As momentum has gathered behind disposable credit card numbers account numbers that are used for a single transaction, then retired so that fraudsters cannot reuse them a company called Privasys has stepped forward to present its unusual approach to this type of product.
Privasys, which was incorporated in May 1999 in San Francisco, is developing a plastic payment card embedded with a liquid crystal display screen, a battery, a magnetic stripe, and a calculator-style numeric touchpad. Each time a cardholder wanted to make a card payment, he or she would enter a personal identification number on the card, which would generate a unique account number. That number which would be displayed on the LCD screen and simultaneously encoded by the magnetic stripe would be given to the merchant, either on the Internet or in a store.
Privasys system is not quite ready for prime time the cards have not been manufactured yet, for example but the company says it has accelerated its plans because of recent announcements by American Express Co. and MBNA Corp., which have both introduced one-time-use account number systems for Internet use. American Express introduced Private Payments in September, and MBNA came forward a week later with ShopSafe.
American Express validated the use of single-use numbers, said David Patterson, Privasys co-founder and vice president of new business development. There was this slow beat of the privacy drum, he said, and since the Amex announcement, now all the development is accelerated on every front.
Unlike the products from MBNA and American Express, the Privasys system requires a new piece of hardware and, in many ways, a new mindset. Private Payments and ShopSafe give consumers made-up numbers that mask the real account number, and are strictly for Internet use. The Privasys card which the company is tentatively calling the Universal Private card, or UP could be linked to a static account number on file at the bank that would not be used for transactions, but it would not necessarily have to be. Unlike the Amex and MBNA products, the Privasys card would be meant to be used everywhere online and offline.
The credit card account number is a very privileged piece of data that everyone walks around with, said Joan Ziegler, co-founder and chief executive officer of Privasys. For extra privacy, the card can have your name or a fictitious name thats up to the discretion of the bank.
While the principals of the company are confident their card will answer the problems of privacy and security, industry experts are wary of such a complex system that requires consumers to change the way they conduct card transactions. The more you have the consumer do, the more difficult it is, said James L. Accomando, president of Accomando Consulting Inc., a financial consulting company.
Mr. Accomando said Privasys has good intentions, but the real test, he said, is making the user feel comfortable. Consumers by nature are technophobic, he said. When the consumer has to be that involved with the process, they tend to shy away from it.
Michael Auriemma, president of Auriemma Consulting Group Inc., a management consulting firm for the payment card industry, said, We tend to favor products or solutions that arent stand-alone products, but are rather features that make consumers more comfortable using cards that already exist.
On the plus side, Mr. Auriemma said, the Privasys card appears to put the control into the consumers hands. But he cautioned about clustering too many ideas on one card. Its like buying a TV with a VCR built into it if the VCR fails, you have to throw away your TV, he said.
Privasys executives say their technology, which is protected by three patents, would be easy for banks to adopt. It is fully compatible with the MasterCard/Visa networks, and requires no change by merchants, Ms. Ziegler said. She envisions that the card would bear either a Visa or MasterCard logo plus the logo of the issuing bank.
Mr. Patterson said the technology is as easily ported to a chip as to a magstripe, and works with all manner of wireless devices. Moreover, he said, the same piece of plastic could function as a credit card, debit card, and corporate card.
Privasys executives say they will be conducting a test of the system with four banks in January, and expect to make a consumer launch sometime next year. They are busy shopping it to banks. Its radically exciting for some banks, Ms. Ziegler said. For each one of those unique numbers, we authenticate it, approve it, and expire it.
Consumers would have to get used to using credit cards in a different way, but Privasys executives say that is no problem, because credit and debit card users have experience using PIN pads. Were taking that PIN pad and the display and were moving it directly onto the face of the consumers card, Ms. Ziegler said.
Mr. Patterson said the PIN launches an algorithm that provides that user their one-time, single-use number, and that number is unique to the domain of the individual. Because the magnetic stripe is also changed to reflect that number, the card can be swiped through a point of sale terminal like a conventional credit card, or the number can be typed manually for use over the Internet. The number, which is tied to the consumers actual identity, can only be decrypted behind the card issuers firewall.
Ms. Ziegler and Mr. Patterson first joined forces in 1996, when they started up a company that sold an educational CD-ROM in mathematics called Jazz Interactive. That company failed.
In 1998 the partners set up another company, this time developing a payment card for teens to access the Internet. By the end of 1999 the twin issues of privacy and security had become hot topics, so we consequently repositioned our company, Mr. Patterson said. At about that time the two met Jacob Wong, who had developed patents for the PIN pad and the algorithm technology.
Though the public may perceive the Internet as an unsafe place for credit cards, Ms. Ziegler said, card fraud is more likely to occur when a card receipt from a brick-and-mortar store falls into the hands of the wrong person. Moreover, she said, since the vast majority of transactions today happen in the offline world, one-time-use-number schemes that work only on the Internet are of limited use.
Right now, were in a situation where people have to expose their credit card numbers, said Evan Hendricks, a privacy expert in Washington who edits a consumer newsletter and is consulting Privasys. Were talking about a transformation why should people expose their credit card numbers if they dont have to? This effectively anonymizes the credit card number in the public space.