PEP Episode 070 — VAMP is Here: The Risk Game Just Changed: Are You Ready for Visa’s New Rules?
October 22, 2025
Q4 is Here. VAMP Is Live. The Risk Game Just Changed.
Welcome to the new frontier of merchant risk management. With Visa’s Acquirer Monitoring Program (VAMP) now officially live, the underwriting, compliance, and dispute mitigation landscape is shifting fast—and merchants, ISOs, and Payfacs who aren’t already adapting may find themselves in hot water come November.
In this episode of the Payments Experts Podcast, Matthew Steinbrecher from Sound Commerce (https://sound-commerce.com/) returns to break down what he’s seeing across the portfolios before the hammer drops. We dive deep into:
Tightening CNP underwriting standards
Why ISOs are requiring RDR & Ethoca enrollment upfront
And how siloed dispute data across platforms is killing response times, costing everyone margin
But this isn’t just about hypotheticals. We drop into a real-world Stripe case study that should send a chill through any merchant with recurring revenue:
7 years of clean processing, low chargeback ratios, and yet—suddenly terminated.
Funds frozen. Tokens locked. Access cut.
No refund runway. No warning.
Is VAMP pressure triggering automated purges? Or are platforms increasingly willing to let algorithms decide who survives, regardless of long-term merchant performance?
The Critical Risk Management Questions
Where does the duty of good faith lie when termination is automated?
If tokens aren’t portable and refund access is blocked, is that risk management—or engineered chargebacks?
How can ISOs and merchants regain control when everything from dispute visibility to billing mechanics is split across vendors?
Your Playbook to Stay Ahead
We don’t just raise red flags—we hand you the map:
✅ Monitor TC40s and VAMP metrics in near real-time
✅ Track VAMP ratios MID-by-MID, not portfolio-wide
✅ Negotiate API-level visibility if your ISO owns the RDR/Ethoca integration
✅ Reengineer long-tail service billing to cut refund optics and reduce late chargebacks
And if you’re thinking bigger:
💡 We outline when to go full Payfac, how to structure a responsible merchant offboarding (hint: token portability + escrow-backed refund flow), and why modular compliance tooling may be your best defense in 2025.
Who Should Watch?
ISOs building agent programs or managing large CNP portfolios
Merchant acquirers seeing dispute ratios creep upward
SaaS & eComm founders scaling MRR or navigating friendly fraud
Ops & compliance teams hunting for practical wins before policy hits become brand damage
This isn’t theory—it’s what’s already happening behind the scenes. Stay proactive. Stay protected.
*Matters discussed are all opinions and do not constitute legal advice. All events or likeness to real people and events is a coincidence.*
Transcript
Matthew Steinbrecher (00:00):
They kind of just put parameters in this algorithm to go through and just chop heads and there’s not enough bodies on their risk team to genuinely look at case by case situations like this. And the only time that they will is if it’s very, very substantial volume.
Christopher Dryden (00:17):
But do you think that’s good faith? Here’s the thing about operating under a contract. You’ve got a duty to operate in good faith, and when you’re considering the livelihood of a business and then you’re considering that there’s a computer algorithm making decisions related to that, which is really black and white, has nothing to do with the gray in a contract of what actually constitutes good faith. I mean, that’s where I have an issue.
Jeremy Stock (00:47):
Welcome to the Payments Experts podcast, a podcast of Global Legal Law Firm. We hope you enjoy this episode. We’re really excited today. We’ve got in studio joining us, Christopher Dryden, who’s the founding and managing partner of Global Legal Law Firm, as well as our special guest. We got Matt Steinbrecher over from Sound Commerce. Matt, it was great having you on the podcast last time. We’re excited to continue the conversation. We’re discussing VAMP, Visa’s new rules, and we’re looking forward to a great conversation. Gentlemen, take it away.
Christopher Dryden (01:24):
Alright, what’s up Matt? Good to see you again. Haven’t seen you since that Sweat Fest in Phoenix. Yeah, I think it was brutal, man. It was so hot over there. So when we were at WSAA, nothing had happened. Well, let’s actually backtrack a little bit more. Last time you were on, it was great to have you on. We talked a lot about certain merchant relationships, white glove service, what Sound Commerce kind of does and how it views the industry and the value add services that it provides for merchants out there. One of the topics of our discussion was VAMP, which was going to go into effect after a six-month extension on October 1st. And that’s happened and I think kind of our talk today is going to be about you see any difference. Is anybody raised anything to you? I will tell you, I’ll get into my story. I had something yesterday happen that I think was a product of VAMP, but ultimately, I’m not sure if it was triggered by it, but it was kind of interesting. I can give you the parameters for that one, but have you seen anything?
