Regular readers of this column will recall that earlier this year, I had three credit-card numbers stolen across a few months. This has led me to express joy and wonder at the growth of Apple Pay in the real world and for in-app physical purchases, and of course Apple Pay in Safari, coming to Sierra and iOS 10. (Android Pay and other options are also coming to Web-based ecommerce.)
But we can’t use Apple Pay everywhere. That’s where a product like Final may remain useful for some time. Final revives and improves on an idea that merchant banks introduced many years ago: virtual, sometimes disposable, credit-card numbers. I recall using this as early as 2004 with a Chase card. In that model, you go to a website, make some choices, and generate a card. The process was a little ugly, only available for some cards, and didn’t seem to be available for long.
I see it’s being revived by some banks now, including Citi and Bank of America. And Square just added an option to create a single virtual card to Square Cash on September 9.
This approach firewalls your card numbers online. A stolen number will be blocked when it’s used outside of set parameters, and you won’t need to get a new physical card, either.
The Final frontier
Final’s twist on this is an app: you generate virtual credit cards directly within the app, and then can copy and paste the number into a Safari-based form. You can also use Final’s website to create virtual cards, see charges, and make payments. An iOS app is out already, and Android is coming. (Citi and Bank of America appear to require use of their respective websites.)
The approach is very simple. In the app, you tap a card icon, pick between a merchant-locked card and a one-time use card, and then tap Generate. The app talks to the backend and uses secret sauce to come up with a legitimate fresh Visa number. (The company said it won’t discuss the process with which it works with its banking partner, First Bank & Trust.) The number has its own expiration date and CVV (the security code typically printed on the back of a card) and it can be used globally like any other Visa.
While you can’t specify a merchant in advance to which to lock the virtual card, the first merchant that charges using the number you generate occupies that role. With a one-time card, after the first charge, the number is deactivated. For recurring payments or sites that you frequent and trust, a merchant-locked number makes sense; for purchases from sites you don’t want to provide any recurring method of payment, a one-time card is the right way to go.
A merchant-locked card will work indefinitely for a single charging identity, but if it’s used elsewhere, the transaction is blocked and Final notifies you. Final has an admirable set of alert selections, so you can refine very precisely what you want to know about and what you don’t, and choose to receive the alerts via push notifications, email, or both.
This compartmentalization doesn’t change your exposure: in the U.S., your liability for a stolen credit-card number—whether you report it as stolen first or the card issuer determines it’s being used by thieves—is just $50, and effectively all U.S.-issued credit card networks take that down to $0.
But your time has value. If a virtual number is stolen, you just have to replace that number at a single merchant—and you’ll know which merchant has a leaky operation, too. Ostensibly, Final and other virtual-card issuers will eventually be able to pinpoint card leakage more rapidly than any current system. This could also drive poorly secured merchants out of business, because card issuers and customers alike will be less likely to trust them. That can help with a virtuous cycle of card-accepting online retailers improving how they secure systems.
This gets you closer with online purchases to EMV and mobile payments. Those real-world systems generate tokens and use cryptography to pass along card information without revealing too many details to the point of sale and points in between. Final and the like still require you paste an unencrypted credit card number directly into a form, but it’s far, far less leaky than using the same number printed on your card for every online purchase.
Any virtual card can be disabled with a tap or click in the iOS or Web app, although Final helpfully notes this doesn’t eliminate your contractual liability to pay legitimate charges.
Square Cash’s latest release lets you create a virtual Visa credit card that’s linked to a balance held in a Square Cash account, or that can be funded by transferring money from a linked account. However, it’s a single card, not linked to any merchant.
Let’s not take virtual too far
A significant limit with a virtual card is that you shouldn’t use it for a transaction you have to confirm in person, because you can’t present a physical card. Most businesses are going to look askance at that, or think you’re trying to commit fraud, I’d wager. There have been virtual card “wallets” in the past that let you scan a card and carry a single digital device with an electronic magnetic stripe, and some are soon coming to market. I have never seen someone try to use that with a retail clerk, especially at locations that check the card number and signature.
Final doesn’t try to play that game—at least not yet! They issue a conventional credit card with both an EMV chip and a stripe, and recommend sensibly to dip the card whenever possible. If the physical card number is stolen or the card lost, this doesn’t affect any of your virtual card numbers; they just reissue a card.
There’s one thing Final could do to make its process better: release a Safari extension, like many password-storage app makers have done. In that scenario, I could be in Safari in iOS, tap the Share button, select Final, use Touch ID for authentication, and then use its extension to generate and fill in a card in the form completely, rather than a round-trip that involves copy and paste.
Final is in a slow rollout, so you currently have to sign up for a waiting list to apply. But the company says it’s gradually accelerating customer acquisition and hopes to remove the waiting list in the next couple of months.
With both startups like Square and Final and established banks like Citi and Bank of America revving this up, perhaps the inevitable leaking of credit cards online will inconvenience us less at last.