From GARS to VARS: An Overview of the New Standards

The payment industry’s rapid growth has ushered in new complexities, especially around risk management. In response to evolving threats, in October 2024, Visa retired its Global Acquirer Risk Standard (known as GARS) and replaced it with the Visa Acceptance Risk Standards (now known as VARS). While both sets of guidelines aim to maintain trust and security, the changes reflect how Visa is adapting to new market conditions, regulatory demands, and expanding digital transactions. This article explores why Visa implemented this transition, what the new standards entail, and how they will affect acquirers, merchants, and the broader payment ecosystem.

I will be writing bi-weekly articles to call out some of the changes.  Please comment below with questions or ways that the industry can meet these standards.

Why Visa Updated Its Risk Standards

Evolving Fraud and Security Challenges
With the rise of e-commerce and mobile payments, fraudsters have devised sophisticated tactics like account takeovers, phishing schemes, and identity theft. Visa recognized that the original Acquirer Risk Standard lacked the flexibility to address these quickly shifting threats. By modernizing its approach, Visa hopes to ensure a dynamic framework that protects transactions against an ever-changing fraud landscape.

A Broader Ecosystem
The old Acquirer Risk Standard was more narrowly focused on acquirers and their direct relationships with merchants. However, with emerging players like payment facilitators, marketplace platforms, and fintech startups, Visa recognized the need to expand its guidelines. The new standards address risks throughout the entire acceptance process, ensuring no gaps remain as the ecosystem grows.

Key Differences: Old vs. New

Shift in Focus
Under the old GARS, acquirers were primarily responsible for underwriting, onboarding, and monitoring merchants. The VARS broaden accountability across every link in the chain—acquirers, sub-merchants, and service providers. This wider lens underscores the importance of end-to-end oversight in today’s diverse payments landscape.

Stricter Underwriting Protocols
While the original guidelines emphasized Know Your Customer (KYC) checks, the new framework requires more robust processes when onboarding sub-merchants and third-party facilitators. Acquirers must ensure these partners follow consistent underwriting and monitoring rules, reducing vulnerabilities that arise when several intermediaries touch a transaction.

Enhanced Data Security
Data breaches harm brand reputations and potentially violate regulations. Though data security was mentioned in the older standard, the new Acceptance Risk Standards make it central. Visa highlights encryption, tokenization, and rapid incident response as essential elements. By emphasizing these security measures, Visa promotes a unified defense against breaches and fosters consumer confidence.

Dynamic Monitoring and Reporting
Traditionally, acquirers submitted monthly or quarterly reports to Visa on fraud levels and chargebacks. Under the new standards, reporting can become more frequent or even real-time if certain risk thresholds are exceeded.  In fact, the Standards call for Immediate.  This proactive stance helps acquirers and Visa address emerging fraud patterns before they escalate.

Impact on Acquirers and Merchants

Greater Accountability
Acquirers must now strengthen their controls over service providers and sub-merchants, ensuring consistent application of underwriting, monitoring, and compliance protocols. Merchants, in turn, must maintain transparent business practices and data handling. Failing to comply can trigger heightened scrutiny, potential fines, or termination of their Visa acceptance privileges.

Adapting to the New Standards

  1. Revise Contracts
    Ensure contracts with sub-merchants and payment facilitators reflect the expanded obligations and reference the updated Visa Acceptance Risk Standards.

  2. Upgrade Fraud Monitoring
    Adopt real-time analytics tools to identify irregular transaction patterns. Proactively preventing fraud can save considerable costs and maintain your reputation.

  3. Implement Strong Security
    Encryption, tokenization, and multi-factor authentication are key recommendations. They not only fulfill Visa’s expectations but also reduce the risks of costly data breaches.

  4. Educate Teams
    All relevant departments—compliance, IT, merchant support, and underwriting—should receive regular training to stay updated on roles, responsibilities, and best practices.

Looking Ahead – RPY Innovations can help.  

This will be a lot to unpack.  Visa’s transition from the GARS to the VARS is more than a name change. It reflects how risk management must evolve alongside innovations in digital commerce. By mandating broader oversight, prioritizing real-time data security, and emphasizing collaboration among all stakeholders, Visa aims to create a more resilient payment environment.

For acquirers and merchants, these updated standards may require new systems and investments in technology. Yet they also present an opportunity to differentiate through better fraud prevention, stronger data protection, and increased consumer trust. In an era when a single security breach can unravel a brand’s credibility, adopting these best practices is not just about avoiding penalties; it’s a strategic move to flourish in an increasingly digital world. And RPY can help. We can review your current policies and procedures, retiring the old and revising the new.

Ultimately, embracing the VARS positions businesses to offer secure and seamless transactions. As the payment ecosystem grows, those who align swiftly and effectively with new guidelines will be better equipped to handle emerging threats, regulatory demands, and consumer expectations, ensuring a future-ready approach to payment acceptance.

As noted above, I will be writing bi-weekly articles to call out some of the changes.  Please comment below with questions or ways that the industry can meet these standards.