Matthew Steinbrecher (02:42):
A little bit, some. We’re definitely not seeing drastic merchant shutdowns yet. I think the main thing I’m noticing is quite a bit of, sorry, can you hear me?
Christopher Dryden (02:59):
Yep.
Matthew Steinbrecher (03:01):
Okay, cool. The main thing I’m noticing is quite a bit of disruption in terms of the underwriting process for net new clients. So we’re seeing kind of a shift in the portfolio of what’s acceptable to certain agent like ISO setups and then just tier one processors as well that typically don’t work through the agent model. That’s kind of the main thing that we’re seeing right now and it’s the fines haven’t hit yet, so we got, what’s it October 8th today as of the day of recording and I think once November hits, that’s really where we’re going to start to see some shifts dramatically, and I think that’s where we’ll start to see some heads getting chopped a little bit or just fines getting kicked in and merchants being pissed that maybe they are being overcharged or there’s not a lot of transparency in what’s going on. So I think really November is when things are going to kick in, but everyone’s starting to track it for sure. That’s been a big priority.
Christopher Dryden (03:59):
It’s interesting you say there’s been some changes in the underwriting process and what’s acceptable and what’s not. Outside of trial and error, is there anything where you kind of have some sort of foreseeability of how you need to approach the underwriting process and its changed format?
Matthew Steinbrecher (04:22):
Yeah, I think as an example, a lot of people now are asking for upfront RDR and Ethoca, Verifi and Ethoca confirmation agreements before they even issue a merchant account, which is usually a little bit backwards as to the way that things were done. You kind of get your merchant account, you get your information that you need to enroll with Verifi and Ethoca, and then you kind of start to go live and ramp up quicker once you’re fully enrolled. So we’re starting to see a bit of a shift there where a lot of these ISOs are doing much more due diligence upfront. We’re seeing a lot of them as well will force depending on the risk profile of the merchant, but they might force enrollment on their side, which obviously is more revenue for them. But we are seeing there’s friction there for merchants because if you’re running a multi-MID strategy and you’ve got one provider plugged in directly with Verifi and Ethoca and then you have three other MIDs that you have directly with some other reseller of Verifi and Ethoca, it gets kind of tricky to manage because you don’t have as much visibility at an aggregate level for each MID.
Matthew Steinbrecher (05:29):
So we’re starting to see some stuff like that as the preliminary underwriting and it really just comes down to make sure that you understand what your ratios are right now. So from our last conversation, what we were doing in anticipation for our portfolio and a lot of other shops that I work with, we were kind of just maintaining and managing the rates for VAMP, pretty much ignoring the old thresholds and really just looking at the MID VAMP ratio of that 2.2% as it is for now and it’ll go down next year, but we were really just maintaining and looking at those ratios with the TC40s and then trying to be upfront when you get a new merchant account or going to the risk team that we’ve kind of done our due diligence and we know what we’re looking at. Now granted for merchants that don’t operate with more strategic agent ISOs, it’s very hard for them to do that kind of stuff. The calculation seems simple, but getting all the data and doing it properly can be a little complex for someone who’s not in payments.
Christopher Dryden (06:33):
I want to go back to the Verifi and Ethoca part of it because what I think I heard you say was that as the ISO underwriting becomes more stringent, you are seeing that they’re going to require these merchants to come under their umbrella with Verifi and Ethoca and there’s more money associated with that because now there’s another service that’s being strapped onto the merchant processing. But what does that mean for guys like you for visibility into what’s happening? Is that depriving you an opportunity to take your expertise in payments and utilize it to the benefit of the merchant and you’re somewhat being replaced by the ISO? Is there going to be some symbiotic relationship there? I mean, I’m interested to look, to me part of what’s interesting is that every time that you consolidate things at the ISO level, the quality of service goes down. And I think where you are actually getting a foothold is that you’re not trying to be an ISO, you’re trying to have strategic relationships with types of merchants and perform a service that the ISO, they’ll take the processing and board the account, but they’re never going to give ’em that service. So when you kind of take a portion of that service and you upstream it, right, what does that look like for a guy like you?
