Understanding Virtual Credit Cards and How to Get One

It's 2018, and if you're an adult you've probably been caught up in at least one major credit card hack — maybe the Target card hack from 2013, or the recent hack that netted 15 million credit card numbers from Chipotle and other retail locations.

The modern retail economy has a lot of incentives to make it easier to pay for what you want. Only a few hundred years ago, we were all walking around carrying baskets of eggs and woven cloth to barter. Precious metals like silver and gold made it a little easier to figure out the rate of exchange, but were also heavy!

The banking system came along and eventually paper money and paper checks made it possible to pay for things without needing a back brace, but it was still a pretty slow system, where payment could take anywhere from a few days to a few weeks to make its way around.

Enter credit cards, invented (roughly) in the 1950s. Over time, improvements in access (nearly anyone over 18 can get some kind of card now, and many minors have access to a card through their parents) and in technology have made them one of the easiest ways to pay for what you're buying. And it's just getting easier.

At first, credit cards weren't widely accepted, and transactions still had to be recorded on pen and paper (or typewriter) and took time to go through completely. Eventually, computers, satellite technology, and the Internet reduced all the time involved to a few seconds.

Now swiping your card, or pushing it into a chip reader, is being rapidly replaced by simply tapping the card on a reader if you buy something at a retail location, or just entering it into a field on a computer screen. Up next, maybe a connection directly into your brain . . . okay, not yet, but you see what I'm saying. There's very little friction involved in paying for anything with a credit card anymore. That's very convenient, both for us as buyers and for merchants.

But the increasing ease of paying has also made credit cards vulnerable to the kinds of hacking and fraud that have sent lots of credit card numbers sloshing around the Internet. It's not fun to keep close tabs on your accounts and try to catch fraudulent charges, and banks spend a lot trying to prevent people's numbers from getting out into the world.

"Virtual credit cards" try to help solve the security problems caused by credit cards, while still allowing you to buy what you want with the ease of use of a normal credit card.

The main problem with credit card security is that the same identifying information is used every time to link you to your card. Your name, the credit card number, the expiration date, and the security code printed on the back of the card never change. That means that once the data is stolen, either in a major hack or old-fashioned credit card theft, it can be reused by someone who isn't you. (This is why you're always encouraged to cancel your cards immediately after losing them.)

Virtual credit cards use computers and the Internet to solve a problem largely created by computers and the Internet. Neat, huh? They use dynamic rather than static data to verify your identity with online retailers.

Most online retailers, ranging from Amazon and Target on down, store their customers' payment information. It's very convenient for everyone involved not to have to re-enter the data every time. But the problem is that hackers can and do routinely gain access to that data, leaving you at risk of identity theft and fraud.

Virtual cards, unlike your normal credit card, use an app to generate a new (numerical) credit card number, or "token," for every single transaction. That token is transmitted between the bank and the retailer to confirm that it's ok to put the transaction through. But unlike a normal static token based on the information printed on your card, these tokens can't be used again, making its storage and potential theft useless to would-be fraudsters.

I'm not going to lie: it's a bit more of a pain to shop with a virtual credit card than it is to shop with a normal one. Not much more — but it requires a little thought and a separate login credential to your bank or virtual credit card service. Maybe it's fair enough to take the extra step if it protects you from identity theft, though!

• First of all, virtual credit cards can only be used online or over the phone. (If you're worried about the security of your credit card number in a physical retailer, you might want to consider a mobile payment app on your phone; these apps, like Apple Pay and Google Pay, also use one-time tokens.)
• So, you're online and your (virtual) cart is full. When you're ready to check out, you'll need to open your virtual credit card's site. Some banks that support virtual credit cards are integrating browser extensions, but some require you to log into your account on their website.
• In either case, once you've signed into your account with a username and password, you can generate a one-time token. It'll include a unique card number and security code. Depending on your servicer, you may be offered an expiration date, or you may have the chance to set the expiration date for yourself.
• You may be able to set a spending limit on the card number, too. (That can be useful if you want to share a card with someone else, say a child or a roommate.)
• At this point, you can go ahead and pay with the virtual card's details.
• If your virtual card is linked to a "normal" credit card you have with a bank, transactions will show up on your statement like usual.
• Returns also operate normally if your virtual credit card is linked to your regular account. You send the item back, and the amount is refunded to the virtual number. Even if it was set for one-time use, the refund credit should still appear normally on your statement.

