An enumeration attack involves bots running automated scripts against a merchant’s checkout page, submitting stolen or guessed credit card details in search of ones that work.
Enumeration is also not a problem limited to merchants’ fraud teams today. Under the VAMP program, merchants can monitor for enumeration attacks. VAMP, the Visa Acquirer Monitoring Program, is the program Visa has implemented to replace its separate fraud and chargeback monitoring programs. It includes a separate monitoring system for enumeration attacks.
Why Businesses Need VAMP Enumeration Protection
Enumeration attacks happen before the customer completes their order. The merchant will see a flood of authorization attempts, most of which will be declined. Even though they are declined, these attempts still expose the merchant to VAMP ratios.
Visa uses a separate VAMP enumeration ratio to monitor for enumeration attacks. According to Visa’s fact sheet, the threshold is an enumeration ratio of at least 2,000 basis points (20%), or at least 300,000 enumerated authorizations. While this is a high volume of enumerated attempts, merchants should not wait until they reach this threshold to begin protecting themselves from enumeration attacks.
Finally, Visa states in its VAAI material that enumerated accounts have a fraud rate 22 times higher than that of regular accounts. Thus, enumerated authorizations not only expose the merchant to Visa’s VAMP ratio but also expose them to fraud charges that will negatively impact the merchant’s business.
Who Needs to Understand VAMP Enumeration Attacks
This guide is for merchants who have:
- ecommerce websites
- high-risk websites
- websites that offer subscription or continuity products
- websites that sell digital goods
- SaaS marketplaces or platforms
- high volumes of failed authorizations
- websites using checkout forms
- fraud increases after surges in checkout traffic
- fraud analysts or payment teams that monitor this type of activity
- an interest in understanding their VAMP enumeration ratio
Any business that relies upon card-not-present sales, online checkout processes, subscription sign-up forms, free trials, low-dollar sales, or links will eventually be targeted by fraudsters looking to test as many different credit cards as possible.
VAMP Enumeration Metrics Compared
VAMP introduces several related terms. The key is knowing which metric measures fraud and disputes, which metric measures bot-driven card testing and which records feed the broader monitoring picture.
| Term | Plain-English Meaning | Why It Matters |
|---|---|---|
| VAMP | Visa’s combined fraud and dispute monitoring program | Replaced older separate Visa fraud and chargeback programs |
| VAMP Ratio | Fraud plus non-fraud disputes divided by settled Visa transactions | Measures fraud and dispute pressure on card-not-present Visa activity |
| TC40 | Visa’s fraud report record | Shows fraud activity that can affect VAMP monitoring |
| TC15 | Visa’s dispute or chargeback record | Shows customer disputes that can affect the VAMP ratio |
| Enumeration Attack | Bot-driven card testing on a checkout page | Creates authorization abuse before or during attempted fraud |
| Enumeration Ratio | Enumerated authorization attempts divided by total authorization attempts | Measures how much of the merchant’s authorization activity looks like card testing |
| VAAI | Visa Account Attack Intelligence, the score Visa uses to flag enumeration | Helps Visa identify likely account-testing activity |
| Above Standard / Excessive | VAMP warning tiers that trigger fees and scrutiny | Signals that the merchant or acquirer may need remediation |
The practical takeaway is that VAMP is broader than chargebacks. Merchants need to monitor disputes, fraud reports and card-testing behavior together because all three can affect the payment relationship.
Tools and Providers for Reducing Enumeration Attacks
Reducing enumeration attacks usually requires a mix of gateway controls, fraud tools, processor support, bot protection and VAMP-aware monitoring.
| Provider or Tool | Best Fit | Key Strength | Main Tradeoff |
|---|---|---|---|
| Payment Nerds | High-risk and ecommerce merchants that need VAMP-aware payment strategy | Helps with processor fit, fraud controls, VAMP monitoring, gateway setup, Verifi, Ethoca, 3DS and account-stability guidance | More consultative than a standalone bot tool |
| Visa VAAI | Visa ecosystem monitoring of account-testing activity | Helps identify likely enumeration behavior across VisaNet | Merchants usually access insights through acquirers, processors, or partners |
| Gateway Velocity Rules | Merchants seeing repeated failed payment attempts | Blocks or slows suspicious authorization patterns | Needs careful tuning to avoid false declines |
| 3DS Authentication | Higher-risk card-not-present transactions | Adds issuer authentication for risky transactions | Too much use can add checkout friction |
| Bot Detection Tools | Checkout pages targeted by automated traffic | Helps identify non-human behavior before authorization | May require technical setup and ongoing tuning |
| Verifi and Ethoca | Merchants also managing disputes and fraud alerts | Helps address post-transaction dispute and fraud issues earlier | Does not replace checkout-level enumeration controls |
These are fit-based comparisons, not universal rankings. A merchant with card-testing bots needs checkout controls first. A merchant with fraud reports and disputes also needs broader VAMP monitoring and chargeback-prevention workflows.
Understanding VAMP Enumeration for High-Risk Merchants
Enumeration should be part of every merchant’s account health. If a merchant already attracts the attention of acquiring banks due to their industry, chargebacks, subscriptions, products, or card-not-present sales, then enumeration is likely to draw even more scrutiny from those banks.
This is especially true for subscription, nutraceutical, CBD, vape, adult, gaming, dating, travel, digital goods, ticketing, and other high-risk ecommerce models. These ecommerce models typically feature online forms, trials, instant delivery, and high-risk traffic sources that may result in enumeration activity.
Payment Nerds can assist merchants in examining enumeration in the context of the rest of the VAMP information. That means looking at all of the failed authorizations, fraud, TC40, TC15, chargebacks, refunds, 3DS, and the acquiring bank’s expectations for the merchant’s account health together to get a complete picture of the state of their accounts.
How to Reduce VAMP Enumeration Attacks in 2026
Start with authorization data to spot enumeration attacks. Monitor for spikes in declined payments, declined payments from the same device or IP, high decline rates for specific BINs, low approval rates, and many small-ticket payments with unusual transaction patterns.
Then tighten the checkout process with:
- Velocity limits on IP addresses, devices, cards, emails and BINs
- CAPTCHA challenges
- Limits on repeated failed payments
- Blocking abusive traffic sources
- Device fingerprinting
- Prepaid and high-risk BIN checks
- 3DS for high-risk transactions
- Monitoring payment gateway attempts
- Processor coordination in the case of VAAI or VAMP concerns
A layered approach is the best defense. While a CAPTCHA or a declined payment limit may stop enumeration attacks for a while, a more comprehensive approach that includes payment gateway rules, fraud monitoring and bot management will provide better protection.
VAMP Enumeration Costs Explained
Enumeration attacks can cost money. There are numerous fees associated with enumeration, including gateway fees, authorization fees, fraud tool fees and the time to review each transaction. Furthermore, if those transactions are related to VAMP or the acquirer, the costs can become even larger.
Another cost associated with enumeration is the potential conversion cost. If merchants create rules in response to enumeration that are too strict, good customers may get blocked from the merchant’s website. Enumeration rules should be precise to avoid such issues.
There are costs associated with the tools used to prevent VAMP problems, but they are usually lower than the costs of unmanaged fraud. Spending on velocity filters, bot controls, 3DS, Verifi, Ethoca, fraud scoring and active monitoring tools can prevent merchants’ accounts from being compromised by avoidable fraud.
Common VAMP Enumeration Mistakes to Avoid
The biggest mistake is looking only at settled transactions. VAMP enumeration can appear in authorization attempts before a sale. By looking only at transactions that have already settled, merchants may not detect the attack until the payment processor or acquiring bank notifies them of an issue.
Another mistake some merchants make is ignoring that declined transactions may also be important to review. If merchants focus only on settled transactions, they are overlooking failed transactions that may indicate a problem with card testing.
Finally, another mistake that some merchants make is overcorrecting the issue. Any attempt to apply 3DS to all transactions, or to block transactions with overly aggressive rules, sets the merchant up to see an increase in false declines. The best approach is to use the data to determine which transactions are most likely to be card testing and take action accordingly, rather than taking action against all transactions.
Key Features of VAMP Enumeration Monitoring
Bot-Driven Card Testing
Enumeration attacks are usually automated. A fraudster will not manually enter thousands of credit card numbers onto a checkout page. Instead, bots will automatically test numerous combinations of credit card data. These attacks may appear as a series of failed payments, unusual traffic to a website, numerous payments with the same credit card numbers, or numerous tests of the credit card’s security number and expiration date.
Monitoring Approved and Declined Authorization Attempts
The enumeration ratio includes both approved and declined authorization attempts. Merchants may think that declined authorization attempts are not of concern because no sale has occurred. However, numerous failed authorization attempts on a checkout page can be a concern, as they may indicate that bots are attempting to enumerate cards on that page. Merchants can monitor for numerous failed authorization attempts by credit card BIN, IP address, device, country of origin, email address patterns, payment page and time window.
VAAI Scoring
VAAI stands for Visa Account Attack Intelligence. This score is used by Visa to detect enumeration and card testing activity on credit card transactions that do not require a card swipe. Visa does not require merchants to create a VAAI algorithm for their websites. However, merchants must have some visibility into VAAI activity with their credit card gateway and processors to take any action in response to such alerts.
Enumeration Ratio
The enumeration ratio is the main metric for VAMP that detects card testing activity. The enumeration ratio can be calculated by dividing the number of enumerated authorization transactions by the total number of authorization transactions for a given time period. This ratio is different from the standard VAMP ratio that calculates the number of fraud alerts or disputes within a period relative to the total number of settled transactions.
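The following Python example is added here and is not code from Visa, a gateway, or Payment Nerds. It applies the sliding-window decline signals described above (by IP and BIN) to constructed authorization records and reports the flagged share in basis points, the unit used for the enumeration ratio. The field names, window and limits are assumptions, and the flagging rule is a merchant-side heuristic, not Visa's VAAI classification.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumed look-back window
LIMITS = {"ip": 5, "bin": 20}       # assumed declines tolerated per key in WINDOW

def flag_enumeration(attempts, window=WINDOW, limits=LIMITS):
    """Return (flagged attempts, flagged share in basis points, offending keys).

    Merchant-side heuristic only: an attempt is flagged when its IP or BIN has
    already reached its decline limit inside the window. Not Visa's VAAI score.
    """
    recent = defaultdict(deque)     # (kind, value) -> timestamps of declines
    flagged, offenders = [], set()
    for a in sorted(attempts, key=lambda a: a["ts"]):
        keys = [("ip", a["ip"]), ("bin", a["bin"])]
        hit = False
        for key in keys:
            q = recent[key]
            while q and a["ts"] - q[0] > window:
                q.popleft()         # drop declines that fell out of the window
            if len(q) >= limits[key[0]]:
                hit = True
                offenders.add(key)
        if hit:
            flagged.append(a)       # approved attempts can be flagged too
        if not a["approved"]:       # only declines feed the velocity counters
            for key in keys:
                recent[key].append(a["ts"])
    bps = round(10_000 * len(flagged) / len(attempts)) if attempts else 0
    return flagged, bps, offenders

def sample_attempts():
    """Constructed sample: one scripted source plus ordinary shoppers."""
    t0 = datetime(2026, 1, 15, 12, 0, 0)
    bot = [{"ts": t0 + timedelta(seconds=20 * i), "ip": "203.0.113.7",
            "bin": "400000", "approved": i == 11} for i in range(12)]
    shoppers = [
        {"ts": t0 + timedelta(seconds=5), "ip": "198.51.100.1", "bin": "510000", "approved": True},
        {"ts": t0 + timedelta(seconds=50), "ip": "198.51.100.2", "bin": "520000", "approved": False},
        {"ts": t0 + timedelta(seconds=95), "ip": "198.51.100.2", "bin": "520000", "approved": True},
        {"ts": t0 + timedelta(seconds=130), "ip": "198.51.100.3", "bin": "530000", "approved": True},
    ]
    return bot + shoppers

if __name__ == "__main__":
    flagged, bps, offenders = flag_enumeration(sample_attempts())
    print(f"{len(flagged)} of 16 attempts flagged ({bps} bps); offenders: {sorted(offenders)}")
```

The shopper who is declined once and then approved stays unflagged, while the scripted source's final approved attempt is still counted, which mirrors the point that the ratio covers approved and declined attempts alike.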
Gateway Velocity Controls and Fraud Prevention
To combat enumeration attacks on merchant websites, gateways may offer various controls that limit automated traffic. Such controls can include velocity filters, device recognition, IP address filtering, BIN-based filtering, CAPTCHA challenges, geolocation filters, and rate limiting of transactions and fraud rules. These controls should be implemented carefully to ensure that legitimate customers are not being declined from making purchases on these merchants’ websites.
Enumeration Reporting and Remediation
Enumeration monitoring is useless if it does not lead to action. Merchants need to review and analyze all aspects of their transactions and failed authorization attempts and all VAAI-related alerts to determine if there is an enumeration attack on one of their payment pages. If there is, the merchant should be able to recognize which payment page is being enumerated to resolve the problem.
FAQs About VAMP Enumeration Attacks
Q: What is an enumeration attack?
A: An enumeration attack is when bots perform card testing on a merchant’s checkout page. Fraudsters use it to test their stolen or guessed credit and debit card details.
Q: What is the VAMP enumeration definition?
A: Enumeration in the context of VAMP means suspected card testing on a checkout page. In plain English, it means Visa measures how many times people use the checkout page to test their cards.
Q: What is the VAMP enumeration ratio?
A: The VAMP enumeration ratio is the number of enumerated authorizations divided by the total authorizations. This includes both approved and declined transactions. Therefore, failed transactions do factor into this calculation.
Q: What is VAAI?
A: VAAI is Visa Account Attack Intelligence. This score helps merchants and Visa identify account enumeration and card testing.
Q: Does enumeration have an effect on the normal VAMP ratio?
A: Enumeration is separately calculated from the VAMP ratio. The VAMP ratio is calculated by taking the number of fraud and non-fraud disputes divided by the total number of settled Visa transactions. However, both ratios can affect the merchant’s processor or acquiring bank.
Q: How can merchants detect enumeration attacks?
A: Merchants can detect enumeration attacks by monitoring their failed authorization transactions. They can also monitor for multiple failed transactions from a single IP address or device, a high volume of transactions from a specific bank or country, a high volume of failed transactions with a low approval rate, or when their payment processor notifies them of such activity.
Q: How can Payment Nerds help with VAMP enumeration risk?
A: Payment Nerds can help merchants by reviewing their gateway, their processor, and their fraud solutions. Specifically, we can review their 3DS implementation, bot mitigation, failed authorizations, VAMP ratio, and overall account stability.
Conclusion
Enumeration attacks are not just failed checkout attempts. They occur when bots test credit card details, creating fraud and VAMP risk for the company. Businesses need to monitor authorization attempts, not just sales and chargebacks. If you would like to learn more about enumeration attacks or reduce your enumeration ratio risk, Payment Nerds can assist your business.
Sources
- Payment Nerds. “How Businesses Can Reduce Chargebacks Under Visa’s New VAMP Program.” Accessed May 2026.
- Payment Nerds. “Chargeback Ratio Thresholds Explained.” Accessed May 2026.
- Payment Nerds. “How to Avoid Merchant Account Termination in High-Risk Verticals.” Accessed May 2026.
- Visa. “Visa Acquirer Monitoring Program Fact Sheet.” Accessed May 2026.
- Visa. “Visa Account Attack Intelligence Score.” Accessed May 2026.
- Visa Acceptance Solutions. “2026 Global eCommerce Payments & Fraud Report.” Accessed May 2026.
- Verifi. “Resolve Pre-Disputes Automatically.” Accessed May 2026.
- Ethoca. “Ethoca Alerts.” Accessed May 2026.
- Stripe. “3D Secure 101.” Accessed May 2026.
- PCI Security Standards Council. “Merchant Resources.” Accessed May 2026.