Finding out you’re a data breach victim is bad enough. But the process of canceling credit cards and checking statements for suspicious activity will likely be an even bigger headache.
Capital One is the latest bank to offer a possible solution to fraud and online shopping scams: merchant-specific virtual card numbers.
Virtual card numbers are temporary, randomly generated digits used in place of real account numbers. Because virtual cards don’t require users to share their actual debit or credit card numbers, they’re meant to make online shopping safer.
But whether creating a virtual credit card is worth your time is debatable. Some experts question whether certain virtual cards make shopping online more secure.
“If they’re billing this as a security solution, I don’t think of it as a security solution,” says Joseph Carrigan, a senior security engineer at Johns Hopkins University about Capital One’s new virtual card numbers. “I think of it as a convenient solution.”
Virtual cards struggling to catch on
But consumer adoption of virtual cards has been slow. Originally, they were meant to help corporate clients avoid fraud. But eventually, virtual card numbers were offered to everyday consumers, says Brian Riley, a director at payments and banking consulting firm Mercator Advisory Group.
“The ones that were really big on this in the beginning were appropriately big corporate treasury companies,” Riley says. “It just moved over into the consumer side of the business with the online fraud that’s happened.”
Some of the card companies that started offering virtual cards to their retail customers — like Discover and American Express — ultimately discontinued them.
“As with any of our products, benefits or innovations, we are always listening to the consumer and want to provide our cardmembers with the best possible experience,” says Laks Vasudevan, Discover’s vice president of products and innovation. “In this case, our cardmembers didn’t find as much value in the virtual card and we adjusted accordingly.”
Where to find virtual card numbers
Today, only a few big banks offer consumers virtual cards. Citi, Bank of America and Capital One customers can log on to their online accounts and create virtual card numbers for specific credit cards. Capital One’s virtual cards are available through its digital assistant, Eno.
A number of startups provide virtual credit cards, too. Token Payments lets consumers who download its mobile app create virtual payment tokens. Netspend, a subsidiary of TSYS, gives prepaid debit card users access to virtual card numbers.
Pay With Privacy, a New York-based startup, offers two types of virtual debit cards. Single-use cards expire after they’re used once. Single-merchant virtual cards, on the other hand, can be used to send recurring payments to the same merchant. With merchant-specific virtual cards — like the ones offered by Citi and Bank of America — it’s often possible to set spending limits and expiration dates.
Deciding whether to go virtual
Dealing with a data breach involving a regular debit or credit card can be stressful. If a thief has access to your account number and other personal information, you could be vulnerable to identity theft and fraud.
If you’re using virtual cards, you’ll have a lot less to worry about. In the event of a data breach, you could quickly pause your virtual card or delete the card number altogether, says Michael Reiff, Netspend’s vice president of product management.
Despite how wonderful virtual cards may seem, there are some downsides to using them. Not all merchants accept virtual cards. And depending on where you shop, returning an item you’ve purchased with a virtual card number could be tricky.
“I can find my way back into my statement if I need to do it,” Riley says. “But if I’m going to return something to Overstock.com, they probably don’t have the account number on file.”
Typically, customers have no problems making returns when using his company’s virtual card, says Bo Jiang, co-founder and CEO of Pay With Privacy. But to be on the safe side, you may want to hold on to your receipts. If you can set your card’s expiration date, it’s best to give yourself plenty of time to make returns before the virtual card number gets deleted.
Not a perfect solution
No solution is foolproof, and virtual cards are no exception. Anything can be compromised, says Michael Aminzade, vice president at an information security company called Trustwave.
Though the amount of damage that can be done may be limited, a criminal could get his hands on your virtual card number, especially if you find out about a data breach months after it happens, Aminzade says. And paying with multi-use, merchant-specific virtual cards — like the ones offered by the banks — isn’t necessarily the best way to prevent fraud.
“No less secure than normal cards, by allowing the data element to be reused it is more open to be attained by the cybercriminal then re-used by them as the unapproved user,” Aminzade says.
One-time use virtual cards are a more secure solution for online shoppers, says Carrigan from Johns Hopkins.
Liability for unauthorized transactions is limited for debit and credit cardholders. Constantly checking your checking account and credit card statements is one of the best ways to protect yourself from fraud. If that seems like a hassle, creating virtual account numbers for your online transactions could give you peace of mind. Another option is to set up alerts so that you’re notified when your credit limit or checking account balance dips below a certain level.
If you’re skeptical about the benefits of virtual cards, there are other ways to add an extra layer of protection when shopping online. Use prepaid cards or a PayPal account, Aminzade says.