For years, credit card issuers such as Citi, Discover and Bank of America have touted single-use card numbers, or “virtual credit cards,” as a means of thwarting credit fraud. Generally speaking, the idea behind virtual card numbers is this: consumers download a piece of software to their computer that generates a new credit card number for each transaction, potentially allowing the creation of card numbers for specific merchants with set credit limits and expiration dates. These numbers can be used either online, over the phone or through the mail, but not anywhere a physical card is required.

Though their use is free, consumer adoption of the technology has been low, prompting American Express to drop the feature several years ago. The latest revelations about the limitations of virtual card numbers, as reported in this SD thread, are not likely to help spread their use, either.

The claims, in fact, are a bit unsettling.

According to the original poster on SD, a merchant was able to successfully use an expired virtual credit card number to make a fraudulent charge:

They used an expired ShopSafe number from a couple of years ago. Not only was it expired but it was for more than the limit I had set for that number.

I was shocked that Bank of America had accepted the clearly bogus charge from an expired and over the credit limit virtual card number. The ShopSafe CSR explained that if a merchant used a manual claim (rather than electronic processing) that they were legally required to accept the charge and it was up to the customer to spot the fraud and dispute the charge. WTF! Apparently, if you’re a crook just make sure you submit manual charges and all will be well.

Later in the thread, another poster, who claims financial industry experience, writes this:

Typically, when a merchant runs your credit card through, virtual or real, they get an authorization number form their processor that this is a valid card and than the merchant can claim their money through this authorization number.

However, an authorization number is not required. Any merchant can just bill the account based on account number and expiration date regardless of whether or not this is an active account or expiration date. The bank will pay them in this scenario as well.

So, apparently there are no automatic safeguards in place if the merchant processes the charge as a manual claim.

It should be noted that most people in the thread that had experience with Citi’s virtual account numbers felt that they worked as expected, blocking unauthorized charges. So on the surface it appears that Citi’s system may have more safeguards in place than Bank of America’s.

What’s the moral of the story here? It appears that virtual card numbers do not offer a level of protection as robust as credit card companies would like you to believe. In the scenario where the merchant manually processes a fraudulent claim, the consumer can easily initiate a chargeback, assuming they notice the charge. But unfortunately, that would seem to defeat much of the purpose of virtual numbers in the first place. With or without virtual numbers, consumers will need to remain vigilant in watching their statements for unexpected charges.