Online fraud has prompted two different methods of protecting card numbers during e-commerce: virtual numbers and Verified by Visa. We recently tested both at different issuers to see how they work.
Virtual numbers are created for purchases at a particular online merchant. They may have a time limit or a maximum purchase amount. If stolen, they cannot be taken from one merchant and used at another. They are generated at the user’s behest through the issuer’s Web site or through downloaded software. Today only MBNA Corp., Citigroup Inc.’s Citibank, Morgan Stanley’s Discover Financial Services, and American Express Co. offer them.
Verified by Visa is available to all Visa issuers, and many of them, including J.P. Morgan Chase & Co., Bank One Corp.’s First USA, and Bank of America Corp., offer it. Cardholders simply register their card and pick a password, which is required thereafter to make a purchase online through a participating merchant. The banks offering it don’t offer virtual numbers.
The advantage of virtual numbers for the cardholder is that they can be used at any online merchant that takes credit cards. The disadvantages: Extra effort is required each time a virtual number is created, and the tracking of multiple-use numbers may be confusing.
The advantage of VbV is simplicity of use, once the registration is completed and the password is remembered. The disadvantage is that most online merchants don’t take it yet. Also, once it is generated, the password must be used when shopping at a participating merchant, whereas a forgetful virtual number user can dispense with the procedure at any time and continue with the real number.
There is no evidence from our tests as to which might be more effective in combating fraud. In any case, cardholders are generally insulated from fraud, so they won’t be influenced by that.
We tested virtual numbers at MBNA, Citibank, and Discover. (The Amex function was inoperative when we conducted our tests.) In each case, we downloaded the software to our desktop machine. It resides on the system tray and can be easily activated. Both Discover and Citibank have the number generator pop up automatically for Web pages with fill-in fields. All three services require a login and password. Once a user is logged in, Discover will connect directly to the secure area of their Web site; Citibank links to the standard login page; and MBNA’s does not link to their site at all.
Both MBNA and Citibank numbers have a user-selected expiration date and a maximum life of 12 months. Discover’s expiration date matches that of the real account. All three providers’ numbers can be reused at the same online merchant. Amex’s numbers cannot. Citibank is the only one that allows operation from either a software download or its Web site.
Discover, MBNA, and Citibank use different data to auto-fill the checkout address fields. Discover will take the billing address from the user’s master file at discover.com. MBNA allows the user to input two addresses for billing and shipping. Citibank takes the billing address from its files and the shipping address from user input. All three feature desktop reporting of virtual numbers that are used and still open. Discover’s statement reports virtual-number purchases the clearest, while MBNA’s statement doesn’t distinguish them at all.
VbV is featured as a value-added service on the Chase, B of A, and Wells Web sites. Chase calls it ChaseSecure, and B of A incorporates it in its Total Security Protection. First USA lists it in menus behind the password, as does Fleet. In all five cases, the user is led off-site to a series of registration and information pages sponsored by Visa. Also, a search engine takes any 16-digit card number from a participating issuer and directs the user to the appropriate registration pages.
U.S. Bank, Pentagon Federal Credit Union, and, we suspect, many small issuers do not mention VbV on their sites.
During registration, cardholders identify themselves, pick a password, and select a “personal message.” After that, all operational aspects of VbV are the same. Visa gives a list of about 100 participating or soon-to-participate online merchants. A “receipt” pops up at the end of the checkout process that contains the “personal message” and requests the password. Without it, the purchase is blocked.
A “Personal Account Manager” that lists a cardholder’s purchases can be accessed offsite but not on the issuer’s site. This function is available through Chase, Bank One, and B of A, but not many others. Unfortunately, receipts are grouped by month, not cycle, and may not always match the month’s transactions because of shipping delays. This could inhibit cardholder reconcilement.
VbV requires mass acceptance to be successful, but the registration process is awkward and depends on proactive cardholders. A better approach would be to integrate it into new account applications and the online enrollment process, utilizing the same password. Also, receipt reporting should be integrated into the issuer’s e-statement.
Virtual numbers can function even with low acceptance, but experienced PC users, who may be less paranoid about online activity, most easily utilize them. They are a competitive differentiator, which could help issuers, and merchant-specific numbers could offer a way to integrate merchants and issuers better.
In the long run, mass adoption of either may require more tangible benefits than currently available. Online shopping volume has continued to increase without these methods, and many large merchants now believe their sites are “trusted” by consumers.
Nevertheless, there are many other things issuers can do to make the credit card the online payment of choice, so the safe-shopping campaigns are probably not in vain.