The Payments Experts Podcast

VAMP is Here: The Risk Game Just Changed: Are You Ready for Visa's New Rules? | PEP070

Expert Payments Attorneys of Global Legal Law Firm Episode 70

Q4 is Here. VAMP Is Live. The Risk Game Just Changed.

Welcome to the new frontier of merchant risk management. With Visa’s Acquirer Monitoring Program (VAMP) now officially live, the underwriting, compliance, and dispute mitigation landscape is shifting fast—and merchants, ISOs, and Payfacs who aren’t already adapting may find themselves in hot water come November.

In this episode of the Payments Experts Podcast, Matthew Steinbrecher from Sound Commerce (https://sound-commerce.com/) returns to break down what he's seeing across the portfolios before the hammer drops. We dive deep into:

Tightening CNP underwriting standards

Why ISOs are requiring RDR & Ethoca enrollment upfront

And how siloed dispute data across platforms is killing response times, costing everyone margin

But this isn’t just about hypotheticals. We drop into a real-world Stripe case study that should send a chill through any merchant with recurring revenue:

7 years of clean processing, low chargeback ratios, and yet—suddenly terminated.
Funds frozen. Tokens locked. Access cut.
No refund runway. No warning.

Is VAMP pressure triggering automated purges? Or are platforms increasingly willing to let algorithms decide who survives, regardless of long-term merchant performance?

The Critical Risk Management Questions

Where does the duty of good faith lie when termination is automated?

If tokens aren’t portable and refund access is blocked, is that risk management—or engineered chargebacks?

How can ISOs and merchants regain control when everything from dispute visibility to billing mechanics is split across vendors?

Your Playbook to Stay Ahead

We don’t just raise red flags—we hand you the map:

✅ Monitor TC40s and VAMP metrics in near real-time
✅ Track VAMP ratios MID-by-MID, not portfolio-wide
✅ Negotiate API-level visibility if your ISO owns the RDR/Ethoca integration
✅ Reengineer long-tail service billing to cut refund optics and reduce late chargebacks

And if you're thinking bigger:

💡 We outline when to go full Payfac, how to structure a responsible merchant offboarding (hint: token portability + escrow-backed refund flow), and why modular compliance tooling may be your best defense in 2025.

Who Should Watch?

ISOs building agent programs or managing large CNP portfolios

Merchant acquirers seeing dispute ratios creep upward

SaaS & eComm founders scaling MRR or navigating friendly fraud

Ops & compliance teams hunting for practical wins before policy hits become brand damage

This isn’t theory—it’s what's already happening behind the scenes. Stay proactive. Stay protected.

**Matters discussed are all opinions and do not constitute legal advice.  All events or likeness to real people and events is a coincidence.**

🔗 Subscribe to the Payments Experts Podcast (https://www.globallegallawfirm.com/podcasts/) and leave a review with your biggest VAMP concern—we may tackle it next

A payments podcast of Global Legal Law Firm

SPEAKER_01:

Um, they kind of just put parameters in this algorithm to go through and just chop heads, and there's not enough bodies on their risk team to genuinely look at case-by-case situations like this, and the only time that they will is if it's like very, very substantial volume.

SPEAKER_02:

Um do you think that's good faith? Right? Because here's the thing about operating under a contract, you've got a duty to operate in good faith. And when you have a when you're considering the livelihood of a business, and then you're considering that there's a computer algorithm making decisions related to that, which is really black and white, and has nothing to do with the gray in a contract of what actually constitutes good faith. I I mean, I that's where I have an issue.

SPEAKER_00:

Welcome to the Payments Experts Podcast, a podcast of Global Legal Law Firm. We hope you enjoyed this episode. We're really excited today. We've got in the studio joining us for delighted and managing legal law firm, as well as our special guest, Matt Steinbrecher, over from Sound Commerce. Matt, it was great having you on the podcast last time. We're excited to continue the conversation. Gentlemen, take it away.

SPEAKER_02:

Hey, what's up, Matt? Good to see you again. Since that sweat fest in Phoenix, yeah. Uh so when we were at WSAA, nothing had happened. Well, let's let's let's actually backtrack a little bit more. Last time you were on, um, you know, it was great to great to have you on. We talked a lot about you know, certain merchant relationships, white glove service, what Sound Commerce kind of does, and how it views the industry and the the value add services that it provides for merchants out there. Um the the one of the topics of our discussion was VAMP, which was gonna go into effect after a six-month uh extension on October 1st, and that's happened. And I think kind of our our talk today is gonna be about you see any difference? Is like anybody raised anything to you? I I will tell you, I'll get into my story because I had something yesterday happen that I think was a product of VAMP, um, but ultimately I'm not sure if it was triggered by it, but it it was kind of interesting. Um, I can give you the parameters for that one, but have you seen anything?

