Virtual Credit Card Numbers

[Valerie S. Johnson]

By Valerie S. Johnson

In an effort to combat credit card theft and identify fraud, credit card issuers created virtual or disposable credit card numbers. The user gets a number to use for a single transaction. This number expires after a short period of time, and neither the user nor anyone else can ever use it again.

Most major credit card issuers have a “zero liability” policy, meaning if your card is stolen and you report it promptly, you will not have to pay for the thief’s charges. The disposable credit card numbers are a good option for those customers who are still nervous about shopping online. Their concerns are not unreasonable; even if a credit card issuer removes the fraudulent charges, it may take a lot of time and trouble for the innocent cardholder to get their credit report cleaned up.

If you get a disposable credit card number, you do have to remember that there are circumstances when you cannot use them. For example, some credit cards provide, as an extra benefit, insurance for rental cars. You must use the same card to reserve the car and to pay for it. If you use a virtual credit card, it might expire too soon. Another disadvantage of disposable credit cards is that you cannot use them for recurring expenses or automatic bill paying.

Disposable credit card numbers were introduced as far back as 2000. Yet they have not proved to be as popular as the credit card issuers hoped.

[poundwise]

I have used this feature before and enjoy the extra layer of protection it provides. I am not scared of using a card online, it is safer than handing you card to the waiter at a restaurant, but its nice to know that if the company's records were ever breached (which seems to happen a lot) the hackers would only get a number that is worthless to them.

I must admit though, I don't usually do this. Only when I am less familiar with the web site/merchant.

Also, this is not worthwhile if you are creating an account that will receive recurring (automatic or otherwise) charges. For instance, I have a card on-file where I buy online music. They charge my card whenever I buy some songs.

[vsjhoc]

Further to Poundwise's point about the danger of using credit cards in restaurants, see this article from the WSJ:

"Card Companies Crack Down On Restaurants
Diners' Personal Data Not Well-Protected, Visa and Others Say"
By ROBIN SIDEL
March 24, 2007; Page B1

"The credit-card industry is cracking down on tens of thousands of restaurants for not adequately protecting diners' credit-card data from thieves.

In recent months, Visa USA Inc., MasterCard Inc. and financial institutions that process electronic payments have levied fines, sent warning letters and held seminars to pressure restaurants into being more careful about protecting the information.

"There are tens of thousands of restaurants that aren't complying" with industry security rules, says Robert Carr, chief executive of Heartland Payment Systems Inc., a Princeton, N.J., company that processes card transactions for small merchants. About half of Heartland's clients are restaurants.

All companies that accept plastic must follow a complex set of security rules put in place by Visa, MasterCard, American Express Co. and Morgan Stanley's Discover unit.

Since January 2005, restaurants represented about 40% of incidents in which intruders gained unauthorized access to credit-card information, according to data tracked by Visa. That is the largest percentage of incidents among merchant groups.

Meanwhile, Chicago-based AmbironTrustWave, which conducts security audits for merchants, says that 62% of the security breaches it has seen over the past 18 months came from the restaurant industry.

The incidents involve myriad security breakdowns, including poorly protected wireless networks that criminals can tap into from a laptop from the parking lot and systems that allow employees to steal card information.

Not all incidents resulted in successful frauds. Visa doesn't disclose how much fraud can be traced to restaurants. Most merchants don't disclose incidents unless there is a big chance that a major fraud will occur or has already been spotted.

So consumers often don't know when their credit-card information becomes vulnerable to thieves. Card issuers typically don't close a customer's account unless fraud appears to have occurred.

The credit-card security rules have proved tricky for smaller merchants, which could explain why restaurateurs are having a hard time with them.

"We're starting to hear now from restaurants that thought they did what they were told, but are discovering [their systems are] not working correctly and are being penalized," says Todd Mann of the National Restaurant Association, a Washington-based trade group representing 935,000 eateries.

Joseph Sanscrainte, a New York lawyer, says one of his restaurant clients was fined more than $100,000 -- an unusually large fine for what he described as a small business -- for storing card data in violation of the rules. He declined to identify the client. "The heat is certainly being turned up," Mr. Sanscrainte says.

Visa last year fined merchants of all sorts $4.6 million for security violations, up from $3.4 million in 2005. Visa declined to disclose a breakdown of merchant types. Visa recently held special security briefings with several hundred restaurants, says Michael E. Smith, a senior vice president at Visa responsible for compliance issues.

Restaurants "are a merchant segment that we believe requires additional attention," Mr. Smith says.

Companies that process card transactions also are increasing the pressure on restaurants, threatening to cut off service to those that aren't complying with their security rules. These processors include Wells Fargo & Co., Fifth Third Bancorp and Chase Paymentech, which is a joint venture of J.P. Morgan Chase & Co. and First Data Corp.

"We haven't turned anyone off yet, but we are ready to do that," says Debra Rossi of Wells Fargo's merchant-processing unit.

Of particular concern to card companies is specialized software used by restaurants that combine many features, tabulating bills, relaying orders to the kitchen and tracking reservations. Card companies can't force software makers to comply with their security rules, so they pressure restaurants instead. Visa posts on its Web site a list of software programs that meet its requirements.

Even with the best software, though, if restaurants "don't have proper password protection or firewalls, they could clearly have a problem," says Peter Rogers of Micros Systems Inc., which makes restaurant software. "It's not really our job to tell the restaurateurs what they need to do to be compliant with credit-card regulations," he adds.

The focus comes amid concerns about credit-card security following a number of high-profile data thefts. In January, discount retailer TJX Cos., which owns clothing chains T.J. Maxx and Marshalls, disclosed it had discovered a wide-ranging security breach that left millions of consumers exposed to fraud after its computers were hacked.

Last month, the Stop & Shop supermarket chain said thieves had tampered with the devices used by customers to make card purchases. Card information was stolen from two stores in Rhode Island, according to the Ahold NV-owned chain."