Cybersource Corp. fits so snugly into Silicon Valley stereotype-from the sound of its name to how its executives talk about electronic commerce- that it can be easy to miss its maturity level.
Born in 1994, about when the Internet went commercial, Cybersource is that rare new-age technology company from which banks and credit card companies have decided they can learn a thing or two about payment processing.
Before transaction processors like First Data Corp. or risk-scoring vendors like Fair, Isaac & Co. had begun to understand how the Internet would force changes in some business practices and assumptions, Cybersource already had a lot of these differences figured out.
"We learned early on that (credit card) authorizations were not always accurate," William S. McKiernan, president and chief executive officer of the San Jose, Calif., company, said recently. "Bad guys were able to get valid credit card numbers and did all sorts of damage."
Necessity led Cybersource to invent a fraud-screening system for Internet payments, accomplishing what the tools that existed at that time could not. Around that grew up a set of payment, security, and outsourcing capabilities for electronic businesses that Cybersource defines as "on- demand commerce."
Mr. McKiernan and his salespeople urge ventures on the World Wide Web to rely on Cybersource as a back office so they can better focus on differentiating their sites and services from those of competitors.
There are still many "missing links" in the on-line shopping experience, Mr. McKiernan said. "It is better to outsource to someone with scale and expertise."
Smoothing the glitches "is not about bandwidth," he added. "It's about creating better buying experiences, and that can really be done better on the Internet than in a retail store.
"We're getting there. The merchants are getting better at it."
Though still privately held, Cybersource can be seen as a proxy for Internet commerce-and for major corporations' interest in it, because they are beating paths to its door.
The service handled 8.8 million transactions in 1998, more than 10 times the 800,000 it did in 1997. In last year's fourth quarter, which exceeded nearly everybody's electronic commerce expectations, the company's dollar volume was $125 million, versus only $11 million a year earlier.
Cybersource's customer base grew tenfold in the 12 months through January, to 350, and it saw the Christmas-season transaction pace continue into the current quarter.
"That surprised us a bit," said chief financial officer Charles Noreen. "Whether it was because people got new computers or something else, their experience was such that they wanted to try it again." Indicating receptivity in the mass consumer market, more transactions were being initiated outside of business hours.
The company is not forecasting another year of 900% or 1,000% growth. Mr. McKiernan said 50 million transactions is a realistic target. But whatever the number, Cybersource will be preparing for new peaks.
"This is not something one can do out of a garage," the CEO said, underscoring how Cybersource is playing for keeps in its Internet-payment specialty. "Customers demand 100% uptime.
"If we go down, 400 merchants go down with us. This is not a start-up any more."
Equity investments from GE Capital Services and Visa International, emblematic of deeper "strategic relationships," would support that notion. Cybersource works cooperatively with First Data Corp. and Bank One Corp.'s Paymentech affiliate-they are sources of customer referrals. It also markets jointly with Wells Fargo & Co., perhaps the most experienced merchant-acquirer of card transactions on the Web.
Todd Chaffee, executive vice president of corporate development and alliances at Visa, said Cybersource caught the attention of the strategic investments program he oversees because it is "an important emerging company" that can contribute to Visa's goal of promoting e-commerce.
Cybersource is closely linked with Microsoft Corp. and its Site Server 3.0 Commerce edition for merchants. (Paul Allen, who co-founded the software giant with Bill Gates, is Cybersource's top outside investor.) And it has a long list of other "customers and partners," including Adobe, Autodesk, Beyond.com, Buy.com, Compaq, IBM, Netscape, Network Associates, Symantec, and T. Rowe Price.
Partner lists are as common in Silicon Valley as companies with "cyber" in their names or mission statements, but some of those organizations have particular significance for Cybersource and have been working with it for years.
Mr. McKiernan is a former CEO of McAfee, a company best known for anti- virus software and now part of Network Associates Inc. "We built a big business distributing products electronically, and that was before the World Wide Web explosion," he said. Customer interfaces then were slow and "character-based," unlike the colorful and animated graphic screens that characterize the Web.
That business of digital product distribution was Cybersource's first reason for being. It started as Software.net, an on-line software reseller. The fraud screen and other competencies led it to offer an outsourcing package for Web businesses, beginning in March 1997.
At the end of that year, the company was split in two. The software superstore became Beyond.com Corp. of Sunnyvale, Calif., now a hot Internet stock. Last month Beyond.com announced it would buy the software distributor Buydirect.com for $143 million of stock.
"That is going to be a great business," Mr. McKiernan said of on-line software sales. "It is a $96 billion market that is underserved, without a dominant player."
He views software retailing as a classic case of how established companies-CompUSA, Wal-Mart, OfficeMax, and Staples-were slow to adjust to new distribution media. Their physical-world legacies prevented them from taking bold action, he said, and neither manufacturers nor buyers were pleased.
"This is ripe for reengineering, and it has to be on the Net," Mr. McKiernan said.
The retailers' struggles may sound familiar to bankers trying to balance their own on-line strategies with branch networks and other internal considerations. As it happens, Mr. McKiernan is a commercial banker's son. His father, William P., started working at Citibank in New York at age 16 and retired from a senior post almost five decades later, in 1977.
"At Beyond.com, we had the luxury of not worrying about cannibalizing existing business," said the son, 42. "There were no arguments like Barnes & Noble had" before the bookseller spun off its Internet venture.
Mr. McKiernan is Beyond.com's chairman but devotes his full-time CEO energies to Cybersource because, he said, his interests gravitate toward technology businesses in more formative stages.
"This is a very well-run company," said Bill Burnham, who follows e- commerce for Credit Suisse First Boston in San Francisco.
