Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10-K reports, allowing investors to quickly identify new potential risks and opportunities.
Risk Factors - V
ITEM 1A. Risk Factors
Regulatory Risks
We are subject to complex and evolving global regulations that could harm our business and financial results.
As a global payments technology company, we are subject to complex and evolving regulations that govern our operations. See Item 1—Government Regulation for more information on the most significant areas of regulation that affect our business. The impact of these regulations on us, our clients, and other third parties could limit our ability to enforce our payments system rules; require us to adopt new rules or change existing rules; affect our existing contractual arrangements; increase our compliance costs; and require us to make our technology or intellectual property available to third parties, including competitors, in an undesirable manner. As discussed in more detail below, we may face differing rules and regulations in matters like interchange reimbursement rates, preferred routing, domestic processing and localization requirements, currency conversion, point-of-sale transaction rules and practices, privacy, data use and protection, licensing requirements, and associated product technology. As a result, the Visa operating rules and our other contractual commitments may differ from country to country, state to state, or by products. Complying with these and other regulations increases our costs and operational complexity, and reduces our revenue opportunities.
If widely varying regulations come into existence worldwide, we may have difficulty rapidly adjusting our products, services, fees and other important aspects of our business to comply with the regulations. Our compliance programs and policies are designed to support our compliance with a wide array of regulations and laws, such as regulations regarding anti-money laundering, anti-corruption, competition, money transfer services, privacy, and sanctions, and we continually adjust our compliance programs as regulations evolve. However, we cannot guarantee that our practices will be deemed compliant by all applicable regulatory authorities. In the event our controls should fail or we are found to be out of compliance for other reasons, we could be subject to monetary damages, civil and criminal penalties, litigation, investigations and proceedings, and damage to our global brands and reputation. Furthermore, the evolving and increased regulatory focus on the payments industry could negatively impact or reduce the number of Visa products our clients issue, the volume of payments we process, our net revenue, our brands, our competitive positioning, our ability to use our intellectual property to differentiate our products and services, the quality and types of products and services we offer, the countries in which our products are used, and the types of consumers and merchants who can obtain or accept our products, all of which could harm our business and financial results. 
Increased scrutiny and regulation of the global payments industry, including with respect to interchange reimbursement fees, merchant discount rates, operating rules, risk management protocols and other related practices, could harm our business.
Regulators around the world have been establishing or increasing their authority to regulate various aspects of the payments industry. See Item 1—Government Regulation for more information. In the U.S. and many other jurisdictions, we have historically set default interchange reimbursement fees. Even though we generally do not receive any revenue related to interchange reimbursement fees in a payment transaction (in the context of credit and debit transactions, those fees are paid by the acquirers to the issuers; the reverse is true for certain transactions like ATM), interchange reimbursement fees are a factor on which we compete with other payments providers and are therefore an important determinant of the volume of transactions we process. Consequently, changes to these fees, whether voluntarily or by mandate, can substantially affect our overall payments volumes and net revenue.
Interchange reimbursement fees, certain operating rules and related practices continue to be subject to increased government regulation globally, and regulatory authorities and central banks in a number of jurisdictions have reviewed or are reviewing these fees, rules, and practices. For example:
•Regulations adopted by the U.S. Federal Reserve cap the maximum U.S. debit interchange reimbursement rate received by large financial institutions at 21 cents plus 5 basis points per transaction, plus a possible fraud adjustment of 1 cent. Additionally, the Dodd-Frank Act limits issuers’ and payment networks’ ability to adopt network exclusivity and preferred routing in the debit and prepaid area, which also impacts our business. In response to merchant requests, the Federal Reserve has recently taken actions to revisit its regulations that implement these aspects of the Dodd-Frank Act. For example, in October 2022, the Federal Reserve published a final rule effectively requiring issuers to ensure that at least two unaffiliated networks are available for routing CNP debit transactions by July 1, 2023. In October 2023, the Federal Reserve issued a proposal for comment which would further lower debit interchange rates, with a mechanism for automatic adjustment every two years. Separately, there continues to be interest in regulation of credit interchange fees and routing practices by members of Congress and state legislators in the U.S. In June 2023, legislation was reintroduced in the U.S. House of Representatives and Senate, which among other things, would require large issuing banks to offer a choice of at least two unaffiliated networks over which electronic credit transactions may be processed. Similar legislation was introduced in the previous Congress in 2022 but failed to advance. The current legislation has additional bipartisan support, and while the ultimate outcome of the legislation remains unclear, its sponsors continue to strongly advocate for its passage. Finally, some states in the U.S. have passed or are considering passing laws that regulate how interchange can be assessed. For example, in May 2024, Illinois passed a law that restricts the assessment of interchange on the state tax and gratuity portions of a transaction, and restricts financial institutions and payment networks, among others, from using payment transaction data for any purpose other than facilitating or processing a transaction. Such laws may also impose significant technical and compliance burdens on our business.
•In Europe, the EU’s IFR places an effective cap on consumer credit and consumer debit interchange fees for both domestic and cross-border transactions within the EEA (30 basis points and 20 basis points, respectively). EU member states have the ability to further reduce these interchange levels within their territories. The European Commission has announced its intention to conduct another impact assessment of the IFR, which could result in even lower caps on interchange rates and the expansion of regulation to other types of products, services and fees.
•Several countries in Latin America continue to explore regulatory measures against payments networks and have either adopted or are exploring interchange caps, including Argentina, Brazil, Chile and Costa Rica. In Asia Pacific, the Reserve Bank of Australia (RBA) which already regulates interchange, continues to monitor issues related to the cost of acceptance, the potential merits of mandating merchant choice routing on dual network debit cards and competition in digital wallet payments. In 2022, the New Zealand Parliament passed legislation capping domestic interchange rates for debit and credit products, and the government remains focused on lowering costs of digital payments to businesses and consumers. Interchange is also regulated in certain countries in the Central and Eastern Europe, Middle East and Africa region, including the United Arab Emirates. Finally, many governments, including but not limited to governments in India, Costa Rica, and Turkey, are using regulation to further drive down MDR, which could negatively affect the economics of our transactions.
•While the focus of interchange and MDR regulation has primarily been on domestic rates historically, there are several examples of increasing focus on cross-border rates in recent years. For example, in 2019, we agreed to limit certain cross-border interchange rates in a settlement with the European Commission. That agreement has been extended through 2029. In 2020, Costa Rica became the first country to formally regulate cross-border interchange rates by regulation. Cross-border MDR is also regulated in Costa Rica and Turkey. In June 2022, the UK’s PSR initiated a market review focusing on post-Brexit increases in interchange rates for transactions between the UK and Europe.
•As referenced above, with increased lobbying by merchants and other industry participants, we are also beginning to see regulatory interest in network fees. For example, the UK’s PSR is conducting a market review into scheme and processing fees. In its interim report, the PSR indicated that it is reviewing possible remedies, any of which, if adopted, could impose additional complexity and burdens on our business in the UK. Other regulators, for example, in Australia, the EU, and Chile, have expressed an interest in network fees, including issues related to transparency. Finally, in 2024, the Greek Parliament limited acquirer fees for certain small ticket transactions in some merchant categories for a period of three years.
•In addition, industry participants in some countries, including Argentina, Colombia, the Dominican Republic, Paraguay, Peru and South Africa have sought intervention from competition regulators or filed claims relating to certain network rules, including Visa’s restrictions on cross-border acquiring. The Central Bank of Chile recently enacted regulation that will permit cross-border acquiring for CNP transactions under certain conditions. Other countries, like Brazil, have adopted regulations that require us to seek government pre-approval for certain of our network rules, which could also impact the way we operate in certain markets.
•Government regulations or pressure may also impact our rules and practices and require us to allow other payments networks to support Visa products or services, to have the other networks’ functionality or brand marks on our products, or to share our intellectual property with other networks. In addition, the EU’s requirement to separate scheme and processing adds costs and impacts the execution of our commercial, innovation and product strategies.
