n
by Steve Mott
While most observers have viewed Visa’s recent string of acquisitions as a mere broadening of its conventional card franchise, a long-time analyst of the payments business sees a clever play for dominance of the digital future.
Just when the U.S. payments industry appears poised to enter a period of unprecedented innovation and opened-ended competition, the industry’s most successful and powerful player is racing to dominate digital transacting in the future, and with it, payments at the point of sale. A cascade of strategic moves by Visa Inc. over the past year reveals a simple, but brilliant and sweeping, plan to control the fate of the industry before it ever really opens up.
The story of how Visa plans to dominate digital payments begins with the company’s initial public offering in 2008, and builds with a string of acquisitions and investments that followed.
To most observers, Visa has appeared to be merely broadening its business model. But in fact, just about everything it has done in the intervening three years has been done to perpetuate the status quo until it’s ready to pull the trigger on its ultimate strategy: taking payments and all related transactions fully into the cloud.
Breathtaking Potential
By going public, Visa was compelled to reveal that is has been spending many billions of dollars keeping big issuers and big merchants from getting too restive by rebating their fees. In its 2010 10-K, Visa reports its dependence on rebates as a business risk:
“The intense pressure we face on client pricing may materially and adversely affect our revenues and profits.
We offer incentives to clients in order to increase payments volume, enter new market segments and expand our card base. These include up-front cash payments, fee discounts, credits, performance-based incentives, marketing support payments and other support. Over the past several years, we have increased the use of incentives such as up-front cash payments and fee discounts in many countries, including the United States. In order to stay competitive, we may have to continue to increase our use of incentives.”
Such volume and early contract-renewal incentives totaled $1.5 billion in 2010—up from $1.1 billion in 2008. That’s a 16% reduction from what would have been $9.5 billion in revenue, netting just over $8 billion. This mechanism is a key to keeping the Visa machine humming while its technology strategy has a chance to unfold.
For however vehemently Visa and its member banks defend interchange in principle and level, the reality is the bigger players benefit materially from sticking with the leader—while smaller banks and merchants continue to pay full freight and sustain the system.
But that gambit just buys time for Visa’s comprehensive remote transacting strategy to fall into place. That strategy took on vivid relief in July 2010 with the acquisition of CyberSource Corp., the leading Internet gateway. Nominally, that asset provides Visa with a number of ostensible benefits, but few observers viewed these as justifying the $2 billion price tag:
– A core base of online customers in dozens of countries;
– A wealth of online risk-management experience and plethora of authentication tools;
– A mechanism that allocates processing interchangeably among the biggest processors (giving Visa added leverage over them and insights into how they work);
– The ability to ease into the acquiring business directly; and
– A ready set of global interconnectivity that can compete with Payment Service Providers (PSPs) around the globe.
Visa’s bet on CyberSource became much more explicable when it bought PlaySpan, an all-encompassing digital media and entertainment platform.
Visa acquired the digital games and media monetization platform provider for $190 million in the second quarter of this year. In the official announcement’s fine print on Feb. 9, 2011, were several strategic nuggets that revealed how Visa plans to dominate the rapidly emerging marketplace for digital content:
“PlaySpan is the trusted partner in global monetization solutions for leading publishers and developers of digital media, online games, mobile apps, and social networks. Its patent-pending in-game digital goods commerce and Monetization-as-a-Service (MaaS)™ platform enables publishers and developers to generate new revenues, acquire new users, and extend the loyalty of existing users.
Within the eCommerce category, PlaySpan is a leader in the relatively new segment of digital goods, which generated an estimated $25 billion in consumer spending globally in 2010, a figure expected to reach $280 billion by 2014.
It provides a global payments solution through its UltimatePay product, which enables users to make safe, convenient and friendly in-app purchases using over 85 global payment methods in 180 countries.”
The significance of Visa’s acquisition of this asset was all but lost in the industry’s histrionics over the debit card rate cuts, pro-consumer regulation of financial services, and other hot topics.
