It’s fairly well known that as chip cards and chip card readers are putting a big dent in fraud conducted at the point-of-sale (counterfeit fraud), the bad guys are shifting their efforts to committing fraud online. E-commerce fraud (52%) clearly outweighs swiped fraud (28%) on credit cards, with debit card fraud still experiencing swiped fraud, since not as many debit cards have been reissued with chips – that will change by the end of this year. Meanwhile, ecommerce breaches are popping up in the news with increasing frequency.
What can a credit union do to help members stay safe when shopping online? One solution is to offer virtual cards. A virtual card is a separate temporary card number, associated with the member’s credit card account, randomly generated. The temporary card number has no real-life plastic version – it only exists as a number, an expiry and a CVV2.
When a member wants to shop online at a site that is not known or trusted, or give a card number over the phone to a merchant that the member has reason to believe may not keep the card number secure, the member goes online, requests a virtual card, copies the card number onto the e-commerce site, or reads the card number over the phone. Think of the virtual card number as a token representation of the real card – a token that looks like and works like a credit card.
Virtual cards come in three types: 1) Burner cards, which are single use cards. Once the virtual number is charged, the card is expired. If it is breached, it cannot be authorized. 2) Single merchant cards, which can be used multiple times, but only with a single merchant. If a member is planning on ordering multiple items, or multiple items will ship at different times, the card will authorize for that merchant. But after the first authorization, the card cannot be used with any other merchant. 3) Limited time cards, in which the member sets an expiry date, in order to shop at multiple sites, but only within a strict period. For example, the virtual card could be authorized for use over a two-day period or up to a one-year period. The card could also be used for a Netflix subscription or for monthly deliveries of meal kits. In addition, each of the cards typically have a spending limit, for both a single transaction and total card usage.
If the virtual card number is compromised, the true card number remains safe, and the breached virtual card number is limited by its expiry, or merchant or both, making it virtually worthless to a fraudster.
Virtual cards are in the market today, but consumers who want this have two choices. For a true virtual credit card, a consumer can get a credit card with a financial institution that also offers virtual cards. Bank of America calls their virtual card program ShopSafe, while Citi refers to their program as Virtual Account Number. Both are free.
The other option is from various third-parties that offer different forms of virtual cards. Privacy.com allows anyone to enroll their checking/saving/share draft account, and after installing a browser extension and following the instant account validation, immediately access virtual cards. The drawback to this approach is that each transaction using the virtual card draws immediately from the consumer’s account, much like a debit card works. Another third party that offers virtual cards is netspend, which is primarily a prepaid debit card, but also offers the ability to generate a temporary card number online and then cancel the temporary card online.
Although virtual cards seem like a panacea for keeping a member safe when shopping online, there are a few drawbacks and some major criticisms against this unique capability.
There are some hotels and some car rental agencies that validate a reservation by requesting to see the same card used to make the reservation. If a virtual card is used, not only is there no plastic representation of the card to show, but most likely the member didn’t write down or capture separately the full card number.
If a member makes a purchase online, then returns an item to a brick and mortar store, the credit for the purchase is typically put back on the same card, by swiping or inserting the card at the returns desk. With no card to show, the only option the consumer may have is to accept store credit.
Setting an expiry date provides a level of protection but can also cause unintended problems. Some merchants charge upon shipping, which could be several days or even weeks after the order. If the expiration date is set too soon, the order may be cancelled when the card doesn’t authorize.
And most importantly, virtual cards offer very little protection over the real credit card. Visa and Mastercard both offer zero liability in case of fraud, and many issuers offer next day replacement for cards that need to be reissued. Some issuers who used to offer virtual cards, including AmEx, Discover, and Chase, found that the low number of users did not justify the cost of maintaining the functionality and subsequently dropped the service.
Benefit to credit unions
The key reasons why a credit union would consider offering virtual credit cards to its members is to help reduce fraud and to create a “sticky” member service. There is a cost to offer this service, but there is a cost of fraud – reissuing cards, shipping a replacement card overnight, refunding amounts to a breached debit account. And this service is popular with those who use it – so much so that it may keep a member from leaving just because virtual cards are offered.
Luckily, virtual cards are not the only option to protecting members from card-not-present fraud. Using Apple Pay in-app and in browser where merchants have added Apple Pay as a payment acceptance method assures the user that a secure token is used in the transaction, if you are shopping from your phone. If shopping from a desktop or laptop or from a phone, using Visa Checkout or Masterpass also affords the same level of protection as Apple Pay where accepted – again the payment is tokenized. And the best part, the cost to the credit union to enroll in Apple Pay, Visa Checkout and Masterpass is less than creating virtual cards.