Post EMV, virtual cards can become token powerhouses

If mobile wallets and virtual payment cards are to obtain lofty status in the payments industry and build consumer confidence, providers have to deliver on the promise of better security.

A virtual card is a form of tokenization, creating a one-time-use account number to replace a physical card's 16-digit primary account number on any merchant or service provider network. It's a relatively old technology, but is gaining steam in the wake of the EMV migration, which reduces counterfeit fraud at the physical point of sale while increasing digital risk.

The use of one-time tokens has picked up steam in the past year, especially with merchant groups waiting for EMV standards body EMVCo to release specifications for a payment account reference, or PAR, that would link to a payment token associated with a primary account number. A PAR would eliminate the need for those using tokenization to rely on the primary account number when delivering other services.

Whether the type of one-use virtual card technology that some companies embrace can be under the hood of open standards for tokenization services remains to be seen. But that's what merchants are seeking, as they prefer tokenization managed through industry standards rather than through the major card brands.

"Wex doesn't provide the technology directly to the consumer right now," said Jim Pratt, senior vice president and general manager of virtual payments for Wex Inc. "But you are starting to see mobile wallet providers do that for consumers, using a card on your mobile phone, but having a one-time use PAN behind it."

That use case will become more common in the future, first on e-commerce sites, Pratt said. "When people get used to it, then it will become common in restaurants and taxi cabs and other places."

Wex Inc. has been providing virtual cards to the travel and hospitality industry for several years, while also experimenting with applications in their fleet card and health care payments. "We've been at it for awhile with virtual cards, initially calling them a single-use card with a 16-digit number an acquirer could process," Pratt said."That concept has since spawned much of the one-time mobile card use you see, or with Mastercard or Visa providing digital tokens behind personal account numbers."

Following the move to chip cards, many virtual cards are making a risk management play, serving business sectors that face security exposure from holding onto a consumer's card credentials for additional or recurring charges. And the technology behind virtual cards may eventually find its way into most aspects of mobile and digital payments.

Aside from the obvious benefit of virtual or digital payment cards for businesses buried in paperwork, replacing a physical card with a one-time code simply makes security sense.

In a common use case, Wex works with companies like Expedia or Orbitz to provide, upon request, a virtual payment card to that booking agent in real-time to replace a customer's plastic card after they check into a hotel. The virtual card from Wex acts as the account number on which to add charges during the consumer's stay at the hotel. Neither the hotel, Wex nor Expedia has access to the original card number under that scenario, with only the acquirer using it to process payments.

"This absolutely is another form of tokenization, or replacing the PAN with a proxy number that has limited or no utility outside of the merchant’s environment," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

The hotel industry is a perfect setting for this technology, because the alternative that many hotels have in place is to keep the full PAN stored in the system for the duration of the guest’s stay, Conroy said.

"As we’ve seen from all the POS malware directed at hotels, criminals realize that they represent a soft target," Conroy added.

But the concept applies beyond the hotel industry as "another flavor of tokenization that devalues the data" in order to minimize risk when criminals breach the merchant’s system, Conroy said.

"And all merchants should be viewing this as 'when', not 'if' given the current threat environment," she added.

Currently, virtual card providers are seeing more market potential outside of the United States.

"We are seeing places like India going right from currency to digital payments and just skipping physical cards altogether," Pratt said. "That's a great area for us, and we are seeing really good takeup in Singapore."

For a major deployment of virtual cards in the U.S. to unfold, more retailers of all types would need to become more comfortable with consumers abandoning physical cards, Pratt said. "It might just be an image on a phone, and in certain places of the world, that is very common."

But many U.S. merchants remain leery of digital technology, feeling that most anyone could possibly create a card image on a phone. In that regard there remains a significant educational curve to navigate regarding digital payments, Pratt said.

Plus, the digital card on a consumer phone does nothing if the merchant doesn't have the technology, such as Near Field Communication, at the point of sale to communicate with the phone, he added.

"Do those two things, and it is a much more normal evolution to go to virtual cards than it is to go to tokenization," Pratt said. "Consumers are more used to cards and, in emerging markets, that's the way they will develop."