Amid the holiday surge of online and mobile shopping — on Black Friday alone, online sales were $3.34 billion, a 21.6% increase over last year, and a third of that was on mobile devices — a group of fintech startups are launching virtual cards intended to make ecommerce more secure and easier on the web and mobile devices.
The idea of virtual or "burner" cards, also referred to as tokens or temporary card numbers, is not brand new, but startups Privacy.com, which officially launched Tuesday morning, Final and token, believe it's time for new technology to provide a better and more secure mobile and online shopping experience. Their platforms let consumers make purchases with a few taps. Instead of sharing sensitive information, tokenized card information is provided that a merchant or hacker would have trouble reusing. If they're right, consumers will gravitate toward these alternatives, leaving banks to partner or compete.
Security is one reason to use burner cards. Analysts have been making dire predictions for a few years now about how chip cards, which are hard to duplicate, would push fraudsters from using fake cards to using stolen card data online (in other words, card-not-present fraud). These forecasts are beginning to prove out: According to Auriemma Consulting Group, as of the end of the second quarter, the share of financial losses stemming from counterfeit fraud had decreased by 19% this year, while losses stemming from card not present fraud increased 14%. At the same time, 42% of consumers have personally experienced card fraud, half of them multiple times.
Virtual cards can prevent hackers from screen-scraping or keylogging sensitive data from merchant websites. They also block hackers from stealing card or account information from merchants, because they don't have it. They can try to hack the virtual card providers, who say they're protected with many layers of security. And if fraudsters try to use stolen identity data to create new accounts, they will face the startups' identity proofing and Know Your Customer processes, which these startups all say is rigorous though they decline to give details.
Virtual cards are not a perfect answer to fraud, partly because there's so much stolen identity and account information floating around and sophisticated malware that's constantly redesigned to circumnavigate security controls. But they do offer some protection and peace of mind, particularly for consumers buying from a smaller or lesser-known merchant online.
"Sending account credentials in the clear is a very bad idea and it gets worse all the time," said Steve Mott, principal of BetterBuyDesign, a management advisory firm based in Stamford, Conn. "These are all temporary expedients, and they're a little better right now than the magnetic stripe card. It's putting a very small band aid on a very big problem."
Privacy.com has created a Chrome browser extension for its virtual cards. Once it's installed, and the user clicks on a little green padlock in the browser header, it populates a website checkout cart with virtual card information.
At registration, customers give Privacy.com their online banking user names and passwords, which it passes on to account aggregator partner Plaid. When customers use a virtual card to buy something, Privacy.com debits the transaction from their accounts through the ACH network. To the merchant, these look like Visa debit card purchases authorized by Privacy.com.
Users typically create a different virtual card for each merchant. Privacy.com creates card icons with the merchants' logos on them (because regulators think of it as a prepaid gift card, this doesn't trigger copyright issues). Privacy.com's app and site provide users a view of all their purchases and their status.
Early users tend to be younger — the biggest segment is 18 to 29 years old. Some millennials, like Venmo and Facebook users, like to overshare. The ones who sign up for Privacy.com question the need to provide their credit card information everywhere.
"These people are more aware of security and privacy," said Bo Jiang, CEO of Privacy.com. "They're people who don't accept that default setting in life, people who are like, 'Why do I have to share this?'"
Jiang's team initially thought people would care a lot about privacy. "The reality is more grey with our user base," he said. "There's a segment of users who are aware, they use all our privacy settings, they turn on two-factor authentication, they use a pseudonym."
But more of the time, users like the control that Privacy.com provides; for instance, the ability to end a subscription by killing the virtual card that's paying for it. About a third of Privacy.com's virtual cards (it had "tens of thousands" of customers in beta mode) are used for subscriptions.
"It puts the control back in the hands of consumers whereas before it's always been, I've given you my card number, you can go to town," he said.
Privacy.com is also tapping into the debit card zeitgeist — 63% of people between the ages of 18 and 29 use debit cards exclusively.
Like Privacy.com, token's app generates a 16-digit number a customer can use online the same way she would a card number, and a fake yet usable cardholder name. It works with Visa and Mastercard. The funds can come from a bank account, a credit card or a debit card.
token is still in trial, it plans to go live in February. "We're testing with verticals and audiences," said Zohar Steinberg, founder and CEO.
The target audience is people who have had their identity or card stolen in the past and people who are concerned about privacy, Steinberg said. Candidates for the service abound: people who buy physical prepaid cards to use online, diaper buyers who don't want Amazon to know how much their babies have grown, or classic government-conspiracy theorists.
"It will take time before it will become a commodity, but I believe it will be a commodity," Steinberg said. "Every revolution has to start with a foot in the door."
In its identity proofing, token looks at social information as well as more typical identity information.
"The whole design started from thinking like hackers: What would a hacker do?" Steinberg said. "We've designed it in a way that it's going to be more cost effective to attack someone else and counterfeit something else."
Final, which is also in beta mode, issues credit cards through a bank partner, First Bank and Trust in South Dakota, that the startup then offers as virtual cards through a mobile app.
"We think about it as convenience and control and doing things that align with consumers' view of how a credit card should work, not with the bank's view of how a credit card should exist in the world," said Aaron Frank, co-founder. "We're competing in credit cards. We're not hamstrung by legacy. By building out totally new credit card technology, we have a leg up technologically to continue to drive innovation."
For now, Final is focused on mobile commerce, but the company is working on a browser extension.
The aim is to give consumers the best digital experience possible. Final offers 1% cash back on its card now, and is looking to provide more holistic rewards and loyalty programs in the future.
"We're providing more functionality and control to consumers for this thing that is their primary payment vehicle," Frank said. "Then you get ancillary benefits, where you as a consumer never have to worry about a breach or a lost card."
The product will resonate with digital-first customers, he believes. "It's not millennials, though millennials love it, but it's people who live on their phone 24/7," he said. "By making it two taps on your phone, we make it easier than getting your wallet."
Final's highest transaction volume day was Black Friday. Active customers spent between $1,000 and $1,400 on average.
Back to the Future
So, why haven't virtual cards been popular to date? PayPal, for instance, launched a virtual card in 2005 and later quietly withdrew it. Bank of America's and Citigroup have offered virtual cards for about a decade, but their products have yet to take the country by storm. The banks did not respond to requests for interviews.
PayPal's offering "worked great and was safer than the main PayPal capability at the time," Mott said. Four million people signed up for it. "I think the reason they discontinued the pilot was they didn't want to convert the entire system to that." There were also questions at the time about whether MasterCard and Visa would be able to accommodate all the new, made-up numbers. The startups say this is no longer an issue.
Also, 10 years ago, "online shopping wasn't at the magnitude it is now," Steinberg said. "Mobile wasn't as strong as it right now."
The time is right, in Frank's view, because Americans have changed the way they shop. "Online shopping is still nascent compared to where it will be in future," he said. "Also what we have now that we didn't have 10 years ago is the mobile phone."
Steinberg also opined that financial institutions haven't had the motivation to provide virtual cards.
"We do," he said. "I think it's going to happen."
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.