[V – Visa; MA – Mastercard] Expanding the Rails, Part 2
The most enduring companies, as the old bit goes, obsess over timeless universals: “paying for stuff should be easy, fast, and safe”. Sizing a market helps to scope the problem that a product is meant to attack, but fixating on any given market or product can be a bad idea because the surrounding context is always shifting. Consider how the payments landscape has changed over the last few decades. Acceptance points have morphed from knuckle busters to landline-linked terminals to QR codes; payment instruments have evolved from plastic cards nestled in leather wallets to online buttons embedded in online checkout sites, digital wallets downloaded on smartphones, contactless cards embedded with microchips. PayPal, Braintree, Stripe, Square, Adyen, and other online-native and API-interfacing facilitators have created impressive value as intermediating layers. While V/MA’s moatiness is often taken for granted, it’s not too difficult to imagine how these two could have circumscribed their opportunity set by product or geography or obstinately closed their networks to stave off ostensible competition. Instead, both companies recognize that how we pay for stuff conforms to the broader contours of how we interact with the world, and have adapted their networks to that reality.
At the heart of both companies’ competitive advantages lies the resolution of a coordination problem. From Expanding the Rails, Part 1:
“If you wanted to build your own payments network to compete with Visa, you’d need to win over the issuing banks. Of course, you won’t get the issuers if you don’t have merchants to accept your card and you won’t get the merchants unless you have the issuers’ card customers, who want to know that the card is accepted nearly everywhere…and, critically, you won’t get anyone unless you can ensure security, which itself depends on the insights garnered from the 100bn+ of transactions these two networks process every year. Every time you swipe your card, Visa evaluates over 500 different data points to determine fraud risk, calculates a risk score, and sends that score to the issuer to approve the transaction…all in a fraction of a second. Clearly, this is a tough chicken/egg nut to crack.”
The feedback dynamic between issuers, merchants, and consumers is ensconced within several big trends. First, cash still makes up nearly half of relevant global Personal Consumption Expenditures (excluding Russia and China) but is losing ground to electronic payment methods due in meaningful part to e-commerce sales growing 4x-5x faster than in-store transactions. If we assume ~4%-5% global PCE growth, add to it 3 to 5 points to account for the shift to electronic payments, and another 2 to 3 points for share gains, we arrive at what seems a reasonable hsd/ldd base case payments volume growth going forward, in line with what we’ve seen for both companies over the last 5-6 years¹.
Second, potential acceptance points are nowhere near saturated. Electronic payments are no longer mediated by expensive point-of-sale terminals, but can be enabled by scanning lightweight QR code printouts, reducing the cost of electronic payments acceptance for vast swaths of financially constrained micro merchants in sparsely populated regions with remedial telecom infrastructure. QR codes, while still uncommon in the US – where plastic payment cards preceded smartphones – are ubiquitous in Asia, where the maturity of electronic payments has coincided with smartphone adoption. Acceptance points in India have more than doubled over the last year to 3mn-4mn, thanks partly to the late 2016 launch of BharatQR, a universal QR standard developed by the Indian government in partnership with several payment networks, including Visa and Mastercard, as part of an aggressive “demonetization” initiative designed to spur electronic payment adoption. There are nearly 60mn small/micro merchants and 300mn smartphone users in India. Nearly 95% of retail transactions in India are still consummated with cash. The opportunity for digital payments is massive and the conditions for doing so – growing smartphone penetration, cost effective point-of-sale setup, concerted efforts by the government to combat cash – are ever ripening.
But the proliferation of acceptance points is not just limited to mobile first emerging markets. Even in a mature market like the US, Mastercard has grown acceptance by 11%/year over the last 5 years, hitting an inflection point at around 2012 as on-premise commerce ecosystems like Square and API interfacing solutions like Stripe and Braintree found traction and extended Mastercard’s rails to a long tail of small merchants (including myself). And we can all idly speculate about when connected cars, refrigerators, and various other IoT trinkets function as payment acceptance devices. The main point is that regardless of the interface, Mastercard and Visa will own the underlying payments plumbing and tax the volume running through it.
