Visa Inc.'s agreement to buy CyberSource Corp. shows that the payments company is serious about mobile commerce — and the potential risks of this emerging channel.
Visa said that the $2 billion cash deal announced Wednesday is part of a strategic effort to expand its security efforts. Antifraud capabilities at retail locations have improved dramatically in recent years, and Visa wants to focus more attention on the Internet and especially on mobile phones.
"Mobile is clearly a growing and important channel for us," Gerry Sweeney, Visa's head of global e-commerce and authentication, said in an interview Wednesday.
CyberSource, of Mountain View, Calif., is a major player in e-commerce. It has more than 295,000 merchant clients and says it handles about a quarter of all U.S. online transactions.
However, Visa specifically mentioned CyberSource's mobile operations as an appealing asset, and stressed that mobile commerce is a separate channel from traditional online sales.
Joseph W. Saunders, the San Francisco company's chairman and chief executive, said in a press release that "as e-commerce increasingly migrates to mobile devices, we believe the combination of Visa and CyberSource technology and services will position Visa to lead in mobile e-commerce."
CyberSource is also well known for its security technology, and Sweeney said the acquisition will play an important role in Visa's evolving antifraud efforts for online transactions.
Visa and CyberSource have worked together since 1999, and the landscape for payments and risk has changed significantly since then.
In 2006, in a signal that the Web had gone mainstream, Visa changed the way it categorizes merchants under the Payment Card Industry data security standard.
Under its new definitions, being an online merchant was no longer in and of itself considered a significant risk factor. Since then, many retailers have taken pains to safeguard the point of sale, Sweeney said.
Visa's action in 2006 "was very reflective of the 2006 environment," Sweeney said. "In 2006, we were seeing much more of a trend around fraudsters attacking the physical card-present merchants."
But that changed in recent years, largely because merchants have fought back, he said.
"Over the course of the last four to five years, we have seen tremendous progress in physical merchants actually shoring up their systems," Sweeney said. "When you shore up one part of the payment chain, the fraud will migrate to another part," including the Web and the mobile phone.
Sweeney emphasized that using phones to make payments is not inherently risky — "I would not characterize mobile as less secure today" — but said that Visa wants to stay ahead of the curve as more consumers use mobile devices to manage, move and spend their money.
Though mobile banking and commerce in the United States is still in its infancy, phones are already coming under attack from hackers who have figured out how to harvest the increasingly sensitive information stored on smart phones.
Observers say that as banks continue to push the idea that phones can be used as mobile wallets, the channel will attract the attention of more determined hackers, and the defenses in place today may not be enough.
Avivah Litan, a vice president and distinguished analyst at Gartner Inc. in Stamford, Conn., said "nobody's figured out how to solve mobile fraud yet, because there's not a lot of it."
But that will eventually change, she said, and the CyberSource deal signals that the payments company is aware of its shortcomings and is working to address them.
"I don't think they're going to make a ton of money in" owning CyberSource, Litan said. "I think it's mainly to get visibility into e-commerce transactions because of the high risk levels. Right now they don't have any visibility like they do with point of sale."
And, with fraud constantly shifting back and forth across channels, Visa's ability to monitor payment activity at the physical point of sale may play a part in driving fraud artists back to e-commerce and, by extension, the mobile Web.
In 2006, when Visa's rules around merchant categorization demonstrated its knowledge that the Internet was not an inherently less secure channel, fraudsters were attacking physical cards because they saw card-present transactions as an easy target.
One of the main frustrations for hackers today is the chip-and-PIN card. In countries that adopted the EMV Integrated Circuit Card Specifications, fraud has begun to move away from cards and back online, Litan said. Even though "the crooks don't care about e-commerce data as much as they do about plastic … e-commerce fraud is going up, that's a trend."
In addition to CyberSource's prowess for online and mobile fraud management, Visa praised the company's deep merchant relationships and potential for global expansion, particularly in Asia and Latin America.
"The transaction is about long-term growth," Saunders said in a conference call. "Visa must touch as much of each transaction as possible in order to enable a long-term differentiated value proposition. This acquisition fulfills this aspiration head-on."
Saunders also characterized the acquisition as a defensive move against alternative payment providers such as eBay Inc.'s PayPal, another payments operation with global reach.
"We're paying attention to what PayPal as well as other companies are getting into [in] the e-commerce space," Saunders said, "and we are obviously concerned that that would have an effect on our market share over a moderate or longer-term period of time."
The CyberSource deal is "somewhat in reaction to" the growing influence of PayPal and other alternative payment providers, but "this is also happens to be consistent with what we think our long-term strategies should be to grow Visa," he said.
Visa said the deal is expected to close in the third quarter of the calendar year (Visa's fourth fiscal quarter).
Michael Walsh, CyberSource's president and CEO, would continue to head the company, which would be a Visa subsidiary, and William S. McKiernan, CyberSource's executive chairman and founder, would become an executive adviser at Visa to facilitate the companies' integration.