•We are also subject to central bank oversight in a growing number of countries, including Brazil, India, the UK and within the EU. In several jurisdictions, we have been designated as a “systemically important payment system.” Some countries with existing oversight frameworks are looking to further enhance their regulatory powers, while regulators in other jurisdictions are considering or adopting approaches based on these regulatory principles. For example, in October 2023, VisaNet was designated as a prominent payment system in Canada. These types of designations generally result in oversight of authorization, clearing and settlement activities, including policies, procedures and requirements related to governance, reporting, cybersecurity, processing infrastructure, capital, and/or credit risk management. We could also be required to adopt policies and practices designed to mitigate settlement and liquidity risks, including increased requirements to maintain sufficient levels of capital and financial resources locally, as well as localized risk management or governance. Increased oversight could also include new criteria for member participation and merchant access to our payment systems. Furthermore, as governments increase their focus on cybersecurity, parts of our business have become considered significant or critical infrastructure by certain central banks.
•As innovations in payment technology have enabled us to expand into new products and services, they have also expanded the potential scope of regulatory influence. For instance, new products and capabilities, including tokenization, push payments, and new flows (e.g., Visa B2B Connect) could bring increased licensing or authorization requirements in the countries where the product or capability is offered. Furthermore, certain portions of our business are regulated as payment institutions or as money transmitters, subjecting us to various licensing, supervisory, and other requirements. As we continue to expand our capabilities and offerings in furtherance of our network of networks strategy, we will need to obtain new types of licenses. These licenses could result in increased supervisory and compliance obligations that are distinct from the obligations we are subject to in our capacity as a payment card network.
Regulators around the world increasingly take note of each other’s approaches to regulating the payments industry. Consequently, a development in one jurisdiction may influence regulatory approaches in another. The risks created by a new law, regulation or regulatory outcome in one jurisdiction have the potential to be replicated and to negatively affect our business in another jurisdiction or in other product offerings. For example, our settlement with the European Commission on cross-border interchange rates has drawn preliminary attention from some regulators in other parts of the world. Similarly, new regulations involving one product offering may prompt regulators to extend the regulations to other product offerings. For example, credit payments could become subject to similar regulation as debit payments (or vice versa). The RBA initially capped credit interchange, but subsequently capped debit interchange as well.
When we cannot set default interchange reimbursement rates at optimal levels, issuers and acquirers may find our payments system less attractive. This may increase the attractiveness of other payments systems, such as our competitors’ closed-loop payments systems with direct connections to both merchants and consumers. We believe some issuers may react to such regulations by charging new or higher fees, or reducing certain benefits to consumers, which make our products less appealing to consumers. Some acquirers may elect to charge higher MDR regardless of the Visa interchange reimbursement rate, causing merchants not to accept our products or to steer customers to alternative payments systems or forms of payment. In addition, in an effort to reduce the expense of their payment programs, some issuers and acquirers have obtained, and may continue to obtain, incentives from us, including reductions in the fees that we charge, which directly impacts our net revenue.
Finally, policymakers and regulatory bodies in the U.S., Europe, and other parts of the world are exploring ways to reform existing competition laws to meet the needs of the digital economy, including restricting large technology companies from engaging in mergers and acquisitions, requiring them to interoperate with potential competitors, and prohibiting certain kinds of self-preferencing behaviors. While the focus of these efforts remains primarily on increasing regulation of large technology, ecommerce and social media companies, they could also have implications for other types of companies including payments networks, which could constrain our ability to effectively manage our business or potentially limit how we make our products and services available.
Government-imposed obligations and/or restrictions on international payments systems may prevent us from competing against providers in certain countries, including significant markets such as China and India.
Governments in a number of jurisdictions shield domestic payments providers, including card networks, brands, and processors, from international competition by imposing market access barriers and preferential domestic regulations. To varying degrees, these policies and regulations affect the terms of competition in the marketplace and impair the ability of international payments networks to compete. Public authorities may also impose regulatory requirements that favor domestic providers or mandate that domestic payments or data processing be performed entirely within that country, which could prevent us from managing the end-to-end processing of certain transactions.
In China, UnionPay remains the predominant processor of domestic payment card transactions and operates the predominant domestic acceptance mark. Although we filed an application with the People’s Bank of China (PBOC) in May 2020 to operate a Bank Card Clearing Institution (BCCI) in China, the timing and the procedural steps for approval remain uncertain. There is no guarantee that the license to operate a BCCI will be approved or, if we obtain such license, that we will be able to successfully compete with domestic payments networks. Co-badging and co-residency regulations also pose additional challenges in markets where Visa competes with national networks for issuance and routing. Certain banks have issued dual-branded cards for which domestic transactions in China are processed by UnionPay and transactions outside of China are processed by Visa or other international payments networks. The PBOC is contemplating that dual-branded cards be phased out over time as new licenses are issued to international companies to participate in China’s domestic payments market. Accordingly, we have been working with Chinese issuers to issue Visa-only branded cards for international travel, and later for domestic transactions should we obtain a BCCI license. However, notwithstanding such efforts, the phase out of dual-branded cards has decreased our payment volumes and impacted the net revenue we generate in China.
UnionPay has grown rapidly in China and is actively pursuing international expansion plans, which could potentially lead to regulatory pressures on our international routing rule (which requires that international transactions on Visa cards be routed over VisaNet). Furthermore, although regulatory barriers shield UnionPay from competition in China, alternative payments providers such as Alipay and WeChat Pay have rapidly expanded into ecommerce, offline, and cross-border payments, which could make it difficult for us to compete even if our license is approved in China. NetsUnion Clearing Corp, a Chinese digital transaction routing system, and other such systems could have a competitive advantage in comparison with international payments networks.
Regulatory initiatives in India, including a data localization mandate implemented by the government, have cost implications for us and could affect our ability to effectively compete with domestic payments providers. Furthermore, any inability to meet the requirements of the data localization mandate could impact our ability to do business in India. In Europe, with the support of the European Central Bank, a group of European banks announced their intent to launch a pan-European payment system, the European Payments Initiative (EPI). While EPI subsequently announced a focus on account-to-account instant payments across a range of use cases, the purported motivation behind EPI is to reduce the risks of disintermediation of European providers by international technology companies and continued reliance on international payments networks for intra-Europe card transactions. Furthermore, regional groups of countries, such as the Gulf Cooperation Council (GCC) and a number of countries in Southeast Asia (e.g., Malaysia), have adopted or may consider, efforts to restrict our participation in the processing of regional transactions.
The African Development Bank has also indicated an interest in supporting national payment systems in its efforts to expand financial inclusion and strengthen regional financial stability. Finally, some countries such as Nigeria and South Africa are mandating on-shore processing of domestic transactions. Geopolitical events, including sanctions, trade tensions or other types of activities have intensified these activities, which could adversely affect our business. For example, in the aftermath of U.S. and European sanctions against Russia and the decision by U.S. payments networks, including Visa, to suspend operations in the country, some countries have expressed concerns about their reliance on U.S. financial services companies, including payments networks, and have taken steps to bolster the development of domestic solutions. Separately, Russia has called for the BRICS countries (a five-country bloc made up of Brazil, Russia, India, China and South Africa, and which has recently expanded to include countries such as Egypt, Ethiopia, Iran, Saudi Arabia, and the United Arab Emirates), to lessen dependence on Western payments systems by, among other things, integrating payments systems and cards across member countries.
Central banks in a number of countries, including those in Argentina, Australia, Brazil, Canada, Europe, India, and Mexico, are in the process of developing or expanding national RTP networks and instant payment solutions with the goal of driving a greater number of domestic transactions onto these systems. In July 2023, the U.S. Federal Reserve launched its FedNow Service with core clearing and settlement functionality, and expects to add more features and enhancements over time. Some countries are also exploring cross-border connectivity of their respective RTP systems. Finally, an increasing number of jurisdictions are exploring the concept of building central bank digital currencies for retail payments, such as the European Central Bank’s Digital Euro initiative. If successfully deployed, these national payment platforms and digital currencies could have significant implications for Visa’s domestic and cross-border payments, including potential disintermediation.