On their own, the reach and merchant value-add (and potential patent protection) of the PlaySpan asset are clearly considerable. When layered into CyberSource’s doorway to conventional payment processing and risk management, the potential is quite breathtaking: A customizable transaction suite to meet the specific needs of digital product-and-services providers all over the globe—and a digital platform that lays the foundation for transacting virtually, in the cloud.
The Gatekeeper
What Visa realized early on is that digital is digital, and the expected fusion of e-commerce and mobile commerce means that transaction provision, automation, security, and marketing tie-ins ultimately work in all venues served virtually. Transacting digitally enables an escape from 20th-century silos between banking and purchases. And digital is inherently global, as is Visa.
To expand beyond conventional card payments, in mid-2009, Visa made a minority investment in Monitise PLC, a U.K.-based mobile-banking applications and platform company with broad international reach. Ostensibly, this partnership enabled Visa to offer its member banks around the world a best-of-breed mobile-banking platform to get them in the mobile game.
But Monitise has steadily moved from banking applications to mobile payments and commerce. In early June, for example, it announced a joint venture with Standard Chartered Bank in India to provide users with the ability to “[v]iew bank and credit card accounts, [t]ransfer funds to other banks in India, [p]ay utility bills – offering over 100 billers across the country, [l]ocate the nearest SCB branch/ATM using an ATM Locator, [f]ind and pay–[c]hoose a cinema, locate seats and purchase their tickets, as well as find, book and pay for airline tickets….”
Last month, Visa doubled down on this global, mobile outreach for a wide array of financial-services transactions by buying Fundamo. Visa paid $110 million in cash for the South African enterprise mobile financial-services provider.
From Fundamo’s Web site comes several clues as to what role this asset will play in Visa’s strategy: “Fundamo´s Mobile Wallet provides a rich set of mobile financial applications such as local and international money remittances, airtime purchases (own and family and friends), person to person payments, bill payments, and a full set of account management options such as balance enquiries, and card and pin management.”
Meanwhile, after 18 months of testing, Visa announced at the end of last year that its mobile-payments configuration called In2Pay, which uses near-field communication (NFC) in conjunction with micro SD chips provided by Device Fidelity, was in commercial release around the globe.
Millions of consumers already use micro SD chips to move photos between mobile devices and PCs on all sorts of mobile handsets, so this form factor for mobile payments is thought to be at least an important bridge to the day full NFC capabilities come embedded in smart phones. Better still, the wireless carriers have few options to restrict consumer use of these cards. So Visa takes the lead in mobile payments that can happen immediately.
For online and mobile payments that are expected to dominate in the future, Visa’s announcement in May of its plans to field a digital wallet later this year stole even more thunder.
While few details were publicly revealed, this wallet overtly blends e-commerce with m-commerce into a single, front-end interface for remote transacting. As declared, the Visa wallet (with the Visa brand, rather than its members’ brands) will support Visa payment cards and—in theory—non-Visa payment options. But Visa will clearly be the gatekeeper for all applications and interfaces for this wallet, and will unilaterally assess fees and charges for this new digital real estate.
Marketplace Oxygen
This is all bad news for new-generation competitors. PayPal Inc., which made its digital wallet nearly ubiquitous, now has to figure out if it can co-exist with the Visa wallet, in addition to the Google wallet, also announced in May.
Its recent plans to move to the point of sale (with its acquisition of Fig Card Corp., after reportedly being rejected for an investment in the hot mobile startup Square Inc.) are now threatened. And its person-to-person business is under attack by Visa’s three biggest issuers, which introduced their clearXchange P2P service in May.
Isis, the mobile NFC payments initiative supported by three of the nation’s biggest wireless carriers, is still scrambling to come up with a business model in the wake of Durbin-mandated reductions in debit card rates, which undercut the decoupled debit card preferred payment option originally planned. Merchants are still leery of Isis’s vague and interchange-like pricing model, and can’t figure out whether and when Isis will offer a truly open mobile wallet, one that could support merchant-friendly payment types.
