Trends & Tactics

A Look at Durbin’s Early Impact

Things went pretty much according to script in the first three months of Durbin Amendment debit card price controls. Debit market leader Visa Inc. got dented while MasterCard Inc. picked up speed.

Visa chairman and chief executive Joseph Saunders predicted that the slowdown Visa’s U.S. debit business suffered in the first quarter of fiscal 2012 ended Dec. 31 would be only temporary. But he conceded that the federal Durbin Amendment, which took effect Oct. 1 and cuts debit card interchange roughly in half for issuers with more than $10 billion in assets, is proving to be a drag on growth. Debit payment volume grew only 5.4% versus 16.6% a year earlier.

“Deceleration in the first quarter was an early sign of this impact,” Saunders said at a conference call with stock analysts last month, brought on by issuers’ elimination of debit rewards programs and reduced marketing.

But Visa expected the slowdown and predicts the worst impact this year, with higher growth resuming in 2013, Saunders said.

Also hurting the business, he said, was a decision by an unnamed “major financial institution” to remove the Interlink brand from its cards. Owned by Visa, Interlink is one of the largest U.S. PIN-debit networks. The issuer, Saunders said, was acting in response to a Durbin routing rule that requires issuers by April 1 to have at least two unaffiliated debit-network brands on their cards.

But Saunders added that Visa is pursuing Interlink agreements with other banks that currently feature competing brands and is close to signing an undisclosed number of them.

In response to the routing rule, Visa said last year that it has the capability to process PIN transactions on its signature-debit system and will offer that capability to issuers. It is also spending more lavishly on so-called network incentives to issuers and merchants to stick with Visa. That sum grew 19% in the quarter year-over-year to $481 million. Also, last summer, Visa introduced a fixed network participation fee and reduced a variable processing fee for U.S. debit cards in a bid for merchant business.

MasterCard, which for years has eaten Visa’s debit dust, had a happier experience in its fourth quarter ended Dec. 31. U.S. debit card purchase volume jumped 19% from year-earlier levels to $104 billion, far ahead of debit’s 3.7% year-over-year growth rate in 2010’s fourth quarter.

MasterCard, owner of the Maestro PIN-debit brand, and the national electronic funds transfer networks that offer point-of-sale PIN-debit services all hope to pick up new business from Visa/Interlink issuers as a result of the new routing rules. First Data Corp. says its Star EFT network has picked up at least 20 new issuers. MasterCard is adding debit issuers, though not as many as Star.

“At this point I can tell you we have won PIN deals with a couple of major U.S. banks and have already begun to see some of those transactions,” MasterCard president and chief executive Ajay Banga told analysts at the company’s quarterly conference call last month.

Banga didn’t identify the issuers but also said that Cleveland-based KeyBank is expanding its MasterCard debit agreement to include PIN debit. Last year, Columbus, Ohio-based Huntington Bank said it would convert its signature-debit card file to MasterCard. In all of 2011, MasterCard signed debit or credit card deals with nearly 150 new issuers, Banga said, some of which were conversions from Visa.

Both network chiefs reported respectable credit card growth. Some of that growth can be attributed to big banks encouraging consumers to use credit cards, whose interchange is unregulated, rather than debit cards.

And both were united in claiming that they wouldn’t make major concessions on credit card interchange rates to settle a massive legal attack by merchants on the controversial fee through lawsuits against Visa, MasterCard, and some of their biggest bank customers and former owners.

MasterCard took a $495 million after-tax charge ($770 million pre-tax) in the fourth quarter as its share of a potential settlement with the merchants. The cases, pending since 2005, are set for trial in September in U.S. District Court in Brooklyn, N.Y., but the parties are in mediation.

MasterCard and Visa have liability-sharing agreements with the banks, with MasterCard itself on the hook for 12% of damages awarded. That implies a possible pre-tax settlement of $6.4 billion.

Banga refused to speculate about the talks, but he was emphatic that “we would not agree to any significant or long-term reduction in MasterCard’s credit interchange rates as part of any settlement.”

Visa’s Saunders sounded nearly identical. “We are unwilling to agree to any significant or long-term credit-interchange rate reduction,” he told analysts.

He added a conciliatory tone, however, allowing that the likelihood of a settlement might be rising. Visa now has placed $4.3 billion in an escrow account against a possible settlement.

 

Facebook Faces Its Payments Future

Facebook Inc.’s payment operation is booming as the giant social network prepares for an initial public offering. But analysts say Facebook is not invulnerable to competition in the payments space, and the company itself recognizes the need to expand the usage of its Facebook Credits virtual currency, which still has a fairly small user base.

In the registration statement for its IPO, Menlo Park, Calif.-based Facebook lists $557 million in revenues from payments and a small amount of other fees in 2011, quintuple 2010’s revenues. Facebook, which has 845 million monthly active users worldwide, reported total revenues of $3.71 billion, with 85%, or $3.15 billion, coming from advertising.