Due to our inability to manage the end-to-end processing of transactions for cards in certain countries (e.g., Thailand), we depend on our close working relationships with our clients or third-party service providers to ensure transactions involving our products are processed effectively. Our ability to do so may be adversely affected by regulatory requirements and policies pertaining to transaction routing or on-shore processing. In general, national laws that protect or otherwise support domestic providers or processing may increase our costs; decrease our payments volumes and impact the net revenue we generate in those countries; decrease the number of Visa products issued or processed; impede us from utilizing our global processing capabilities and controlling the quality of the services supporting our brands; restrict our activities; limit our growth and the ability to introduce new products, services and innovations; force us to leave countries or prevent us from entering new markets; and create new competitors, all of which could harm our business.
Laws and regulations regarding the handling of personal data, including laws and regulations related to privacy, cybersecurity and AI, may impede our services or result in increased costs, legal claims, or fines against us.
Our business relies on the processing of data across national borders. Legal requirements relating to the collection, storage, handling, use, disclosure, transfer, disposal and security of personal data continue to evolve, and we are subject to an increasing number of privacy, data protection, cybersecurity and AI requirements around the world. For example, our ongoing efforts to comply with complex U.S. state privacy and data protection regulations, and emerging international privacy and data protection laws, may increase the complexity of our compliance operations, entail substantial expenses, divert resources from other initiatives and projects, and limit the services we are able to offer. Additionally, privacy laws in other regions, such as China’s Personal Information Protection Law and India’s Personal Data Protection Act, may have extraterritorial application and include restrictions on cross-border data transfers, extensive notification and localization requirements, and substantial compliance and audit obligations. The global proliferation of new privacy and data protection laws may lead to inconsistent and conflicting requirements, which create an uncertain regulatory environment. Noncompliance could also result in regulatory penalties and significant legal liability.
Enforcement actions and investigations by regulatory authorities into companies related to data security incidents and privacy violations are generally increasing. In Europe, data protection authorities continue to apply and enforce the General Data Protection Regulation (GDPR), imposing record setting fines.
We are also subject to a variety of laws and regulations governing the development, use, and deployment of AI technologies. These laws and regulations are still evolving, and there is no single global regulatory framework for AI. The market is still assessing how regulators may apply existing consumer protection and other laws in the context of AI. There is thus uncertainty on what new laws will look like and how existing laws will apply to our development, use, and deployment of AI. In the midst of this uncertainty, we may face challenges due to the complexity and rapidly changing nature of AI technology and applicable laws. Our use of AI and machine learning is subject to various risks at each stage of use. In the context of AI development, risks include those related to intellectual property considerations, the collection and use of personal information, third party risks, technical limitations of algorithms and the accuracy of training data, and compliance with emerging AI legal standards. In the context of use and deployment, risks include ethical and compliance considerations, and our ability to monitor and safely deploy AI systems throughout the organization with appropriate safeguards. The EU has adopted a comprehensive AI Act that applies harmonized rules across Europe with the aim of fostering innovation and respecting fundamental rights. The EU AI Act comes into force in stages with the key provisions related to high risk AI coming into force in August 2026. There is still limited guidance on the EU AI Act, but it could, depending on how provisions are interpreted and enforced, limit the ability to create and deploy AI systems for uses deemed high-risk in the EU or add increased compliance costs associated with these systems.
Our development and implementation of governance frameworks for our AI and machine learning systems may not be successful in mitigating all of these emerging risks.
Further, as we develop integrated and personalized products and services and acquire new companies to meet the needs of a changing marketplace, we may expand our data profile through additional data types and sources, across multiple channels, and involving new partners. This potential expansion could amplify the impact of these various laws and regulations on our business. As a result, we are required to constantly monitor our privacy, data and cybersecurity practices and potentially change them when necessary or appropriate. We also may need to provide increased care in our data management, governance and quality practices, particularly as it relates to the use of data in products leveraging AI.
We may be subject to tax examinations or disputes, or changes in tax laws.
The application of tax laws requires significant judgment and can be subject to uncertainty and differing interpretations. We are currently under examination by, or in disputes with, the U.S. Internal Revenue Service as well as tax authorities in other jurisdictions, and we may be subject to additional examinations or disputes in the future. We exercise significant judgment and make estimates that we believe to be reasonable in calculating our worldwide provision for income taxes and other tax liabilities. However, relevant tax authorities may disagree with our estimates, interpretations or tax treatment of certain material items. Failure to sustain our position in these matters could adversely affect our cash flows and financial position.
In addition, changes in existing laws in the U.S. or foreign jurisdictions, including unilateral actions of foreign jurisdictions to introduce digital services taxes, or changes resulting from the Organization for Economic Cooperation and Development’s proposals for modernizing the international tax system, including the introduction of a global minimum tax with widespread implementation by member countries expected by 2025, may also materially affect our effective tax rate and could increase our tax payments. Please see Item 7 and Note 19—Income Taxes to our consolidated financial statements included in Item 8 of this report.
Litigation Risks
We may be adversely affected by the outcome of litigation or investigations.
We are involved in numerous litigation matters, investigations, and proceedings asserted by civil litigants, governments, and enforcement bodies investigating or alleging, among other things, violations of competition and antitrust law, consumer protection law, privacy law and intellectual property law (these are referred to as “actions” in this section). Details of the most significant actions we face are described more fully in Note 20—Legal Matters to our consolidated financial statements included in Item 8 of this report. These actions are inherently uncertain, expensive and disruptive to our operations. In the event we are found liable or reach a settlement in any action, particularly in a large class action lawsuit, such as one involving an antitrust claim entitling the plaintiff to treble damages in the U.S., or we incur liability arising from a government investigation, we may be required to pay significant awards or judgments, settlements, costs or fines. In addition, settlement terms, judgments, orders, pressures or events in or resulting from actions have impacted and may continue to impact our business by creating uncertainty for our business or by influencing or requiring us to modify, among other things, the default interchange reimbursement rates we set, the Visa operating rules or the way in which we enforce those rules, our fees or pricing, or the way we do business. These actions or their outcomes may also influence regulators, investigators, governments or civil litigants in the same or other jurisdictions, which may lead to additional actions against Visa.
Finally, we are required by some of our commercial agreements to indemnify other entities for litigation brought against them, even if Visa is not a defendant.
For certain actions like those that are U.S. covered litigation or VE territory covered litigation, as described in Note 5—U.S. and Europe Retrospective Responsibility Plans and Note 20—Legal Matters to our consolidated financial statements included in Item 8 of this report, we have certain financial protections pursuant to the respective retrospective responsibility plans. The two retrospective responsibility plans are different in the protections they provide and the mechanisms by which we are protected. The failure of one or both of the retrospective responsibility plans to adequately insulate us from the impact of such settlements, judgments, losses, or liabilities could materially harm our financial condition or cash flows, or even cause us to become insolvent.
Business Risks
We face intense competition in our industry.
The global payments space is intensely competitive. As technology evolves and consumer expectations change, new competitors or methods of payment emerge, and existing clients and competitors assume different roles. Our products compete with cash, checks, electronic payments, virtual currency payments, global or multi-regional networks, other domestic and closed-loop payments systems, digital wallets and alternative payments providers primarily focused on enabling payments through ecommerce and mobile channels. As the global payments space becomes more complex, we face increasing competition from our clients, other emerging payment providers such as fintechs, other digital payments, technology companies that have developed payments systems enabled through online activity in ecommerce, social media, and mobile channels, other providers of new flows and value-added service offerings, as well as governments in a number of jurisdictions (e.g., Brazil and India) as discussed above, that are developing, supporting and/or operating national schemes, RTP networks and other payment platforms. For more information, please see Item 1—Competition above.
