Visa's acquisition of CyberSource: Potential for growth but not quite a home run

Since going public, Visa's expansion plans had to be well calibrated to not upset a lucrative business while trying to take advantage of upcoming trends.  Visa's M&A considerations ere driven by the following factors:

Ecommerce segment is more lucrative: Prima facie it makes sense.  The interchange rates charged for  credit card payments is around 1.8%.  However, ecommerce merchants pay around 2.5%+$0.30.  This provides payment gateway providers, such as CyberSource revenues of around 70 bps.  This kind of revenue is huge, considering that the financial risk as a payment gateway service provider is minimal.  The percentage revenue to a payment gateway provider in only second to that of an issuer.

Mobile Payments are coming:  They will change the dynamics of merchant acquiring, not in as far as displacing incumbents, but as they are expected to take a significant share of future growth.  This holds true for both developed and emerging economies.

Brick-n-Mortar still rules: While ecommerce and mobile payments have folks gushing, transaction volumes from these sources account for less than 20%.  The bulk of the revenues come from brick-n-mortar stores which Visa wouldn't want to impact.

Visa's decision to acquire CyberSource met these criteria.  Having said that, it is not clear how much of the upside from ecommerce CyberSource can deliver to Visa.  It is interesting to note that CyberSource's revenue per dollar processed is only 22 bps (Revenues of $265M from TPV of $120.4B).  This is pretty small compared to expectations of over 50 bps.  However, CyberSource's TPV per merchant is also a whopping $400K/merchant/year ($120.4B from 300K merchants).  The high number is consistent with CyberSource's clientele of both high-volume retailers and SMB online merchants.  Compare this against PayPal's TPV of over $10,000 per merchant per year ($20.1B/quarter from 8M merchants).

Consequently, the opportunity then for Visa is to increase both revenues per transaction, and revenues per dollar processed.  Additionally, the mobile payments world will be dominated by lower value transactions and smaller/micro merchants which requires the payments service provider to have low acquisition, fixed and variable costs.  Both Visa and CyberSource are both used to medium and large retailers.  To effectively compete and take advantage of mobile payments, the new entity has to fill the above holes, either thru' internal capability or thru' yet another acquisition.

While the acquisition looks like a base hit, it will require a lot of chutzpah from Visa's management to convert it into a triple, which Visa really needs if it is going to be something more than a payment scheme (which its shareholders demand) and to take on PayPal in any meaningful manner.

Online Fraud Double Whammy

I am sure that you have heard about the startling discovery that a malware (Sinowal Trojan) has been harvesting financial data, including credit card numbers for nearly three years. The cache of stolen data exceeds half million records reports RSA FraudAction Research Lab.

On a related note, The New York Times reports

Microsoft plans to report on Monday that the security of its Windows operating system has significantly improved, while at the same time the threat of computer viruses, frauds and other online scourges has become much more serious.

News like the above are bad news for the online commerce industry. Especially, given the current mood of the consumer and economic environment. Improvements in technology can be leveraged to minimize the ability of fraudsters to profit from data collected by crimeware/malware.

A variety of participants, including CyberSource, Iovation, 41st Parameter have been working on combating this kind of fraud. However, what is becoming clear is that the fraudsters are a lot savvier and that we need to approach this problem very differently.

Call to action: Support the below technologies (some of which are already deployed for offline transactions) for online commerce transactions:

1. Support one-time credit card number, such as those offered by MasterCard in association with Orbiscom
2. Support use of dynamic CVx (CVV / CVC...)
3. Support multi-factor authentication, including utilizing CVM (Card holder verification) methods that are part of the current MasterCard and Visa specifications
   

The above advances will make the stolen information unusable. As credit card issue cycle is on average three years, the higher security cards will make it to the hands of the consumer over the course of the normal card replacement cycle. The cost differential of the higher security card will be made up by issuers if the consumer makes one additional transaction because of the higher security card.

Would love to hear about innovations that you are working on or are aware of that would remove the profitability from stolen data.