SPEAKER_01:

A little bit. Um we're we're definitely not seeing like drastic merchant shutdowns yet. I think the the main thing I'm noticing is quite a bit of um sorry, can you hear me? Yep. Okay, cool. Um, the main thing I'm noticing is quite a bit of disruption in terms of the underwriting process for net new clients. So we're seeing kind of a shift in the portfolio of what's acceptable to certain agent, you know, like ISO setups, uh, and then just, you know, tier one processors as well that typically don't work through the agent model. Um, that's kind of the main thing that we're seeing right now, and it's because the fines haven't hit yet. So we got what's it, October 8th today, as of the day of recording. And I think once November hits, that's really where we're going to we're gonna start to see some shifts dramatically, and I think that's where we'll start to see some heads getting chopped a little bit, or just fines getting kicked in and merchants being pissed that maybe they are being overcharged or there's not a lot of transparency and what's going on. So I think really November is when things are gonna kick in, but everyone's starting to track it for sure. Uh that's been a big priority.

SPEAKER_02:

It's interesting you say like there's been some changes in the underwriting process and what's acceptable and what's not outside of trial and error. Is there anything where you kind of have some sort of foreseeability of of how you need to approach the underwriting process and its changed format?

SPEAKER_01:

Yeah, I I think it's uh, you know, as an example, a lot of people now are asking for upfront, you know, RDR and Ethoca, Verifi and Ethoca confirmation agreements before they even issue a merchant account, um, which is usually a little bit backwards as to the way that things were done. You kind of get your merchant account, you get your your information that you need to enroll with Verifi and Ethoca, uh, and then you kind of start to go live and ramp up quicker once you're fully enrolled. So we're starting to see a bit of a shift there where a lot of these ISOs are doing much more due diligence up front. We're seeing a lot of them as well will force, depending on the risk profile of the merchant, but they might force enrollment on their side, um, which obviously is more revenue for them. Um, but we are seeing there's friction there for merchants because if you're running a multi-MID strategy and you've got one provider plugged in uh directly with Verifi and Ethoca, and then you have you know three other MIDs that you have directly with some other reseller of Verifi and Ethoca, it gets kind of tricky to manage because you don't have as much visibility at an you know aggregate level for each MID. Um so we're starting to see some stuff like that as like the preliminary underwriting, and it really just comes down to like make sure that you understand what your ratios are right now. So from our last conversation, you know, what we were doing in anticipation for our portfolios and and a lot of other shops that I work with, um we were kind of just maintaining and managing the rates for VAMP, uh, pretty much ignoring the old uh thresholds and really just looking at the per MID VAMP ratio uh of you know the kind of that 2.2% as it is for now, uh, and it'll go down next year.
But we were really just maintaining and looking at those ratios with the TC40s and then trying to be upfront when you know you get a new merchant account or going to the risk team that we've kind of done our due diligence and we know what we're looking at. Um now, granted, for merchants that don't operate with more strategic agent ISOs, it's very hard for them to do that kind of stuff because it's you know, the the calculation seems simple, but getting all the data and and doing it properly can be a little complex for someone who's not in payments.

SPEAKER_02:

I want to go back to the Verifi and Ethoca part of it because what I think I heard you say was that as the ISO underwriting becomes more stringent, you're seeing that they're going to require these merchants to come under their umbrella with Verifi and Ethoca. And there's more money associated with that because now there's another service that's being strapped onto the merchant processing. But what does that mean for guys like you for visibility into what's happening? Is that depriving you an opportunity to take your expertise in payments and utilize it to the benefit of the merchant? And you're somewhat being replaced by the ISO. Is there going to be some symbiotic relationship there? I mean, I'm interested to because as look, here's the to me, part of what's interesting is that every time that you consolidate things at the ISO level, the quality of service goes down. And I think where you are actually getting a foothold is that you're not trying to be an ISO, you're trying to have strategic relationships with types of merchants and perform a service that the ISO they'll take the processing and board the account, but they're never going to give them that service. So when you kind of take a portion of that service and you and you upstream it, right? What does that look like for a guy like you?