Our competitors may acquire, develop, or make better use of substantially better technology, have more widely adopted delivery channels, or have greater financial resources. They may offer more effective, innovative or a wider range of programs, products and services. They may use more effective advertising and marketing strategies that result in broader brand recognition and greater use, including with respect to issuance and merchant acceptance. They may also develop better security solutions or more favorable pricing arrangements. Moreover, even if we successfully adapt to technological change and the proliferation of alternative types of payment services by developing and offering our own services in these areas, such services may provide less favorable financial terms for us than we currently receive from VisaNet transactions, which could hurt our financial results and prospects.
Certain of our competitors operate with different business models, have different cost structures or participate in different market segments. Many of these competitors are also able to use existing payment networks without being subject to many of the associated costs. Moreover, these competitors also occupy various roles in the payments ecosystem that enable them to influence payment choice of other participants. Those business models may ultimately prove more successful or more adaptable to regulatory, technological and other developments. In some cases, these competitors have the support of government mandates that prohibit, limit or otherwise hinder our ability to compete for transactions within certain countries and regions. Some of our competitors, including American Express, Discover, private-label card networks, virtual currency providers, technology companies that enable the exchange of digital assets, and certain alternative payments systems like Alipay and WeChat Pay, operate closed-loop payments systems, with direct connections to both merchants and consumers. Government actions or initiatives such as the Dodd-Frank Act, the IFR in Europe, or RTP initiatives by governments such as the U.S. Federal Reserve’s FedNow or the Central Bank of Brazil’s Pix system may provide competitors with increased opportunities to derive competitive advantages from these business models, and may create new competitors, including in some cases the government itself. Similarly, regulation in Europe under PSD2 and the IFR may require us to open up access to, and allow participation in, our network to additional participants, and reduce the infrastructure investment and regulatory burden on competitors. 
In addition to the open banking provisions under PSD2, efforts to implement or facilitate open banking and open finance requirements are underway across a number of countries, including Australia, Brazil, Canada and the U.S., which could impose additional requirements on financial institutions or others regarding access to and use of financial data. We also run the risk of disintermediation due to factors such as emerging technologies and platforms, including mobile payments, alternative payment credentials, other ledger technologies or payment forms, and by virtue of increasing bilateral agreements between entities that prefer not to use our payments network for processing transactions. For example, merchants could process transactions directly with issuers, or processors could process transactions directly with issuers and acquirers.
We expect the competitive landscape to continue to shift and evolve. For example:
•We, along with our competitors, clients, network participants, and others are developing or participating in alternative payments systems or products, such as mobile payment services, ecommerce payment services, P2P payment services, real-time and faster payment initiatives, and payment services that permit ACH or direct debits from or to consumer checking accounts, that could either reduce our role or otherwise disintermediate us from the transaction processing or the value-added services we provide to support such processing. Examples include initiatives from The Clearing House, an association consisting of large financial institutions that has developed its own faster payments system; Early Warning Services, which operates Zelle, a bank-offered alternative network that provides another platform for faster funds or real-time payments across a variety of payment types, including P2P, corporate and government disbursement, bill pay and deposit check transactions; and cryptocurrency or stablecoin-based payments initiatives.
•Many countries or regions are developing or promoting domestic networks, switches and RTP systems (e.g., U.S., Brazil, India and Europe) and in some countries the government itself owns and operates these RTP systems (e.g., Brazil). To the extent these governments mandate local banks and merchants to use and accept these systems for domestic or other transactions, prohibit international payments networks, like Visa, from participating on those systems, and/or impose restrictions or prohibitions on international payments networks from offering payment services on such transactions, we could face the risk of our business being disintermediated in those countries. For example, in some regions (Latin America, Southeast Asia and the Middle East), including through intergovernmental organizations such as the Association of Southeast Asian Nations and the GCC, some countries are at varying stages of exploring or operationalizing the cross-border connectivity of such domestic systems. Similarly, India has expressed interest in expanding its digital public infrastructure, which includes its RTP system, Unified Payments Interface (UPI), outside the country and for cross-border payments. Currently, international payment networks like Visa are unable to participate in UPI.
•Parties that process our transactions may try to minimize or eliminate our position in the payments value chain.
•Parties that access our payment credentials, tokens and technologies, including clients, technology solution providers or others might be able to migrate or steer account holders and other clients to alternative payment methods or use our payment credentials, tokens and technologies to establish or help bolster alternate payment methods and platforms.
•Participants in the payments industry may merge, form joint ventures or enable or enter into other business combinations that strengthen their existing business propositions or create new, competing payment services.
•New or revised industry standards related to online checkout and web payments, cloud-based payments, tokenization or other payments-related technologies set by individual countries, regions or organizations such as the International Organization for Standardization, American National Standards Institute, World Wide Web Consortium, European Card Standards Group, PCI Co, Nexo and EMVCo may result in additional costs and expenses for Visa and its clients, or otherwise negatively impact the functionality and competitiveness of our products and services.
As the competitive landscape is quickly evolving, we may not be able to foresee or respond sufficiently to emerging risks associated with new businesses, products, services and practices. We may be asked to adjust our local rules and practices, develop or customize certain aspects of our payment services, or agree to business arrangements that may be less protective of Visa’s proprietary technology and interests in order to compete and we may face increasing operational costs and risk of litigation concerning intellectual property. Our failure to compete effectively in light of any such developments could harm our business and prospects for future growth.
Our net revenue and profits are dependent on our client and merchant base, which may be costly to win, retain and develop.
Our financial institution clients and merchants can reassess their commitments to us at any time or develop their own competitive services. While we have certain contractual protections, our clients, including some of our largest clients, generally have flexibility to issue non-Visa products. Further, in certain circumstances, our financial institution clients may decide to terminate our contractual relationship on relatively short notice without paying significant early termination fees. Because a significant portion of our net revenue is concentrated among our largest clients, the loss of business from any one of these larger clients could harm our business, results of operations and financial condition. For more information, please see Note 14—Enterprise-wide Disclosures and Concentration of Business to our consolidated financial statements included in Item 8 of this report.
In addition, we face intense competitive pressure on the prices we charge our financial institution clients. In certain regions, we are increasingly facing competition from RTP networks, other payment facilitators offering lower pricing, and government involvement in domestic and cross-border payments. In order to stay competitive, we may need to adjust our pricing or offer incentives to our clients to grow payments volume, enter new market segments, adapt to regulatory changes, and expand their use and acceptance of Visa products and services. These include up-front cash payments, fee discounts, rebates, credits, performance-based incentives, marketing and other support payments that impact our net revenue and profitability. In addition, we offer incentives to certain merchants and acquirers to encourage them to route transactions to Visa. Pressures on pricing, incentives, fee discounts and rebates could moderate our growth.
If we are not able to implement cost containment and productivity initiatives in other areas of our business or grow our volumes in other ways to offset or absorb the financial impact of these incentives, fee discounts and rebates, it may harm our net revenue and profits.
In addition, it may be difficult or costly for us to acquire or conduct business with financial institutions or merchants that have longstanding exclusive, or nearly exclusive, relationships with our competitors. These financial institutions or merchants may be more successful and may grow more quickly than our existing clients or merchants. In addition, if there is a consolidation or acquisition of one or more of our largest clients or co-brand partners by a financial institution client or merchant with a strong relationship with one of our competitors, it could result in our business shifting to a competitor, which could put us at a competitive disadvantage and harm our business.
Merchants’ and processors’ continued push to lower acceptance costs and challenge industry practices could harm our business.
We rely in part on merchants and their relationships with our clients or their agents to maintain and expand the use and acceptance of Visa products. Certain merchants and merchant-affiliated groups have been exerting their influence in the global payments system in certain jurisdictions, such as the U.S., Australia, Canada and Europe, to attempt to lower acceptance costs paid by merchants to acquirers or their agents to accept payment products or services, by lobbying for new legislation, seeking regulatory intervention, filing lawsuits and in some cases, surcharging or refusing to accept Visa products. If they are successful in their efforts, we may face increased compliance and litigation expenses, issuers may decrease their issuance of our products, and consumer usage of our products could be adversely impacted. For example, in the U.S., certain stakeholders have raised concerns regarding how payment security standards and rules may impact debit routing choice and the cost of payment card acceptance. In addition to ongoing litigation related to the U.S. migration to EMV-capable cards and point-of-sale terminals, U.S. merchant-affiliated groups and processors have expressed concerns regarding the EMV certification process and some policymakers have expressed concerns about the roles of industry bodies such as EMVCo and the Payment Card Industry Security Standards Council in the development of payment card standards. Additionally, many merchants have advocated for lower acceptance costs in the form of reduced interchange rates, which could result in some issuers eliminating or reducing their promotion or use of Visa’s products and services, eliminating or reducing cardholder benefits such as rewards programs, or charging account holders increased or new fees for using Visa-branded products, all of which could negatively impact Visa’s transaction volumes and related revenue. 
