wow thats great news!

Great! It is a very nice feature.

I can see this becoming the standard for all online transactions involving a major credit or debit card. Account information theft is thwarted and online retailers can breath a sigh of relief.

Of course, Paypal now becomes a HUGE target. But I'd rather have one point of vulnerability than dozens.

This should be a standard Mastercard/Visa feature. Paypal beat them to the punch.

I've been using Disposible Email Addresses for website registration and online commerce for some time. This is a logical extension.

I'd rather have one point of vulnerability than dozens.

That's the whole reason why I like Paypal.

For those with mastercards, this has been out for some time. Its nice to see its been integrated with paypal now. Prior to this, if you used a disposable credit card # with paypal, it'd store that # for future use without realizing that the number would no longer be valid after that purchase.

"To find out if you qualify for all features of PayPal Virtual Debit Card, including virtual card numbers, review the PayPal Virtual Debit Card Checklist."

Where do I find out to see if I qualify to see the paypal virtual debit card checklist? ;)

None of the links seemed to work. Just get punted to the profile summary page.

But I'm Canadian, so maybe that's why I can't access anything. Either that or the website is buggy / got pulled.

Anyone else from Canada able to access the virtual debit card?

Happy Holidays.

Hi,

There are many other on-line providers of virtual (ie throw-away or single-use) VISA/MC numbers. I know, since I was CTO for one of them...

It *is* a very kewl idea, and stops all sorts of fraud dead in its tracks.

Rgds

Damon

I was thinking for several years when something like this will come out. Great feature! Finally people can have 100% trust in online shopping. To sum up my post: awesome!

Anyone else from Canada able to access the virtual debit card?

Second that question.

There isn't 100 percent trust in a transaction. In fact, if they somehow got access to the generator, it'd be harder to stop them/detect them and they'd be able to victimize one person for longer.

Hi rohitj,

I think that you need to support that statement.

I can't say that would have been true in our case, and indeed some of the links in our chain were designed to be fragile and break if someone pulled too hard.

Rgds

Damon

For those with mastercards, this has been out for some time.

ALL Mastercards? Or only certain banks?

I certainly haven't heard of this. They seem to have done a terible job of marketing if this is true.

Hi,

Certainly VISA has the concept of the "virtual" VISA card which can be put to a number of uses (it just has no issued plastic). But VISA is not a bank (or other retail financial institution, it is a trade club of them) and usually does not create/market new products directly for retail, mainly the brand concept. You need a third-party institution to directly create and market new such retail products, such as the one I referred to. You may not have heard of us because our marketing and budget was a little lower than VISA and some banks. B^>

But a little Googling will find the company that I am referring to, and others, and so far as I know Canadians are welcome.

Rgds

Damon

Looks like this beta is available in the USA only. There is no option for any such card in my Indian Paypal account.

DamonHD wrote:

I think that you need to support that statement.

I can't say that would have been true in our case, and indeed some of the links in our chain were designed to be fragile and break if someone pulled too hard.

I don't think rohitj needs to.

There isn't 100 percent trust in a transaction.

This is the only statement rohitj implies to be a fact, and since I do not trust such transactions completely, therefore rohitj is correct.

In fact, if they somehow got access to the generator, it'd be harder to stop them/detect them and they'd be able to victimize one person for longer.

I do not believe the 'card generator' is complex - it is just hard to get to.

I believe the security will fail first at the weakest point - end user. There will be mock sites of card generators which require to enter the full-card information, or some variant thereof.

The problem may not be at the banking institutions but the user apathy toward security, and general misconception of what is and is not secure.

Still, I am delighted PayPal is implementing this. It will eliminate some credit card fraud. Bad timing of course - should have been implemented in October, before the Christmas shopping rush.

[edited by: Tapolyai at 12:21 am (utc) on Dec. 26, 2006]

My Swedish bank has supported creating one-time-use Mastercard numbers for several years. You have to be eligible for a real card first though, and access the bank with secure ID verification.

There is seldom any reason to give any other type of credit card numbers when shopping online. At my bank you can even create a card which is good for multiple purchases (up to a limit you decide) until a set expiration month (which is also decided by you when creating the card). The same options should be possible to implement for other banks (or Paypal).

[edited by: ADovervik at 2:20 am (utc) on Dec. 26, 2006]

I've already used this function alot, citibank offers this as a protection for online transactions... But paypal bringing this feature will have more users protected than before I suppose.

I used the Virtual Debit Card because a I ordered from today did not provide a HTTPS link. Can you believe that?!

Yeah, I believe it, though some sites are unsecure up until you click Submit, and then they post to an https url.

Yeah, nice to see Paypal catching up. I've been using this feature with my Visa card for about 5 years now.

I don't really like this at all. As a merchant that sells jewelry (transactions of $10,000 or more sometimes), my website generates about 40% fraudulant transactions that we hand-sift through and reject (no automatic credit card processing, the information is saved and manually verified).