Matthew Steinbrecher (07:55):
Yeah, that was my exact reaction when I saw some of the shops requiring it and had to, most of the registered ISOs that have been sponsors that I work with in the US, they understand my business model, but it was kind of just rehashing that with them and letting them know if I don’t have that visibility, it makes it difficult for me to protect all of us involved and make sure that the merchant’s on side with ratios. If I see something going south that I can start acting on it, maybe we get hit with a fraud attack, whatever. So that way I’m looking at TC40 count as of October 8, not as of November 1 when it’s too late.
Christopher Dryden (08:36):
So
Matthew Steinbrecher (08:38):
That’s really where it’s more of a strategic conversation, but a lot of ’em just kind of, they want a no exception type of rule because if they make an exception for one agent ISO, then there’s going to be exceptions for others. And it might depend on residual size and merchant profiles and all that kind of stuff. But these are for both low and high risk merchants. By the way, anything card-not-present pretty much it’s getting mandatory for most of these guys to be able to run the RDR and Ethoca. But yeah, I mean it’s a little bit prohibitive. Most of ’em give insight. They’ll give a read only access to whatever platform that they’re using so we can see some of it, but it makes it a huge pain for us to do it. So a lot of those shops, we either said, Hey, we need to figure something out here that works so programmatically we can get it on our end into a single view and really be able to look at all the MIDs at once because that helps us protect the entire portfolio for everyone or we can’t work together.
Matthew Steinbrecher (09:37):
And I’ve seen a couple, I’ve chatted with a lot of the other larger agent ISO shops too who kind of do more of a bespoke thing where they’re a little bit more involved in your typical guys like, Hey, here’s an account, see in three years. And those are all having similar conversations with these larger registered ISOs that are trying to force it on their end, especially too because cost prohibitive, they might be charging like 10 bucks over what their buy rate is because of course it’s a new line of revenue for them and they pitch it to the agent. It’s like, oh yeah, well you’re going to make some new money here. And the agent’s like, yeah, but everyone knows you’re ripping ’em off and so they’re not going to accept this price. It would be increasing your buy rates by a percent.
Christopher Dryden (10:21):
It’s an ISO that doesn’t really understand the high risk or e-commerce segment. I mean, I almost wonder if this maybe isn’t an opportunity for guys like you to just go full-on Payfac and figure out how to get in the stream of it all. If you manage the risk better than the ISO is going to manage it anyways and you’re doing it real time, do you just want to get into the mix of the whole thing and figure out how you’re going to hold risk and just be a Payfac associated with it? I see Payfac agreements, like true Payfac agreements going out, and I don’t know what the full qualification process is. I just look at the agreement and I understand how the agreement operates, but I don’t know from the underwriting of the Payfac what they’re really looking for. But I recently saw a Worldpay one. I mean they’re out there and from what I’m being told, it’s a potential relationship that exists, but I almost feel like it’s forcing you to maybe move that direction. Am I off base with saying that or what do you think?
Matthew Steinbrecher (11:25):
Yeah, I think to a degree, once you get large enough, I mean normally from what I’ve seen in the space, you need to have maybe a hundred to 200 solid new clients coming in monthly to justify regulatory Payfac overhead, compliance, and then just having the velocity. But we’re seeing it more and more that there’s going to be a big consolidation in the space as well on just the acquiring side and some of particularly these higher risk BINs, I think they’re going to get swallowed up by some of the larger shops, but looking at the agent ISO, that moves towards a Payfac model in order to have more control and of course more risk, but really just have more control of the overall book and then still have the redundancy with a few different BIN sponsors potentially. That’s for sure. Something that a lot, again, a lot of the other shops that I’m chatting to about how are you navigating this, what’s kind of your general strategy?
Matthew Steinbrecher (12:27):
And no one totally opens up the kimono, so to say, but I think a lot of people are starting to consider that route. But it is a lot more work. It’s a whole different ballgame of having to bring everything in-house for the most part. And we do quite a bit of it in-house already, so it wouldn’t be too much of a shift for us as a shop at Sound. But some of the other guys, it would be pretty dramatic in terms of a lift to bring in in-house underwriters and risk team and all of that, KYC, KYB, and all the different tools that come with that can be a pretty expensive lift upfront, but ultimately I think that’s the best way to get the control and really just manage your overall portfolio super well then you’re much more flexibility I think.
