The Green Sheet Online Edition
August 25, 2025 • 25:08:02
Legal ease:
It's a VAR's world: Legal issues arising from ISO-VAR deals
VARs are all the rage in acquiring. A VAR is a third-party company that bundles payment processing services (merchant accounts, payment gateways, POS systems) with its own software, hardware or services to sell a more complete solution to merchants.
For example, a veterinary clinic software planform service could become an agent of an ISO and resell payment services to veterinarians that are integrated with the software platform. In this example, the veterinarian software platform business becomes a VAR for the ISO.
VARs are different from classic, or traditional, agents because VARs often have pre-existing relationships with merchants. That pre-existing relationship complicates the ISO's expectation of owning the relationship with the merchant, at least as it relates to payments.
Once upon a time, merchants were found grouped around chambers of commerce or industry associations. Increasingly, merchants are clustered in portfolios that cling to one digital platform or another. These clusters of merchants make for ideal sales targets for ISOs—with help from the platform. Given the popularity of VAR relationships in the acquiring sales business, it's a good time to consider some of the legal issues that it presents for ISOs.
1. Why a VAR is not just another agent
Historically, agents have not had a business relationship with the merchants they solicit for an ISO. Indeed, the agent's primary connection to a merchant that they solicit has traditionally been the merchant services sold. VARs often come to the table with a pre-existing portfolio of their own customers.
These could be veterinarians forming a portfolio of clients of a VAR that is a veterinary clinic platform provider. The VAR's primary business is to supply its veterinary platform services to merchants. By integrating the veterinary platform services with payments, the VAR stands to increase the stickiness of its service, supply a better service and perhaps earn more revenue if the ISO shares residuals with the VAR.
The VAR is different from a typical agent because it must manage its own distinct business relationship with the merchant. The VAR will be concerned about how adding payments may impact that relationship. For example, if the payments integration does not go well, that might have a negative impact on the core business. ISOs should be attuned to this sensitivity of the VAR while still staking out their own ground around the payments relationship.
2. Data flows
When zeroing in on getting APIs to work together, ISOs might lose sight of the flow of data between cardholder, merchant, VAR and ISO. An ISO that takes responsibility for cardholder or merchant data should have a clear understanding of the exact flow of data so that it can then isolate possible risks and create the right legal framework for the data.
For example, if the VAR has collected merchant information such as company name, shareholder information, etc., to what extent will the ISO rely on that information or go back to the merchant for fresh disclosure. The flow of cardholder data, such as card numbers, is highly regulated under PCI-DSS requirements, and the ISO should make sure that any party (VAR, the ISO itself or a third party) has the necessary PCI certifications to hold cardholder data.
3. Competing rights in data
Most acquirers expect to own data related to their merchant processing relationships. The ISO should consider navigating two complicated sets of competing rights in a single set of data, such as the merchant's identity.
On the one hand, the VAR will want to own that information in support of the equity value of its core business serving the merchant (outside of payments). On the other hand, the ISO is duty-bound to acquire rights in that information for the acquirer or for itself.
ISOs and VARs often advocate for a winner-take-all outcome, where either the ISO or the VAR owns all merchant data, each seeking to put the other in a secondary position. This kind of posturing is often unhelpful because it deprives the VAR of their rightful interest in merchant information for its core business, or it deprives the ISO of its industry-mandated interest in merchant data.
Without some legal discussion of the competing rights in that data, ISOs and VARs are setting themselves up for disappointment when either one tries to prevent the other from using merchant or cardholder data. This competition in rights for the same information is sometimes solved by the parties agreeing in writing that they will each own a set of the data outright for their respective purposes.
4. Sensitive data
Unless they are Health Insurance Portability and Accountability Act (HIPAA)-compliant, ISOs want to keep as far away from medical data as possible. Some VARs deal in medical data. ISOs should be wary to not let highly confidential medical data infect (ha ha) their systems by imposing on the ISO HIPAA compliance obligations it is not ready to assume. A patient's X-ray payment, for example, should not easily tumble out of an ISO server.
5. Non-solicitation
The VAR says to the ISO: These are my customers and I'll solicit them for whatever I want, whenever I want.
The ISO says to the VAR: I am legally prohibited from re-soliciting any merchant or allowing the VAR to re-solicit any merchant boarded with my acquirer.
These are both reasonable positions, but they are fundamentally incompatible. The ISO needs to entertain a degree of flexibility in its approach to non-solicitation by the ISO, and the VAR needs to learn about the real-world commitments of ISOs to their processors to not move merchants away from them willy-nilly.
There is no one-size-fits-all solution. What is certain is that to overlook these two opposing realities is to pre-program the relationship for challenges down the road. When the VAR finds a better deal with another ISO, the outgoing ISO will want to rely on the non-solicitation obligations in the VAR agreement to protect its portfolio. The ISO and VAR both have an interest in thinking ahead to that possible scenario.
As with all new sales channels, there is always a winning formula to be found. VARs, however, present additional challenges while unlocking enormous potential both for ISOs and the VARs themselves. 
In publishing The Green Sheet, neither the author nor the publisher are engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law email: atlas@adamatlas.com, Tel. 514-842-0886.
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