Network members generate payment revenues when they purchase Facebook Credits to in turn buy digital items, such as tools or weapons, for their games available through Facebook from third-party software developers.

Members can use credit or debit cards, PayPal, gift cards, or other methods to buy Facebook Credits, which cost 10 cents per credit. Facebook takes a 30% cut of Facebook Credits transactions.

The Facebook Payments segment began generating significant revenue in 2011’s fourth quarter after Facebook last July required third-party developers to use its payments system.

“For now, they have a good position because of the fact that they mandated acceptance of Facebook Credits across their platform,” says Beth Robertson, director of payments research at Pleasanton, Calif.-based Javelin Strategy & Research.

By far the biggest of Facebook’s third-party developers is Zynga Inc., publisher of Zynga Poker, FarmVille, CityVille, CastleVille, and others. The five most popular games currently on Facebook all come from Zynga.

Though they are independent companies, the fortunes of Facebook and San Francisco-based Zynga are closely intertwined. Some 12% of Facebook’s total advertising and payment revenues come from Zynga.

“Apps built by developers of social games, particularly Zynga, are currently responsible for substantially all of our revenue derived from payments,” Facebook’s filing says.

Zynga, in turn, generates “substantially all” of its revenues through players on Facebook’s platform, according to the registration statement Zynga filed ahead of its own IPO in December.

While its heavy dependence on Zynga is one vulnerability, other forces could lower the steep upward trajectory of Facebook’s payments revenues. Developers might start pushing for a reduction in Facebook’s 30% take of Facebook Credits transactions. And outside payments companies are buying digital firms that could give developers at lower cost the micropayment services valued by online game players, Robertson notes.

Examples include Visa Inc., which owns PlaySpan, and American Express Co., which last year rolled out its Serve platform for digital payments and in September bought a virtual-currency and in-game payments provider, Sometrics, for $30 million.

“Ultimately there is going to be pressure for [Facebook] to bring that fee down, and I think it’s from the merchant side and the competitive side,” Robertson says.

Facebook also said its payments operation could face regulatory scrutiny in the U.S. and abroad. The company is trying to mitigate that risk by applying for money-transmitter licenses.

For now, however, Facebook’s major concern may be building up the base of Facebook Credits users. While virtual currency sparks plenty of discussion, few people actually use it.

The most telling evidence for that assertion comes from Zynga. The now-public company reported that its overall player base, or monthly unique users (MUUs), grew to 153 million in December, up 38% from 111 million a year earlier. Not bad.

But most social games can be played for free.

In fact, only 1.9% of MUUs, or 2.9 million people, are what Zynga calls monthly unique payers (MUPs)—customers who buy something within a game. The number of MUPs grew 13% from 2.6 million in 2011’s third quarter.

Executives from both Facebook and Zynga frequently talk about “monetization,” a term for tactics that generate revenues from social-network members. Facebook last month tried to do just that with Facebook Credits by using a centuries-old tactic: cutting prices temporarily.

Facebook told its third-party developers that it would encourage game players to make a first-time purchase by enabling them to get $4 of value for free if they buy 10 Facebook Credits at the regular price of $1. Facebook is absorbing the cost.

A Facebook spokesperson would not comment about the promotion beyond what the company revealed on its developer blog.

“Facebook has begun sponsoring promotions to help developers convert game players into paying users,” the blog posting says. Facebook didn’t say how long the promotion would last.

The social network offered some users 80% discounts on Facebook Credits last year and early this year, according to Inside Facebook, an independent online newsletter. In its blog post, Facebook said it would “evolve these promotions over time to better grow our ecosystem.”

Facebook has indicated that it could expand the required use of Facebook Credits to other merchants on the network, a requirement that today only covers online games, Inside Facebook said.

 

Recipe for a Breach

Among all the types of merchants that accept card transactions, coffee shops, pizza parlors, burger places, and food stores might need to keep an extra-careful watch on their card data.

If they’re operating as a franchisee and part of a chain, they might want to be especially wary. And if they use a third-party service for system support and maintenance, they’d be well-advised to take even more steps to secure their customers’ information.

Call it the trifecta of data-breach vulnerability. But it’s not one you want to win.

That’s because the food-and-beverage category was especially vulnerable to breaches in 2011, accounting for nearly 44% of the more than 300 data compromises investigated by Trustwave Holdings Inc., a Chicago-based supplier of security technology.

This was the second straight year that the category accounted for the highest number of cases, according to Trustwave, whose SpiderLabs unit investigates breach incidents around the world. About 45% of all of the cases investigated last year were in North America, says Nicholas J. Percoco, head of SpiderLabs and a senior vice president at Trustwave, which last month released its 2012 Global Security Report.

But if you’re a franchisee, you really need to watch out. Cybercriminals tended to target franchise operations, which accounted for more than one-third of the cases, according to the report. Outlets that are part of a chain-store model are similarly vulnerable.

