Paypal used to have this feature that allowed you to install a browser add-on and you could generate a CC number on the fly that was good for either one time use or recurring use (for subscription services). This feature served two primary purposes:
1) to be able to pay using PayPal on sites that didn't support it
2) to help prevent against fraud which was becoming a massive problem at the time. If the number was stolen, it immediately wasn't good anymore and a hacker/thief could not use the CC number to purchase/steal anything.
It was that second aspect that I thought would totally eliminate all credit card fraud and make people comfortable with online purchases on smaller sites. I have no idea why PayPal killed the program, but even before it did, not many people used it. I was the only person I knew that was even aware it existed.
I don't think its too tin-foily to assume that there are non-technical reasons why the credit card networks don't want one-time-use credit card numbers, and that PayPal would care more about its relationships with those networks than it does for a product that didn't immediately take off.
This is how the innovater's dilemma works. Big entrenched company, too scared to make changes that will jeopardize existing partnerships and businesses, upended by a nimbler competitor that doesn't have to care about those things. It'll happen!
The one-time PAN patents (and the merchant or tx-bound PAN) patents of the late '90s are largely expired at this point, so it is open art now. I see more and more companies starting to implement it more broadly (Citi, BofA, CapitalOne). It's nifty because you don't have the hefty "Verified by Visa" type integration (nor any of that SET stuff also from the 90s).
The last time I logged into my PayPal pre-paid debit card portal, they still had this functionality (sans Browser plug-in), but I don't recall seeing it on PayPal proper for a while...
The last time I talked to the MC folks (granted, it has been a long while), they actually thought it (OTP) was a nifty client-side (plus closed-loop) technique and was a nice (and orthogonal) add-on to the types of security that they are pushing vis-a-vis tokenization on the merchant side...
Yeah but in PayPal's case, they were all MasterCard numbers. And keep in mind that since one of the primary uses was to be able to Pay secretly with PayPal on a site that doesn't support it, the number would have to validate through the merchant's existing CC system. MasterCard was clearly on board with the process.
> MasterCard was clearly on board with the process.
They might have been when it started, but clearly something changed. If it was desirable, the moment PayPal decided not to continue, MasterCard would have started looking for alternatives. Since they didn't (and haven't), its pretty reasonable to assume they decided intentionally not to pursue it.
The two other functioning alternatives listed in this thread, getfinal.com and privacy.com, both Visa. Kinda says it all there.
My mastercard had the same feature sometime along the way that they advertised strongly to me on the website. I think I might have used it once, but it was too much of a hassle to log in to my account, generate the number, go back to the website that I was purchasing from, etc.
Too bad it requires an invite code. Do you have one for us? :)
I use privacy.com for something similar, but it's a debit card (so it just connects to your bank account) rather than a credit card and doesn't offer any rewards.
the problem is you have to tie a debit account to this, right? Why can't I tie another credit card as a source of funding to this, or Paypal or some other stream? The less organizations that have my debit information, the better.
This tech is available and extremely well-implemented via Final Card. I use it and have numbers stored for probably 50 sites/services/etc. Anything where I put a card in online.
So next time my card gets compromised because I used it in a restaurant (seems to happen regularly) then none of those have to be reset. Just get a new "physical" card and go on my merry way. Many hours saved.
It's not just PayPal. I think Discover and American Express both had that feature but killed it off. Bank of America still has it and (IIRC) Chase does too.
On the Quora page they explained the main reason behind dropping the product was that fact that users had to install a browser extension to get the CC number, which put people off.
Surely they could have very easily sent the CC details to the users by email or SMS (security risks) or better still they could obtain the details by logging into their PayPal account.
Seems odds that the execs axed the product over this when they were so many solutions to the problem.
I suspect it had more to do with pushback from card providers as it likely made tracking users more difficult. Same reason some retailers still don’t support Apple Pay.
Both Bank of America and Citi credit cards do it. They have it available right on their websites, and Citi even has an optional desktop application to quickly generate temporary use cards. I use it all the time for shady subscription services, and also to sign up for "New User" promos multiple times :)
I really liked this about my BOA card. I don't use the card any more because the rewards suck but used to make one time numbers if I didn't have my wallet handy.
I think Privacy.com (no personal relation) offers a similar service now, though you've got to trust them with access to your money at some point in the process.
Edit: Since I started writing this comment others posted the same one - and pointed out it's not really a credit card.
In Portugal we have a company that provides a service that is very similar to what you described (creation of virtual CCs which can only be used 1 time, or X times by one retailer, for subscriptions). The service is called MBway (previously MBnet) and it works very well.
I experienced this 1 week ago. Imagine you used your one and only debit card for a subscription service. The billing system of this subscription service went mad. Guess what: To stop this subscription madness you can only block your whole card. On top of that you have stress to get a new one from your bank and you are several days without a debit card. Or imagine somebody does a fraudulent charge... when it's large and the limit is not big (or connected to your account with a debit card) the money is first lost. You practically loose time where you cannot use that account/card anymore.
Right, but this problem seems solvable by having multiple credit cards. I would only make an online purchase with a credit card, never a debit card. If there is a charge that I didn't authorize, I can just click a dispute button on my credit card's web app and never have to think about it again.
The critical feature is you can specify a credit limit and expiry period for each virtual number. By keeping the credit limit at a bit above the purchase amount you dont' have to worry about losing a bunch of money if the number is abused, and by keeping the expiry at 2 months (12 months max) you avoid any abuse channels that would take more than 2 months to transact on the dark market.
edit: And of course you have the credit card company on your side to assist with fraud awareness and refunds. You won't get this with Paypal, Android/Apple pay, and especially not with any blockchain technologies where there is no intermediary working on your behalf.
I keep a Citi mastercard just for the Virtual Account Number feature and use it every time for online and phone purchases. The BofA feature has some severe issues.
It was that second aspect that I thought would totally eliminate all credit card fraud and make people comfortable with online purchases on smaller sites. I have no idea why PayPal killed the program, but even before it did, not many people used it. I was the only person I knew that was even aware it existed.
EDIT - if anyone is curious, I looked it up. Two ex-PayPal employees explain here: https://www.quora.com/Why-did-PayPal-discontinue-their-one-t...