Visa Inc.’s planned $2 billion cash purchase of CyberSource Corp., a payment-services and fraud-management provider, suggests the card company is serious about mobile payments–and the risks that the mobile channel may attract.
Though CyberSource’s worldwide business extends well beyond mobile, Visa specifically called out that emerging channel as a distinct one from e-commerce when it announced the transaction.
“We need to have solutions and tools in the marketplace that will help us address each and every channel, ... [and] mobile is clearly a growing and important channel for us,” says Gerry Sweeney, Visa head of global e-commerce and authentication.
Indeed, “as e-commerce increasingly migrates to mobile devices, we believe the combination of Visa and CyberSource technology and services will position Visa to lead in mobile e-commerce,” Joseph W. Saunders, Visa chairman and chief executive, said in a press release.
Visa and CyberSource have worked together since 1999, and the landscape for payments and risk has changed a lot in that time. In a signal that the Web had gone mainstream, Visa in 2006 changed the way it categorizes merchants under the Payment Card Industry Data Security Standard. Under its new definitions, being an online merchant no longer was in and of itself considered a major risk factor.
But times change, and channels once considered secure can again become risky as fraudsters adapt.
Visa’s action in 2006 “was very reflective of the 2006 environment,” Sweeney says. “While we are concerned about fraud in every channel, in 2006 we were seeing much more of a trend around fraudsters attacking the physical card-present merchants because of the value of the track data.”
That changed when merchants began to fight back, he said.
“Over the course of the last four to five years, we have seen tremendous progress in physical merchants actually shoring up their systems,” Sweeney says. “When you shore up one part of the payment chain, the fraud will migrate to another part.”
Despite this trend, mobile is not inherently risky, Sweeney says. “I would not characterize mobile as less secure today,” but Visa’s attention to the channel reflects its desire to stay on top of fraud trends, he says.
Though mobile banking in the U.S. is still in its infancy, mobile devices already are coming under attack from hackers who have figured out how to harvest the increasingly sensitive information stored in smartphones. And as the financial industry pushes to turn handsets into mobile wallets, the channel will attract the attention of more determined fraudsters, and the defenses in place today may not be enough, observers say.
“Nobody’s figured out how to solve mobile fraud yet because there’s not a lot of it,” says Avivah Litan, a vice president and analyst at the Stamford, Conn.-based market research company Gartner Inc.
Visa’s planned acquisition is a signal it is aware of its own shortcomings and is working to address them, she says.
“I don’t think they’re going to make a ton of money in” owning CyberSource, Litan says. “It’s mainly to get visibility into e-commerce transactions because of the high risk levels. Right now, they don’t have any visibility like they do with point of sale.”
And perpetuating the ebb and flow of fraud across channels, Visa’s existing visibility into payment activity at the physical point of sale may play a part in driving it back to e-commerce and, by extension, the mobile Web.
In 2006, when Visa’s rules around merchant categorization demonstrated its knowledge that the Internet was not an inherently less secure channel, fraudsters were attacking physical cards because they now considered card-present transactions to be less secure.
One of the main frustrations for fraudsters today is the EMV chip-and-PIN card. In countries that adopted the antifraud standard, fraud began to move away from cards and back online, Litan says. Though “the crooks don’t care about e-commerce data as much as they do about plastic, ... e-commerce fraud is going up, that’s a trend,” she says.
Visa expects the acquisition to close in the third quarter of the calendar year (Visa’s fiscal fourth quarter). Michael Walsh, CyberSource president and CEO, will continue to head the company as a Visa subsidiary, whereas William S. McKiernan, CyberSource’s executive chairman and founder, will become an executive advisor at Visa to facilitate the companies’ integration.
Besides CyberSource’s prowess for online and mobile fraud management, Visa praised the company’s deep merchant relationships and potential for global expansion, particularly in Asia and Latin America.
“The transaction is about long-term growth,” Saunders said during a conference call. “Visa must touch as much of each transaction as possible in order to enable a long-term differentiated value proposition. This acquisition fulfills this aspiration head-on.”
Saunders also characterized the acquisition as a defensive move against alternative payment providers such as PayPal Inc., a unit of eBay Inc. and a payment company with global reach.
“We’re paying attention to what PayPal as well as other companies are getting into [in] the e-commerce space,” Saunders said. “And we are obviously concerned that that would have an effect on our market share over a moderate or longer-term period of time.”
The CyberSource purchase is “somewhat in reaction to” the growing influence of PayPal and other alternative payment providers, but “this also happens to be consistent with what we think our long-term strategies should be to grow Visa,” he said.