From GARS to VARS: Visa’s new Regulatory Framework

The payments ecosystem has seen remarkable growth over recent years, driving the growth of new players, technology, and risks in an increasingly complex landscape.  Throughout this growth, effective risk management frameworks are paramount. Visa’s recent move from the Global Acquirer Risk Standards (GARS) to the Visa Acceptance Risk Standards (VARS) signals a continued focus on addressing contemporary risks and ensuring the resilience of the payments system. 

With changes that impact all parties from merchant to acquirer, VARS represents a notable evolution in approach from Visa. 

The changes from GARS to VARS will be explored in three key categories:  

• Dispute & Fraud Monitoring Programs

• Third Party Agent classifications

• Acquirer compliance

Dispute & Fraud Monitoring Programs

Two current monitoring programs - VDMP (Visa Dispute Monitoring Program) and VFMP (Visa Fraud Monitoring Program) will be merged into the Visa Acquirer Monitoring Program (VAMP) effective March 31, 2025. Total disputes (regardless of fraud classification) will be evaluated against total transactions, with a decreased threshold taking effect Jan 1, 2026. 

Enumeration attack thresholds are a new criteria for the placement of a merchant or acquirer under VAMP, in recognition of the increasing fraud in enumeration/BIN attacks. 

Third-Party Agent Classifications

VARS is explicit: Payment Facilitators, Digital Wallet Operators, Marketplaces, and ISOs all fall within the Third Party Agent classification, and VARS is primarily focused on the obligations of the acquirer itself. This is in contrast to GARS where it is not uncommon to see the obligations of a PayFac or Marketplace called out alongside those of an acquirer throughout the document.  

At RPY we see this change as an alignment to the growing complexity of payment models, and a more explicit definition of the acquirer accountability. 

Three years ago the Oct 2021 rule changes represented the most significant change to Payment Facilitation guidance in 10 years. The evolution and adoption of Payment Facilitation within the acquiring ecosystem drove increased attention and regulation on this model, with the expanded obligations and capabilities granted to PayFac’s a key component of the 2021 updates.

Meanwhile, the rapid technology growth seen within the Third Party Agent space has blurred the lines between referral, ISO, and Payment Facilitation models. While a PayFac is a registered entity that requires acquirer sponsorship and registration with the card brands, models commonly referred to as “Payfac-lite” or “Payfac in a box” allow non-PayFac entities to gain similar levels of control and perceived ownership of the merchant relationship. This drives the need for explicit Third Party Agent (TPA) management regardless of their specific entity type, and the need for clear acquirer accountability.

Does this mean Payment Facilitators are no longer subject to GARS/VARS oversight?

It may be tempting, on first read of VARS, to interpret a lessening of Visa controls on Payment Facilitators.  It is important to remember two key things:

• The sponsoring acquirer has always had the obligation to monitor all Third Party Agents, including Payment Facilitators;

• The absence of Payment Facilitator references in an acquirer-like fashion within VARS suggests this model is now commonplace and does not require additional call outs to understand obligations.

Payment Facilitators should be used to annual (or more frequent) acquirer audits which are a culmination of BSA/AML compliance, acquirer obligations as defined by card brands, and acquirer-specific requirements of their TPAs.  While specific reporting or review criteria may change with the move to VARS, compliance at a high level will likely remain the same for ISO’s, PayFacs, and Marketplaces. 

Acquirer Compliance

VARS has 2 thematic changes for acquirer compliance:

• Introduction of a new acquirer archetype model to create a modular audit approach,

• A linguistic shift towards acceptance criteria in place of specific methodology.

Acquirer archetypes acknowledge the many hats an acquirer can wear, and the need for tailored audit controls. Built on the combination of Client Type, Relationship Type and Transaction Types supported by the acquirer, VARS introduces 5 archetypes:

1. Acquirer (AACQ) - applies to acquirers regardless of functionality supported;

2. Acquirers sponsoring TPAs (ATPA),

3. Acquirers processing for High Integrity Risk Transaction Merchants (AHIR),

4. Acquirers processing for ATMs (AATM),

5. Money Movement Entities originating Visa Direct transactions (AVDC).

This segmentation allows for a targeted risk management strategy that reflects the nuances of each business model, providing greater clarity and precision within the compliance requirements.

Linguistically, VARS more closely aligns with other regulatory bodies such as PCI SSC in focusing on the required outcome, while not necessarily defining the steps to get there. This trend is commonly seen when an industry is as fast-paced as payments and gives a regulatory body the ability to decouple from the current processes used by other parties. Saying all sanctions screening obligations must be met, for example, is more future-proof than giving an itemized list of steps to complete sanction screenings using current tools. This change will be a challenge for some organizations that rely on GARS-specific values for underwriting or transaction monitoring, but it also closes loopholes utilized by organizations that focus on meeting the letter of the rules rather than the intent.

Conclusion

As VARS is effective immediately acquirers must review the new archetypes to identify their obligations; modifying their controls, policies, and procedures as needed.  Any acquirer sponsoring third-party agents must review their audits and controls to ensure all TPAs are acting in alignment with the acquirer’s obligation.  We at RPY encourage all acquirers to use the VARS framework as the foundation of a strong TPA program.

At RPY Innovations, we believe the introduction of VARS marks a shift in how acquirers, third-party agents, and merchants must approach risk in the payments ecosystem. The holistic approach to fraud/dispute monitoring, TPA classifications, and modular acquirer framework within VARS reflects the complexity and emergent risks faced today.  Acquirers must adapt quickly to these new standards, ensuring their controls, audits, and oversight align with the updated framework.  Whether you are an acquirer, ISO, or PayFac, contact us today for a compliance review against VARS standards to make sure you are set up for ongoing success.