SPEAKER_01:

Yeah, it's um that was the that was my exact reaction when I saw some of the shops requiring it and kind of had to, you know, most most of the most of the you know registered ISOs that have been sponsors that I work with uh in the US, you know, they they understand my business model, but it was kind of just rehashing that with them and letting them know if I don't have that visibility, it makes it difficult for me to protect all of us involved, right? And make sure that the merchants on side with ratios. If I see something going south, that I can start acting on it, maybe we get hit with a fraud attack, whatever. Um, so that way I'm looking at TC40 count as of October 8th, not as of you know November 1 when it's too late.

SPEAKER_02:

Yeah.

SPEAKER_01:

So um that's really where it's more of a strategic conversation, but a lot of them just kind of they they want like a no exception type of rule because if they make an exception for one agent ISO, then there's gonna be exceptions for others, and you know, it might depend on residual size and and merchant profiles and all that kind of stuff. But these are for both low and and high-risk merchants, by the way. Anything card not present, pretty much it's it's getting mandatory for most of these guys to be able to run the RDR and Ethoca. Um, but yeah, I mean it's a little bit prohibitive. Most of them give insight, like they'll give, you know, um like a read-only access to whatever platform that they're using so we can see some of it, but it makes it a huge pain for us to do it. So a lot of those shops, we either said, hey, we need to figure something out here that works so like programmatically we can get it on our end into a single view and really be able to look at all the MIDs at once because that helps us protect the entire portfolio for everyone. Um, or we can't work together. Um, and I've seen a couple, I've I've chatted with a lot of the other larger agent ISO shops too, who who kind of do more of a bespoke thing where they're a little bit more involved than your typical guy who's like, hey, here's an account, let's see in three years. Um and those those are all having similar conversations with these larger registered ISOs that are trying to force it on their end, especially too, because it's cost prohibitive. You know, they might be charging like 10 bucks over what their buy rate is because of course it's a new line of revenue for them, and they pitch it to the agent, it's like, oh yeah, well, you're gonna make some new money here. And the agent's like, yeah, but everyone knows you're ripping them off, and so they're not gonna accept this price because it's you know, it would be like increasing your buy rates by a percent, you know.

SPEAKER_02:

It's an ISO that doesn't really understand the high risk or e or e-commerce segment, right? I mean, I almost wonder if this maybe isn't an opportunity for guys like you to just go full on Payfac and figure out how to get in the stream of it all because if you manage the risk better than the ISO is gonna manage it anyways, you know, like and you're doing it real time. Do you just want to get into the mix of the whole thing and figure out how you're gonna you know hold risk and just be a Payfac associated with it? Because I see pay facre like true pay facre going out, and I don't know what the full qualification process is because I just look at the agreement and I and I understand how the agreement operates, but I don't know from the underwriting of the Payfac what they're really looking for. But you know, I recently saw a Worldpay one, you know. I mean, it's uh they're out there, and you know, from what I'm being told, like it's a potential relationship that exists, but I almost feel like it's forcing you to maybe like move that direction. Am I off base with saying that, or what do you think?

SPEAKER_01:

Yeah, I think I think to a degree, uh once you get large enough. I mean, normally from what I've seen in the space, like you need to have maybe a hundred to two hundred solid new clients coming in monthly to justify like regulatory Payfac um overhead compliance, right? Um, and then just having the velocity. But we're seeing it more and more that you know there's gonna be a big consolidation in the space as well on just the acquiring side and and some of these, but particularly these higher risk BINs. I think they're gonna get swallowed up by some of the larger shops. Um, but looking at you know, kind of the agent ISO that moves towards a Payfac model in order to have more control and of course more risk, but um really just have more control of the overall book and then still have the redundancy with a few different BIN sponsors potentially. That's for sure something that a lot of again, a lot of the other shops that I'm chatting to about like how are you navigating this, what's kind of your general strategy, and you know, no one totally opens up the kimono, so to say, but uh I think a lot of people are starting to consider that route. Um, but it is a lot more work, right? It's a it's a whole different ball game of um having to bring everything in-house for the most part. And we do quite a bit of it in-house already, so it wouldn't be like too much of a shift for us as a shop at Sound, but some of the other guys, it would be pretty dramatic in terms of a lift to you know bring in in-house underwriters and risk team and all of that. Um, KYC, KYB, and all the different tools that come with that. It can be a pretty expensive lift up front, but ultimately I think that's the best way to get the control and really just manage your overall portfolio super well. Um, because then you're much more flexibility, I think.