And if you rely on third parties for IT help, you’ve invited even more trouble. Stores that depend on outside help to update and maintain their point-of-sale systems were also more likely to sustain a breach. More than three-quarters of the investigations found that a third-party outfit responsible for system support or development had, wittingly or not, introduced the vulnerability.

The good news is that law-enforcement authorities appear to be increasingly effective in detecting breaches. They discovered one-third of the cases Trustwave examined, up from only 7% in 2010. Tempering that positive news, however, is that self-detected cases fell from 20% to 16%.

That’s bad news, says Percoco, because self detection usually occurs much earlier in the duration of a breach, limiting the damage. Hackers were discovered, on average, fully 173.5 days after infiltrating the system in cases where the breach was detected by an outside entity, but in cases of self-detection that was cut to 43 days.

While police and other outside entities may be more on the ball, “unfortunately that’s a little too late for some of these merchants,” Percoco says.

Franchises and chains tend to be especially vulnerable because they typically rely on common systems imposed on them by a franchisor or other central corporate authority, Percoco says. If these systems are misconfigured, criminals can replicate their attacks at multiple locations once they’ve spent some time at the first one.

They are patient, too, sometimes spending as many as several months in one location before propagating their attacks with cookie-cutter efficiency. “They’ll invest time upfront and then stamp out as many attacks as possible,” says Percoco.

It doesn’t take much to undermine the security of a system. In many cases, Trustwave found that passwords and user names used to log into systems were “pitifully simple,” according to the report. In fact, “Password1” was found to be a common password in actual use. Not surprisingly, what the report calls “use of weak administrative credentials” accounted for 80% of attack propagations.

Often, compliance with industry standards might have prevented the breach or limited the damage. Indeed, in none of the cases Trustwave investigated was the victim compliant with the Payment Card Industry data-security standard (PCI), Percoco says.

Yet, the remedies were in plain sight. “Many of the issues we identified were clearly defined in PCI,” he notes.

 

E-Commerce Premium: How Long Will It Last?

A longstanding truism in the acquiring business is that smaller merchants tend to generate more profit than their larger counterparts. But now research has emerged to show that smaller online merchants are even more profitable for acquirers and processors than brick-and-mortar stores of the same size.

In fact, across all volume tiers between $25,000 and $300 million in annual Visa and MasterCard sales, e-commerce merchants produce a higher net spread, or difference between revenue and costs, than do physical merchants, according to a study by First Annapolis Consulting, Linthicum, Md.

As might be expected, margins drop as volumes increase, but the e-commerce premium is actually greatest in the $50 million-to-$300 million volume tier, the largest one studied. Here, online sellers produce 23 basis points of net spread on average, more than doubling the 10 basis points generated by physical stores, according to the research, which examined some half a million merchant records.

For the smallest merchants, by contrast, e-commerce merchants averaged 243 basis points, compared to 177 for physical retailers, for a 37% premium. These are merchants recording $25,000 to $100,000 in annual card-based sales.

Across the board, First Annapolis estimates that net spreads for e-commerce merchants are around 40% higher than the industry average for all merchants in the $25,000-to-$300 million annual-sales class, or some 80 basis points compared to 58 basis points.

Heather Pollock, a consultant at First Annapolis specializing in merchant acquiring, cautions that the firm is still examining factors that might account for the e-commerce premium. But she says some preliminary conclusions are possible. “Among other variables, risk, merchant vintage, and price sensitivity account for at least some of the divide,” she says via e-mail.

Online merchants incur so-called card-not-present interchange, which many acquirers might mark up more than the card-present rates charged to physical merchants, for example. Card-not-present rates are higher than card-present pricing to account for a higher perceived risk. Interchange is established by card networks and levied on acquirers, which pass the fees on to merchants.

Mobile transactions, however, don’t appear to carry the same kind of premium. While it’s early days in mobile acquiring, Pollock says pricing so far has been set low. “This would squeeze margins across the board,” Pollock says.

Over time, that could affect the entire small-merchant e-commerce category as more and more consumers conduct Web-based transactions on handsets. “Although it’s too early to provide data, we expect smaller margins to result in a smaller e-commerce premium,” she notes.

Indeed, as competition and other market forces drive down pricing overall, acquirers and processors shouldn’t expect the e-commerce premium to last forever. “Because we expect net spread to decrease over time, we expect the e-commerce premium to shrink as well,” Pollock says.

But for now, with e-commerce booming by comparison to physical stores, processors and independent sales organizations that concentrate in physical-world sellers would do well to build up their online business. First Annapolis projects that online sales will average a 16% annual rate of growth over the next four years, well ahead of physical-store sales growth.

“In general,” says Pollock, “acquirers and ISOs could capture value from the rising e-commerce trend by keeping a wide variety of merchants in their portfolios.”