What VIRP Is and Why It Now Sets the Compliance Ceiling
Visa's Integrity Risk Program is the framework Visa uses to manage acquirer risk on merchants processing adult content. Originally narrow, VIRP has expanded substantially over the past three years and now imposes operational requirements that go well beyond federal 18 U.S.C. § 2257.
Federal 2257 sets the floor for adult content compliance: ID records, cross-reference index, Custodian of Records, retention. VIRP sets the ceiling: signed model releases, an unauthenticated removal portal, defined takedown SLAs, monthly compliance reporting, and (above certain merchant volume) annual third-party attestation.
The key thing to understand in 2026: your processor will drop you for VIRP non-compliance long before the DOJ inspects you for 2257 non-compliance. The binding pressure on adult content businesses comes from the card networks now, not federal regulators.
What VIRP Requires
VIRP requirements apply to every merchant in Visa's adult content tier, including individual creators selling direct, clip-site sellers, studios, and platforms. Specific requirements:
1. Documented Performer Consent
Every performer in every piece of content monetized through Visa rails must have a signed, dated model release explicitly consenting to the specific content and its distribution. The release must:
- Identify the performer by legal name
- Identify the specific content (scene, clip, set, photo session)
- Document the date of production
- Capture the performer's signature with timestamp
- Be retainable as a PDF for audit
The release is separate from the 2257 ID record. ID verifies age; the release documents consent.
2. Unauthenticated Removal Portal
A public-facing intake form where anyone depicted in your content can request removal without creating an account. The portal must:
- Be reachable from every page where content is published (or via your 2257 statement)
- Accept submissions without account creation, login, or payment
- Capture the requester's claim, the content URL, and a verification method
- Route requests to a designated removal-handling workflow
Easy2257 hosts a VIRP-compliant portal at /report/removal — every paid plan covers this for the producer's content.
3. Defined Takedown SLAs
VIRP imposes specific hour-level SLAs for takedown response. The current baselines:
| Request type | SLA |
|---|---|
| Non-consensual intimate imagery (NCII) | 48 hours (also TAKE IT DOWN Act) |
| State-level NCII statute reports | 72 hours |
| AN 5196 / VIRP general removal | 7 business days |
| Copyright (DMCA) | Per DMCA statute |
| CSAM (any age verification gap) | Immediate, with NCMEC report |
Failure to meet the SLA triggers escalation to the acquiring bank and, beyond that, to Visa directly.
4. Monthly Compliance Reporting
Merchants must produce a monthly compliance report covering:
- Total removal requests received
- Resolution times by category
- SLA breaches with reasons
- Status of the Custodian of Records designation
- Count of new performers verified during the month
- Affirmation of 2257 record retention
The report goes to the acquiring bank. Easy2257 generates this automatically on the 2nd of each month for every active producer.
5. Annual Third-Party Attestation (Higher-Volume Merchants)
Merchants above defined annual processing thresholds must obtain an annual third-party attestation from a qualified compliance auditor confirming program adherence. Below the threshold, the monthly report is sufficient.
Who Is in Scope
Anyone processing Visa payments for adult content is in scope. That includes:
- Solo creators selling direct (your own site, custom content invoiced through processors)
- Studios with merchant accounts
- Platforms (OnlyFans, Fansly, ManyVids, Clips4Sale, etc.) at the platform level
- Cam sites and live-content services
- Subscription content businesses
If you sell only through a platform that handles its own VIRP compliance (e.g., OnlyFans takes payment, you receive a payout), the platform carries the VIRP obligation for those transactions. Any direct sale outside the platform — your own checkout, tip jars on your own site, custom-content invoicing — moves the obligation back to you personally.
VIRP vs. 2257 vs. AN 5196
These three frameworks overlap but are distinct:
| Federal 2257 | Mastercard AN 5196 | Visa VIRP | |
|---|---|---|---|
| Enforcement | DOJ | Mastercard via acquirer | Visa via acquirer |
| Penalty | Federal criminal (up to 10 years) | Loss of Mastercard processing | Loss of Visa processing |
| ID records | Required | Required | Required |
| Custodian of Records | Required | Required | Required |
| Model releases | Not explicit | Required | Required |
| Removal portal | Not explicit | Required | Required (unauthenticated) |
| Monthly report | Not required | Required | Required |
| SLA enforcement | Not specified | Defined | Defined (48h NCII) |
In practice, complying with VIRP also satisfies AN 5196 and goes well beyond 2257.
How Easy2257 Handles VIRP
- Signed model releases per performer per scene, PDF-archived
- Unauthenticated removal portal at
/report/removal— VIRP-compliant intake, no login required - SLA monitoring cron every 15 minutes — automatic escalation on approaching breach
- 48-hour NCII SLA enforced at the software level with automatic NCMEC routing for CSAM
- Monthly acquirer compliance report auto-generated on the 2nd, PDF + JSON, SHA-256 hashed, emailed to producer
- Annual compliance archive ZIP with every record, every release, every report — ready to hand to a third-party attestation auditor
Solo Creator plan: $9.95/month or $107.40/year.
See pricing · How it works · Get started free
Related: Complete 2257 compliance guide (2026) · Mastercard AN 5196 and Visa VIRP · TAKE IT DOWN Act compliance guide
Informational only — not legal advice.