Christopher Dryden (13:14):
Yeah, I think from a transaction management standpoint, it’s just way better. I mean, it’s kind of like being the bank of the casino a little bit. It’s kind of how I see it, right? Pretty much the odds are going to be in your favor as long as you don’t operate super poorly. So I do believe that taking that risk there is a substantial reward associated with it. But lemme tell you what I came across yesterday, which I thought was really interesting. I’d love to get your opinion on,
Christopher Dryden (13:43):
I had some guys call me yesterday. They have a new corporate filings registered agent corporate governance document. Registered agent service will be your registered agent in a particular jurisdiction, and these guys have people that sign up with them. It’s a legitimate business. They do new limited liability companies, corporations, your annual reports, whatever’s needed for somebody who wants to start a business and just wants somebody to hold their hand through it. They were processing with Stripe for seven years. I can only attribute to what has taken place to me because they told me that there wasn’t really a spike in anything to VAMP. So they’re with Stripe for seven years. They process, they have a ton of recurring billing. The reason that they have recurring billing is because the packages that people buy with them, those packages include all of these services, some to take place in the future.
Christopher Dryden (14:49):
So when that future service is going to be delivered, they actually do some sort of transaction at that point. And their contract, which has a click to agree, and it’s an electronic application, there’s some sort of ISP capture and somebody signing with these are legitimate businesses, and over a weekend Stripe held, and it wasn’t really the held money that bothered him, but held a significant amount of money and then basically said, we’re terminating you, you’re too high risk. So these guys are like, I don’t know if they saw it coming, but they pivoted and found a relationship with a payment gateway. The held funds wasn’t their issue. That was like level two. Level one was we got a whole bunch of recurring billings coming up at the end of the year and the beginning of the year, will you please migrate the tokens from Stripe over to our new payment gateway? And I asked them, is there anything in the contract in the terms and conditions that talks about data migration and a fee per token or whatever? Because possible, it’s just a matter of is it contemplated under the relationship with Stripe? And the hard part with Stripe is all their terms and conditions, everything’s online. You don’t know what fucking terms and conditions really applies, right? I mean you don’t know necessarily prices and it changes. Yeah, it’s pretty nebulous. So
Christopher Dryden (16:13):
That aspect of it, I don’t even know what the contract rights are necessarily. I don’t know what terms may apply based on different time periods. These guys have been processing for seven years, and their big thing was we don’t want to have to go and contact everybody that we already have the authority to do a recurring billing to recapture the information. And this came without warning, no warning at all. Level two was that they cut ’em out of the backend. And so now they cannot do returns. And so not only is there going to be a return anyways and there’s money on hand, but now Stripe’s going to make a little bit of money off each one of those chargebacks because they get to assess a fee and that fee is originated basically by them not cooperating. These guys went to Stripe and said specifically, Hey, you can keep that money and then we’ll fund an escrow account with you. You have treasury services and can we do returns out of that? Stripe said no.
Christopher Dryden (17:22):
I mean it’s crazy, right? I mean, how can you not see this as opportunistic on Stripe’s part? But we’ll see where it goes. But think about the level of interference with their existing business relationships that is taking place that Stripe is aware of because they’ve been processing it for seven years. I don’t care if Stripe knows specifically, they specifically know just based on the relationship and how these things take place and everything that they’ve been doing for this business. And these guys, to their credit, weren’t obviously their concern. They kind of looked at it as more of a huge pain in the ass and what’s my potential loss going to look like? Weren’t angry, didn’t seem like guys that would come at you, but it’s going to, I mean, even right now mean they were talking, these are significant losses if they can’t get some of this because the amount of manpower to go and notify these people.
Christopher Dryden (18:20):
And so I asked them, what’s been your historical return rate? And they’re like, and I said, because you guys are aware of VAMP. And they said Yes. And I said, what is it? And they said, well, it’s kind of high. I don’t even want to say what it is on this, but it was kind of high. And I said, well, what’s attributable to that? And they said, we’re actually penalized because we freely returned money to people. Let me give you an example. Do you know what percentage of businesses fail in the first year or that just are abandoned that we have the authority to go bang a card for the following year, but nobody notified us. So once they see the charge and they notify us, we just give ’em back the money. So that artificially somewhat inflates our return rate. Another thing is, is that people order a service through us that is six months out, we don’t even need to do it.