One thing to be careful about: since virtual credit cards, by definition, don't have a physical version, you can't use them in any situation where you need a physical card present. This doesn't come up a whole lot with online purchases, but if you use the card to reserve tickets online, you should print your tickets out rather than relying on the will-call window!

You know your Amazon Prime, Hulu, and other subscriptions charge your credit card regularly. Some virtual credit cards are "single use;" each token they generate is truly only available for the purchase you are making at the given moment. But others offer a "recurring use" option. You can set the token to be valid until a certain date, enabling it to be stored and reused until you want the subscription to run out.

You can also establish a spending cap for the token so that, in the event it is stolen, it can't be used for more than the amount you're comfortable paying Amazon every month!

Virtual credit cards are available in two ways: either directly from your bank if you have a credit card issued by one of the banks that offers this service, or by linking a pre-existing card from another bank to an online service.

Currently, three major American banks offer easy access to virtual credit cards to their cardholders:

• Citibank offers virtual credit cards for almost all of its cardholders. If you have a Citi card, simply enroll and then use the bank's website to generate virtual card numbers as needed.
  • Citibank's service doesn't allow you to use virtual numbers in any ongoing way — so don't enter one for a subscription you want to renew.
• Bank of America offers a service called ShopSafe for Bank of America Visa and Mastercard (but not American Express) cardholders. It's a pretty slick-looking experience; when you log into your online banking account, ShopSafe generates an image of a credit card, with the new token. You can set your expiration date up to one year in the future, and enable an option for recurring monthly payments to handle the subscription problem.
• Capital One's service is called "Eno." It, too, is only available to Capital One cardholders, and only to personal cards (see below for business options). 
  • Eno uses a browser pop-up window to log you in to create a virtual account number, so you can only use it with Chrome or Firefox (for now).
  • Eno lets you create account nicknames, and keeps a list of all the numbers for you, so if you want to find the numbers you've used with your cable company, Amazon, and Netflix, they're all in one place in your account.
  • You can't set a special spending limit on virtual card numbers; instead, the spending limit is the credit limit on the normal Capital One card the virtual number is linked to.

If you don't have a card from one of these three banks, you might want to consider another service that lets you use one-time tokens online. Various startups are entering this area; one that's free to users is Token. It's only available as a phone app right now, though the company says a desktop browser extension for Chrome is coming. You simply link your credit card or debit card to the app, it generates tokens for you on demand, and when you use them the charge is applied to your linked card.

Another big service right now is Entropay. It's not actually a credit card; rather, it works a little like a prepaid debit card. You can create up to 10 virtual card numbers at once, deleting and replacing them as you like. They are free to create, but when you fund them (using your normal credit card or bank account) you pay a 1% fee to Entropay. On the upside, you don't need to tie your spending to any one bank, you can pay in dollars, euros, or pounds no matter what source you're using to fund the card, and your virtual card numbers will be accepted everywhere Visa is — which is to say, everywhere.

While most of us are probably going to be individual virtual credit card users, if you own or help manage a business, these cards can really help solve one of any company's biggest problems — multiple employees needing to make purchases on the business's behalf, from printer ink and toilet paper to plane tickets and client dinners.

Just like individual credit cards, static "company cards" are open to theft. And if a company card with a single number is shared by a few people, it can also be prone to abuse if you can't figure out which employee made which purchase.

If you're at a U.S.-based business, you'll want to talk to your bank about its virtual credit card offerings. American Express offers one such service, called "vPayment," which only works with corporate cards. But if you're in Europe or the UK, regardless of what bank you use you might want to check out the service offered by Spendesk (which does hope to expand to the U.S. soon). Spendesk allows employees to request authorization, and once an expense is approved by a manager, the employee gets access to the token and makes the payment.

Random numbers, like the kinds used by virtual credit cards, are so much more secure than static numbers that it's probably inevitable they will become more widespread. I'd expect to see virtual credit cards more and more integrated into digital and mobile wallet services like Visa Checkout, Google Pay, Apple Pay, and so on.

I also expect to see them become more seamless from a user perspective — with less logging into your bank's website and more integration into browsers and payment apps. The economic imperative to combine safety with ease of use makes this seem inevitable.