In that spirit, they have been opening up more and more of their APIs over the last 6-7 years – Mastercard doubled the number of APIs available to developers in 2017 across data, security, and payments functions and will double it again this year – allowing social networks, banks, and payment facilitators to plug into their pipes. And even while facilitators like PayPal, Square, Stripe, Apple Pay, etc. have burrowed their way into the payment stack, there has been no discernible impact on Visa or Mastercard’s yields [net revenue divided by global purchase volumes], which have held steady for Visa (after normalizing for Visa Europe) over the last 5 years, and have inched higher for Mastercard, even after stripping out the latter’s fast growing services revenue and including lower yielding volumes from the May 2017 Vocalink acquisition. This should not be all that surprising given the market power that V/MA wield as indispensable and ubiquitous infrastructure providers. New intermediators will take their ~7/8bps out of interchange and, as has been the case with Durbin interchange caps, banks will simply pass the hit onto consumers.
Let’s wade into some murkier waters, starting with Europe. Nearly 3 years after the European Parliament adopted it, the Payment Services Directive part Deux (PSD2) is going into effect this year. The regulation requires banks to expose APIs that grant external non-bank financial service providers access to customer accounts, allowing those providers to build on top of banks’ data and infrastructure. Third parties, by wedging themselves between banks and their customers and leveraging direct consumer relationships to modularize and re-bundle services that were once tightly controlled by banks, can consolidate accounts from different financial institutions into a single record or provide a menu of financial services. Treefin, for instance, is a German app launched in 2015 that analyzes insurance, banking, and investment accounts and recommends ways to improve your personal finances; figo (also German) sees itself as one day providing an “app store” of financial services from different banks.
You can see why the latter are so freaked out by this legislation. Now, it’s also true that the regulation gives banks the ability to extend services to new markets and customers, but those benefits are equally available to all banks and, in my opinion, far outweighed by the deleterious impact of exposing their bundles to disaggregation and losing the point of customer contact. The legislation also potentially poses some risk to Visa and Mastercard. Notably, Deutsche Bank recently announced a pilot project with the International Air Transport Association (IATA), whereby Deutsche will intermediate payments between travelers and IATA’s member airlines, cutting out credit and debit rails, and presumably saving IATA members $8bn in costs from payment processing and fraudulent activity. We’ll just have to see how far this goes, but for the time being, I see PSD2 as a neutral-to-positive for Visa and Mastercard. It presents them with a wide array of services opportunities – from dual factor authentication to analytics to real time payments – as banks are forced to step up their game in the face of new competition. And I have a hard time seeing new fintech start-ups shifting the balance of power away from V/MA. Even with permissioned access to bank accounts and infrastructure, any payments intermediary must still spin up an ecosystem of consumers and merchants, which in turn requires a strong brand, impregnable security, and a frictionless user experience. While the relative share of V/MA, wallets, direct debit, and local card schemes in e-commerce transactions varies by country, PayPal, Visa, and Mastercard are (according to Dataprovider) really the dominant three payment methods [The Netherlands, where inter-bank transfer system iDeal has 80% share, is a rare exception].
PSD2 or no, a new payments player in most European countries will have to draw the volumes necessary to justify the substantial marketing and technology investments required to compete directly against these entrenched payment methods. Far more likely is the scenario that is playing out in the US, where customer-facing payments applications simply access V/MA’s rails and commit themselves to the consumer experience. So, for now, I think Visa and Mastercard gain from both nimble fintech upstarts extending the reach of card rails and from sclerotic banks beckoning for assistance. Visa has a particularly bright future in Europe, with higher yields to come as it steers Visa Europe from a sleepy member-owned association to a profit-oriented commercial entity pursuing more profitable credit volumes (vs. lower yielding debit), cross-selling value-added products to issuers and implementing price hikes (as a standalone entity, Visa Europe realized net revenue yields of just 9bps vs. Visa’s mid-20s yield).