Finally, some merchants and processors have advocated for changes to industry practices and Visa acceptance requirements at the point of sale, including the ability for merchants to accept only certain types of Visa products, to mandate only PIN authenticated transactions, to differentiate or steer among Visa product types issued by different financial institutions, and to impose surcharges on customers presenting Visa products as their form of payment. If successful, these efforts could adversely impact consumers’ usage of our products and decrease our overall transaction volumes and net revenue, lead to regulatory enforcement and/or litigation that increases our compliance and litigation expenses, and ultimately harm our business.
We depend on relationships with financial institutions, acquirers, processors, merchants, payment facilitators, ecommerce platforms, fintechs and other third parties.
As noted above, our relationships with industry participants are complex and require us to balance the interests of multiple third parties. For instance, we depend significantly on relationships with our financial institution clients and on their relationships with account holders and merchants to provide our products and services, and thereby compete effectively in the marketplace. We offer incentives to merchants, acquirers, ecommerce platforms and processors to encourage routing preference and acceptance growth. We also engage in many payment card co-branding efforts with merchants, who receive incentives from us. As emerging participants such as fintechs enter the payments industry, we engage in discussions to address the role they may play in the ecosystem, whether as, for example, an issuer, merchant, ecommerce platform or digital wallet provider. As these and other relationships become more prevalent and take on a greater importance to our business, our success will increasingly depend on our ability to sustain and grow these relationships. In addition, we depend on our clients and third parties, including network partners, vendors and suppliers, to submit, facilitate and process transactions properly, provide various services associated with our payments network on our behalf, and otherwise adhere to our operating rules and applicable laws. As our clients expand their global footprint, their legal and regulatory obligations can become even more complex.
From time to time, our relationships may be affected by actions of our clients and industry participants that may materially and adversely impact our business, products or services, and to the extent we or such parties fail to perform or deliver adequate services or comply with regulatory obligations, it may result in negative experiences for account holders or others when using their Visa-branded payment products, which could harm our business and reputation.
Our business could be harmed if we are not able to maintain and enhance our brand, if events occur that have the potential to damage our brand or reputation, or if we experience brand disintermediation.
Our brand is globally recognized and is a key asset of our business. We believe that our clients and their account holders associate our brand with acceptance, security, convenience, speed, and reliability. Our success depends in large part on our ability to maintain the value of our brand and reputation of our products and services in the payments ecosystem, elevate the brand through new and existing products, services and partnerships, and uphold our corporate reputation. The popularity of products that we have developed in partnership with technology companies and financial institutions as well as government actions that mandate other networks to process Visa-branded card transactions may have the potential to cause brand disintermediation at the point of sale, in ecommerce and mobile channels, and decrease the presence of our brand. Our brand reputation may also be negatively impacted by a number of factors, including authorization, clearing and settlement service disruptions; data security breaches; compliance failures by Visa, including by our employees, agents, clients, partners or suppliers; failure to meet expectations of our clients, consumers, or other stakeholders; negative perception of our industry, the industries of our clients, Visa-accepting merchants, or our clients’ customers and agents, including third-party payments providers; ill-perceived actions or affiliations by clients, partners or other third parties, such as sponsorship or co-brand partners; and fraudulent, or illegal activities using our payment products or services, and which we may not always be in a position to detect and/or prevent from occurring over our network. Our brand could also be negatively impacted when our products are used to facilitate payment for legal, but controversial, products and services, including, adult content, cryptocurrencies, firearms, and gambling activities. Additionally, these risks could be exacerbated if our financial institution partners and/or merchants fail to maintain necessary controls to ensure the legality of these transactions, if any legal liability associated with such goods or services is extended to ancillary participants in the value chain like payments networks, or if our network and industry become entangled in political or social debates concerning such legal, but controversial, commerce.
If we are unable to maintain our reputation, the value of our brand may be impaired, which could harm our relationships with clients, account holders, employees, prospective employees, governments and the public, as well as impact our business.
Global economic, political, market, health and social events or conditions may harm our business.
More than half of our net revenue is earned outside the U.S. In addition, international cross-border transaction revenue represents a significant part of our net revenue and is an important part of our growth strategy. Our net revenue is dependent on the volume and number of payment transactions made by consumers, governments, and businesses whose spending patterns may be affected by economic, political, market, health and social events or conditions. Adverse macroeconomic conditions within the U.S. or internationally, including but not limited to recessions, inflation, rising interest rates, high unemployment, currency fluctuations, actual or anticipated large-scale defaults or failures, rising energy prices, or a slowdown of global trade, and reduced consumer, small business, government, and corporate spending, have a direct impact on our volumes, transactions and net revenue. Furthermore, in efforts to deal with adverse macroeconomic conditions, governments may introduce new or additional initiatives or requests to reduce or eliminate payment fees or other costs. In an overall soft global economy, such pricing measures could result in additional financial pressures on our business.
In addition, outbreaks of illnesses, pandemics like COVID-19, or other local or global health issues, political uncertainties, international hostilities, armed conflicts, wars, civil unrest, climate-related events, including the increasing frequency of extreme weather events, impacts to the power grid, and natural disasters have to varying degrees negatively impacted our operations, clients, third-party suppliers, activities, and cross-border travel and spend.
Geopolitical trends towards nationalism, protectionism, and restrictive visa requirements, as well as continued activity and uncertainty around economic sanctions, tariffs or trade restrictions, including restrictions on the cross-border flow of data, also limit the expansion of our business in certain regions and have resulted in us suspending our operations in other regions. During fiscal 2022, economic sanctions were imposed on Russia by the U.S., the EU, United Kingdom and other jurisdictions and authorities, impacting Visa and its clients. In March 2022, we suspended our operations in Russia and as a result, are no longer generating revenue from domestic and cross-border activities related to Russia. The war in Ukraine and any further actions by, or in response to such actions by, Russia or its allies could have lasting impacts on Ukraine as well as other regional and global economies, any or all of which could adversely affect our business. The ongoing military conflict in the Middle East, and any resulting conflicts in the region, could potentially have similar negative impacts.
A decline in economic, political, market, health and social conditions could impact our clients as well, and their decisions could reduce the number of cards, accounts, and credit lines of their account holders, and impact overall consumption by consumers and businesses, which would ultimately impact our net revenue. Our clients may implement cost-reduction initiatives that reduce or eliminate marketing budgets, and decrease spending on optional or enhanced value-added services from us. Any events or conditions that impair the functioning of the financial markets, tighten the credit market, or lead to a downgrade of our current credit rating could increase our future borrowing costs and impair our ability to access the capital and credit markets on favorable terms, which could affect our liquidity and capital resources, or significantly increase our cost of capital.
Finally, as governments, investors and other stakeholders face additional pressures to accelerate actions to address climate change and other environmental, governance and social topics, governments are implementing regulations and investors and other stakeholders are imposing new expectations or focusing investments in ways that may cause significant shifts in disclosure, commerce and consumption behaviors that may have negative impacts on our business. As a result of any of these factors, any decline in cross-border travel and spend would impact our cross-border volumes, the number of cross-border transactions we process and our currency exchange activities, which in turn would reduce our international transaction revenue.
Our aspirations to address corporate responsibility and sustainability (CRS) matters and considerations could adversely affect our business and financial results or negatively impact our reputation.
