As Visa Inc. has been ramping up its promotion of one-time-use card data for security, Discover Financial Services is winding down its support of a similar technology.
The key difference between the two types of dynamic data is that the system Visa is pushing is used at the point of sale, adding steps for merchants, whereas the one Discover is discontinuing is used online, adding steps for consumers.
Discover will no longer allow its customers to generate disposable card numbers for online payments as of Sept. 8. Any of the disposable numbers, called Secure Online Account Numbers, generated before that date can be used until the customer's plastic card expires. Consumers who give online merchants a disposable number do not have to share their regular card account number.
"Given the existing security measures taken today by Discover and all credit card companies, we felt that [Secure Online Account Numbers] were no longer needed to keep cardmembers’ accounts secure," says Laura Gingiss, a Discover spokeswoman, by email.
Discover has "implemented numerous fraud detection processes behind the scenes … however, these are not things we can discuss in detail," she says. Its other fraud protections include alerts and ID theft protection.
Visa has been outspoken about its support of the dynamic data used at the point of sale with EMV, a secure-card standard that is common in other countries. In the U.S., contactless cards already use something Visa calls a dynamic Card Verification Value, which is nearly worthless to thieves because it cannot be reused after it was used to authorize a legitimate payment. A dynamic CVV is also invisible to the consumer, so it cannot be stolen through regular phishing tactics.
However, contact EMV and contactless cards do not improve security for online transactions unless the end user buys special add-on hardware, so it is unlikely that Discover is referring to EMV as its replacement for disposable card numbers.
Although Discover is shutting down its Single Online Account Number tool, "overall, we do support the use of dynamic transaction data," Gingiss wrote. Visa would not comment for this story.
The consumer advocacy website The Consumerist, which reported Discover's decision Wednesday morning, said in its story that "perhaps it turned out that maintaining the program was more hassle than the security it was supposed to provide."
Consumers do not always diligently protect their data online. So many people use simple, easily guessed passwords for sensitive accounts that Microsoft Corp. has actually banned the use of common ones (such as the word "password") with its webmail system. Many people also freely share on Facebook the sort of information that could be used to break into accounts at banks that use challenge questions for password recovery.
And yet, despite consumers' seemingly lax attitude toward security, their fear of card fraud has driven many to prefer alternative payment options. PayPal Inc., which launched its system before many were comfortable with shopping online, attracted consumers by assuring them that it does not share their card details with merchants. More recent entrants, such as ModaSolutions Corp.'s eBillme and Google Inc.'s Checkout, use the same message about payment-card security.
Several payment companies have also stopped using disposable account numbers online. PayPal stopped offering them last year, and American Express Co. stopped offering it in 2004.
But even as those companies have moved away from single-use account numbers, the threats to online shoppers have remained.
"Dynamic data is absolutely the way to go, both online and offline, because the risks are significant in both spots," says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC. But despite the risks, "it actually doesn't surprise me that we're seeing another company get rid of single-use cards," she says.
Disposable card numbers are "clunky, from a consumer's perspective," she says. And many consumers are satisfied enough with zero-liability promises that they do not feel compelled to add another layer of security.
"When consumers don't have much skin in the game, they don't have much incentive to participate," McNelley says.