The meteoric growth of online shopping
would be even more dramatic were it not dogged by continuing
consumer security concerns. Emerging technologies like virtual card
numbers and one-time passwords promise to alleviate the problem
altogether, provided the consumer warms to them, writes Charles
Davis

Dissposable card numbers – one-time card
numbers that can be generated instantly for a single transaction –
are an increasingly popular and effective way for consumers to
protect their accounts when shopping online.

The single-use numbers have proven far more
popular with small business cardholders, driven in large part by
MasterCard’s InControl platform, which contains one-time cards as a
central component of its offerings. The more stringent security
standards of small businesses are creating demand for disposable
account numbers, and could in turn offer proof of the concept that
could find its way, in time, to the consumer segment as well.

MasterCard bought Ireland-based software
company Orbiscom in 2009 to develop the technology. Michael Fiore,
senior vice-president and group head for MasterCard inControl, says
the numbers are a core offering of the MasterCard Small Business
Controller, a platform that allows businesses to create customised
spending profiles for each employee and control exactly how, when
and where a card can be used.

For example, a maximum single purchase amount
can be set, or transactions can be limited for specific merchant
categories or to the total amount spent over a time period, such as
a month. Business also can adjust spending profile settings in real
time, and receive real-time alerts via email or text whenever
spending occurs outside established parameters.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“One-time-use card numbers are ideally suited
for many business purchases, many of which tend to be one-off
transactions,” says Fiore. “With inControl, a business card user
can instead use a one-time card number and not have to worry about
it being left on file at a business.”

Fiore says that in some markets, one-time use
is really catching on in the consumer market. He cites a deal in
Kenya that saw airtel Africa, Standard Chartered Bank and
MasterCard team up to create a virtual card product for airtel
Africa customers to make online purchases through their mobile
phone.

Each time an airtel customer is shopping
online he or she will be able to request a single-use shopping card
number. Airtel money services will then generate a special 16-digit
number that enables the completion of the transaction.

“We see a great deal of potential for this
sort of one-time card number application in markets all over the
world,” says Fiore.

Driving technological
development

Visa also has been ramping up its promotion of
one-time-use card data for security, and has been vocal in its
support of dynamic data used at the point of sale with EMV.

In August, the association announced plans to
accelerate the migration to EMV technology in the US. Visa hopes
the adoption of dual-interface chip technology will help prepare
the US payment infrastructure for the arrival of NFC-based mobile
payments by building the necessary infrastructure to accept and
process chip transactions that support either a signature or PIN at
the point of sale.

Visa will require US acquirer processors and
sub-processor service providers to be able to support merchant
acceptance of chip transactions no later than 1 April 2013.

Chip acceptance will require service providers
to be able to carry and process additional data that is included in
chip transactions, including the cryptographic message that makes
each transaction unique.

Not only will chip technology accelerate
mobile innovations, it is also expected to secure payments into the
future through the use of dynamic authentication. Chip technology
greatly reduces a criminal’s ability to use stolen payment card
data by introducing dynamic values for each transaction. Even if
payment card data was compromised, a counterfeit card would be
unusable at the point of sale without the presence of the card’s
unique elements.

Discover Financial Services discontinued
single-use account numbers earlier this year, joining American
Express and PayPal in moving away from disposable card numbers –
only to reconsider the move in the wake of customer response.

“Given the existing security measures taken by
Discover and all credit card companies, we felt SOANs were not
needed,” a Discover spokesperson said in an email statement.
“However, after we discontinued the feature, we received an
overwhelming amount of feedback from cardmembers encouraging us to
reinstate the programme.

“Although we have many security processes in
place – including $0 fraud liability – we learned through their
feedback that our cardmembers still liked to have the added control
of using encrypted account numbers.”

Competition to EMV

In August, First Data’s Star ATM network
started to roll out CertiFlash, a chip application embedded in both
debit cards and merchant POS terminals. CertiFlash generates
single-use card numbers at point of sale and was introduced as an
alternative to EMV cards, which few US merchants currently
accept.

Fremont Bank in Northern California is among
the first CertiFlash institutions, issuing a new contactless debit
card using the Star electronic funds transfer network’s
technology

For Fremont and other CertiFlash clients, the
technology offers a way to avoid the frequent use of the magnetic
stripe on debit cards, which include the cardholder’s full name,
account number and card validation code number. Instead, for
transactions under $25, the chip encrypts and transmits a card
number usable just one time for tap-and-pay transactions.