SPEAKER_02:

Um Yeah, I I think from uh a transaction management standpoint, it's just way better. I mean, it you know, it's kind of like being the bank of the casino a little bit. Uh it's kind of how I see it, right? Like the odds are gonna be in your favor as long as you don't operate super poorly. So I I do believe that, like, you know, taking that risk, there is a substantial reward associated with it. But let me tell you what I came across yesterday, which I thought was really interesting. I'd love to get your opinion on. Yeah, I had some guys call me yesterday. They have a new corporate filings, registered agent, like you know, corporate governance document, uh, registered agent service doc uh, like uh will be your registered agent in a in a particular jurisdiction. And these guys have people that sign up with them, and it's a legitimate business. They do new new limited liability companies, corporations, your your annual reports, you know, whatever's kind of needed for somebody who wants to start a business and just wants somebody to kind of hold their hand through it. And they were processing with Stripe for seven years, and I can only attribute to what has taken place to me, because they told me that there wasn't really a spike in anything, to VAMP. So they're with Stripe for seven years, they process, they have a ton of recurring billing. And the reason that they have recurring billing is because the packages that people buy with them, those packages include all of these services, some to take place in the future. So when that future service is going to be delivered, they they actually do some sort of transaction at that point, and their contract, which has a click to agree, um, you know, and it's an electronic application. There's some sort of ISP capture, and you know, somebody's signing, but these are legitimate businesses. 
And and you know, over a weekend, Stripe held, and it wasn't really the held money that bothered him, but held a significant amount of money, and then basically said, We're terminating you, you're too high risk. So these guys are like, I don't know if they saw it coming, but they pivoted and found a relationship with the payment gateway. The held funds wasn't their issue. That was that was like level two. Level one was we got a whole bunch of recurring billings coming up at the end of the year in the beginning of the year. Will you please migrate the tokens from Stripe over to our new payment gateway? And I asked them, is there anything in the contract in the terms and conditions that talks about data migration and like a fee per token or whatever? Because, like, it's possible. It's just a matter of, you know, is it contemplated under the relationship with Stripe? And the hard part with Stripe is all their term and terms and conditions, like everything's online. You don't know what fucking terms and conditions really applies, right? I mean, like you don't know necessarily prices. Yeah, it's pretty nebulous, right? So yeah, so that aspect of it, I don't even know what the contract rights are necessarily. I don't know what terms may apply based on different time periods. These guys have been processing for seven years, and their big thing was we don't want to have to go and contact everybody that we already have the authority to do a recurring billing to recapture the information. Okay. So, and this came without warning, like no warning at all. Level two was that they cut them out of the back end, and so now they cannot do returns. And so not only is there going to be a return, anyways, and there's money on hand, right? But now Stripe's gonna make a little bit of money off each one of those chargebacks because they get to assess a fee, and that fee is uh is originated basically by them not cooperating. 
These guys went to Stripe and said specifically, hey, you can keep that money and then we'll fund a escrow account with you because you have treasury services, and we'll can we do returns out of that. Stripe said no. I mean, it's crazy, right? I mean, how can you not see this as opportunistic on Stripe's part? But we'll see where it goes. But think about the level of interference with their existing business relationships that is taking place that Stripe is aware of because they've been processing it for him for seven years. I don't care if Stripe knows specifically, they specifically know just based on the relationship and how these things take place and everything that they've been doing for this business. And these guys, to their credit, weren't like like the obviously their concern, they kind of looked at it as more of a huge pain in the ass, and what's my potential loss gonna look like? Weren't angry, didn't seem like guys that would come at you, but it's gonna, I mean, even even right now, I mean, they were talking these are significant losses if they can't get some of this because the the amount of manpower to go and notify these people. And so I asked them, what's your what what's your been your historical writ return rate? And they're like, and I said, because you guys are aware of VAMP, right? And they said, Yes. And I said, what is it? And they're saying, well, it's kind of high. I don't even want to say what it is on on this, but it was kind of high. And I said, Well, what's it what's attributable to that, right? And they said, We're actually penalized because we freely return money to people. Let me give you an example. Do you know what percentage of businesses fail in the first year or that just are abandoned? That we have the authority to go bang a card for the following year, but nobody notified us. So once they see the charge and they notify us, we just give them back the money, right? So that artificially somewhat inflates our return rate. 
Another thing is that people order a service through us that is like six months out, right? Like, we don't even need to do it. We're not gonna hold their money for that period of time, you know, and and then give them the service in five months. Like, so we return a lot of people to a lot of people and say, hey, this is premature. We'll notify you about 30 days out from the deadline, we'll gather any new information, just look for our email. But here's your money back, right? And they said that's just like that's just a couple of like easy examples, but that's why our return rate has been what it's been. But really, our actual like default rate on transactions is is under 1%. It's more like 0.7 percent. We're just because of how we've operated, we've never had to worry about this. And I said, look, right, I don't know if this is because of VAMP, but it's October 7th, and I'm thinking that this is just a change in operations related to VAMP. What do you think about that?

