Visa VIRP, Mastercard AN 5196 & VAMP Compliance Guide (2026)

Required Legal Pages

Every adult site needs these pages footer-linked and accessible without login or payment. Missing or paywalled pages are primary audit findings under both VIRP and AN 5196.

• Terms of Service — 18+ warranty, termination, governing law, refund/cancel link, unchecked acceptance checkbox on signup [Critical]
• Privacy Policy — Data controller, categories collected, third-party sharing (including processor), cookies, user rights, GDPR/CCPA language, no collection from minors [Critical]
• 2257 Compliance Statement — Heading "18 U.S.C. § 2257 Record-Keeping Requirements Compliance Statement"; all performers ≥18; Custodian of Records by name; physical street address (not P.O. Box); reference to 28 C.F.R. Part 75 [Critical]
• DMCA Policy — Designated Agent name + address + email + phone; "17 U.S.C. § 512"; counter-notification procedure; repeat-infringer termination [High]
• Complaints & Content Removal — "7 business days" (Mastercard) AND "48 hours" (TAKE IT DOWN Act for NCII) AND "immediate" (CSAM/NCMEC); reachable without login or cookies [Critical]
• Age Verification / 18+ Statement — "You must be 18 or older"; named AV vendor (Yoti, Jumio, Incode, Persona, Veriff, LA Wallet); state-by-state compliance notice [Critical]
• UGC Consent Policy — Written agreement requirement, government-issued ID, proof of consent for every depicted person, 48-hour records producibility [Critical for UGC platforms]
• Anti-Trafficking / FOSTA-SESTA Policy — References to 18 U.S.C. §§ 1591, 2421A; NCMEC CyberTipline [High]
• Refund / Cancellation Policy — One-click self-service cancel reachable in ≤2 clicks from homepage [Critical]
• Acceptable Use Policy — Must explicitly name all prohibited content categories [High]
• Customer / Billing Support — Phone number as text (not image), processor billing-support link, full merchant legal name and street address in footer [Critical]

Prohibited Processors — Do Not Use for Adult Content

These processors explicitly prohibit adult content and will freeze funds on detection. MCC miscoding to use them is a VIRP violation carrying a $25,000/merchant fine:

• Stripe — Prohibited per Stripe AUP §2
• PayPal, Venmo, Braintree — All PayPal properties prohibit adult content
• Square — Prohibited per Square AUP
• Cash App — Prohibited
• Authorize.Net — Prohibited per merchant agreement

Legitimate adult-friendly processors: CCBill, Epoch, Segpay, Verotel, RocketGate, NETbilling, Vendo, Paxum, Zombaio. See the payment processor directory for the full list.

Pre-Launch Compliance Checklist

Completing this does not guarantee underwriting approval — adult merchant approval is always discretionary. Missing any item guarantees rejection or later termination.

1. Registered with an adult-friendly processor (CCBill, Segpay, Epoch, Verotel, RocketGate, etc.)
2. Merchant registered under correct MCC (5967, 7273) — no miscoding
3. 2257 Compliance Statement with named Custodian + physical street address (not P.O. Box)
4. Consumer-facing age verification using a named third-party vendor
5. Performer KYC: government-issued photo ID verified via named tool (Veriff, Jumio, etc.)
6. Written consent on file for every depicted person, producible within 48 hours
7. Pre-publication content review process documented (human + automated tools)
8. Creator/uploader banned-identity registry in place
9. Billing descriptor matches brand/DBA, ≤22 characters
10. Subscription consent checkbox unchecked by default
11. 7-day pre-charge trial reminder configured with processor
12. One-click cancellation reachable in ≤2 clicks from homepage
13. Complaints/takedown page accessible without login, states 7-business-day and 48-hour (NCII) timelines
14. Monthly acquirer compliance reporting process configured (nil report required even with no incidents)
15. Anti-trafficking policy page with 18 U.S.C. §§ 1591, 2421A references
16. State AV compliance documented per jurisdiction (geoblocking or named AV tool)
17. Live stream kill-switch in place if offering live content
18. NCMEC CyberTipline reporting process for CSAM
19. AI-generated adult UGC only accepted with creator-verification and pre-publication review (Mastercard SPME Feb 2026)

Sources: Visa Ecosystem Risk Programs Guide (Oct 2024); Mastercard SPME Manual §9.4.1 (Feb 3, 2026); Visa Business News AI13408 (Apr 1, 2024); 18 U.S.C. §§ 2257/2257A; Free Speech Coalition v. Paxton, 606 U.S. 461 (June 27, 2025).

The Four Simultaneous Compliance Regimes (2026)

A US adult content website in 2026 must comply with all four of these simultaneously. Passing one does not satisfy another.

• Visa VIRP (Visa Integrity Risk Program) — Active since May 1, 2023. Scrutinizes what you sell. MCC 5967 and MCC 7273 are Tier 1 High Integrity Risk for all US card-absent transactions. Registration fee: $950/merchant. Per-transaction fee: $0.10 + 10 bps.
• Mastercard AN 5196 / SPME §9.4.1 — Effective October 15, 2021; codified in Mastercard SPME Manual §9.4.1 (current edition February 3, 2026, which adds AI-generated synthetic adult imagery). Scrutinizes content controls.
• Visa VAMP (Visa Acquirer Monitoring Program) — Effective April 1, 2025; fines since October 1, 2025. Scrutinizes dispute and fraud ratios. No warning tier — merchants go directly to "Excessive" at 1.5%. Fine: $8/transaction over threshold.
• State age-verification laws — Approximately 24 states as of April 2026, upheld by Free Speech Coalition v. Paxton, 606 U.S. 461 (June 27, 2025). VIRP requires per-jurisdiction documentation of your compliance method.

