PayPal 'Virtual Debit Card' Beta Seeks to Eliminate ID Theft
By Scott M. Fulton, III | Published December 28, 2006, 5:47 PM
The PayPal division of eBay, which operates the Web's most respected online payment voucher system, is beginning beta trials of a next-generation online payment system, in cooperation with MasterCard. Using what's described as a virtual debit card, a customer will be able to make a PayPal-authorized purchase using a one-time number good only for that transaction.
Perhaps the most innovative feature of the VDC system, the implications of which could be enormous if the trial is successful, is that it generates a new MasterCard number for each purchase. A browser-based add-in program will automatically fill that number into forms at retailers that accept MasterCard. Once that number is validated, and a supplemental verification takes place between PayPal and MasterCard, that number would be discontinued.
As PayPal described in an FAQ mailed to prospective beta participants, "PayPal Virtual Debit Card's virtual card number is a MasterCard number used in place of your credit or debit card number. Each time you make a purchase on a website, a new number is generated. It protects you from sharing your personal credit card number when you shop online."
It's the Secure Sockets Layer principle applied to payment transactions: The participating sites agree to a transaction number that's good for the duration of the transaction itself. It can't be used for any other transaction, and it becomes invalid after the transaction is complete. If it works, it could conceivably render online credit and debit card number theft a pointless pursuit.
Rather than have the customer's MasterCard number tied to a physical debit card, under the PayPal VDC system, the "session key"-like VDC number is linked to a PayPal account from which funds are immediately withdrawn at time of purchase. Furthermore, should the PayPal account run dry, the system can withdraw backup funds from a secondary source of the customer's choice: a PayPal credit account, a specific PayPal credit card account, or the customer's bank account.
How does the use of the VDC change the payment experience for the online merchant? As PayPal spokesperson Amanda Pires told BetaNews late yesterday, it won't. In fact, the merchant won't even have to explicitly support PayPal with a logo. Whenever the customer's active Web site supports MasterCard, the PayPal VDC browser add-in will detect this fact, and ask the customer if she wants to pay via VDC. This may be the tricky part, the details of which may be worked out during the beta process.
As Pires told us, the add-in client doesn't have to transact with the merchant at all - for instance, to determine in advance whether it would accept the VDC number, or whether it accepts MasterCard numbers. "If the merchant does accept the number, then it will go through," said Pires. "It would be such an anomaly for a site to not accept MC and accept other credit cards, that we did not build any logic for this."
Once the customer approves the notification, the VDC client begins a separate negotiation process with MasterCard. As Pires told us, this process takes place over a separate SSL connection. "VDC communicates to PayPal via SSL," she said, "so any personal or financial information between the user and PayPal is secure. The security of the site itself does not affect the security of the VDC. However, the intent of VDC is to protect users, so if a site is not transmitting information securely and the message is intercepted, then they are still protected by our 'one-time use number.' Only one merchant can use this number and any other merchant that tries will be declined."
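A minimal issuer-side model of the "one-time use number" Pires describes, added here as an illustration and not PayPal's or MasterCard's implementation: the number is bound to the first merchant that authorizes against it and retired once that charge is captured. The class and method names, the test prefix, and the separate authorize and capture steps are assumptions.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

class VirtualCardIssuer:
    """Hypothetical issuer: one number, one merchant, one completed charge."""
    PREFIX = "510000"  # constructed test prefix in the MasterCard 51-55 range

    def __init__(self):
        self.cards = {}  # number -> {"limit", "merchant", "state"}

    def issue(self, limit_cents: int) -> str:
        # Unpredictable digits from the OS CSPRNG, then a valid Luhn check digit.
        body = self.PREFIX + "".join(str(secrets.randbelow(10)) for _ in range(9))
        number = body + luhn_check_digit(body)
        self.cards[number] = {"limit": limit_cents, "merchant": None, "state": "issued"}
        return number

    def authorize(self, number: str, merchant: str, amount_cents: int) -> str:
        card = self.cards.get(number)
        if card is None or card["state"] != "issued":
            return "DECLINED: unknown or already used"
        if amount_cents > card["limit"]:
            return "DECLINED: over limit"
        # Bind the number to this merchant and cap it at the authorized amount.
        card.update(merchant=merchant, state="authorized", limit=amount_cents)
        return "APPROVED"

    def capture(self, number: str, merchant: str, amount_cents: int) -> str:
        card = self.cards.get(number)
        if card is None or card["state"] != "authorized":
            return "DECLINED: no open authorization"
        if merchant != card["merchant"]:
            return "DECLINED: merchant mismatch"
        if amount_cents > card["limit"]:
            return "DECLINED: over authorized amount"
        card["state"] = "spent"  # retired: any later use is declined
        return "APPROVED"
```

Keeping "authorized" and "spent" as distinct states lets the same merchant settle a charge it authorized earlier while any replay of an intercepted number is declined.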
The VDC service, once formally launched, will replace PayPal's existing Virtual Debit Bar service, which uses a static MasterCard number for online merchants that don't accept PayPal directly. No date has yet been given for VDC's formal launch.
Paypal and identity theft? I thought Paypal invented it...naw...wait that was Al Gore
Score: 0
|"Eliminate"? Yeah, right. Until we start embedding RFID tags inside our bones, nothing short of that will be safe from theft or copying. Even that may not work.
Score: 0
|RFID in our bones would seem a perfect opportunity for more identity theft. Look at the new flawed U.S. Passports and you can easily see why.
Score: 0
|Agreed. Probably some sort of DNA probe will be used. I imagine if the IRS has any say in it, it'll look like a prostate exam device.
Score: 0
|PayPal sucks, that's why we are going for the Google Checkout.
Score: 0
|Google checkout doesn't even have a history, how can you claim its superiority yet without seeing how it reacts to ticks like security breaches, payment resolution, federal compliance, etc?
Score: 0
|"PayPal 'Virtual Debit Card' Beta Seeks to Eliminate ID Theft"
Well, I might as well look for the Ark of the Covenant or the Lost City of Atlantis--chances are far greater for me to find one of those than the chances that someone will ever eliminate ID theft :D
Score: 0
|To the "foreigners": ditto. Another example is Polish online bank mBank (the card is called eKarta there) as well as many other banks in the country - such solutions are known in Poland as virtual credit cards. A bit about it is here (in English): http://www.mbank.com.pl/...offer/cards/ekarta.html The cards have been known for four-five years.
The cards are widely accepted, however, some American online shops do not accept ANY cards issued in Europe (I currently work for German and Polish institutions, so I have both Polish and German credit cards in my wallet). The infamous policy is led mainly by American photo stores (I do not know the reason). I also buy electronics in Japan and DVDs in Australian shops (mainly in www.ezydvd.com.au) because they are cheaper than shops downtown.
Score: 0
|Every credit card company has offered this for many years. PayPal is just leveling the playing field by offering what everyone else already does.
Score: 0
|I would not install paypal bar. This won’t work on all operating systems. So they need another option to create a one time use card. I can see some problems with this because of how some merchants handle credit transactions. Some merchants do not know how to properly merge the authorization with the actual purchase. In your account info it would look like a double charge but the authorization would be removed in about a week. When an authorization goes through it would approve the card. Then when the actual payment goes through it could get denied. I have read bad things about how paypal handles your data. So if you do get a paypal account, get a checking account at another bank without overdraft coverage.
Score: 0
|Much like what these "foreigners" have mentioned having a system like this in their country, Visa offers this system at least with MBNA Bank, or at least it was available back when I used to have a MBNA WorldPoints card several years back. So sure I have one fixed card # for offline purchases, but you can obtain a new # for each purchase online as described on demand. That's great and all, but this still does not eliminate the key factor that PayPal accounts are being phished all over the world, and that doesn't stop fraudsters from logging in and generating their own card #'s for online purchases. Key information remains to be username/login email, password, maybe a security question or 5, and maybe even the original card # and security code. I don't know what they all will be, but even when you could need all that, there's still those reluctant to submit this information to a phish website and be subject to the same problem as before.
edit: unless they find a way to have it work only with a browser addon attached with security keys assigned to an individual computer... however then you run into issues with compatibility, browser hi-jacks taking over and not letting add-ons run, not being able to use someone else's computer to make purchases with paypal, etc. The list goes on. ;] But it's still a good idea, and no idea is the perfect idea, unless of course we make purchases from fingerprints. :) Then fellas, you better not get caught dead, cause someone's gonna steal your fingers!
Score: 0
|Paypal is a product/service like any other available out there. You don't have to use it if you don't want to. I have been using it for years here in the UK and have had no problems. But what does this have to do with the anti-American statements? The dollars' value only make the products from the states cheaper here. Now if only we could stop the blokes from Nigeria from bidding in e-bay.... :)
Score: 0
|"The PayPal division of eBay, which operates the Web's most respected online payment voucher system"
Since when ?
Score: 0
|Yeah, you're right. Should have said "the Web's most popular online payment voucher system"
Score: 0
|"Since when ?" Right after you stuck your head in the sand.
If you follow their rules, and are an honest buyer/seller/user, you should never have a problem with eBay or PayPal. Then again, not everybody RsTFM.
MasterCard had offered this service for a long time (5+ years???). MasterCard = US Company.
The US may be late coming out with something, but by golly, the US makes it better -- Except Windows OS.
So before you start country bashing, let's compare the number of patents issued each year by country.
Score: 0
|And then let's compare the amount of people in said country to the amount of patents filed.
Score: 0
|I got my paypal account limited for f'all, how respectful is paypal?
Score: 0
|Me too... for using a virtual debit credit from my own bank - "suspicious behavior", they called it. Yes, spending your own money is always suspicious...
Score: 0
|Honest users do get their accounts suspended or limited. Paypal is ruthless in such cases.
I still remember the last lawsuit Paypal lost where they would suspend an account so you couldn't access your money but others could still put money in your account. I'm glad they lost that lawsuit.
And then there's the lawsuit......blah blah blah
There's always more to the story than meets the eye.
But I do like your cheap insult, funny.
Score: 0
|Nosey buggers they are.
Score: 0
|The British on-line bank - cahoot has had this feature for six or so years.
A unique one-off credit card number and an associated user-selected limit is generated through a small desktop applet. A CVV2 value and a short dated expiry are also provided. Sorry PayPal - nothing new here!
Score: 0
|BAhhh...in Portugal we have had this kind of system for ages (5 years). It works very well, and it's the most secure form of shopping online. Paypal is just copying the idea of mbnet.pt, the Portuguese service. The difference is that we associate a credit card (Visa or MasterCard), to mbnet, online (online banking) or in a cash machine, ours (multibanco), then we have a plugin for IE or Firefox/Opera, that after successful login, gives us a one time use credit card number... and we can even stipulate the maximum value permitted...
" next-generation online payment system" ...lol...not for Portuguese people, maybe for the rest of the world...I think our system is even better since we can associate cards from MasterCard or Visa, and the plugin is not only for IE but for Firefox too...
hope that they don't publicise this new feature, as a new in the world...
Score: 0
|They're stupid Americans who think the world IS the USA. World Series Baseball anyone?
Score: 0
|Ha, good point! However, in baseball's defense, they pay many millions of [increasingly worthless] USD to get ballplayers from around the globe, notably from Latin America and Japan.
Score: 0
|Yeah, and who else would keep the steroid industry afloat? Soccer? Pffft.
Score: 0