How Payment Transaction Processing Works (privacy.com)
201 points by mooreds on Dec 7, 2020 | hide | past | favorite | 79 comments



The whole reason this is required is because credit cards are inherently insecure, by just requiring a number and an expiration date. EMV was supposed to fix this on card-level, but missed the importance of online payments completely.

In Europe, where debit cards are the de-facto standard, most online shops use a payment aggregator, which forwards your payment request to the online banking platform of your own bank, which you then have to confirm. Sometimes using a cryptographic challenge/response from the chip card, but more and more just by using your phone and banking app to scan a QR code and validate the payment there.

This completely side-tracks the insecurity of credit cards; there is nothing to steal.


I like the Blik system we have in Poland. It requires you to use your bank's app to generate a 6-digit, single-use code that's valid for two minutes. That's the only piece of information you give to the merchant, so transactions are fully anonymous (as far as the merchant is concerned). They can't even link transactions from the same account.

After the code is processed, you get a request on your phone, with the merchant's verified name, the transaction amount, and the title of the transaction. You're able to deny this request, so it's perfectly safe to give your code to someone you don't fully trust, i.e. to let a child buy something, or if it's just more convenient if someone makes a purchase for you, but you still want to pay for it. That happens surprisingly often in families, where you're talking about a particular product, one person looks it up and is ready to purchase, but you're the one who actually wants it. You also don't have to worry about the security of the device you're entering the code on.

Of course, since entering a code is so easy, this often also works in ATMs and shops. You don't need fancy, super-secure hardware to process BLIK transactions, anything with a keypad and an internet connection will do.
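As an added illustration (not code from the comment above or from the Blik system itself), here is a small simulation of the single-use code flow it describes: the bank issues a six-digit code valid for two minutes, the merchant submits only that code with an amount, and the account holder then approves or denies the resulting request showing the merchant's name, amount and title. Account ids and merchant names are constructed sample values, and time is passed in explicitly so the expiry can be exercised.

```python
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 120  # Blik codes are valid for two minutes


@dataclass
class PaymentRequest:
    request_id: int
    account_id: str
    merchant: str          # merchant's verified name, shown to the account holder
    amount_grosz: int      # amount in grosz (1/100 PLN) to avoid float rounding
    title: str
    status: str = "pending"  # pending | approved | denied


class BlikBank:
    """Bank-side state: live single-use codes and requests awaiting approval.

    Time is passed in explicitly (seconds) so the flow can be exercised
    deterministically; a real system would use the bank's own clock.
    All account ids and merchant names used with it are constructed samples.
    """

    def __init__(self):
        self._codes = {}     # code -> (account_id, issued_at)
        self._requests = {}  # request_id -> PaymentRequest
        self._next_id = 1

    def issue_code(self, account_id, now):
        """Banking app side: mint a fresh 6-digit code bound to this account."""
        while True:
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in self._codes:  # avoid colliding with another live code
                break
        self._codes[code] = (account_id, now)
        return code

    def merchant_submit(self, code, merchant, amount_grosz, title, now):
        """Merchant side: redeem a code. The merchant learns nothing about the
        account; it only gets back a pending/rejected status."""
        entry = self._codes.pop(code, None)  # pop makes the code single-use
        if entry is None:
            return ("rejected", "unknown or already used code")
        account_id, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:
            return ("rejected", "code expired")
        req = PaymentRequest(self._next_id, account_id, merchant, amount_grosz, title)
        self._requests[req.request_id] = req
        self._next_id += 1
        return ("pending", req.request_id)

    def pending_for(self, account_id):
        """What the holder's phone shows: merchant name, amount and title."""
        return [(r.request_id, r.merchant, r.amount_grosz, r.title)
                for r in self._requests.values()
                if r.account_id == account_id and r.status == "pending"]

    def holder_decide(self, account_id, request_id, approve):
        """Only the account the code was bound to may approve or deny."""
        req = self._requests.get(request_id)
        if req is None or req.account_id != account_id:
            return "no such request"
        if req.status == "pending":
            req.status = "approved" if approve else "denied"
        return req.status


if __name__ == "__main__":
    bank = BlikBank()
    code = bank.issue_code("acct-alice", now=0)  # holder reads the code from the app
    print(bank.merchant_submit(code, "Example Shop", 4999, "Order 17", now=30))
    print(bank.pending_for("acct-alice"))
    print(bank.holder_decide("acct-alice", 1, approve=True))
    print(bank.merchant_submit(code, "Example Shop", 4999, "Order 17", now=31))
```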


Oh my god this is SO COOL! This is even better than that Google Pay virtual card something something. Are there other countries in the EU which have similar mechanisms?


Most countries redirect you to your bank's website and require you to login (often with a token/ mobile app as the 2nd factor). This is still better than credit card numbers, but not as good as Blik.


Until you get payment processors, mostly US based, which still don't follow the standards.

Have to click the dangerous sounding "Open card to ALL internet purchases for 60 minutes" button every time I buy a game on Steam, otherwise my bank simply declines it. All Stripe gateways used to be like that, but fixed it two years or so ago.

I think Amazon.se rounded it somehow, last time it worked without 3D secure, which was surprising since .co.uk and .de usually required opening the card. I'd guess they are on the hook if any fraudulent transactions would happen though. Amazon's interface for dealing with failed transactions at least used to be horrible since you would actually get past the checkout, but then be forced to somewhere in the lists find the order and from there retry the transaction, instead of simply failing visibly at the checkout like any normal webshop.


> which forwards your payment request to your online banking platform of your own bank

This has started happening for me in the US with my Visa card.


That is 3D secure, which is just an additional authentication level on top of regular credit cards. It protects merchants from accepting stolen credit cards, but doesn't really protect the card holder from a malicious merchant.


Nor does it need to. Card holder has a more powerful weapon: chargeback.


3D secure should be mandatory.


3D sucks. I have to remember some other damn password. It happens rarely enough that it's even worse than if everyone did it because I have to go check what the password is first. You can basically check whether someone hacked me. The hacker would not take 2 minutes to answer the 3D challenge...


I've used Privacy.com for a few years now and it is a superbly excellent tool. I highly recommend their product for personal and business use.

Privacy.com also helps keep track of subscription expenses and helps me maintain/be aware of my budget and/or subscription increases.

The only downside occurs when you are trying to process a refund for a card that was already closed.


I really wanted to be a customer, but when I visited privacy.com and saw the number of 3P services they load up (thanks uBlock Origin) I realized that they talk the talk but don't walk the walk.


>I realized that they talk the talk but don't walk the walk.

Not to mention that their product does nothing against tracking by the card networks themselves, e.g. https://datafloq.com/read/mastercard-applies-big-data-help-r.... If you want "privacy", your best bet is a prepaid card bought with cash.


I only see fonts.googleapis.com on the main homepage https://privacy.com, although plausible.io is indeed loaded on blog.privacy.com.


Maybe it's better now? Last I checked was ~a year ago, I could be out of date.


I use the service. The name of the service is sort of misleading advertising. In reality what you get is protection from theft of a card number when shopping online (this is what happened to make me decide to use the service), spend limits on reusable cards (for something you pay a recurring payment for, this comes in handy when a merchant raises their rates and doesn't tell you) and you can use any name and region and so protect your identity from being sold by merchants to advertising firms.

Your bank still has access to everything (and they sell everything, of course) and the service itself also has access to everything. But all in all it is a good layer of insulation from merchants and vendors and has some useful features. Think of it like a VPN service for card payments.


That was my hope, except that you don't usually have to dox yourself to VPN providers to get an account, unlike this one.


Another solution that's been around for a lot longer - and with more features, but a less catchy name - is Abine Blur - https://www.abine.com

Disclosure: I was one of the co-founders.

In general, there is a tradeoff between the anti-fraud and the privacy requirements in payment processing, and pseudo-anonymous one-time cards are a good solution.


Does it preserve the underlying benefits of the card (cashback, points, etc.)?


It isn't for credit cards. Only debit.


They take your points/cashback and in return shield your transaction info from your bank and vendor, that's their business model unless you sign up for one of their paid plans.


That's not how it works at all. How would that even work?

They make their money from the same fee merchants pay to any other card issuer.

https://support.privacy.com/hc/en-us/articles/360012046114-H...


Well that fee is what pays for points/cash back. So although they're not literally taking them, they are taking the fees that would have funded them. So they are in effect taking them.


That's idiotic. If I rob a carnival of cash have I also robbed them of ride tickets?


You stand between the carnival operator and the riders holding up a curtain so they can't see each other. In exchange for this anonymizing service you take a 1% cut of each transaction, then spend it on a ride yourself at the end of the day. The 1% cut is priced into the operator's ticket prices so they still make enough profit, and is practically invisible to the rider, but if the service did not exist, then the tickets could be sold 1% cheaper. This is the model, whether or not you call it "taking" the 1% or "adding on" the 1% is inconsequential.


That merchant-facing fee is how you earn cashback/points when you're a credit card holder. Instead of passing it on to you in the form of points or cash back, Privacy.com keeps it.

> Card issuers can afford to pay cash back because merchants pay an interchange fee on each transaction.

https://www.creditcards.com/credit-card-news/cash-rebate-cre...


Doesn't appear to. It was almost a killer app for me. I hate giving out my CC details online, but I love the benefits.


We need something like Privacy.com for Europe (and other countries too). If Privacy won't support Europe in the future, then there is a huge market gap not being filled for potential EU customers. I know I would love something like this to manage my spending and I love the way you can create your own 'window' of time on the card to prevent unexpected charges on the card (as many cards are kept 'on file' and I often forget that lol)


I live in Europe and my bank has virtual cards I can freely suspend, change the available balance on, etc. It doesn't look as advanced as privacy.com, but it is backed by an actual account with multiple other services.


Great, what bank? We had it for ages and ages but they removed it a couple of years ago. Still missing it badly. It was programmed in flash so I guess that's why they shut it down...


Probably they're using Revolut / N26 / Monzo (which are known to do single use disposable credit cards)


Neat!


There is Skrill which offers virtual cards in Europe.

I have not used them, no clue whether they are something to recommend.


Off the top of my head - Revolut offers virtual payment cards.


Pretty easy to digest explanations and some fine opsec tips in there. Obviously self-promotion (How can you protect yourself? Use privacy.com!!) but nothing strikes me as being a lie or misrepresentation.


>but nothing strikes me as being a lie or misrepresentation

I think this point is kind of sketchy.

>Go incognito with a unique credit card number. Virtual cards allow you to use improvised information at checkout to fight against hackers and protect yourself against data breaches—an important consumer safeguard right at the point of sale.

Does privacy.com allow you to put in fake billing addresses when you use their cards, and does that pass AVS? I really don't see how using a virtual card number is like "incognito" if you still have to use your real billing address, especially when you already have multiple credit cards.


You can use any billing address and name. Pretty awesome


Which is tied to your legal name and real address, as per the Privacy.com terms. A chain is only as strong as its weakest link, and unless you register a Privacy.com account with fake credentials, you can throw any notion of privacy out the door.


It's privacy such that the seller doesn't know who you are. Which is certainly more privacy, even if it doesn't provide privacy against legal process, etc.


It would also depend on who Privacy.com shares the link between you and your pseudonyms with. Their ToS/privacy policy mention third party identity verification and fraud prevention but it's not really clear what that means and if it entails de-anonymizing pseudonyms towards payment intermediaries.


Payment networks now support the Payment Account Reference standard, which will map any virtual account number to an underlying funding account. Does privacy.com pay out of its own bank account? If not, this part of their value proposition is mostly privacy theatre.


With fraud protection that is mandated by the government, and that most credit card companies provide, virtual credit cards are not necessary.

All that does is push the burden of fraud management into consumers when it is clearly the fault of merchants, processors and credit card companies.

By implementing things like virtual cards or even PIN numbers, they are doing this to limit their own liabilities and push the burden onto consumers. Currently, consumers don’t need protection. The protection from credit card fraud is largely excellent, at least in the US.

We as consumers should not let this erode away by these articles trying to convince us that credit card fraud is our problem, not the credit card companies’.


It's simply an act of giving control to the customer - nobody likes sitting on the phone for a few hours with your bank's fraud department and then waiting a week to get a new card in the mail. Being able to cancel a single merchant's card without affecting anything else in your life is a net-positive.

Virtual cards are also good for the customer outside of general fraud, such as when you might have a stingy business that only cancels subscriptions over the phone or whatnot; the only downside is that technically the business can send those charges to collections, but even then most small collections charges aren't considered in credit decisions.


You don’t need to manage your credit cards. The only reason why you need to is because the credit card companies have developed a flawed system that makes transactions very easy without any security. But they designed it this way so that payments are frictionless.

If this is the system they want, they should deal with the consequences. The burden of fraud, etc should rest on their shoulders, and it currently does. The more burden they put on our shoulders, the less it is for them. It’s like boiling a frog. When they implement PIN numbers, then they will be able to completely put the burden of liability on our shoulders. They want the convenience of quick payments with none of the liabilities.

What you’re talking about is presumably hundreds of virtual credit card numbers being distributed, which is even more of a burden for us. And then figuring out which number to cancel etc.

Credit card companies currently have a lot of incentive to catch fraud early because if you need to cancel a card, you will switch it to another card from another company, presumably.

Let them handle it.


> They want the convenience of quick payments with none of the liabilities.

All payment systems are moving in that direction: PayPal, any RTP like PayTM, cryptocurrencies, etc. You (the consumer) control the account and the transactions are easy to make. If you want to revert a transaction, you have to prove that you lost control of the account in a way that is not your fault. And even then you may not have a recourse other than going through the legal system.

(Self-custody has benefits and costs.)


Merchants eat the majority of fraud costs, not the credit card companies. It is up to them to verify the billing address and whether to allow a shipment to another address. The only time the credit card company will eat the fraud is on a stolen credit card that is used in a chip-based payment. Card not present is still on the merchant.


Agree.

There are also ways to avoid subjecting merchants to the responsibility of securing credit card data in the first place, like the Click to Pay initiative launched last year by Mastercard, Visa, American Express and now Discover. Merchants cannot lose data they never have.

Tokenized payments also work to help avoid giving data to Merchants, via services like Apple or Google Pay. Other PSP services can serve a similar role like Pay with Amazon or PayPal.


This offers protection for users of debit cards.

I don't personally use credit cards at all, for a variety of reasons. Virtual card #s on my debit cards are very desirable when it comes to online purchases, especially with vendors that don't accept paypal.


...agreeing with you, there is a lot of Government Required consumer fraud protection built in to Credit Cards.


@dang: Correct title: "How Credit Card Payment Transaction Processing Works"

Reality, this is just an ad for a virtual card service.

Virtual cards are a crap fix (security through obscurity).

In reality, we need a new financial endpoint identification scheme for the masses that is not run by a cabal of self-interest laced with debt-usury dating from a period in US domestic history where interstate-interbank was a challenge (basically things ran on telex). We need to completely unbundle endpoint identification (i.e. card number) from information visibly requested or exchanged for authentication (as proof of authorization to pay). Discussions of the status quo need to occur with the recognition that these systems are effectively, foremost, massive global intelligence gathering and economic sanction and seizure platforms and not just payments facilitators. China has completely surpassed the west in payment efficiency because they jumped credit cards straight to mobile payments like they jumped wired telephones straight to cellular. China is opening banks all over the world at a lightning pace.

Europe and much of the world is charging ahead with IBAN which is IMHO well conceived and facilitating settlement systems often ~instant and free. Years ago in the early days of Kraken I proposed an internet form IIBAN compatible with crypto settlement and arbitrary financial endpoint registrars. Unsure if it is still in use at Kraken, however, in general it seems big crypto is now against interoperability as like traditional incumbents - re: government sponsored regulatory ingress means their money now comes from gatekeeping. China meanwhile are creating their own digital currency system and have maintained interbank clearing directly run by the state, with existing digital payments via a tiny number of proxy commercial entities (ring any bells?). It's efficient and effective but comes with the issues associated with such a configuration: primarily "eat it or wear it", re: innovation. Still, it's light years ahead of the US in terms of the consumer: no debt, instant approval, foreign participation welcome, global reach, zero cost, totally pervasive, no cards or snail-mail required, friends-as-reputation, none of that card not present bullshit, none of that 'tell us if you travel' bullshit, none of that 'points' or 'annual fee/waiver', or 'full personal and economic profile including n-months of local income to play' bullshit.

[0] https://tools.ietf.org/html/draft-stanish-iiban-01


@dang only works if Dang happens to read the article comments as part of his work, which isn't always guaranteed. You'll want to email mod requests like this to HN, using the Contact link in the footer, when you think a change needs to be made.


I've been using Privacy.com the past few years and it's superb. The only things that bother me are the fact that they don't support Credit Cards as the backend payment method. And "some" (albeit very few) sites will not let you use their cards.


Privacy.com works because they become the credit card... if you could use a credit card as a backend payment method, they would not be able to pocket the processing charge.


Have you checked Extend (paywithextend.com)? They partner with banks - like Amex, City National Bank, Comdata, Silicon Valley Bank, and several others - to let you create and distribute Virtual credit cards directly from your existing credit card.


My bank (Citi) has actually offered virtual account numbers for close to a decade - their original implementation used a Flash web app (ostensibly for security?) but now thankfully it’s a more standard HTML5 setup.

They can be used at any online shop, have customizable credit limits and expiry dates, and you can enter whatever billing details you like. It’s a great solution. Payments still settle to your real credit card in the end, obviously, but the merchant never gets to see that info.

Similarly, my understanding is that Apple Pay (and probably Google Wallet?) do a similar thing: they roll a random virtual account number and pay with that.


Yes, banks have offered these services for a while now. It is not obvious, from this post at least, what privacy.com provides that is different.


This submission is basically an advertisement. Not sure I want to see this on HN. A test report mentioning also drawbacks would be a different story.


Unrelated, but how does privacy.com work on purchase categories? Like I have a card which gives me more cash back for airline ticket purchases - will the info of transaction category be kept?


You generally don't use a credit card with them. You use a bank account. If they even offer a credit card option, their fees would need to be more than your points would be worth.


Great share and concise. I would love to have had some explanation on how to manage (reduce) costs and hacks, but that's me asking too much. Nice article.


Privacy.com is an excellent product, I recommend everyone use it. Excited to see what this company becomes in the future.


Is there a way as a consumer to get unique credit card virtual IDs? Even with a fee. I’d love to separate “let me just try this once” payments and if I forget about the random thing because it’s not useful to have the card vanish after a month (cough golds gym).


Well that's what privacy.com (where this blog post is written) does, unless you checked it out and it's not what you want? I use them daily.


(Googler, I work on payments. Opinions are my own.)

Google Pay and Apple Pay sort of already do this. When you use tap&pay from your device, you're paying with a DPAN (device/digital primary account number), which was generated when you added the card to your phone (the number on your card itself is the FPAN (f = funding)). You can see the last-4 for this card within the app, or when you pay at a store the receipt shows you the last-4 of your card (it'll be different than your normal card).

I feel like the networks don't want new PANs per transaction, so you can get new ones, but the address space may not be large enough to support high card # turnover.


What's the point of unique number? Just push everything through one card, like NAT.


When you do refunds, you want to make sure it’s going back to the same account via the same payment method. Otherwise, you’re opening yourself up to avenues of fraud.

Also helps merchants who offer refunds without receipts, as they can ensure the item was purchased from them at some point in the recent past.


I work in a bank where we tried to sell the idea to the funding committee. They didn't think it was worth it.

Visa has support for the feature on the backend (they'll give you all the virtual cards you want) but you need a bank license to use it.


In my home country (Turkey), we have virtual cards that usually have zero limit, and you can assign a limit to them temporarily (like an hour) to make a purchase. Then the card returns to the state without any limit, so no merchant gets to charge more than once or above the assigned limit. If that virtual card is compromised, you can just get a new card and kill the old one.


That sounds dangerous. If you sign up for a gym and then your credit card stops working for whatever reason, it won't cancel your contractual obligations. You would still be legally liable to pay the fees for the duration of the contract. So I imagine you would have to deal with debt collectors and crappy credit for years to come.


In my experience most vendors will just cancel/pause your account in the event of a failed transaction; unless it is for a very large amount (>$50) they won't bother sending it to collections because there are fees for them to do that.

In my opinion the best benefit of privacy.com is that you can provide a fake name and address during signup (they will authorize it with any name/zip/addr). Good luck sending stuff to collections without my real name or address.

Mercury.com also provides a similar virtual card service to business banking customers, but unfortunately they don't let you use fake names/addresses like Privacy.com does (probably for good legal reason).


Gyms will and have absolutely sent people to collections for $80-100 or less.


How do I downvote?



You don't have enough karma to downvote.

I'm not sure someone saying "cancelling a credit card doesn't cancel a contractual obligation," which is an objective fact, warrants a downvote either.


OP here... based on the comments, it probably does :)

Even though the article was a blatant ad for privacy.com in all fairness just a few more clicks would have answered it.


Sounds dangerous. It might mess up my ability to consume more stuff.


Luckily, this is exactly what privacy.com offers.


CapitalOne has it; you have to install their Eno browser extension to use it.


Capital One does provide such services with their Chrome extension.