Bottom line: A weak billing descriptor or hard-to-cancel subscription causes VAMP ratio problems faster than content violations do. The highest-yield compliance check is whether your site names specific third-party vendors for age verification, KYC, and dispute prevention — vagueness is the top audit failure mode.

US Federal Law Intersections

18 U.S.C. §§ 2257 / 2257A

Primary and secondary producers must verify every performer's age by government-issued photo ID, record every alias, retain records for as long as content is publicly available plus five years after cessation of production, and post a "18 U.S.C. § 2257 Record-Keeping Requirements Compliance Statement" accessible without login. The Custodian of Records must be identified by name, title, and physical street address — not a P.O. Box. A P.O. Box is the first thing a VIRP or BRAM auditor flags. Penalties: up to five years first offense, ten years repeat.

TAKE IT DOWN Act (2025)

FTC-enforced. Requires removal of non-consensual intimate imagery (NCII) within 48 hours of a verified request. This is stricter than Mastercard's 7-business-day standard and must be reflected as the floor in your complaints policy — not the ceiling. North Carolina HB 805 (effective December 1, 2025) sets a 72-hour NCII takedown with $10,000/day per image fines, retroactive.

FOSTA-SESTA (2018)

Amended 47 U.S.C. § 230, carving out sex-trafficking claims. The ongoing Fleites v. MindGeek litigation (C.D. Cal., 2:21-cv-04920; April 2025 partial denial of motion to dismiss) keeps acquirer FOSTA exposure live. Every adult acquirer factors this into underwriting decisions.

State age-verification laws — post-Paxton landscape

Free Speech Coalition v. Paxton, 606 U.S. 461 (June 27, 2025, 6-3) upheld Texas HB 1181 under intermediate scrutiny — the first time the Court allowed an adult-content AV mandate at that standard of review. Approximately 24 states had enacted such laws by April 2026, including Louisiana, Utah, Texas, Virginia, Arkansas, North Carolina, Florida, Georgia, and others.

VIRP now requires merchants to document which states' AV laws they comply with and by what method. Geoblocking and anonymous-verification tools (e.g., Louisiana's LA Wallet) are both acceptable — the key is documenting your per-jurisdiction approach. Aylo reported an 80% traffic drop in Louisiana when it implemented ID-based verification instead of geoblocking.

Visa VAMP — Acquirer Monitoring Program

Effective April 1, 2025. Consolidates VDMP, VFMP, and three other programs. Enforcement fines began October 1, 2025. Runs in parallel with VIRP — VIRP scrutinizes what you sell; VAMP scrutinizes your ratios.

How the ratio is calculated

VAMP Ratio = (TC40 fraud reports + TC15 disputes) ÷ settled CNP transactions (TC05)

Minimum eligibility floor: 1,500 applicable events/month. There is no warning tier — merchants go directly to "Excessive" at 1.5%. Fine: $8 per fraud or dispute transaction above threshold since October 1, 2025.

Important: Acquirers typically enforce internal caps at 0.5–1.0%, well below the network threshold. Your effective limit is not 1.5%.

How to reduce your VAMP ratio

• Billing descriptor must match your brand/DBA — mismatch is the primary driver of Mastercard 4863 "does not recognize" disputes
• One-click cancellation reachable in ≤2 clicks from homepage — Visa 13.1/13.2 and Mastercard 4853 (cancelled recurring) are driven by hard-to-cancel subscriptions
• Subscription consent checkbox must be unchecked by default — pre-checked is a Visa April 2020 violation
• Send 7-day pre-charge trial reminder (Visa requirement)
• Enroll in Rapid Dispute Resolution, Verifi CDRN, or use Compelling Evidence 3.0 — disputes resolved in the same month are excluded from the VAMP calculation
• Enable 3-D Secure — Mastercard EFM program triggers at <3% 3DS adoption above 1,000 CNP transactions with >$50K fraud

Common adult chargeback codes

Visa: 10.4 (card-absent fraud), 13.1/13.2 (cancelled recurring), 13.5 (misrepresentation — free trial models), 13.7 (cancelled services)

Mastercard: 4837 (no authorization), 4853 (cancelled recurring), 4863 (does not recognize — driven by opaque descriptors)

Visa VIRP — Requirements and Financial Penalties

VIRP replaced the legacy Global Brand Protection Program on May 1, 2023 (Visa Business News AI12842). The fee structure was updated April 1, 2024 (AI13408).

What VIRP requires

• Documented performer age verification before content is posted (2257-aligned)
• Consumer-side age verification using a named third-party vendor: Yoti, Jumio, Incode, Veriff, Persona, or LA Wallet — generic "we verify age" fails the audit
• Pre-publication UGC moderation using both human review and automated detection — human-only is explicitly insufficient
• Written consent on file for every depicted person with an appeals removal process
• Complaint resolution within seven business days; CSAM removal immediate
• Monthly reports to your acquirer — nil reports required even with no incidents
• Banned-uploader identity registry to prevent re-registration
• Per-jurisdiction documentation of state AV law compliance method
• Marketing/search terms must not suggest CSAM or non-consensual content

Fees and penalties

Terminated merchants are placed on MATCH under Reason Code 12 (Violation of Visa Rules) for five years, effectively ending mainstream processing access.