Intro
As security practitioners, we are constantly evaluating new technologies and practices which may reduce our attack surface. While the specific objectives may vary greatly, the topic of security often blurs into its close sibling, privacy, which is another main topic of this site.
One practice firmly at the center of security and privacy is the use of virtual cards for online payment processing, which has demonstrated reductions in metadata collection, use (or requirement) of Personally Identifiable Information (PII), fraud, overpayment, cancellation refusals and arguing with banks.
In this post, I’ll provide a general overview of virtual card services and discuss some of the privacy and security advantages to utilizing these cards where possible. I’ll also share some of my personal experiences with both success and failure and finally, my recommendations for a service provider.
Overview
Virtual cards are temporary credit or debit card numbers which are created (usually within minutes) from your service provider’s dashboard. These service providers, such as privacy.com, serve as a middleman between your bank account and the vendors of goods and services you seek to acquire, granting you (the account holder) more flexibility and privacy than what is available through most financial institutions, including any major bank or PayPal. In roughly 2 years of everyday use, I’ve found that some of the key benefits include:
- Cards can be used for most (99%) online purchases
- Cards can be locked to a specific merchant
- Cards can be built for a one-time use
- Cards can be shut off instantly if unauthorized charges appear
- Services facilitate a significant reduction in PII available to fraudsters and marketers alike
As I mentioned, privacy cards serve as a middleman. This is accomplished by linking your bank account to your privacy card account, which funds your transactions. Each time a purchase is made through your virtual card, your privacy account will clear the transaction and withdraw the funds from the linked bank account.
As an added feature of privacy, your bank cannot build data on your purchase history. From your bank’s online dashboard, you will only see the volume of funds transferred to your privacy card service provider, so you will need to track your transactions from the service provider’s dashboard.
What Virtual Cards Are Not
As discussed above, there are many privacy and security benefits to virtual card services. However, privacy-focused virtual cards are mainly used to (a) shield the buyer’s identity from fraudsters and (b) grant some level of privacy from the buyer’s bank. With this in mind, they do not seek to usurp vendors providing the following services:
- They will not replace P2P transfer platforms, such as Zelle and Venmo
- They do not protect you from product, service or auction fraud
- They do not (typically) offer lines of credit or payment plans
- They do not act as a merchant payment processing system, like Square
- They will not provide buyer/seller protection services, like PayPal, in which the seller is responsible for retaining traceable proof that goods were shipped
Personal Experience
In a more specific and personal example: About two years ago, someone gained access to my personal credit card information and used it to sign up for a recurring monthly payment to reddit.com. I have never registered a reddit account, or had access to the account or the associated email opened for the charges, and even after filing multiple claims with Chase through their online portal and changing my card and billing address, Chase still allows the monthly charge to persist. At the time of the credential leak, I had been utilizing the same card information for purchases across all of my e-commerce activity as well as in-person charges during my travels, so not only was someone able to gain my credentials, but Chase bank will not stop the charges – which is one of many reasons I am leaving them.
Despite practicing [what I thought was] good OPSEC and only processing payment through secure checkout portals, had I used privacy’s services at the time my credentials were compromised, not only would there have been a significantly lower risk of this happening in the first place, but I could easily and immediately disable the card and protect my funds rather than fighting a losing battle against a big bank.
Personal Experience with a Small Company
A few years back, a disgruntled employee working remotely left on less than amicable terms and without notice. Due to the nature of their work, they had access to at least one company card, which was more for general purposes and not issued with their name on the front. Well, they decided to buy an iPad, some other things at Office Depot, and fill up the tank of their truck. While this type of action is more of a thorn in your side financially, it could have been a serious issue for a start-up or small LLC operating on a shoestring budget.
Unfortunately, the dollar value of the items charged to the card was below what it would cost to sue them for a refund, which is typically out of the question unless you suspect more of this will happen and need a public hanging – and it was not as if the goods would be returned in usable order, or that we would attempt to return them anyways. Regardless, this would go on to happen several more times with the same business unit before I would be given the opportunity to offer my recommendations.
My first recommendation was to have cards issued to the employees who needed them (usually traveling sales), which would make them liable for any unauthorized charges. In lieu of this we could also set a clearly defined policy of reimbursement, which often works in the employee’s favor. Unfortunately, this was not an option either, because some of the employees were working in entry-level roles and may not have the flexibility in their financial situation.
In the end, we structured a series of virtual cards, all of which could be managed from a single dashboard, and a limited reimbursement policy.
Recommendation
There are many features of Privacy.com’s virtual card system which protect the consumer’s privacy and security, whether that consumer is an individual balancing multiple online subscriptions and purchases, or someone running a small team. Personally, I use the Pro account, which allows up to 36 new cards per month & 1% cashback on your purchases, but the free accounts offer many of the same features as Pro. Do I need 36 new cards per month? My personal answer, even with many single-use cards, is “not right now”, but I have run into the limits in the past and I’m getting closer to needing an upgraded account each month.
Privacy.com also features some very polished applications and browser extensions. I do not use the browser extensions or mobile applications myself, mainly because I have de-googled / de-appled my life, so I will not be reviewing these here. What I can say is that my friends, family and privacy consulting clients often use the mobile applications and browser extensions and are very happy with the flexibility that it offers them in both payment processing and account management.
As you can see in the image above, the web-based account dashboard is one of the simplest user interfaces that most of us will ever navigate in our lives. In the dead center of the page is your account activity, itemized, timestamped and with value and vendor. Just above this, you’ll see a blue button titled “New Card” which brings you to the card setup interface. All cards are managed from their own interface, but the main dashboard gives you a snapshot of the three most recently used.
Disclosure: If you like this article and want to use my referral link (https://app.privacy.com/join/QN4JV), we will both get $5 USD to spend anywhere online, and no information is shared between either party. If not, then no worries, I still recommend Privacy.com over the other services I have used in the past.
Closing Thoughts
As always, I built this post for your consideration in building more private and secure practices in both your personal and professional roles. Though we dove a little deeper into a specific service in this post than normal, I felt that the prevalence of fraud, identity theft and online privacy concerns in most connected societies is such that diving into the details of PII exploitation was not needed. With this, I hope that the overview of the features of virtual cards, my personal experiences and recommendations served as a brief guide in your journey.