We are subject to laws, regulations and other measures that govern a wide range of topics, including those that are related to matters beyond our core products and services, such as matters that touch upon sustainability, climate change, human capital, inclusion and diversity, and human rights. A wide range of stakeholders, including governments, customers, employees, and investors, are increasingly focused on and are developing expectations regarding these corporate responsibility matters. We have established CRS-related initiatives, adopted reporting frameworks, and announced several related goals. These goals may change from time to time, implementation of these goals may require considerable investments, and ultimately, we cannot guarantee that we will achieve them.
Our ability to achieve any CRS objectives is subject to numerous risks, many of which are outside of our control, including the evolving legal environment and regulatory requirements for the tracking and reporting of CRS standards or disclosures and the actions of suppliers, partners, and other third parties. Certain of our regulators have proposed or adopted, or may propose or adopt, rules or standards related to these matters that would apply to our business. New regulations have been enacted and/or are expected in several jurisdictions, including the EU’s Corporate Sustainability Reporting Directive, the SEC climate-related disclosures that could require disclosure of climate-related information and the State of California’s legislation requiring broad disclosure of greenhouse gas emissions and other climate-related information. Prevailing CRS standards and expectations may also reflect conflicting values or objectives, which can result in our practices being judged by standards that are continually evolving and are not always clear. From time to time, the methodologies for reporting our CRS data may be updated and previously reported data may be adjusted to reflect an improvement in the availability and quality of data, changing assumptions, changes in the nature and scope of our operations, and other changes in circumstances. This may result in a lack of consistent or meaningful comparative data from period to period or between us and other companies in the same industry. Further, where new laws or regulations are more stringent than current legal or regulatory requirements, we may experience increased compliance burdens and costs to meet such obligations.
Our stakeholders often hold differing views on our CRS-related goals and initiatives, which may result in negative attention in traditional and social media or a negative perception of our response to concerns regarding these matters. In addition, we also face potentially conflicting supervisory directives as certain U.S. regulatory and non-U.S. authorities have prioritized CRS-related issues while Congress and certain U.S. state governments have signaled pursuing potentially conflicting priorities. These circumstances, among others, may result in pressure from investors, unfavorable reputational impacts, including inaccurate perceptions or a misrepresentation of our actual CRS practices, diversion of management’s attention and resources, and proxy fights, among other material adverse impacts on our business. Any failure, or perceived failure, by us to adhere to our public statements, comply fully with developing interpretations of CRS laws and regulations, or meet evolving and varied stakeholder expectations and standards could negatively impact our business, reputation, financial condition, and operating results.
Our indemnification obligation to fund settlement losses of our clients exposes us to significant risk of loss and may reduce our liquidity.
We indemnify issuers and acquirers for settlement losses they may suffer due to the failure of another issuer or acquirer to honor its settlement obligations in accordance with the Visa operating rules. In certain instances, we may indemnify issuers or acquirers in situations in which a transaction is not processed by our system. This indemnification creates settlement risk for us due to the timing difference between the date of a payment transaction and the date of subsequent settlement. Our indemnification exposure is generally limited to the amount of unsettled Visa card payment transactions at any point in time and any subsequent amounts that may fall due relating to adjustments for previously processed transactions. Changes in the credit standing of our clients or concurrent settlement failures or insolvencies involving more than one of our largest clients, several of our smaller clients, significant sponsor banks through which non-financial institutions participate in the Visa network, or systemic operational failures could expose us to liquidity risk, and negatively impact our financial position. Even if we have sufficient liquidity to cover a settlement failure or insolvency, we may be unable to recover the amount of such payment. This could expose us to significant losses and harm our business. See Note 12—Settlement Guarantee Management to our consolidated financial statements included in Item 8 of this report.
Technology and Cybersecurity Risks
Failure to anticipate, adapt to, or keep pace with, new technologies in the payments industry could harm our business and impact future growth.
The global payments industry is undergoing significant and rapid technological change, including increased proliferation of mobile and other proximity and in-app payment technologies, ecommerce, tokenization, cryptocurrencies, distributed ledger and blockchain technologies, cloud-based encryption and authorization, and new authentication technologies such as biometrics, FIDO 2.0, 3D Secure 2.0 and dynamic cardholder verification values or dCVV2. As a result, we expect new services and technologies to continue to emerge and evolve, including those developed by Visa such as our new flows offerings. For example, generative AI solutions have emerged as an opportunity for Visa, its clients, suppliers, merchants, and partners to innovate more quickly and better serve consumers. Rapid adoption and novel uses of generative AI across the marketplace may also introduce unique and unpredictable security risks to our systems, information, and the payments ecosystem. In addition to our own initiatives and innovations, we work closely with third parties, including potential competitors, for the development of, and access to, new technologies. It is difficult, however, to predict which technological developments or innovations will become widely adopted and how those technologies may be regulated. Moreover, some of the new technologies could be subject to intellectual property-related lawsuits or claims, potentially impacting our development efforts and/or requiring us to obtain licenses, implement design changes or discontinue our use.
If we or our partners fail to adapt and keep pace with new technologies in the payments space in a timely manner, it could harm our ability to compete, decrease the value of our products and services to our clients, impact our intellectual property or licensing rights, harm our business and impact our future growth.
A disruption, failure or breach of our networks or systems, including as a result of cyber incidents or attacks, could harm our business.
Our cybersecurity and processing systems, as well as those of financial institutions, merchants and third-party service providers, have experienced and may continue to experience errors, interruptions, delays or damage from a number of causes, including power outages, hardware, software and network failures, computer viruses, ransomware, malware or other destructive software, AI technologies by bad actors, internal design, manual or user errors, cyber attacks, terrorism, political tensions, war or other military conflicts, or civil unrest, security breaches of our physical premises, workplace violence or wrongdoing, catastrophic events, natural disasters, severe weather conditions and other effects from climate change. In addition, there is risk that third-party suppliers of hardware and infrastructure required to operate our data centers and support employee productivity could be impacted by supply chain disruptions, such as manufacturing, shipping delays, and service disruption due to cyber attacks. An extended supply chain or service disruption could also impact processing or delivery of technology services.
Furthermore, our visibility and role in the global payments industry also puts our company at a greater risk of being targeted by hackers. In the normal course of our business, we have been the target of malicious cyber activity. We have been, and may continue to be, impacted by attacks and data security breaches of financial institutions, merchants, and third-party service providers. We are also aware of instances where governments have directed or sponsored attacks against some of our financial institution clients, and other instances where merchants and issuers have encountered substantial data security breaches affecting their customers, some of whom were Visa account holders. Given the increase in online banking, ecommerce and other online activity, we continue to see increased cyber and payment fraud activity, as cybercriminals attempt phishing and social engineering scams, distributed denial of service attacks and other disruptive actions. Overall, such attacks and breaches have resulted, and may continue to result in, fraudulent activity and ultimately, financial losses to Visa’s financial institution clients, merchants or third-party service providers.
Numerous and evolving cybersecurity threats, including advanced and persistent cyber attacks, targeted attacks against our employees and trusted partners, insider threats, social engineering threats, such as phishing or deepfake schemes, including those using synthetic media, could compromise the confidentiality, availability and integrity of data in our systems, particularly on our internet-facing applications, or the systems of our third-party service providers. Because the tactics, techniques and procedures used to obtain unauthorized access, or to disable or degrade systems change frequently, have become increasingly more complex and sophisticated, and may be difficult to detect for periods of time, we may not anticipate these acts or respond adequately or timely. For example, cybercriminals have increasingly demonstrated advanced capabilities, such as use of zero-day vulnerabilities, and rapid integration of new technology such as generative AI are being used by threat actors to create sophisticated attacks that are increasingly automated, targeted, and more difficult to defend against. The security measures and procedures we, our financial institution and merchant clients, other merchants and third-party service providers in the payments ecosystem have in place to protect sensitive consumer data and other information may not be implemented effectively, may differ in scope and complexity across different ecosystem participants, or may not be successful or sufficient to counter all data security breaches, cyber incidents and attacks or system failures. In some cases, the mitigation efforts may be dependent on third parties who may not follow the required contractual standards, who may not be able to timely patch vulnerabilities or fix security defects, or whose hardware, software or network services may be subject to error, defect, delay, outage or lack appropriate malware prevention to prevent breaches or data exfiltration incidents. Cyber incidents and attacks can have cascading impacts that unfold with increasing speed across our internal networks and systems and those of our partners and clients.