Christopher Dryden (19:12):
We’re not going to hold their money for that period of time and then give ’em the service in five months. So we return a lot of people to a lot of people and say, Hey, this is premature. We’ll notify you about 30 days out from the deadline. We’ll gather any new information, just look for our email, but here’s your money back. And they said, that’s just a couple of easy examples, but that’s why our return rate has been what it’s been, but really our actual default rate on transactions is under 1%. It’s more like 0.7% because of how we’ve operated. We’ve never had to worry about this. And I said, look, I don’t know if this is because of VAMP, but it’s October 7th and I’m thinking that this is just a change in operations related to VAMP. What do you think about that?
Matthew Steinbrecher (20:06):
Yeah, I mean it’s not an uncommon story for them,
Christopher Dryden (20:09):
Not for Stripe. I get that. I agree. I think Stripe does shit all the time. That doesn’t make a lot of sense. I don’t even know if they’re looking to make money from what they’re doing. I think it’s just not really. They’re a technology company, they’re not a payments company. So sometimes I think that that’s an issue, but this seemed the timeliness of it seemed odd.
Matthew Steinbrecher (20:36):
Yeah, I mean it definitely could be related. The high return rate is for sure something that they’re looking at, especially with their open exposure, just their total book. But when they’re, I mean, everything’s done with, like you said, it’s a tech company, so they’re using an AI risk algorithm. And a lot of the time, because they have so many millions and millions of clients and merchant accounts, even the ones that have been existing for seven years versus the ones that have been existing for seven days, they kind of just put parameters in this algorithm to go through and just chop heads. And there’s not enough bodies on their risk team to genuinely look at case by case situations like this. And the only time that they will is if it’s very, very substantial volume.
Christopher Dryden (21:25):
But do you think that’s good faith, right? Because the thing about operating under a contract, you’ve got a duty to operate in good faith, and when you’re considering the livelihood of a business and then you’re considering that there’s a computer algorithm making decisions related to that, which is really black and white, has nothing to do with the gray in a contract of what actually constitutes good faith. I mean, that’s where I have an issue.
Matthew Steinbrecher (21:54):
Yeah, I agree. I mean, I think as we know, they do this stuff all the time. It’s not new. And I think they definitely are starting to purge the portfolio. They have been slowly for a while, but they’re definitely getting more and more aggressive, I think for two parts. One is that they’re very heavy in e-commerce, which is generally cyclically a big, big time in Q4. They’re also very heavy in SaaS, which now SaaS companies are also offering discounts and stuff within Q4 for the holidays. So general spend is going up right now, and I think their concern is that if they don’t chop some of these accounts that they perceive as high risk for whatever reason, like a refund rate of 40 or 50% or whatever it might be for this example where the justification is there, they just look at it black and white as you said, and I think it’s totally in bad faith.
Matthew Steinbrecher (22:49):
I don’t think they have an obligation to kind of fulfill their side of the contract, but as you said, their terms are online, you click to sign, and unless you kind of redline that contract heavily and can hold them to it, it’s very hard to see that moving target, particularly when you’ve been a client for seven years and the contract has wildly changed in that timeframe, I’m sure. And I think for them to do this in a responsible way, it makes sense for them to say, okay, we don’t want your account, but give them some sort of termination timeframe. Don’t stop ’em from submitting refunds because that’s bad for everyone. And obviously allow tokens to be migrated and say, Hey, you’ve got 30 days to get off the platform. We’re going to allow you to do refunds.
Christopher Dryden (23:40):
Charge me
Matthew Steinbrecher (23:41):
For it. In order for us to do that, you need to load up your Apartment X.
Christopher Dryden (23:44):
Yeah, charge me for it. I don’t have any problems with that. Go ahead. That’s the thing that is, it’s the disruption in a merchant’s business that they just look at the merchant as a cog and don’t see the real life impact of what they’re causing to individuals that own it, whatever employees, whatever stress they’re about to put on this business. There has to be some sort of balancing of equities associated with that. And I just think it really gets missed, especially when you deal with a tech company that they want to embed chips and people and just have ’em fucking be inhuman. So that’s my little diatribe.
Jeremy Stock (24:24):
Excellent. You guys, that was a great conversation, Matt. So much we’re so grateful for you joining us once again, everybody listening, please. You can find Matt Steinbrecher, Sound Commerce, at soundcommerce.com. We’ve got all the information down below. Thank you for this conversation today. We’re looking forward to the next one. Thank you for listening to this episode of the Payments Experts podcast, a podcast of Global Legal Law Firm. Visit us online today at globallegallawfirm.com. Matters discussed are all opinions and do not constitute legal advice. All events or likeness to real people and events is a coincidence.