High-risk merchant compliance is not a single rule, checklist, or compliance document to be completed for each merchant every year. It is the way a business shows processors, banks, card networks, and customers that its card transactions are under control.
For 2026, high-risk merchants face additional compliance requirements and monitoring standards. High-risk merchants must comply with additional rules regarding fraud and disputes, PCI DSS 4.0.1, subscriptions, ACH transactions, product compliance, age verification, disclosure of information to customers, and documentation with the processor. However, the merchants that remain stable and under control are usually those that incorporate compliance into their general processes for accepting card transactions.
Why High-Risk Merchants Need Specialized Payment Compliance Strategies
Beyond ensuring that the products and services a merchant offers are legal, the payment processor considers a variety of factors when evaluating high-risk merchants. These factors include chargebacks, fraud reports, refund rates, billing practices, customer complaints, marketing and fulfillment practices, licenses, and changes in the merchant’s business model or responses to increases in their risk factors.
2026 continues to be an important year for payment security compliance. The PCI Security Standards Council (PCI SSC) published future-dated requirements for PCI DSS v4.x on March 31, 2025. PCI DSS v4.0.1 did not change the effective date of these requirements. For high-risk merchants, this indicates that compliance with payment security standards is required to effectively operate their businesses and integrate with third-party systems.
Finally, VAMP has also changed how merchants should approach compliance with their payment systems. VAMP stands for Visa Acquirer Monitoring Program and is the combined system Visa uses to monitor fraud and disputes within its network, having previously had separate programs for monitoring both fraud and chargebacks. VAMP’s ratio considers the combined number of fraud-related and non-fraud-related disputes in its settled transactions for the reporting period, divided by the total number of settled transactions for that period. Thus, high-risk merchants should pay close attention to their fraud and dispute reports to ensure accurate and efficient compliance with these programs.
Who Should Follow High-Risk Merchant Compliance Requirements
This guide is for:
- high-risk ecommerce merchants
- subscription and continuity businesses
- CBD, vape and nutraceutical businesses
- adult, dating and gaming businesses
- debt relief, tech support and travel businesses
- digital goods and SaaS companies
- MOTO and card-not-present merchants
- ACH-heavy high-risk merchants
- merchants with reserves, processor reviews, and account holds
- anyone seeking to understand high-risk merchant payment regulations
If your business relies on ecommerce, subscriptions, regulated products, high-ticket transactions, affiliates, phone sales, ACH transactions or card-not-present sales, then high-risk merchant compliance is for you. For high-risk merchants, getting approved is not the goal – maintaining long-term account stability is.
High-Risk Merchant Compliance Areas Compared
High-risk merchant compliance usually involves several overlapping areas. A processor may review all of them during underwriting or after a risk trigger.
| Compliance Area | What It Covers | Why It Matters |
|---|---|---|
| PCI DSS | Card-data security, access controls, vulnerability management and secure payment handling | Helps protect payment data and reduce breach risk |
| VAMP and Chargeback Monitoring | Visa fraud reports, disputes, enumeration attacks and ratio thresholds | Affects processor confidence and account stability |
| Product and Industry Rules | CBD, vape, firearms, adult, debt relief, healthcare, gaming, alcohol, or other regulated verticals | Determines whether the merchant can be supported by the acquirer |
| Subscription and Billing Compliance | Trial terms, renewal notices, cancellation paths, descriptors and refund rules | Reduces disputes and consumer-protection risk |
| ACH and Bank Payment Controls | Authorization, return codes, fraud monitoring and account validation | Helps keep ACH return risk under control |
| Underwriting Documentation | Licenses, policies, business documents, marketing materials and processing history | Helps prevent freezes, holds and misclassification issues |
The safest merchants do not treat these as separate silos. They connect compliance to the actual payment workflow, from checkout and authorization to support, refunds, disputes and reporting.
Best High-Risk Merchant Compliance Providers and Tools Compared
The best support depends on whether the merchant needs high-risk underwriting, PCI support, chargeback alerts, ACH controls, gateway security, subscription billing, or account remediation.
| Provider or Tool | Best Fit | Key Strength | Main Tradeoff |
|---|---|---|---|
| Payment Nerds | High-risk merchants that need payment compliance strategy, processor fit and account stability | Strong fit for high-risk underwriting, VAMP monitoring, fraud controls, Verifi, Ethoca, 3DS, ACH, gateway guidance and chargeback prevention | More consultative than a standalone compliance tool |
| Verifi | Merchants with elevated Visa disputes | Helps resolve disputes earlier through pre-dispute workflows | Works best with clear refund and support rules |
| Ethoca Alerts | Merchants that need early issuer fraud and dispute alerts | Gives faster notice to refund, stop fulfillment, or investigate | Does not replace root-cause dispute prevention |
| 3DS Through Gateway or Processor | Higher-risk card-not-present transactions | Adds issuer authentication for higher-risk payments | Poor setup can add checkout friction |
| PCI Compliance and Security Tools | Merchants that need to reduce card-data exposure | Supports payment security, scanning, access control and validation workflows | Needs active ownership, not just a checkbox |
| ACH Risk and Return Monitoring | Merchants using ACH or eCheck | Helps track unauthorized returns, administrative returns and failed payments | Does not replace card-side chargeback monitoring |
These are fit-based comparisons, not universal rankings. A CBD merchant, adult platform, debt relief company, SaaS subscription business and tech support provider may all need different compliance controls.
Understanding VAMP for High-Risk Merchant Compliance
VAMP has become one of the most important compliance topics to watch for high-risk merchants in 2026. VAMP stands for Visa’s Anti-Fraud and Merchant Protection program. The VAMP ratio measures the number of fraudulent and non-fraudulent disputes relative to the total number of transactions processed on the Visa account.
For high-risk merchants, the underlying cause could be friendly fraud, billing issues, subscription issues, affiliate issues, fulfillment issues, testing issues, fraud issues, or a poor descriptor on the merchant’s account that creates issues for that merchant’s customers.
The Above Standard and Excessive tiers are risk thresholds that Visa applies to merchants based on the number of fraud and dispute incidents on that account.
Payment Nerds can assist the merchant in monitoring the VAMP ratio by reviewing the fraud and dispute reports (TC40, TC15, chargebacks, refunds, failed purchases, enumeration attempts, Verifi attempts, and Ethoca attempts) to ensure that the merchant’s processor is not yet taking disciplinary action on the high-risk merchant’s account.
How to Build a High-Risk Merchant Compliance Program in 2026
Start by mapping the payment lifecycle. Identify where customers enter payment information, what they agree to, how orders are fulfilled, how refunds work, where support records live, which systems store payment data and how disputes are handled.
A practical compliance process usually includes:
- document the business model and supported products
- confirm licenses, age-gates, disclaimers and required disclosures
- review website claims, checkout language and refund policies
- map card, ACH, MOTO and alternative payment workflows
- assess PCI DSS 4.0.1 responsibilities
- set up fraud filters, 3DS, Verifi, Ethoca, or chargeback alerts where appropriate
- monitor VAMP ratio, TC40 fraud reports and TC15 disputes
- track enumeration attempts and failed authorizations
- review ACH returns and authorization records
- keep processors updated on major business changes
The best compliance program is practical enough for daily use. It should help staff know what to document, what to escalate and when to notify the processor.
High-Risk Merchant Compliance and Risk Management Costs Explained
Factors that impact high-risk merchant compliance costs include the type of business, how the business makes its sales, the payment methods used by the business, the volume of sales that the business processes each month, requirements from the payment processor, the chargeback history of the merchant, and whether the business has to comply with PCI.
Examples of compliance costs include the purchase of PCI security tools, fraud detection and prevention tools, chargeback alert systems, 3DS systems, transaction gateway fees, compliance review costs, legal costs, age verification software, tools for KYC regulations, ACH compliance software, and the time required to comply with all regulations.
Instead of asking about the compliance costs for high-risk merchants, it is more important to ask about the noncompliance costs for such merchants. The answer to that question would reveal that there can be serious consequences for merchants with weak compliance systems, including account freezes, increases in reserve requirements, termination by their processing company, customer disputes, payment of refunds, fines, and increased fees related to chargebacks and migration to another payment processor.
For high-risk merchants, compliance is part of the payment processing system that businesses should consider more valuable than seeking the highest transaction rate for their sales channel.
Common High-Risk Merchant Compliance Mistakes to Avoid
The biggest mistake is assuming that approval to open an account with a payment processor means the business is compliant with the processor’s compliance policy. Approval simply means that the payment processor was willing to work with the merchant based on the information provided. If the merchant changes their products or the way in which they take sales, they may no longer be in compliance.
Another mistake is to think that compliance is solely the legal department’s job. Compliance is everybody’s job. From marketing to sales to fulfillment, compliance impacts every department in the organization.
Ignoring VAMP is yet another mistake that many merchants make. Instead of waiting until a merchant reaches the Above Standard or Excessive tiers in their compliance score, merchants should review their compliance with VAMP and take steps to correct any issues as soon as they arise to avoid long-term damage to the business.
Key High-Risk Merchant Compliance Strategies for 2026
Keep Processor Documentation Current
High-risk merchants should always have their business and operational documentation ready for review by their payment processor. This information may include business documents, licenses, bank statements, refund policies, fulfillment policies and marketing examples. These may be requested during underwriting or in response to specific events in the merchant’s business. For instance, should a merchant add a new product to their business, start offering recurring billing, cross state lines, change suppliers, start using affiliates to promote their business, or add a new checkout flow altogether, their processor may require that this information be presented. The approval of one business model does not imply the same approval for the next version of that same model.
Monitor VAMP, Fraud and Disputes Together
For high-risk merchants, the Volume and Amount of Merchant transactions (VAMP) metric will be one of the primary compliance metrics to monitor in 2025. VAMP’s TC40 metric reports on the number of instances of fraud within a given reporting period while the TC15 metric measures the number of instances of merchant disputes or chargebacks in that same period. Both of these metrics are watched by payment processors for high-risk merchants. High-risk merchants should keep track of all of their disputes to determine their root cause. Tools such as Verifi, Ethoca, 3DS and proactive monitoring for VAMP ratios can be used to add fraud prevention measures and reduce the number of disputes that merchants receive.
Prepare for Enumeration Attacks
Enumeration attacks occur when bots try many different credit card details on a merchant’s checkout page. Fraudsters use these attempts to test stolen credit cards. Visa also monitors for these instances under the VAMP metric. Enumeration is calculated as the number of instances where use of a credit card was attempted divided by the total number of authorization attempts for that merchant. Visa uses VAAI to calculate this. To protect their checkout pages, high-risk merchants can use velocity rules, CAPTCHA software in high-risk situations, device checks, gateway filters, blocked BINs and monitoring of failed authorization attempts.
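The velocity rule and the enumeration ratio described above can be sketched as a merchant-side check over authorization logs. This is an added example, not code from Visa or Payment Nerds, and it is not how VAAI scores traffic; the log format, the 60-second window and both thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed velocity-rule settings; tune them against your own traffic.
WINDOW = timedelta(seconds=60)  # look-back window per source
MAX_CARDS = 3                   # distinct card tokens per source in the window
MAX_DECLINES = 3                # declined attempts per source in the window

# Constructed sample log: timestamp, source IP, card token, gateway result.
# Tokens stand in for card numbers so no card data is stored in the log.
SAMPLE_LOG = """\
2026-01-10T12:00:01 198.51.100.20 tok_7f3a APPROVED
2026-01-10T12:00:05 203.0.113.7 tok_0001 DECLINED
2026-01-10T12:00:06 203.0.113.7 tok_0002 DECLINED
2026-01-10T12:00:07 203.0.113.7 tok_0003 DECLINED
2026-01-10T12:00:08 203.0.113.7 tok_0004 DECLINED
2026-01-10T12:00:09 203.0.113.7 tok_0005 APPROVED
2026-01-10T12:00:30 198.51.100.20 tok_7f3a DECLINED
2026-01-10T12:00:45 198.51.100.20 tok_7f3a APPROVED
2026-01-10T12:05:00 203.0.113.7 tok_0006 DECLINED
"""

def parse(log):
    """Yield (timestamp, source, token, result) for each log line."""
    for line in log.strip().splitlines():
        ts, src, token, result = line.split()
        yield datetime.fromisoformat(ts), src, token, result

def flag_enumeration(log):
    """Return (flagged attempts, total attempts, flagged / total)."""
    recent = defaultdict(deque)  # source -> attempts inside the window
    flagged, total = [], 0
    for ts, src, token, result in parse(log):
        total += 1
        window = recent[src]
        window.append((ts, token, result))
        while ts - window[0][0] > WINDOW:  # evict attempts older than WINDOW
            window.popleft()
        cards = {t for _, t, _ in window}
        declines = sum(1 for _, _, r in window if r == "DECLINED")
        # Many different cards plus repeated declines from one source is the
        # card-testing pattern; one customer retrying a single card is not.
        if len(cards) >= MAX_CARDS and declines >= MAX_DECLINES:
            flagged.append((ts.isoformat(), src, token))
    return flagged, total, (len(flagged) / total if total else 0.0)

if __name__ == "__main__":
    hits, total, ratio = flag_enumeration(SAMPLE_LOG)
    for hit in hits:
        print("suspected enumeration:", *hit)
    print(f"{len(hits)} of {total} attempts flagged ({ratio:.1%})")
```

An approved attempt inside a flagged burst (tok_0005 here) deserves the closest review, because it is a card the source has just confirmed as live.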
Strengthen PCI DSS 4.0.1 Controls
PCI DSS compliance should not happen once a year for a merchant. PCI DSS 4.0.1 specifically addresses issues related to the management of the merchant’s payment pages and methods. These methods may include scripts, access, vulnerability checks, authentication methods and third-party service providers. High-risk merchants should find ways to reduce the amount of data from credit card holders that they use within their systems. Methods to accomplish this can include using hosted checkout software, using tokenization methods, using only encrypted devices, implementing secure APIs and access permissions according to roles and checking for compliance with these systems on a regular basis.
Tighten Subscription and Refund Workflows
For subscription and continuity merchants, the FTC placed a regulation in 2026 that would have created a “click to cancel” policy for subscription merchants. However, this policy was vacated by the Eighth Circuit in July of 2024. As such, high-risk merchants in this category should continue to ensure that their terms for free trials, subscription lengths, prices and methods for cancelling subscriptions and requesting refunds are easy for customers to find. Providing clear billing information for subscriptions can reduce the number of subscription disputes for merchants. Additionally, the same clear way of cancelling subscriptions will reduce the number of calls to the merchant’s bank from customers who are attempting to cancel those subscriptions themselves.
Control ACH, MOTO and Alternative Payment Risk
Many high-risk merchants use alternative payment methods in addition to credit cards. These alternative methods include eCheck, ACH, MOTO, payment links, crypto and wallets. Each method comes with its own compliance requirements. ACH transactions must have authorization records with return codes and account validation. MOTO payments require merchants to utilize virtual terminals for transactions and they cannot store credit card data in messages, spreadsheets, call notes or tickets. Other alternative payment methods can be used in place of credit and debit cards to reduce the risks related to those card transactions. However, these methods should not be overlooked or become blind spots in the merchant’s compliance efforts.
FAQs About High-Risk Merchant Compliance
Q: What is high-risk merchant compliance?
A: High-risk merchant compliance refers to the regulatory requirements for merchants that process payments with a high degree of scrutiny from the payment processors, card networks, security companies, and other regulatory bodies in the industry.
Q: What are the biggest payment compliance strategies for 2026?
A: The biggest payment compliance strategies for 2026 will include compliance with the new PCI DSS 4.0.1 standards, VAMP monitoring, chargeback prevention, fraud controls, billing terms, ACH compliance, and underwriting documentation with the payment processor.
Q: What is VAMP?
A: VAMP stands for Visa Acquirer Monitoring Program. This program was created to replace the separate Visa fraud and chargeback programs. It is a program that oversees both fraud and chargeback activity for merchants using the Visa network.
Q: What is the VAMP ratio?
A: The VAMP ratio is expressed as the fraction: (fraud disputes + non-fraud disputes) / total settled Visa transactions. The VAMP ratio measures a merchant’s level of fraud and chargeback activity relative to their total Visa sales.
Q: What is an enumeration attack?
A: An enumeration attack is the act of bots attempting to use different credit card numbers on a merchant’s website checkout page. These bots use various stolen credit card details to attempt to authorize transactions from these cards.
Q: Why do high-risk merchant accounts get terminated?
A: High-risk merchant accounts can be terminated due to chargebacks, the products that are sold, the claims that are made about those products, licenses to sell the products, refund policies, fraud, PCI compliance, classification by the payment processor, and changes to the merchant’s business model.
Q: How can Payment Nerds help with high-risk merchant compliance?
A: Payment Nerds can assist high-risk merchants by performing a thorough evaluation of their current payment processor, payment processes, fraud controls, VAMP activity, ACH processes, and strategies to prevent chargebacks and maintain their merchant account.
Conclusion
Accepting payments in 2025 was not enough for high-risk merchants. Additional documentation and compliance requirements had to be met in order to maintain payment processing.
If your business is looking for assistance with high-risk merchant compliance and payment compliance strategies for 2026, Payment Nerds can help. We want to assist you in passing your merchant underwriting and maintaining your payment processing activity going forward.