Despite our security measures and programs to protect our systems and data, and prevent, detect and respond to data security incidents, there can be no assurance that our efforts will prevent all such threats.
In addition, as a global financial services company, Visa is increasingly subject to complex and varied cybersecurity regulations and cyber incident reporting requirements across numerous jurisdictions. With the often short timeframes required for cyber incident reporting, there is a risk that Visa or its third-party service providers will fail to meet the reporting deadlines for any given incident. It may take considerable time for us to investigate and evaluate the full impact of cyber incidents, particularly for sophisticated attacks. These factors may inhibit our ability to provide prompt, full, and reliable information about the cyber incident to our clients, partners, and regulators, as well as to the public. In the event we are found to be out of compliance, we could be subject to monetary damages, civil and criminal penalties, litigation, investigations and proceedings, and damage to our reputation and brand.
Any of these events, individually or in the aggregate, could significantly disrupt our operations; result in the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary, sensitive and personal information (including account data information) or data security compromises; impact our clients and consumers; damage our reputation and brand; result in litigation or claims, violations of applicable privacy and other laws, and increased regulatory review or scrutiny, investigations, actions, fines or penalties; result in damages or changes to our business practices; decrease the overall use and acceptance of our products; decrease our volume, net revenue and future growth prospects; and be costly, time consuming and difficult to remedy. Our brand reputation may also be negatively impacted by a number of factors, including authorization, clearing and settlement service disruptions; data security breaches; compliance failures by Visa, including by our employees, agents, clients, partners or suppliers; failure to meet expectations of our clients, consumers, or other stakeholders; negative perception of our industry, the industries of our clients, Visa-accepting merchants, or our clients’ customers and agents, including third-party payments providers; ill-perceived actions or affiliations by clients, partners or other third parties, such as sponsorship or co-brand partners; and fraudulent, or illegal activities using our payment products or services, and which we may not always be in a position to detect and/or prevent from occurring over our network. In the event of damage or disruption to our business due to these occurrences, we may not be able to successfully and quickly recover all of our critical business functions, assets, and data through our business continuity program. Furthermore, while we maintain insurance, our coverage may not sufficiently cover all types of losses or claims that may arise.
Structural and Organizational Risks
We may not achieve the anticipated benefits of our acquisitions, joint ventures or strategic investments, and may face risks and uncertainties as a result.
As part of our overall business strategy, we make acquisitions and strategic investments, and enter into joint ventures. We may not achieve the anticipated benefits of our current and future acquisitions, joint ventures or strategic investments and they may involve significant risks and uncertainties, including:
• disruption to our ongoing business, including diversion of resources and management’s attention from our existing business;
• greater than expected investment of resources or operating expenses;
• failure to adequately develop or integrate our acquired entities or joint ventures;
• the data security, cybersecurity and operational resilience posture of our acquired entities, joint ventures or companies we invest in or partner with, may not be adequate and may be more susceptible to a system failure, service disruption or cyber incident or attack;
• difficulty, expense or failure of implementing controls, procedures and policies at our acquired entities or joint ventures;
• challenges of integrating new employees, business cultures, business systems and technologies;
• failure to retain employees, clients or partners of our acquired entities or joint ventures;
• in the case of foreign acquisitions, risks related to the integration of operations across different cultures and languages;
• disruptions, costs, liabilities, judgments, settlements or business pressures resulting from litigation matters, investigations or legal proceedings involving our acquisitions, joint ventures or strategic investments;
• the inability to pursue aspects of our acquisitions or joint ventures due to outcomes in litigation matters, investigations or legal proceedings;
• failure to obtain the necessary government or other approvals at all, on a timely basis or without the imposition of burdensome conditions or restrictions;
• the economic, political, regulatory and compliance risks associated with our acquisitions, joint ventures or strategic investments, including when entering into a new business or operating in new regions or countries. For more information on regulatory risks, please see Item 1—Government Regulation and Item 1A—Regulatory Risks above;
• discovery of unidentified issues and related liabilities after our acquisitions, joint ventures or investments were made;
• failure to mitigate the deficiencies and liabilities of our acquired entities or joint ventures;
• dilutive issuance of equity securities, if new securities are issued;
• the incurrence of debt;
• negative impact on our financial position and/or statement of operations; and
• anticipated benefits, synergies or value of our acquisitions, joint ventures or investments not materializing or taking longer than expected to materialize.
In addition, we may pursue additional strategic objectives, such as additional exchange offers, which can divert resources and management’s attention from our existing business and, if unsuccessful, may harm our business and reputation.
We may be unable to attract, hire and retain a highly qualified and diverse workforce, including key management.
The talents and efforts of our employees, particularly our key management, are vital to our success. The market for highly skilled workers and leaders in our industry, especially in fintech, technology, cybersecurity and other specialized areas, is extremely competitive. Our management team has significant industry experience and would be difficult to replace. We may be unable to retain them or to attract, hire or retain other highly qualified employees, particularly if we do not offer employment terms that are competitive with the rest of the labor market. Ongoing changes in laws and policies regarding immigration, travel and work authorizations have made it more difficult for employees to work in, or transfer among, jurisdictions in which we have operations and could continue to impair our ability to attract, hire and retain qualified employees. Failure to attract, hire, develop, motivate and retain highly qualified and diverse employee talent, especially in light of changing worker expectations and talent marketplace variability regarding flexible work models; to meet our goals related to fostering an inclusive and diverse culture or to adequately address potential increased scrutiny of our inclusion and diversity-related programs and initiatives; to develop and implement an adequate succession plan for the management team; to maintain our strong corporate culture of fostering innovation, collaboration and inclusion in our current hybrid model; or to design and successfully implement flexible work models that meet the expectations of employees and prospective employees could impact our workforce development goals, impact our ability to achieve our business objectives, and adversely affect our business and our future success. 
The conversions of our class B and class C common stock or series A, B and C preferred stock into shares of class A common stock would result in voting dilution to, and could adversely impact the market price of, our existing class A common stock.
The market price of our class A common stock could fall as a result of many factors. The value of our class B-1, B-2 and C common stock and series A, B and C preferred stock is tied to the value of the class A common stock. Under our U.S. retrospective responsibility plan, upon final resolution of our U.S. covered litigation, all class B-1 and B-2 common stock will become convertible into class A common stock. Under our Europe retrospective responsibility plan, Visa will continue to release value from the series B and series C preferred stock in stages based on developments in current and potential litigation. The series B and series C preferred stock will become fully convertible to series A preferred stock or class A common stock no later than 2028 (subject to a holdback to cover any pending claims). Conversion of our class B-1, B-2 and C common stock into class A common stock, or our series A, B and C preferred stock into class A common stock, would increase the amount of class A common stock outstanding, which would dilute the voting power of existing class A common stockholders. In addition, the sale of significant portions of converted class A common stock could adversely impact the market price of our existing class A common stock.
Holders of our class B-1, B-2 and C common stock and series A, B and C preferred stock may have different interests than our class A common stockholders concerning certain significant transactions.
Although their voting rights are limited, holders of our class B-1, B-2 and C common stock and, in certain specified circumstances, holders of our series A, B and C preferred stock, can vote on certain significant transactions. With respect to our class B-1, B-2 and C common stock, these transactions include a proposed consolidation or merger, a decision to exit our core payments business and any other vote required under Delaware law. With respect to our series A, B and C preferred stock, voting rights are limited to proposed consolidations or mergers in which holders of the series A, B and C preferred stock would receive shares of stock or other equity securities with preferences, rights and privileges that are not substantially identical to the preferences, rights and privileges of the applicable series of preferred stock; or, in the case of series B and C preferred stock, holders would receive securities, cash or other property that is different from what our class A common stockholders would receive. Because the holders of classes of capital stock other than class A common stock are our current and former financial institution clients, they may have interests that diverge from our class A common stockholders. As a result, the holders of these classes of capital stock may not have the same incentive to approve a corporate action that may be favorable to the holders of class A common stock, and their interests may otherwise conflict with interests of our class A common stockholders.
