These firms have a novel solution to online fraud: Disposable credit card numbers

Andrew Deitrich, left, and Aaron Frank are two of the founders of Final, an Oakland credit card company that lets customers create "virtual" cards for use at online merchants.
(David Butow / For The Times)

In an era when online credit card fraud seems like a foregone conclusion, here’s one potential solution: Instead of trying to prevent card numbers from being pilfered on the web, simply use card numbers you don’t mind being stolen.

That’s the pitch from a handful of start-ups that specialize in offering so-called virtual cards — credit or debit card numbers that link to a real payment account but that can be used at only a single merchant or that expire as soon as they’re used, limiting the potential damage if a hacker gets hold of them.

“It’s a way of muddying the waters,” said Boling Jiang, chief executive of New York payments start-up Pay With Privacy. “Fraudsters get these numbers, but they’re useless.”

Jiang’s company and rival New York firm Token Payments both offer free online services that allow you to pay with your existing checking, debit or credit card accounts. Oakland start-up Final offers a credit card of its own, complete with a rewards program. And all three have a similar set of features, designed to make users feel more secure giving out payment information to online merchants.

They allow users to generate an unlimited number of virtual cards, which act like an ordinary credit or debit card and come with an expiration date and three-digit security code. But unlike ordinary cards, these can be set to expire after a single use or after a certain amount has been charged to them, or they can be locked to a particular merchant.

If a fraudster steals the number you gave to Amazon and tries to use it at Target, the transaction will be blocked.

None of the firms are worried about running out of card numbers. There are theoretically 10 quadrillion possible 16-digit numbers, and virtual card companies have the option to recycle numbers that no longer are in use.

By creating payment information that would be of limited benefit to thieves, these companies are mimicking other security measures and payment technologies, including chip cards, which have been introduced over the past few years.

When you swipe a credit or debit card at a store, the magnetic reader is giving the merchant the same 16-digit number printed on the front of the card. That’s an attractive target for fraudsters who can try to use those numbers elsewhere if they hack into the retailer’s network. That was the concern when there was a data breach affecting some 40 million Target customers in 2013.

When you insert a chip card into the new checkout-counter readers that retailers have been installing, the merchant is getting what’s known as a token, or a single-use number that is useless if stolen.

Tokens are used in online and mobile payment systems too, such as Apple Pay, Android Pay, Visa Checkout and Masterpass from Mastercard. PayPal also allows users to pay without directly providing their card or bank account information to merchants.

Still, virtual card start-ups see opportunity in e-commerce because not all websites and mobile apps accept such payment systems, while nearly all still accept cards.

“A lot of people are still competing for the button at checkout,” said Andrew Dietrich, Final’s chief operating officer, referring to payment options such as PayPal that appear on merchants’ checkout screens. “But there’s no standard of acceptance. What’s still accepted universally are these 16-digit numbers. It works everywhere.”

Virtual card start-ups

These companies say they'll help protect your payment information online.


Headquarters: Oakland

Product launched: 2016

Final, a credit card company, offers account holders a physical card and the ability to create merchant-locked or single-use virtual cards online or through a mobile app. The card, which is available to applicants with good to excellent credit, has a variable interest rate, no annual fee and offers 1% back on all purchases.

Pay With Privacy

Headquarters: New York

Product launched: 2016

Privacy is a free service that works with most checking accounts. Unlike with Final, users do not need to apply or have a credit check. Once a user links a checking account to the service, he or she can create virtual card numbers through a mobile app or browser extension.

Token Payments

Headquarters: New York

Product launched: 2017

Token is a free service that works with any bank account, debit card or credit card. Like with Privacy, there’s no credit check. Users can create virtual cards through Token’s mobile app.

The idea of virtual cards is not new, as big banks and credit card companies have offered them for years, though the offerings have been little used or not well-known.

Discover used to offer virtual card numbers but stopped the practice in 2014. Bank of America’s Shop Safe virtual card feature has been around for a decade, but the bank acknowledges the tool is used by only a small number of customers. It works only through the bank’s website and is not built into its mobile app.

Now, with online credit card fraud on the rise and after a number of high-profile data breaches, including the one at credit bureau Equifax that affected 143 million Americans, virtual card start-ups are hoping to gain traction.

The venture-backed firms all generate revenue by taking a piece of the payment processing fees merchants pay to accept credit and debit cards. Final, unlike the other firms, issues its own credit card through a South Dakota bank, so it also can make money on interest.

The start-ups are particularly going after young, mobile-first customers, pitching their products as a fit for consumers who rely on subscription services for everything from music and movies to food and clothing. And they feature simple apps that work in a few taps.

Say you want to place an order online. A Final cardholder can open the app and touch an icon to create a new card. The app displays a new 16-digit card number, complete with an expiration date and CVV code — the three-digit number that would appear on the back of a physical credit card.

With Final and Pay With Privacy, consumers can create two types of virtual cards. For subscription services and online merchants where customers buy frequently — think Amazon — there are merchant-locked cards. These cards, once used by a particular merchant, can be used only by that merchant.

Because each merchant has its own card, users can effectively cancel a subscription by shutting down a single virtual card. Final’s Dietrich said that’s in many cases easier than trying to go through the merchant itself.

“You don’t have to think about it and go to their website and go through all the layers of customer service to cancel,” he said.

Final and Pay With Privacy also offer one-time-use cards, or “burners,” which expire after a single transaction, a feature that might be attractive when purchasing from an unfamiliar website for the first time.

Token offers only a single type of virtual card, but Zohar Steinberg, the company’s chief executive, said any of its cards can be quickly deactivated, making them practical for recurring or single use.

“You go into the app and go to a payment token, swipe right, and it’s frozen in 10 seconds," he said.

Brian Riley, a director at payments consulting firm Mercator Advisory Group, said this new batch of virtual card offerings seems designed to play into consumers’ concerns about fraud, even though consumer protection laws effectively shield consumers from the consequences of card number theft.

“It’s leveraging the fear people have,” Riley said. “But the important thing to remember is, at the end of the day, consumers already have zero liability behind them.”

Indeed, federal rules and credit card network policies protect consumers from responsibility for fraudulent transactions, limiting their liability to no more than $50 if they report their physical card as lost or stolen and $0 if card numbers are stolen online.

But new virtual-card firms say consumer protection is only half the point. Their pitch is that consumers should not only have no financial liability for fraud, but that they also shouldn’t have to deal with the hassle of reporting fraud, getting a new credit card or changing payment information with numerous merchants.

Final’s Dietrich said he was traveling in Europe when, because of the 2013 Target data breach, his bank shut down his credit card.

Because he was traveling, getting a replacement card proved difficult, forcing him to borrow cash from friends. And the difficulties continued when he got home.

“That number stays in your Uber and Lyft apps, your Netflix account, your car insurance,” he said. “You realize that one card number affects everything.”

Follow me: @jrkoren