The Google wallet introduced an embryonic mobile ecosystem designed to manifest a full NFC solution for the first time:
– Citibank makes its MasterCard credit cards available for loading in the wallet, along with Google’s own prepaid payment offering;
– Sprint configures and supports the Samsung Nexus S 4G handset, with MasterCard’s help;
– NXP configures the chips;
– And First Data facilitates and upgrades both the POS terminal and chip security infrastructure through its Trusted Service Manager (TSM).
Piloting initially in New York and San Francisco, Google has signed up more than 20 merchants, and created tremendous industry buzz. Ostensibly, it has a leg up on Visa, which won’t debut until the fall.
But the Google model leaves the payment-system component pretty much intact, enabling bank payment cards to get their interchange as-is, while siphoning off the important prepaid option for itself. Like Visa, Google becomes the gatekeeper for any participation in the wallet front end, and retains for itself all the marketing goodies available at the back end of the two-way NFC configuration (i.e., coupons, marketing promotions, advertising, referrals, etc.).
These marketing opportunities are believed to be immensely valuable with the enhanced buyer-seller interactions that digital, mobile connectivity affords. So many merchants (and banks, and carriers, and other third parties) are adamant about not surrendering them to someone else—especially Google, which already dominates advertising and marketing in the e-commerce realm.
Visa’s wallet positioning carries with it challenges similar to those of AmEx, Discover (with and without Isis), and even some prospective merchant variations of a truly open digital wallet—all of which must now vie with this Visa steamroller for marketplace oxygen and commercial viability. No wonder Apple Inc. prefers to do all this within its walled garden!
Then, in late April, came Visa’s investment in Square. To many, this Twitter-pedigreed startup looms as a highly disruptive development, even though Intuit Inc.’s GoPayment and other similar configurations preceded it (see this month’s cover story).
Anybody can become a merchant with a $1 mobile-phone app and a small, square card reader/swiper that plugs into the audio jack. Several weeks ago, Square announced that users could register a payment card used at a Square-accepting merchant to make payments as well, and store it in the Square cloud for future use, once it has been swiped the first time. And after a very public spat over security with terminal kingpin VeriFone Systems Inc., Square announced it would encrypt card credentials at the origin by late this summer.
Once again, Visa’s investment represents a lot more than just hedging its bets against an uncertain future. If Visa and its partners acquire Square transactions, and Visa and its partners register most of the cards being used to make transactions, and all the information flow occurs in the “ether,” then how long is it before on-us transacting, in the cloud, becomes commonplace?
Mish-mash of Options
Making payments go mobile has been a component of every Visa initiative in the past three years. But the big nuance is Visa’s core emerging strategy to leverage the existing payment infrastructure in all of its quirky manifestations by simply tweaking things here and there in order to get mobile transacting options up and going as quickly as possible.
That means, instead of investing time, effort, and financial resources to migrate to an entirely new and upgraded POS infrastructure, Visa constituents can focus on promoting faster adoption instead. So Visa directs the market to low-friction solutions that it can influence and control, while avoiding sweeping changes in security and interoperability that it cannot.
The rising interest in the EMV smart card standard is a case in point. In recent conferences, Visa’s mobile team has announced a preference for chip-and-signature in both contact and contactless EMV implementations, rather than the more common chip-and-PIN deployment that countries like the U.K., France, and Canada depend on to mitigate the fraud inherent in the mag-stripe paradigm EMV replaces.
Chips can do the same work in both instances, though Visa prefers leaving the primary account number (PAN) and the expiry date in the clear in its preferred deployment, using the chip to scramble the card-verification value (CVV), matched up to some unique transaction data. In that deployment, the retailer can simply process the transaction without requiring PIN entry, and for a growing proportion of transactions under $100, without a signature. The encrypted data ride in a specific field in the existing POS format, so even relatively outdated POS terminals without PIN pads will work, and Visa acquirers and issuers can minimize changes on their end.
That’s a simple path to EMV acceptance, but it leaves merchants saddled with PCI exposure for the credentials in the clear, credentials that can be used, fraudulently, on up to 30% of Web sites that process transactions without requiring a CVV. And the absence of a PIN means cardholders can still repudiate transactions—a significant portion of which result in so-called friendly fraud.