SPEAKER_01:

Yeah, I mean, it's not an uncommon story for them.

SPEAKER_02:

Not for Stripe, I get that. I like I I agree. I think Stripe does shit all the time that doesn't make a lot of sense. I don't even know if they're looking to make money from what they're doing. I think it's just not really they're a technology company, they're not a payments company. So sometimes I think that that's an issue, but this seemed time the timeliness of it seemed odd.

SPEAKER_01:

Yeah, I mean it it definitely could be related. You know, the the high return rate um is for sure something that they're looking at, especially with their open exposure and just their their total book. But when they're I mean, everything's done with like a you know like you said, it's a tech company, so they're using like an AI risk algorithm. And a lot of the time because they have so many, you know, millions and millions of clients and merchant accounts, even the ones that have been existing for seven years versus the ones that have been existing for seven days, um, they kind of just put parameters in this algorithm to go through and just chop heads. And there's not enough bodies on their risk team to genuinely look at case-by-case situations like this. And the only time that they will is if it's like very, very substantial volume.

SPEAKER_02:

Um do you think that's good faith? Right? Because here's the thing about operating under a contract, you've got a duty to operate in good faith. And when you have a when you're considering the livelihood of a business, and then you're considering that there's a computer algorithm making decisions related to that, which is really black and white, has nothing to do with the gray in a contract of what actually constitutes good faith. I I I mean, I that's where I have an issue.

SPEAKER_01:

Yeah, I agree. I mean, I think it's um, you know, they as we as we know, they they do this stuff all the time. It's not new. And I think they definitely are starting to purge the portfolio. They have been slowly for a while, um, but they're they're definitely getting more and more aggressive. I think for two parts. One is that they're very heavy in e-commerce, which is generally cyclically, you know, a big big time in Q4. Um, they're also very heavy in SaaS, which now SaaS companies are also you know offering discounts and stuff within Q4 for the holidays. So general spend is going up right now, and I think their concern is that if they don't sort of chop some of these accounts that they perceive as high risk for whatever reason, like a refund rate of 40 or 50 percent or whatever it might be for this example, um where the justification is there, they just look at it, you know, black and white, as you said. And I think it's totally in bad faith. I d I don't think that it's you know, I think they have an obligation to kind of fulfill their side of the contract. But as you said, their terms are online, you click to sign, and unless you kind of redline that contract heavily and and can hold them to it, it's very hard to see that moving target, particularly when you've been a client for seven years and the contract has wildly changed in that time frame, I'm sure. Um and I think like you know, for them to do this in a responsible way, like it it makes sense for them to say, okay, we don't want your account, but give them some sort of termination time frame. Yeah, like don't don't stop them from submitting refunds because that's bad for everyone. Um, and obviously allow tokens to be migrated and say, hey, you've got 30 days to get off the platform, we're gonna allow you to do refunds. Charge me for it. In order for us to do that, you need to load up your account with X.

SPEAKER_02:

Yeah, charge me for it. I don't have any problems with that. Go ahead. You know, it's it's that's the thing that is it's the disruption in a merchant's business that they just look at the merchant as a cog and don't see the real life impact of what they're causing to individuals like that own it, whatever employees, whatever stress they're about to put on this business, like that there has to be some sort of balancing of equities associated with that. Like, and I just think it really gets missed, especially when you deal with a tech company that they want to embed chips in people and just have them fucking be inhuman. So um, you know, that's that's my little diatribe.

SPEAKER_00:

Excellent. You guys, that was a great conversation, Matt. So much. We're so grateful for you joining us once again. Everybody listening, please. You can find Matt Steinbrecher, Sound Commerce, at sound-commerce.com. We got all the information down below. Thank you for this conversation today. We're looking forward to the next one. Thank you for listening to this episode of the Payments Experts Podcast, a podcast of Global Legal Law Firm. Visit us online today at globallegallawfirm.com. Matters discussed are all opinions that do not constitute legal advice. All events or likeness to real people and events is a coincidence.