Virtual Account Numbers and eCommerce Fraud Prevention
Table of Contents
- How Can Cardholders Obtain Virtual Account Numbers?
- Is There a Downside to Virtual Account Numbers?
- Are Virtual Account Numbers the Future?
- What Banks Offer Virtual Credit Card Numbers?
The very thing that makes credit cards so easy and convenient to use in so many different situations is the same thing that makes them so vulnerable to fraud. You only need to have a few key numbers to complete a credit card transaction, and in the age of eCommerce those numbers are being stored and shared constantly.
From one small act of data theft, a fraudster can potentially steal thousands of dollars. But credit card numbers don’t have to be permanent. Could the virtual account numbers that some banks are offering help to prevent eCommerce fraud and chargebacks?
A virtual account number is a lot like a tokenization scheme, but it gives the cardholder more control about when and how to make use of it. When a cardholder makes a transaction with a virtual account number, their actual card number is never transmitted to the merchant, making it impossible to steal, even if fraudsters have breached the merchant’s network defenses. Cardholders may also feel more secure using virtual account numbers with newer, smaller merchants that haven’t yet earned a trustworthy reputation.
Virtual account numbers are only usable in card-not-present environments, but in that context they provide very strong protection against fraud resulting from data theft. However, they have some limitations in certain scenarios, and merchants should be aware of some complications that can arise when they are used—complications that can lead to chargebacks.
How Can Cardholders Obtain Virtual Account Numbers?
A virtual account number is easy to get—if your bank offers them, which most don’t. Capital One and Citibank make virtual account numbers available for certain credit card account types, and cardholders can easily generate virtual account numbers through their online banking account. Many other banks that used to offer virtual account numbers have discontinued those programs due to lack of interest—proving once again that security always struggles to compete against convenience.
When a cardholder wants to create a new virtual account number, they just log in and request one. Their issuing bank will then provide a virtual credit card number, complete with CVV, which cannot be traced to their real account.
Customers can enter the virtual account number when they checkout at an eCommerce store, and the charge will hit their regular card account without exposing any of their true payment credentials.
Cardholders can set various usage parameters for their virtual account numbers, setting them to expire after a certain number of uses (one-time virtual account numbers are popular—and extremely secure), after a specified time limit, or when a particular dollar amount has been reached. A few issuers offer virtual account numbers that are tied to specific merchants.
These options allow cardholders to use virtual account numbers in a wide variety of situations, including recurring billing subscriptions. Even if fraudsters steal a stored virtual account number and use it to make purchases, the cardholder is protected from liability just as if they had used their real card number. In other words, they can demand a chargeback.
Is There a Downside to Virtual Account Numbers?
Considering how effectively they can thwart fraudsters, it may seem strange that virtual account numbers aren’t more widely used. Aside from the aforementioned fact that generating new virtual account numbers simply more of an inconvenience than most consumers like to deal with while shopping online, there are some situations where they can cause problems.
For merchants who use credit card numbers to verify customer identities, virtual account numbers will complicate matters. Most eCommerce merchants won’t have a hard time devising workarounds for this, but it can be a bigger hassle in travel and hospitality, where customers are frequently asked to present physical cards to verify that they purchased reservations or tickets online.
From a chargeback perspective, however, the biggest problem with virtual account numbers has to do with refunds.
When a customer has an issue with a product they purchased and returns it, the merchant typically issues a refund to the card number used to make the purchase. When a virtual account number has been used, that card number may no longer exist. If merchants aren’t on top of this and don’t act quickly to contact the customer and arrange an alternate way to provide the refund, the customer may grow impatient, become convinced that the merchant is ignoring them, and go to their bank to ask for a chargeback instead.
Some news stories have circulated about certain states restricting the use of virtual account numbers. Alabama, Connecticut, and Georgia have enacted laws allowing medical providers to refuse virtual account numbers as a form of payment from insurers. Insurers had been using them because they were cheaper than mailing paper checks, but this was causing the credit card processing fees to be passed on to the medical providers. Doctors, dentists, and others in the industry successfully lobbied for laws protecting their right to refuse such payments.
Are Virtual Account Numbers the Future?
On balance, it would be a good thing for the eCommerce sector if virtual account numbers were in wider use. EMV chip technology has worked well at reducing fraud in card-present environments because it generates randomized tokens for transactions, keeping the cardholder’s data safe from data breaches, card skimmers, and other hazards. Virtual account numbers work according to similar principles, and would likewise help to bring overall fraud levels down by making it harder for fraudsters to find vulnerable data to steal.
The similarities extend to the fact that, like EMV chips, using a virtual account number adds some friction to a transaction, and it can take consumers time to warm up to new anti-fraud technologies that change the manner in which they’re accustomed to completing transactions.
Virtual account numbers have the additional drawback of requiring some setup before use, unlike EMV chips which simply arrived in the mail for most customers. The banks that do still offer the service typically don't advertise it, so only those customers who go looking for it will even encounter the option.
On the other hand, virtual account number don't require any setup on the merchant's end to accept. In fact, it's entirely possible you've already authorized a transaction which used a virtual account number without even knowing it.
Merchants can support the wider use of virtual account numbers—and protect themselves at the same time—by taking them into consideration when establishing policies and procedures around customer identity verification, returns and refunds, recurring billings, and other areas of their business operations that might be impacted by temporary credit card numbers that may expire unexpectedly.
On the other hand, the future of virtual account numbers isn't looking very bright at the moment. A coalition of the major credit card networks are rolling out a new service called Click to Pay, which uses similar technology to Google Pay and Apple Pay to allow secure use of credit card information through tokenization. It's also designed to be integrated into eCommerce websites in the same way that many now integrate PayPal Checkout.
Since this new service is being offered by the same credit card networks merchants already deal with, and allows the use of any card connected with any of them, it's likely to see widespread adoption in the future, which could further limit the demand for virtual account numbers. However, as with any new technology, there will always be merchants who lag behind in adoption, and one of the primary advantages of virtual account numbers is that they can be used with any merchant. In short, while virtual account numbers probably aren't the future, they do offer customers some peace of mind when dealing with merchants who are stuck in the past.
Although they may pose some challenges, merchants should always give serious consideration to embracing any technology that reduces fraud. By reducing true fraud, virtual account numbers can help merchants avoid chargebacks that they would otherwise have to accept.
What Banks Offer Virtual Credit Card Numbers?