Delaware law, provisions in our certificate of incorporation and bylaws, and our capital structure could make a merger, takeover attempt or change in control difficult.
Provisions contained in our certificate of incorporation and bylaws and our capital structure could delay or prevent a merger, takeover attempt or change in control that our stockholders may consider favorable. For example, except for limited exceptions:
• no person may beneficially own more than 15 percent of our class A common stock (or 15 percent of our total outstanding common stock on an as-converted basis), unless our board of directors approves the acquisition of such shares in advance;
• no competitor or an affiliate of a competitor may hold more than 5 percent of our total outstanding common stock on an as-converted basis;
• the affirmative votes of the class B-1, B-2 and C common stock and series A, B and C preferred stock are required for certain types of consolidations or mergers;
• our stockholders may only take action during a stockholders’ meeting and may not act by written consent; and
• only our board of directors, Chair, or CEO or any stockholders who have owned continuously for at least one year not less than 15 percent of the voting power of all shares of class A common stock outstanding may call a special meeting of stockholders.
ITEM 1B. Unresolved Staff Comments
Not applicable.
ITEM 1C. Cybersecurity
Visa’s Approach to Cybersecurity
As a global company providing payment services to consumers and companies around the world, trust is an indispensable asset. A strong cybersecurity program is a key element to maintaining this trust. As a result, we consider cybersecurity risk one of our key enterprise risks and we assess, identify, and manage such risk as part of our overall enterprise risk management framework. See Item 1A for further discussion on our overall risk factors, including technology and cybersecurity risks.
Cybersecurity Program
Visa’s cybersecurity program has been established to identify, analyze, mitigate, monitor, and govern cybersecurity risk and was designed around widely accepted international standards, such as ISO 27002 and the Payment Card Industry Data Security Standards, as well as applicable legal and regulatory requirements. We implement our cybersecurity program primarily through our Key Controls, which define the requirements for the protection of Visa information and technology assets. All employees must complete annual training on our Key Controls and are required to comply with the requirements. Exceptions to the Key Controls must be approved by an established senior management working group, which is overseen by our Corporate Risk Committee (CRC), the management committee responsible for overseeing Visa’s cybersecurity program and other operational risks. The Key Controls are updated and reviewed annually by our Cybersecurity Governance, Risk and Compliance team and approved by management committees to ensure they continue to address evolving cybersecurity threats and associated legal and regulatory obligations.
As part of our overall business strategy, we have acquired a number of companies for which our full cybersecurity standards may not be appropriate. These designated entities may deliver products and services using systems which are not fully integrated with our standard technology platforms or hosted in our data centers. We have established a separate set of Key Controls for designated entities appropriate to their size and operations that are designed around the same widely accepted international standards noted above, but tailored to the operational reality and business needs of these entities. Regular reporting of our acquired entities’ cybersecurity program is provided to our Chief Information Security Officer (CISO), President of Technology, management committees and the board of directors. For additional information about our structural and organizational risks, see Item 1A of this report.
Incident Response Plans
Visa’s global cyber security incident response team provides monitoring of Visa networks and digital assets across three cyber fusion centers in the U.S., United Kingdom, and Singapore. In addition, Visa’s threat intelligence and research teams monitor commercial and government intelligence sources for new and emerging threats. Our cybersecurity awareness team regularly publishes and shares information with Visa employees on emerging threats, such as deepfake and generative AI-powered social engineering schemes.
To address significant cybersecurity incidents and other crisis events, we maintain a business incident response plan, which identifies key stakeholders, defines escalation processes, and sets the thresholds above which our cybersecurity, legal, and crisis management teams will inform management’s Executive and Disclosure Committees as well as when the CEO and his designee will inform the board of directors of an incident. For cybersecurity incidents below these crisis thresholds, we maintain subordinate incident response plans and standard operating procedures used by our security incident response team. Like many companies, we and some third parties on which we rely periodically experience cybersecurity incidents. However, as of September 30, 2024, we were not aware of any direct or third-party cybersecurity incidents in the past three fiscal years that have materially affected our business strategy, results of operations, or financial condition.
Internal and External Testing
We proactively manage our cybersecurity risk by continually seeking to identify and mitigate potential cybersecurity threats to and vulnerabilities in our information and technology assets, with both internal and external assessments, as appropriate. For example, public-facing technology assets are subject to both internal security assessments and external security researcher testing under our vulnerability disclosure and bug bounty programs. Identified threats and vulnerabilities are required to be remediated within stringent timelines, for which compliance and exceptions are tracked in reporting to management and the board of directors.
As further discussed in our risk factors in Item 1A of this report, our cybersecurity policies and controls may not be implemented or followed appropriately to mitigate all of our risks. We employ three lines of defense designed to address this risk. The first line of defense consists of the technology teams who develop, build, and deploy our products and services. These teams are trained on and accountable for following our Key Controls. The second line of defense includes separate internal security and risk teams that conduct security assessments of our networks and products, overseeing the remediation of any findings. Finally, our independent internal audit function operates as the third line of defense, assessing the effectiveness of our policies and controls and implementation thereof. We are also subject to regular, detailed examinations by financial regulators and external auditors which often contain a significant cybersecurity component.
Third-party Risk Management
We also apply this same overall framework to our oversight and management of cybersecurity risk from service providers, vendors, suppliers, and other third parties. Our policies require due diligence on our service providers, vendors and suppliers prior to engagement and impose audit rights in our contracts in order to identify cybersecurity risks associated with third-party relationships, proportionate to the inherent risk associated with the products and services provided and the criticality and sensitivity of our information and technology assets to which the third party may have access. As noted in our risk factors in Item 1A of this report, our third-party risk management framework may not be implemented effectively or may not be successful or sufficient to mitigate all of our risks. When we become aware that a service provider, vendor, supplier, or other third party has experienced any compromise or failure in the cybersecurity infrastructure owned or controlled by such third party, we may attempt to mitigate our risk, including by terminating such third party’s connection to our information and technology assets where appropriate.
Management’s Role and Responsibilities
Our CISO is responsible for day-to-day management and oversight of our information security program and leads our cybersecurity organization, which comprises approximately 1,000 professionals globally as of September 30, 2024. Our CISO and President of Technology receive regular reports from our cybersecurity personnel in connection with monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CISO reports directly to our President of Technology and provides quarterly reports on our cybersecurity performance to the CRC.
Our current CISO has over 30 years of industry experience leading enterprise cybersecurity teams and enabling secure and scalable ecommerce and payment platforms at multiple Fortune 500 companies. Since joining Visa in November 2015, he has been a core part of building Visa's Zero Trust Architecture and advancing VisaNet's cybersecurity defense capabilities. Our current President of Technology joined Visa in November 2013 and has over 30 years of experience in leading the development and deployment of commerce and transaction technologies, which includes overseeing cybersecurity risk and transformational technology initiatives. At Visa, our President of Technology is responsible for the Company’s technology innovation and investment strategy, product engineering, cybersecurity, global IT, and operations infrastructure, and for accelerating the integration of engineering and product teams.
Board Governance
Visa’s board of directors exercises oversight and control of Visa’s overall enterprise risk management framework and delegates oversight and control of Visa’s cybersecurity program to our audit and risk committee (ARC), which is responsible for ensuring that management has risk-based processes in place designed to assess, identify, and manage cybersecurity risks to which Visa is exposed. As noted in Item 1A, however, these processes may not be sufficient to mitigate all cybersecurity risks. Our CISO provides an update on our cybersecurity program to the ARC twice per year and to the full board of directors annually. The updates to the ARC and the full board of directors provide an overview of our cybersecurity performance, progress against goals, cybersecurity threat landscape, and other relevant developments.