Disposable credit card numbers provide extra security

By James Rufus Koren

Los Angeles Times

(TNS)

At a time when online credit card fraud seems like a foregone conclusion, here’s one potential solution: Instead of trying to prevent card numbers from being pilfered on the web, simply use numbers you don’t mind being stolen.

That’s the pitch from a startups that specialize in offering virtual cards — credit or debit card numbers that link to real payment accounts but that can be used only at a single merchant or that expire as soon as they’re used, limiting the potential damage if a hacker gets hold of them.

“It’s a way of muddying the waters,” said Boling Jiang, chief executive of New York payments startup Pay With Privacy. “Fraudsters get these numbers, but they’re useless.”

Jiang’s company and rival New York firm Token Payments offer free online services that allow you to pay with your existing checking, debit or credit card accounts. Oakland startup Final offers a credit card of its own. The three have similar features, designed to make users feel more secure giving out payment information to online merchants.

They allow users to generate an unlimited number of virtual cards, which act like ordinary credit or debit cards and come with expiration dates and three-digit security codes. But unlike ordinary cards, they can be set to expire after a single use or after a certain amount has been charged to them, or they can be locked to a particular merchant.

If a fraudster steals the number you gave to one merchant and tries to use it at another, the transaction will be blocked.

The companies aren’t worried about running out of card numbers. There are 10 quadrillion possible 16-digit numbers, and virtual card companies have the option to recycle numbers that no longer are in use.

By creating payment information that would be of limited benefit to thieves, the companies are mimicking other security measures and payment technologies, including chip cards.

When you swipe a credit or debit card at a store, the magnetic reader is giving the merchant the 16-digit number printed on the front of the card. That’s an attractive target for fraudsters who can try to use those numbers elsewhere if they hack into the retailer’s network. That was the concern when there was a data breach affecting some 40 million Target customers in 2013.

When you insert a chip card into the checkout-counter readers, the merchant is getting what’s known as a token, or a single-use number that is useless if stolen.

Tokens are used in online and mobile payment systems too, such as Apple Pay, Android Pay, Visa Checkout and Masterpass from Mastercard. PayPal also allows users to pay without directly providing their card or bank account information to merchants.

Still, virtual card startups see opportunity in e-commerce because not all websites and mobile apps accept such payment systems, while nearly all still accept cards.

“A lot of people are still competing for the button at checkout,” said Andrew Dietrich, Final’s chief operating officer, referring to payment options such as PayPal that appear on merchants’ checkout screens. “But there’s no standard of acceptance. What’s still accepted universally are these 16-digit numbers. It works everywhere.”

These companies say they’ll help protect your payment information online.

Final, a credit card company, offers account holders a physical card and the ability to create merchant-locked or single-use virtual cards online or through a mobile app. The card is available to applicants with good to excellent credit.

Privacy is a free service that works with most checking accounts. Unlike with Final, users need not apply or undergo a credit check. Once users link checking accounts to the service, they can create virtual card numbers through mobile apps or browser extensions.

Token is a free service that works with any bank account, debit card or credit card. Like with Privacy, there’s no credit check. Users can create virtual cards through Token’s mobile app.

The idea of virtual cards is not new, as big banks and credit card companies have offered them for years, though the offerings have been little used or not well-known.

Discover used to offer virtual card numbers but stopped the practice in 2014. Bank of America’s Shop Safe virtual card feature has been around for a decade, but the bank acknowledges that the tool is used by only a small number of customers. It works only through the bank’s website and is not built into its mobile app.

The venture-backed startups generate revenue by taking a piece of the payment processing fees merchants pay to accept credit and debit cards. Final, unlike the other companies, issues a credit card through a South Dakota bank, so it also can make money on interest.

The startups are particularly going after young, mobile-first customers, pitching their products as a fit for consumers who rely on subscription services like music, movies, food and clothing. And they have simple apps that work in a few taps.

With Final and Pay With Privacy, customers can create two types of virtual cards. For subscription services and online merchants where customers buy frequently, there are merchant-locked cards. These cards, once used by a particular merchant, can be used only by that merchant.

Because each merchant has its own card, users can effectively cancel a subscription by shutting down a single virtual card. Final’s Dietrich said that in many cases, it’s easier than trying to go through the merchant itself.

“You don’t have to think about it and go to their website and go through all the layers of customer service to cancel,” he said.

Final and Pay With Privacy also offer one-time-use cards, or “burners,” which expire after a single transaction, a feature that might be attractive when purchasing from an unfamiliar website for the first time.

Token offers only a single type of virtual card, but Zohar Steinberg, the company’s chief executive, said any of its cards can be quickly deactivated, making them practical for recurring or single use.

“You go into the app and go to a payment token, swipe right, and it’s frozen in 10 seconds,” he said.

Brian Riley, a director at payments consulting firm Mercator Advisory Group, said this new virtual cards seem designed to play into consumers’ concerns about fraud, even though consumer protection laws effectively shield consumers from the consequences of card number theft.

“It’s leveraging the fear people have,” Riley said. “But the important thing to remember is, at the end of the day, consumers already have zero liability behind them.”

Federal rules and credit card network policies protect consumers from responsibility for fraudulent transactions, limiting their liability to no more than $50 if they report their physical card as lost or stolen, and there is no liability if card numbers are stolen online.

But new virtual-card companies say consumer protection is only half the point. Their pitch is that consumers should not only have no financial liability for fraud, but also that they also shouldn’t have to deal with the hassle of reporting fraud, getting a new credit card or changing payment information with numerous merchants.

———

©2017 Los Angeles Times

Visit the Los Angeles Times at www.latimes.com

Distributed by Tribune Content Agency, LLC.