can also place merchants under direct review at very low transaction volume — there's no meaningful volume floor.

For most subscription apps, Amex transaction share is small enough (typically 5-15% of total volume) that Amex enforcement comes later than Visa or Mastercard. But Amex's review process is faster and more direct once triggered.

Discover's program

Discover runs an Excessive Chargeback Merchant Program functionally similar to Mastercard ECM — chargeback ratio with an absolute count component, but with US-centric enforcement and smaller volume reach. For subscription apps with significant US Discover volume, the program operates at approximately a 1.00% standard threshold and 1.50% excessive threshold, though the specifics are less publicly documented than Visa or Mastercard.

Practical reality for subscription apps: Discover's transaction share is usually small enough that Discover enforcement rarely binds. If it does, the remediation playbook overlaps almost entirely with Mastercard ECM exit work.

MATCH list — the nuclear outcome

The Member Alert to Control High-risk merchants (MATCH) list is Mastercard's cross-network risk-merchant registry. It's the worst outcome in payment compliance for a merchant principal.

Attribute	Detail
Owner	Mastercard maintains; Visa and others query during onboarding
Duration	5 years from placement
Effect	Effective industry ban — most major acquirers refuse to onboard MATCH-listed merchants
Triggers	Excessive chargebacks, fraud convictions, identity theft, money laundering, bankruptcy/insolvency, illegal merchant activity
Reason codes	13 numeric reason codes; for subscription apps, most common are 12 (excessive chargebacks) and 04 (excessive fraud)
Exit	Not removable on demand; serves full 5-year term unless successfully challenged

Processor-internal thresholds (the layer most teams miss)

The single most important thing about payment compliance for subscription apps in 2026 is that the processor's internal risk thresholds usually trigger before any card network program. Stripe, Adyen, Braintree, Checkout.com, and other major acquirers all run internal risk-monitoring that activates at lower thresholds than VAMP, ECM, or any network-level program.

Common processor-internal triggers I've observed across engagements:

Trigger type	Approximate threshold	Typical processor response
Combined fraud-plus-dispute ratio	0.40-0.50%	Enhanced review by processor risk team
Sudden ratio spike (week-over-week)	2x prior 4-week average	Reserve increase + payout delay
Dispute reason concentration	40%+ of disputes in one reason code	Specific remediation request (e.g., billing descriptor fix)
Card-testing fingerprint detected	Pattern-based, not ratio-based	Velocity throttling on the merchant's account

The implication: monitoring only the public Visa and Mastercard thresholds gives a false sense of safety. The processor's risk team often acts on internal triggers that no public threshold publishes. The first time most subscription operators learn their processor was watching is when a payout gets delayed.

PayPal and alternative payment networks

For subscription apps with significant PayPal volume, PayPal's Seller Protection program operates as a parallel compliance layer. PayPal monitors a Seller Performance metric (combining dispute rate, refund rate, and customer claim frequency) and can place merchants under enhanced reserves, processing limits, or account holds independently of card network programs.

PayPal's specific threshold values are less publicly documented than Visa or Mastercard. The commonly observed entry threshold is approximately 1.0-1.5% Item Not Received plus Significantly Not As Described dispute rate, but PayPal's enforcement is often pattern-based rather than ratio-based — a sudden dispute spike or unusual customer-complaint pattern can trigger review at much lower ratios.

For other alternative payment methods (Apple Pay, Google Pay, Klarna, Afterpay, etc.) the underlying risk attribution flows back to the card network or BNPL provider's own monitoring. There is no separate Apple Pay or Google Pay merchant monitoring program — those payment methods inherit the card network rules.

The typical order of escalation for subscription apps

From observed pattern across engagements, the typical order in which a subscription app experiencing chargeback growth gets formally notified, in approximate sequence:

1. Processor-internal review (Stripe risk team email, payout delay, reserve increase) — usually triggered between 0.40-0.50% combined ratio.
2. Visa VAMP Above-Standard notification (via acquirer) — triggered at 0.30% combined ratio.
3. Mastercard ECP early warning — triggered at 1.00% chargeback ratio + 100 chargebacks.
4. Visa VAMP Excessive — triggered at 0.90% combined ratio. Per-dispute assessments begin.
5. Mastercard ECM full enrollment — triggered at 1.50% chargeback ratio + 100 chargebacks.
6. Amex CMP direct contact — depends on Amex transaction share; usually after Visa/Mastercard thresholds breach.
7. Processor offboarding warning — depends on processor's contractual thresholds; often around the same time as VAMP Excessive or Mastercard ECM.
8. MATCH placement — only if account is offboarded under unfavorable conditions and remediation was not undertaken.

What to actually monitor, monthly

The minimum monitoring set for any subscription app processing meaningful card volume:

• VAMP combined ratio — calculate monthly using TC40 fraud + TC15 disputes ÷ settled transactions. Use the calculator for current-month estimates.
• Mastercard chargeback ratio — chargebacks ÷ transactions, with absolute chargeback count tracked separately.
• Fraud-to-sales dollar ratio — fraud dollar volume ÷ total sales dollar volume, for Mastercard EFM monitoring.
• Dispute reason code distribution — concentration in any single reason code is a structural signal of a fixable root cause (e.g., billing descriptor confusion driving "unrecognized charge" disputes).
• Processor-internal signals — payout cadence, reserve levels, any communication from the risk team. These are leading indicators that arrive before any network program triggers.

Quarterly review of the threshold tracker page to confirm no network has updated values since last review.

Read next

• → Visa VAMP Explained — full operator guide
• → How to Exit Mastercard's ECM Program
• → ECM vs VAMP — side-by-side comparison
• → Stripe Radar Rules That Actually Reduce Chargebacks
• → Live threshold tracker
• → Free risk calculator