Mr. Burnham said Cybersource may need "a little more run time" before it goes public, but in Mr. McKiernan, with his Network Associates and Beyond.com start-up experience, it has "a very experienced entrepreneur in a market that is growing incredibly quickly."
Mr. Chaffee of Visa added, "Bill understands not just the Internet, security, and the fundamentals of e-commerce, but he is also a CPA and knows his way around the venture and investment banking worlds. They are going to do well."
Competitive lines can be be blurry, though, and Cybersource's success has attracted sniping.
John McGuire, chief executive officer of Trintech Group, a leader in on- line payment systems including those that comply with the MasterCard-Visa SET protocol, has held up Cybersource as a potential threat to merchant banks in global Internet commerce. (Mr. McGuire also put in that class Brokat of Germany, iCat Corp., and Cybercash Inc., a company that Mr. McKiernan said Cybersource has taken business from because of "reliability problems.")
Mr. McKiernan seems to be going about his business without singling out any one class of foe. Of Fair, Isaac and HNC Software Inc., which have developed sophisticated antifraud products, he said, "We actually rely on them" because their systems remain at the heart of the payment authorization process.
Michael Malloy, senior vice president of marketing at Fair, Isaac in San Rafael, Calif., said Cybersource occupies a small part of its spectrum. "They have a negative file, which is good for spotting repeat offenders," he said. That contrasts with Fair, Isaac's broader and deeper focus on "the characteristics of transactions."
But Cybersource's experience as an on-line mall uncovered shortcomings in available authorization data.
"Acquiring and issuing banks didn't have the buyer information that resides at the merchant," said Nick DiGiacomo, a payment security expert who is vice president of the electronic markets business unit at Scient Corp. in San Francisco. Cybersource "got e-mail addresses correlated. The problem was that a lot of banks didn't get the kind of information needed to do on-line filtering."
The delayed acceptance of SET, or Secure Electronic Transaction, which is plodding along especially slowly in North America, made Cybersource's antifraud weapon that much more welcome. It may have attracted Visa's interest for that reason, though Mr. Chaffee said that was not a factor.
"They are able to play in both SET and SSL," the Secure Sockets Layer technology that is more prevalent on the Web, said the Visa official. "They provide all the things an Internet merchant has to deal with-it's not always sexy, but it's important, like real-time payment processing and tax calculations-and SET is one of the things they can do."
Mr. McKiernan said Cybersource is indeed SET-compliant and needs to "stay abreast of it," in part because it has made progress internationally. "E-commerce is happening a lot faster than SET is happening," he said. "So much needs to happen for SET, and the value proposition has not been well articulated. But there are elements to SET that are very desirable."
Cybersource's APIs-applications programming interfaces-"make it very easy to begin accepting payments," Mr. McKiernan said. "I think Visa recognized that our fraud screen is the best one out there" and saw fit to supplement its equity investment with joint marketing and development projects.
Mr. Chaffee said the fraud screen is "state-of-the-art" and "we are working with them to augment it."
The Internet fraud screen, which Cybersource dubs IVS to differentiate it from a credit card address verification system, or AVS, reduces fraud risk to less than 1%, according to company literature. The technology, a form of artificial intelligence, involves more than 150 calculations to arrive at risk scores, and merchants can act on the information as they see fit.
"Software.net started selling software in late 1994, and by February 1995 they had more fraud than sales," said Tom Arnold, Cybersource's chief technology officer. The No. 1 problem was identity theft because "there was not even a voice to connect with."
After warning flags from Bank of America, which was alarmed by its 8% chargeback rate, Cybersource began working on a "learning engine" that would accumulate data on various risk factors and their interactions. A message originating from an anonymous e-mail host might be a problem; flowers ordered by credit card and sent to an address other than the cardholder's would probably be all right.
"A lot of our customers get referred by banks to clear up chargebacks or repudiated transactions," said Mr. Arnold, who joined the company from Silicon Graphics in 1996, when "the rudiments of the fraud system were in place."
IVS gets billing in the Cybersource catalogue alongside its Geopay global payment processing system, GlobalTax for tax calculations, TerritoryManager for distribution control, Notify for hard-goods fulfillment messages, SmartCert digital certificates for secure content downloads, and Global Rights Registry and Professional Services.
Aside from being a window on e-commerce, Cybersource has a first-hand view of fraud-pattern changes. Mr. Arnold said identity theft is still prominent and fraudulent credit card numbers generated from illegal software on the Net are epidemic. "We've put 16 people in jail on this," he said. "Actual stolen cards are being tested. We saw that when card numbers were coming in to buy products but they never took delivery of the goods."
"Digital fulfillment was especially susceptible" to fraud, Mr. McKiernan said, referring to on-line software distribution. "There is an anonymity to it that is not like shipping a box. Hackers would do this for sport, and it's expensive stuff."
"We started out focusing on digital products, but now we find that physical goods are just as susceptible when you are dealing with big-ticket items like computers," the CEO said.
While Cybersource was going about refining the fraud screen and linking it to the rest of "on-demand commerce," Mr. McKiernan said, he was as frustrated as any of his technology-industry peers at the unwillingness of bankers and other traditionalists to accept the revolutionary nature of the Web.
"One guy on a conference panel two years ago said it took 25 years for one-third of the people to use automated teller machines, and he saw the same progression for the Internet," Mr. McKiernan said.
"There might have been some question before the past holiday season whether on-line buying would be mainstream, but now there is no doubt," he added. "What took ATMs 20 years has happened here in less than four.
"I said four years ago that software (selling) was perfect for the Internet, but I didn't think people would buy cars on the Internet. They absolutely do. The experience is not everything it can be, but absolutely everything is being bought on-line."
