Virtual Account Numbers and eCommerce Fraud Prevention
The very thing that makes credit cards so easy and convenient to use in so many different situations is the same thing that makes them so vulnerable to fraud. You only need to have a few key numbers to complete a credit card transaction, and in the age of ecommerce those numbers are being stored and shared constantly.
From one small act of data theft, a fraudster can potentially steal thousands of dollars. But credit card numbers don’t have to be permanent. Could the virtual account numbers that some banks are offering help to prevent ecommerce fraud and chargebacks?
A virtual account number is a lot like a tokenization scheme, but it gives the cardholder more control about when and how to make use of it. When a cardholder makes a transaction with a virtual account number, their actual card number is never transmitted to the merchant, making it impossible to steal, even if fraudsters have breached the merchant’s network defenses. Cardholders may also feel more secure using virtual account numbers with newer, smaller merchants that haven’t yet earned a trustworthy reputation.
Virtual account numbers are only usable in card-not-present environments, but in that context they provide very strong protection against fraud resulting from data theft. However, they have some limitations in certain scenarios, and merchants should be aware of some complications that can arise when they are used—complications that can lead to chargebacks.
How Can Cardholders Obtain Virtual Account Numbers?
A virtual account number is easy to get—if your bank offers them, which most don’t. Capital One and Citibank make virtual account numbers available for certain credit card account types, and cardholders can easily generate virtual account numbers through their online banking account. Other banks that used to offer virtual account numbers have discontinued those programs due to lack of interest—proving once again that security always struggles to compete against convenience.
When a cardholder wants to create a new virtual account number, they just log in and request one. Their issuing bank will then provide a virtual credit card number, complete with CVV, which cannot be traced to their real account. They can enter the virtual account number when they checkout at an ecommerce store, and the charge will hit their regular card account without exposing any of their true payment credentials.
Cardholders can set various usage parameters for their virtual account numbers, setting them to expire after a certain number of uses (one-time virtual account numbers are popular—and extremely secure), after a specified time limit, or when a particular dollar amount has been reached. A few issuers offer virtual account numbers that are tied to specific merchants.
These options allow cardholders to use virtual account numbers in a wide variety of situations, including recurring billing subscriptions. Even if fraudsters steal a stored virtual account number and use it to make purchases, the cardholder is protected from liability just as if they had used their real card number. In other words, they can demand a chargeback.
Is There a Downside to Virtual Account Numbers?
Considering how effectively they can thwart fraudsters, it may seem strange that virtual account numbers aren’t more widely used. Aside from the aforementioned fact that generating new virtual account numbers simply more of an inconvenience than most consumers like to deal with while shopping online, there are some situations where they can cause problems.
For merchants who use credit card numbers to verify customer identities, virtual account numbers will complicate matters. Most ecommerce merchants won’t have a hard time devising workarounds for this, but it can be a bigger hassle in travel and hospitality, where customers are frequently asked to present physical cards to verify that they purchased reservations or tickets online.
From a chargeback perspective, however, the biggest problem with virtual account numbers has to do with refunds. When a customer has an issue with a product they purchased and returns it, the merchant typically issues a refund to the card number used to make the purchase. When a virtual account number has been used, that card number may no longer exist. If merchants aren’t on top of this and don’t act quickly to contact the customer and arrange an alternate way to provide the refund, the customer may grow impatient, become convinced that the merchant is ignoring them, and go to their bank to ask for a chargeback instead.
Some news stories have circulated about certain states restricting the use of virtual account numbers. Alabama, Connecticut, and Georgia have enacted laws allowing medical providers to refuse virtual account numbers as a form of payment from insurers. Insurers had been using them because they were cheaper than mailing paper checks, but this was causing the credit card processing fees to be passed on to the medical providers. Doctors, dentists, and others in the industry successfully lobbied for laws protecting their right to refuse such payments.
On balance, it would be a good thing for the ecommerce sector if virtual account numbers were in wider use. EMV chip technology has worked well at reducing fraud in card-present environments because it generates randomized tokens for transactions, keeping the cardholder’s data safe from data breaches, card skimmers, and other hazards. Virtual account numbers work according to similar principles, and would likewise help to bring overall fraud levels down by making it harder for fraudsters to find vulnerable data to steal.
The similarities extend to the fact that, like EMV chips, using a virtual account number adds some friction to a transaction, and it can take consumers time to warm up to new anti-fraud technologies that change the manner in which they’re accustomed to completing transactions.
Merchants can support the wider use of virtual account numbers—and protect themselves at the same time—by taking them into consideration when establishing policies and procedures around customer identity verification, returns and refunds, recurring billings, and other areas of their business operations that might be impacted by temporary credit card numbers that may expire unexpectedly.
While they may pose some challenges, merchants should embrace this technology. By reducing true fraud, virtual account numbers can help merchants avoid chargebacks that they would otherwise have to accept.