So merchants get little relief from fraud and chargebacks in Visa’s design for EMV. Frustrated with that prospect, many merchants are turning to interim solutions from providers like First Data (end-to-end encryption, tokenization, utility security and authentication bundles, etc.) to escape the tribulations of PCI and the mounting inefficiencies of mag-stripe transactions.
Visa also appears to be distancing itself from the EMV contactless specification, which came out last year, and—according to a variety of sources—is moving rapidly in a more proprietary direction, rather than embracing global standards.
This should come as no surprise (except perhaps to regulatory agencies, which hold out hopes for a more holistic and effective new payments paradigm). Most EMV implementations to date are a mish-mash of incompatible, often ineffectual, options that serve the primary purpose of enabling Visa members to minimize the changes they have to make to their systems.
The Endgame
Dumbing down EMV and militating against the use of the PIN serves a broader purpose for Visa. While activities that marginally improve the current system (e.g., Visa’s Technology Innovation Program, which offers non-U.S. merchants relief from annual PCI audits once more than 75% of their Visa volume is processed as EMV chip card transactions) appear more substantive than they actually are, in reality, such “market-enabling” initiatives simply divert the marketplace into a cacophony of relatively ineffective and incompatible solutions.
Moreover, even the most optimistic scenario for upgrading the U.S. payments system to chip and PIN or its equivalent has it taking no less than five years to complete. In the intervening period, the more fragmented and chaotic the marketplace becomes, the more the system will need Visa to sort things out, and the more likely that merchants and processors will gravitate to a Visa solution—no matter how proprietary or suboptimal—because it is the one most likely to have critical mass.
And there’s the rub. Visa valiantly protects the status quo—all the while buying time for itself by cutting deals on the side, complicating and confounding any meaningful changes to the current payment system ,and building up a broad coalition of partially safe, partly efficient mobile adherents. Then magically, say five years from now, Visa announces to the world that it has resolved all these problems by moving payments entirely to the cloud, using all the building blocks and experience it is amassing in the interim.
And by that time, it just happens to have wired itself into every possible form of digital transacting, in every single venue, all over the globe.
That’s called the endgame. While the rest of society can only hope that Visa behaves like a benign dictator when it comes to rule this new world of payments, the big players from both the old and new payments world—AmEx, Discover, First Data, PayPal, Google, the carriers, and especially the merchants—had better realize that their chances for setting a different agenda for the new payments system of the future might well be over before they even get started.
A Closer Look at Visa’s Digital Wallet
On the surface, the Visa digital wallet appears to use very simple technology to secure the use of its card account credentials. According to insiders, a one-time pseudo number will be generated in the wallet using an application by SecureKey, a Canadian company whose security model is reminiscent of similar technology deployed in various forms in the mid-2000s.
For example, Orbiscom was a marketplace leader with a similar solution midway in the last decade, used by Discover and others, before being purchased by MasterCard for $100 million in early 2009. The Star network chose a one-time-password (OTP) mechanism for its CertiFlash contactless/mobile wallet, instead of exposing an entered PIN. So OTP can be a viable security solution.
PayPal Inc. proved that in early 2007 with its virtual debit card pilot. Four million users downloaded the application before it was mysteriously mothballed in 2009. Online shoppers simply downloaded the virtual debit card application to a browser tool bar linked to a PayPal account, and activated it by initiating a two-way log-in (a password entered to verify the user to PayPal, and a graphic produced by PayPal to verify itself to the user.)
When a checkout page was encountered, the second log-in window appeared, and upon a successful log-in, the user was asked if he wanted to auto-fill the page. The auto-fill included a one-time-use MasterCard primary account number (PAN) and expiry date, and included a cardholder verification number. The mechanism worked at any Web site that accepted MasterCard, but no one except PayPal ever knew what account was paying for the purchase.
So, apparently Visa decided to go with a simple solution that its competitors already proved would work.
As well, Visa wallet’s provides a one-click payment mechanism that Amazon users have long enjoyed. And, reportedly, its intention is to do digital signing with Elliptic Curve Cryptography (ECC) rather than RSA.
—Steve Mott
n