Visa Gets More Personal With Data

Visa plans to roll out new, highly customized incentive and reward programs based on more detailed consumer information, including data on purchases, buying habits, and retailer loyalty.

Having completed a multi-year upgrade and modernization of its payment processing systems, credit-card giant Visa plans to roll out new, highly customized incentive and reward programs based on more detailed consumer information, including data on purchases, buying habits, and retailer loyalty, company officials said during a tour of the company's central-United States data center.

Crafted two years ago and known as "account-level processing," the plan will enable Visa's payment processing system to manage transactions in real time using the entire 16-digit credit card number, rather than the six-digit bank identification number (BIN) that has traditionally been used. It will allow consumers to carry their account numbers with them if they move up to pricier and more exclusive cards, and merchants to offer new services and benefits, such as loyalty programs, to customers, said senior VP Jim McCarthy, head of consumer products for Visa USA: "This allows us to take a specific action in real time based on consumer behavior at a specific merchant and a specific location."

The shift to account-level processing coincides with Visa's preparation to go public by early next year, a move that is expected to raise billions of dollars to help Visa compete in the increasingly competitive and litigious credit-card processing business.

Last Tuesday, the world's largest credit card network said it had hired Hans Morris from Citigroup Inc. to fill the new position of president of Visa Inc., the new combined entity that will result from the IPO. John Philip Coghlan resigned as president and chief executive of Visa USA, a post he had held since July 2005, the company said.

The move also comes as credit-card processors and financial institutions are under increasing scrutiny and threat of litigation thanks to several massive and well-publicized thefts of consumer credit card information. Earlier this month TJX Companies, the parent company of a family of retailers that includes T.J. Maxx, Marshalls, and other nationwide chains, said it took a $20 million computer-intrusion-related charge for its most recent quarter, related to an IT security breach in which 45 million credit and debit card numbers were stolen. Thieves later used fake cards based on the data to steal $8 million in merchandise from Wal-Mart stores in Florida.

Following huge credit-card data losses from payment processor CardSystems Solutions and from Lowe's hardware stores, the TJX case "was a stark reminder to all of us that such events can have vast reach and consequences," said Coghlan, the former Visa USA CEO, at a data-security summit in March.

Visa has spent five years and hundreds of millions of dollars annually modernizing and upgrading its transaction system, known as Visa Integrated Payments. The company processes some 6,800 transactions per second during the peak holiday season, and its transaction volume is growing at around 20% a year. The central-region data center -- the precise location of which Visa requires visitors not to divulge -- replaced an older data center on the West Coast in 2006 and will process some $1 trillion in transactions this year.

Among other things, the re-engineering of the global authorization engine involved replacing legacy code with new, streamlined software, resulting in a modular architecture that allows Windows Visa to add new functions and deploy new technology on the fly. The Operations Center Central, as the data center is called, is one of two centers in the U.S. and includes Z9 IBM mainframe CPUs running 2500 million instructions per second each, along with disc drives from a variety of vendors. The OCC actually has two separate data center buildings connected by two self-healing SONET rings.

Account-level processing will include sending immediate discount offers and the like to merchants serving eligible customers, to "enhance and improve the customer experience at the point of sale," as McCarthy put it. But Visa will not share actual consumer information with merchants at the edge of its network -- a practice that would automatically increase the risk of fraud since most security breaches take place at the retail level, not in the Visa system proper. While the platform will be able to make instantaneous judgments about customer behavior and qualifications for specific benefits, and alert the merchant based on that information, "the data resides in the same safe walls as all our data does," said Visa spokesperson Elvira Swanson.

The system also will provide what McCarthy calls an "in-flight scoring engine" that rates specific transactions by specific users for the risk of fraud. Using real-time fraud scoring based on certain risk conditions (whether the transaction matches up with past purchasing behavior, for instance), the system can provide a "fraud index" that calculates the likelihood of chicanery. The card issuer can then make a determination about whether to allow the transaction to proceed -- all within milliseconds.

"We build this stuff into the cloud so that issuers and merchants can take action faster," said McCarthy. "It's not good enough anymore to identify negative patterns 15 minutes after the fraud occurs," added Swanson.

The new Visa Inc. will comprise Visa USA, Visa International, and Visa Canada. Visa Europe plans to remain a traditional member association owned by the financial institutions. Visa Inc. will become the third standalone, publicly traded credit-card processor along with MasterCard Inc. and Discover Financial Services LLC. MasterCard shares have more than quadrupled in value since that company went public in May 2006.