The transaction sends only the last four
digits of the card number, and then the merchant’s reader is able
to authenticate the cardholder before creating the one-time
transaction number.

Star then reverts the one-time number back
into the actual card number at its switch before sending the
transaction to the issuer for authorisation.

Because the technology produces a one-time-use
card number, that particular cardholder’s account information would
be unusable if a criminal hacks into a merchant’s payments system.
And card skimming is virtually eliminated for CertiFlash
transactions because issuers would decline a stolen one-time card
number if a hacker tried to use it.

“The promise of chip-based contactless
technology to reduce fraud has not been fully realised in the US,
but Star CertiFlash alleviates the PCI compliance concerns with
one-time account number generation,” says Julie Saville,
vice-president, product development, for the Star Network. “It is
our hope to help accelerate contactless adoption while providing
secure technology and increased choice that consumers can feel
confident about using.”

Star has already tested the technology in a
mobile environment using microSD and NFC technology, and will
eventually roll out the technology for online use as well.

Another entrant to the disposable card number
market Muscato Group, and its operating company M2, recently
received a patent for its single-transaction security code
technology for credit and debit cards.

M2’s Secure Access for E-Commerce (SAFE)
system allows a cardholder to generate a unique, one-time-use card
security code for each transaction, replacing the three-digit value
located on the back of a card often required to complete online or
telephone transactions.

SAFE allows the cardholder to generate codes
through text messages or emails.

The system’s real advantage is that it asks
nothing of merchants accepting the transactions. SAFE requires no
changes to the pay page or website, no plug-ins, no registration
and is cost-free.

Moving to mobile

Mobile commerce represents the optimal
environment for one-time-use numbers to gain traction. A South
African prepaid card company has unveiled an innovative application
that replaces plastic cards with virtual accounts that users access
with mobile phones that could represent the model for disposable
mobile technologies.

The company, Net1 UEPS Technologies, has
teamed up with a wireless carrier to offer its virtual prepaid card
app to customers. The VCpay app accesses funds stored in prepaid
accounts and generates one-time-use account numbers to allow
cardholders to make secure purchases online or by phone.

The app fights payments fraud while also
creating a built-in incentive for cardholders to keep topping off
their accounts – the biggest challenge for prepaid issuers seeking
to retain cardholders beyond the initial issuance of the card.

Net1’s growing prepaid business has been built
by issuing closed-loop prepaid cards to unbanked and underbanked
consumers in developing countries around the world, as well as
co-branded MasterCard cards issued by a range of bank partners.

Through a Texas-based subsidiary, Net1 Virtual
Credit Card, US customers can set up a prepaid account that
functions like a traditional general-purpose reloadable card, minus
the plastic. They can load cash into their accounts at any of
MoneyGram’s 35,000 US agent locations. The virtual accounts are
issued by Bancorp Bank, and processed by FSV Payment Systems.

To make a purchase, a user enters a PIN and
dollar amount into the app, which then generates a one-time-use
card number for that specific amount. The user enters the code when
paying online or over the phone.

One-time numbers overall have been “a bit of a
disappointment in terms of acceptance”, says Avivah Litan, a
vice-president at Gartner.

“It’s a bit much to ask of the consumer, at
least in this generation of the technology,” Litan says. “There
really isn’t any benefit beyond a marketing play, really. For
consumers, they already have zero liability, and it’s asking them
to do stuff that adds work for no real benefit.”

Litan says systems generating one-time
security codes offer greater potential, because they target a real
vulnerability in terms of fraud prevention.

“Disposable card number technology, if it is a
step in the evolution of strengthening security – assuming we never
get to EMV in the US – can lead to future systems that do a lot of
good on the security code side, which has greater utility to
merchants.”

Despite Visa’s efforts, inertia for EMV in the
US still seems to be lacking, Litan says, because of decades’ worth
of investment in back-end security systems which diminishes the
business case for implementation.

“The US has traditionally had really good
back-end security features baked in, so fraud detection was way
ahead,” Litan says. “The perceived need is not there.”

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up