We physically pick up the phone, call Visa, MC Amex, Discover, and get the phone number for the card issuing bank. From there we call to verify the billing address. We also ask them to kindly look to see if there's any pattern of suspisious activity and tell them how big a transaction we're going to run, what it's for, etc. We also ask them if the address has been recently changed. Sometimes they'll let us know if there are any red flags, and often times we have to make a gut-feeling type of call of whether to process it or not. Sometimes I go so far as to even check who the phone numbers are registered by doing a reverse white pages lookup, or even sometimes I have looked up the tax assessor's information for that cardholders residence to see if they're the actual owner. (I'm not going to ship a $50,000 ring to some shmuck in an apartment in the Bronx).

Anyone who uses paypal knows the risk of chargeback is still there and there's virtually no support if you process through paypal and get ripped off if you're a merchant.

To be honest I'd rather not accept any payments of this type at all. I'll tell my customers if I can't physically call their bank and verify the info the order will be cancelled. If this feature was offered by the VISA/MC or whatever company directly it would be of value since you're talking to the same people. But adding one more layer of processing with miserable support like paypal is not something I'd be willing to go through.

If VISA/MC did something to make CC-processing safe for both merchants and cardholders I think it would be quickly adopted. This is just crappy. I will not accept these types of payments... maybe for $200 gold chains but not $10,000+ diamond rings.

born, interesting post, from a point-of-view I hadn't considered. Thanks for the insightful observations.

Hi

One of the features offered by the company I mentioned was to remove much of the risk of chargebacks from merchants because we have the user money in the account first and verified before we let the user spend it. So (a) we don't do credit and (b) we DO know who they are if the police come calling, as it clearly says in the Ts&Cs.

So, although your position is a very difficult one, a virtual card need not be a bad thing for you to handle.

(And yes, when one of my unrelated plastic cards was cloned the scumbags immediately tried to use it to buy jewelry, and I think they got it out of the shop before they were rumbled.)

Rgds

Damon

[edited by: DamonHD at 9:59 am (utc) on Dec. 28, 2006]

Anyone who uses paypal knows the risk of chargeback is still there and there's virtually no support if you process through paypal and get ripped off if you're a merchant.

To be honest I'd rather not accept any payments of this type at all. I'll tell my customers if I can't physically call their bank and verify the info the order will be cancelled. If this feature was offered by the VISA/MC or whatever company directly it would be of value since you're talking to the same people. But adding one more layer of processing with miserable support like paypal is not something I'd be willing to go through.

Yep, PayPal is just a layer of crud that I don't need either...

> I will not accept these types of payments... maybe
> for $200 gold chains but not $10,000+ diamond rings.

Is there some consistency in the numbers issued by Paypal Virtual Debit Card (i.e. the first four numbers)? Are you rejecting them in an automated way? Or will this also be a manual process?

While privacy is one of the benefits of the Virtual Debit Card, keep in mind that it might also be used by PayPal account holders who don't otherwise have a credit or debit card they can use on your website. (They may just have a Verified bank account for funding purchases.) If your site doesn't accept PayPal, and only has credit card options during the checkout, then the Virtual Debit Card is one way for those PayPal account holders to make their payment. Even if your site lists personal checks or money orders as available payment options, these customers might prefer to use a Virtual Debit Card number to make an instant payment instead of waiting for the payment to be received via mail.

Of course, it's still up to you to decide which payments you will accept and how to manage your risk. :-)

Hi,

Every VISA/MC/etc card number starts with a unique 6-digit "BIN" (Bank Identification Number). You can block by BIN if you want to (though nothing stops BINs being shared between some different uses). The BIN indicates a sponsoring bank (within the VISA/MC/etc scheme), the card scheme, and other stuff like the currency for that range of cards...

You'd need a big look-up table to decide what to do given a card's BIN...

Rgds

Damon

Its not really that hard. You just call VISA or MC, punch in the card #, and it gives you the card issuing bank. For Visa its 1-800-847-2750, MC is 1-800-300-3069. Once you get the phone number of the card issuing bank (like Chase, or MBNA or Bank of America, etc) you just call them up and ask to verify name and address. Pretty straight forward. Then you can try to get more info from them like if the address has been recently changed (usually the case with fraud) or if the large purchase is out of their typical shopping behaviour, etc... most banks will cooperate somewhat.

If I call that VISA or MC line and it tells me the card issuing bank is Paypal, you can bet I will be voiding that transaction, especially if its a big purchase! Or I will call up my customer and tell him how it is and if they can please use the actual card.

As far as cards that pull funds out of a bank account (no credit) those ACH transfers can still be reversed. The only thing that cant be reversed is a wire transfer. I usually offer my customers a 5% discount for large purchases even though CC processing is only 2.4% or so, because it lets me put my mind at ease and the customer is usually very happy to get the discount. If someone is going to pay cash electronically, then why not do a wire transfer and save a good chunk of change, especially on a large purchase?

My industry is a bit unusual because jewelry has no serial number, and can be dismantled, melted down, etc and sold as scrap, loose gems, etc. So we are always targets of fraud.

Hi,

Yes, for your industry and transaction size, I'm sure you're doing the right thing.

Credit cards are really more for the middle ground of middle-sized transactions for ordinary goods and services between counterparties unknown to one another where risks are small or moderate.

Rgds

Damon