Here (in Portuguese): https://www.itau.com.br/cartoes/cartao-virtual/
Or am I missing something?
Edit: They launched it in 2002: http://exame2.com.br/mobile/tecnologia/noticias/itau-agora-t...
Edit2: Sounds new in the US. This is not supposed to be a bragging/snarky comment. Just genuinely surprised as innovation usually comes the other way around, from US to Brazil. So Congrats on the launch! Good job, sounds tough to launch it not being a Bank!
I'm excited that I can hop on and use Privacy but it seems like it's more of a feature than a product.
Edit: the web app for Citi was also a flash app last time I checked (few months ago). That plus them not supporting 2FA for every login makes me not use it.
People are surprised when I point it at them because it is almost as if BoA does not want you to use it. Check the right side bar towards the bottom.
Edit to add: This is not a tech issue, it is politics and the like.
Fraud was a lower risk to credit card companies in America because they were better at detecting and preventing fraudulent transactions, and were better at passing on the costs of fraud to retailers and consumers.
Here's an interesting article from 2000, declaring it basically unnecessary because cards were safe in transit. Some of the quotes and rationale are hilarious. Definitely from the pre-breach-of-the-month era.
Blur from Abine.com has an almost identical system to the one described here.
Because this service draws directly from your bank account, and takes what would otherwise be your rewards from the credit card fees their banking partners charge, it provides a nice business model for them at the cost of you getting 0% rewards back. Not worth it, in my opinion.
All online transactions are processed as credit - even if the card used is debit/prepaid debit - and the card issuer earns 1-3% for each transaction.
Some of this fee is rebated back to people through cashback/travel rewards cards, but I am assuming Privacy & Customer's Bank will be using it to fund their business.
Pretty cool idea! And even cooler website!! Would be interesting to see some sort of loyalty/rewards program implemented, although that doesn't really jive with your anti-marketing pitch.
I'll be sticking with my credit cards for now. They're worth a lot more than their rewards, and it's a shame so many people choose to stick with debit...
These guys directly debit you, so they have to float nothing, they have no fee on the ACH, and they keep the 1-3% merchant fee. That said... avoiding some of those earlier issues of fees and data selling, this seems kinda cool.
In fact a few places accept debit cards but do not accept credit cards as fees with debit cards can be lower.
There's just a handful of subscription merchants that don't take prepaid debit cards.
I'm not too aware of how cards are in the US but generally in Europe & Australia (afaik) they're this way. Do cheque cards have mastercard/visa on them in the US (What about maestro/electron)?
You are right -- if the card is bank-issued, then they can simply place a hold and release it without money flowing. With Privacy, it would seem they will need to actually pull the cash to be able to ensure that it's there when the final charge comes through. Curious to see how this plays out.
My company used to send us on work related trips which were paid for in advance, but relied on us to provide our own cards at the hotels for incidentals. After a few (presumably less financially stable) employees used debit cards with low balances to check into hotels (effectively leaving them with no money during their stay), this policy changed so now the company credit card is used for hotel check-ins.
I personally hate the new policy because I have good credit and like getting room service, and for some reason I find it kind of emasculating that I'm not allowed to use my own card.
I for one don't care for the puny rewards which are much smaller than the value of the data they get from me anyway.
We've been neck-deep in payments stuff on the card issuing side (getting a BIN sponsor, ACH origination, etc), so happy to answer any questions on that front as well.
P.S. For new users, your first $5 donation to watsi.org is on us :)
Say there are 3E9 people on Earth, each with 3 cards. That's around 10 digits right there. There's 1 digit for checksum. I imagine you'd want to leave space for least 1000 financial institutions around the world, so that's another 4 digits. Which means you can only have 100 transactions per person.
None of this takes into account the fact that the same people are issued way more than 3 card numbers either.
So my question is, how are we not close to running out of card numbers? How is this not even a problem yet?
If you're curious about the number scheme, check out https://en.wikipedia.org/wiki/ISO/IEC_7812
Using the number scheme, this person calculated^1 that (assuming Amex starts issuing 16 digit cards) there would be 3*10^14 + 10^11 or 4.001e+14 possible combinations.
You vastly overestimate the number of people with credit cards.
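An added example (not part of the thread) for the number-space question above: it splits a card number along the ISO/IEC 7812 layout and counts how many account numbers fit behind one issuer prefix. The sample number is the widely published Visa test number, and the function and class names are this example's own.

```python
"""Added example: ISO/IEC 7812 card-number layout and per-issuer capacity."""
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9            # same as adding the two digits of the product
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Pan:
    mii: str          # major industry identifier: first digit
    iin: str          # issuer identification number ("BIN"), includes the MII
    account: str      # issuer-assigned account digits
    check_digit: str  # Luhn check digit, fully determined by the other digits


def parse_pan(pan: str, iin_len: int = 6) -> Pan:
    """Split a PAN into its fields. iin_len is 6 (classic) or 8 (2017 revision)."""
    if not (pan.isascii() and pan.isdigit()):
        raise ValueError("PAN must be ASCII digits only")
    if not iin_len + 1 < len(pan) <= 19:
        raise ValueError("PAN length out of range for this IIN length")
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed")
    return Pan(pan[0], pan[:iin_len], pan[iin_len:-1], pan[-1])


def accounts_per_iin(pan_len: int = 16, iin_len: int = 6) -> int:
    """Account numbers one issuer prefix can hold (check digit is not free)."""
    return 10 ** (pan_len - iin_len - 1)


def valid_numbers(pan_len: int = 16) -> int:
    """All Luhn-valid numbers of a given length: one check digit per prefix."""
    return 10 ** (pan_len - 1)


if __name__ == "__main__":
    sample = "4111111111111111"   # published test number, not a real account
    print(parse_pan(sample))
    print("accounts per 6-digit IIN:", accounts_per_iin(16, 6))
    print("accounts per 8-digit IIN:", accounts_per_iin(16, 8))
    print("valid 16-digit numbers:  ", valid_numbers(16))
```

Nothing in these fields marks a number as virtual; the only issuer-specific part a merchant can read from the digits is the IIN prefix.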
It isn't there, and disclosing it is mandatory under the Google Analytics T&C's (Section 7 here, it's crystal clear with the language "You must..." https://www.google.com/analytics/terms/us.html )
Anyway, thanks for bringing it up. We've pushed the updated terms.
I generate Citi's virtual credit card numbers every month for numerous online shopping payments and I haven't run into issues.
It seems that it's not possible to determine if a card is a virtual number by parsing the digits. Do you have other information stating that merchants know how to reject virtual cc numbers?
"As there is no way for a merchant to identify a card as virtual up-front,"
That's fascinating. Perhaps PayPal killed it for multiple reasons because the (possibly biased) answer from a PayPal said not enough people were using it: "The one-time card numbers -- technically they were MasterCard virtual debit card numbers -- were discontinued as a public user-facing feature because they were not generating sufficient transaction volume and revenue to warrant further development."
If a lot of merchants were flagging and rejecting transactions from Paypal's virtual CC BIN numbers, that would prevent people from using it very often, leading to "not generating sufficient tx volume", right?
Tell me about AVS please.
Existing virtual card services have me covered on the virtual card front - both cost and (limited) privacy. I want something that gets me past the virtual card + AVS issue. All the virtual card providers seem to suck on this front...
IRL, card acquirers do verify transactions without AVS, but they charge higher provided the merchant can demonstrate pre-transaction fraud mitigation.
> AVS dropped fraud rates on card-not-present transactions dramatically, and it'd skyrocket without it.
AVS was less than moderately effective 6-7 years back, but it's less effective now, almost not at all. Most "researchers" have the card dumps with the addresses already so AVS does nothing to decrease the attack surface. Pre-transaction approval risk mitigation and post transaction fraud review is the only thing that works.
Either is fine with me. I just want a virtual card (to protect my bank acc) that I can use in as many places as possible.
Currently I've got a virtual card that only works like half the time... That's pretty underwhelming by any criteria.
I work at a small ecommerce company and we'd be effed without our AVS service to help with CC fraud.
> Do you want your address actually verified or a feature that makes AVS useless?
What do you do when you get subpoenaed? Do you link all the accounts to the real identity? Lavabit-style exit?
Do you have any plans to add batching+noise to foil global passive adversaries? For example, I opt to keep a running balance target of ~$50 and today's charge for $34.56 is debited as $31.37 a week later.
I'm pretty sure that KYC trumps privacy, in this case :(
Lavabit wasn't doing financial transactions. Openly, anyway.
It's a long story, but there's probably a good blog post in this.
I’m working on an idea that will need to pay hundreds of vendors for the services they perform for our customers. We want to pay the vendors electronically where possible so having unique card numbers for each vendor would be a great thing.
After looking at Privacy.com I want to take it a step further by generating a unique card number for each of our customers. We’d need higher spending limits and the ability to manage the cards via API. Other than that, what you’ve built sounds like a perfect fit for our use case.
The expiration date and CVV aren't fully visible - and for some reason clicking the "Open" button does nothing, so I can't close it.
The money is transferred from your account before the card is issued / transaction goes through so it's pretty much a charge card.
Though Privacy's approach of being extension-first and launching first is probably the right one.
* Can I use your card to pay for FreedomPop?
* Can I pay for your card using prepaid credit?
Alright, now let's look at the security. I should eliminate stealing a specific card or using malware on the machine to forge transactions. These are main attack vectors. Might mitigate the first. Looks like it will be vulnerable to the second. Admittedly, most methods are vulnerable to the second and those that aren't stay niche due to "inconvenience." So, still could be value in mass market where people get compromised anyway but want to knock out a common attack. The third risk is an unknown with some of the claims looking good on paper but too abstract to evaluate.
Note: The split-keys between employees part on the security page is funny. It's a banking control for sure. I'll just let your imaginations work out how little protection it brings from hackers, management, or the government. ;)
They are punishing themselves! Why!?
Will it affect my rewards? Will businesses still show up unaffected with the same categories on my credit card statement? (I have a travel rewards only card, so breaking the rewards flow is a deal-breaker for using a higher level service.)
Edit: I misunderstood the service as being able to be layered on top of normal credit cards. It looks like the funding source is only bank accounts for now. Still my question remains if building on credit or debit cards is on the roadmap.
Edit 2: They are one-time use numbers, right? "Use at merchants" (plural) seems to possibly imply otherwise.
> What happens when I generate a new Privacy card?
> We'll give you a random 16-digit Visa card number that you can use at merchants that accept Visa debit cards...
Edit 3: It sounds like the business model results in keeping the money that would go to rewards on a normal card.
> How do you make money?
> Every time you spend using a Privacy card, the merchant or website pays a fee (called interchange) to Visa and the issuing bank. This fee is shared with us. We have some premium features planned, but rest assured, our core virtual card product will always be free and we will never sell your personal data.
That's what those "free" rewards really are...getting more detailed information on your spending patterns and profile so they can resell that info to interested parties.
Of course it's a simple rebate as well, but I didn't think I needed to point out something that obvious.
A credit card company could collect spending information and resell it for all cardholders, not just those holding cards having good rewards.
Perhaps this is naive and instead more valuable customers (based on spending more money annually or having a higher credit score to qualify for the card in the first place) have their information sold more, but privacy and reward programs seem like orthogonal aspects of the business to me.
>If you have a loyalty card or shop online, the supermarkets will build up a demographic profile of you, and collect data about how loyal you are, what you buy and how much you spend, says Guy Montague-Jones of The Grocer.
This is how retail in America works now: collect data, adjust to fit.
The numbers can be one-time use (burners) or re-usable at the same merchant.
You could set limits per number, have it lock to just single merchant, etc. pretty nifty when paying some wacky merchant online.
All have since shuttered the service because pretty much every CC comes with purchase protection that you can invoke to charge the vendor back in case of something going wrong.
Virtual CCs provide very limited utility in my mind - because the place you're likely to have your CC swiped - a bar or a cab - are still going to use only the legacy plastic version.
1. Track down and audit exactly which company stole/leaked your CC
2. No need to update ALL payment methods any time your card is used fraudulently.
3. Set limits and purchases and save yourselves the headache of trying to charge back if you get some vendor who tacks on unexpected fees.
Just to name a few.
Abine.com also has such a service.
Edit: I wonder what your burden would be in bankruptcy cases.
It's anti-privacy in the guise of being anti-fraud.
Yes, we do have to comply with subpoenas.
Still, users arguably need to trust you more than they trust traditional credit card companies. But it's about the same as PayPal, I guess. They often do have access to users' bank accounts.
So anyway, I get the point. It's a useful service.
I have changed my online banking password after signing up successfully, and I received an email complaining that "Our connection to your bank is broken".
I can understand the need for initially providing my banking credentials for AML/KYC reasons, but I feel uncomfortable with your company continuing to use those after the initial check.
Why can't you just use the routing/account numbers for ACH after the initial signup?
If we took routing / account numbers, you'd have to preload your account and wait up to 3 business days. It's something we're definitely looking into as well though.
My concern with plaid.com using my banking credentials on an ongoing basis still stands though, and for me this currently outweighs the privacy benefits to be gained by using the service. Additional ways of funding (either using a debit card or ACH preloading) would be most welcome and go a long way towards addressing my concerns.
privacy.com would be a very useful service to me, and I hope you will be successful with it!
While that's common in Germany, in Poland giving your login & pass to 3rd party means that bank has no responsibility for any loss/fraud/anything if something goes wrong for whatever reason. This is breaching the term with the bank, that your login and password are confidential.
In Poland an OAuth-like alternative for payments is used, where you end up on your bank website to confirm payment and then you go back to the merchant.
> You agree to:
> 1) keep your password secure and strictly confidential, providing it only to authorized signers on your account(s);
> 2) instruct each person to whom you give your password that he or she is not to disclose it to any unauthorized
> 3) immediately notify us and select a new password if you believe your password may have become known to an unauthorized person. We may suspend or cancel your password even without receiving such notice from you, if we suspect your password is being used in an unauthorized or fraudulent manner
You would freely give out the private key of your credit card (credit card number/expiry date/cvv) to any online merchant, but hesitate on authing your bank account user/pass which you can change anytime you want?
Maybe different for other banks, but this was the requirement for Chase.
Is privacy.com actually asking for bank logins, or just your bank account number/routing? In either case, it is nothing new or uniquely scary about this service. If you're not comfortable with this, then there really aren't any third-party online banking apps you are going to be comfortable with anyway.
I always giggle when I see that.
"Our Security Auditor Is An Idiot. How Do I Give Him The Information He Wants?"
Hey, us too!
This is very misleading to say the least. Not paying for a service doesn't cancel a service. If they tried to bill your card and the card was rejected that doesn't mean the service is cancelled.
All this depends on the company, what you signed up for, if it was a contract, the TOS, etc, etc, etc.
For a real silly example to illustrate - let's say I signed up for Comcast and gave them a single use credit card number for automatic bill pay. When the second month comes around they attempt to charge my credit card and the card is declined. That doesn't mean I suddenly don't have to pay my Comcast bill, it just means they can't collect it automatically. Comcast will take a few months to cut off service so you'll end up owing them several hundred dollars. Eventually if you don't pay they could send you to collections. Collections can take you to court and then when they win they can garnish your wages, etc, etc.
Yes, I know this is a silly example and it's unlikely to happen with the majority of "free trial" services on the net but that doesn't mean it's responsible to basically advertise "yeah, just give any company a temporary number for a free trial and forget about it." Especially since a lot of services with a free trial are with companies that have a lot of resources.
A less silly example would be if I signed up for a gym with a two year agreement and a year later I canceled my credit card and stopped going to the gym. In that case the odds of me being billed further and sent to collections is very very high.
 they do that around here, I know someone who only pays their Comcast bill every 4 months or so...
It would be very hard to convince a judge that you honestly believed, based on reading that slogan, that Privacy.com would somehow release you automatically from any terms of any contract you might sign that happens to involve a trial period.
Where on earth did I say that? Where on earth did I say it would be a defense in court?
It's very misleading advertising. So misleading I think it's irresponsible.
> STEP THREE
> After the card is charged, we withdraw the money from your chosen funding account, similar to a debit card.
Not sure I get this. Do you have to fund an account on Privacy.com? So it's like a Paypal where you generate a new payer name every time you pay for some other service with it?
> Sensitive information is encrypted using a split-key encryption with partial keys held by separate employees, meaning no one can decrypt your data; not even us.
Umm. Pretty sure that giving your employees the ability to decrypt my data means that "you" can decrypt it.
It is mainly designed to prevent employees from selling off sensitive data, but I think in practice with the right audit controls it's pretty effective.
I guess if there was a system in place where the two employees didn't know who the other employee was then it would mitigate risk.
Makes me wonder what sort of auditing system could be used that guarantees total transparency around when the keys are requested by both parties, by whom and for what reason without disclosing the employees? More interestingly I'd be really interested in a system that ensured that nobody knew who the two employees were but the keys could still be retrieved.
Then on top of this it would be awesome to have a way of revoking keys.
Probably impossible, but that would be the ultimate in security!
Touche, thanks for bringing that up. Updating the language.
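The split-key exchange above, as an added example that is not part of the thread and not Privacy.com's implementation: a 2-of-2 XOR split leaves either share useless alone, the two holders together recover the key, and a hash-chained log records who recombined it and why. The cipher is a toy stand-in for a real AEAD, and `Vault`, the holder names and the sample data are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: one share is random, the other is key XOR that share."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream for this demo only; real systems should use a vetted AEAD.
    return hashlib.shake_256(key + nonce).digest(n)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct))))


class Vault:
    """Hypothetical wrapper: each recombination is logged before it happens."""

    def __init__(self) -> None:
        self.audit: list[dict] = []

    def unseal(self, blob, holder_a, share_a, holder_b, share_b, reason) -> bytes:
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "holders": [holder_a, holder_b],
            "reason": reason,
            "prev": self.audit[-1]["digest"] if self.audit else "0" * 64,
        }
        record["digest"] = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.audit.append(record)  # logged even if decryption then fails
        return decrypt(combine(share_a, share_b), blob)

    def chain_intact(self) -> bool:
        """Recompute every digest; an edited or dropped record breaks the chain."""
        prev = "0" * 64
        for rec in self.audit:
            body = {k: v for k, v in rec.items() if k != "digest"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["digest"] != digest:
                return False
            prev = rec["digest"]
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    a, b = split_key(key)
    blob = encrypt(key, b"constructed sample record")
    vault = Vault()
    print(vault.unseal(blob, "holder-1", a, "holder-2", b, "support ticket"))
    print("audit chain intact:", vault.chain_intact())
```

The split constrains a single insider; the organisation as a whole still holds both shares, so the log is what shows when they were brought together.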
I've been a customer for about 5 minutes, have used it twice, and am already going to recommend it.
edit: I'm quite aware that this has been possible, but both banks/credit cards that I have make me jump through tons of ugly UI and clicks to make it happen.
Excited to see someone giving it a try.
These services aren't usually very popular.
I think most people prefer to do what's most convenient (have one credit card/number) and patch up any abuse/fraud after-the-fact.
"Please ensure this information is accurate. We're required to verify this information against public records. But don't worry, we'll keep it private."
I suppose I'm legally opening a bank account, which has similar requested info as this, but are they checking my credit (probably not, I know, but it makes me uncomfortable)? Will wait a while.
What we need here is a physical credit card that I can use in the real-world that has a new number on each swipe. Most of my historical fraud has happened because I probably swiped my card at a location that was compromised.
Just my two cents.
We have that already (chip cards, which are currently being rolled out in the US and already standard in the rest of the world, generate a new single-use token for every transaction).
Not only is it more secure but it also helps protect your privacy against retailers that use your card number to track your purchases across their brands.
I travel a ton and also do all my shopping online, for years. I have to replace one of my three credit cards every 3-4 months. That is usually within a week or two of visiting a gas station or taxi, places where they don't use chips and in the case of taxis still have the gall to use the paper carbon copy machine things. Whatever though, when a card gets lifted Chase takes care of the charges and overnights me a new card wherever I am (even international).
Although I've had many notifications over the years about my card data "possibly" being compromised in some online breach, I don't know that it's ever been a real issue.
This service makes sense if you don't have a (real) credit card and for some reason want to link your real cash account to a payment service. Otherwise I don't think I get it, or why I would forget my credit card, anyway.
From: Account Management Team <email@example.com>
Thank you for being a valued customer.
Online Banking Team
I really want a product that lets me proxy my credit card (and change it when I get a new card). I want a firewall for my credit card.
I never really liked these services they don't really support recurring payments, some of them force you to purchase a card with a specific amount rather than it being valid for a specific transaction, sometimes they have issues with various 3rd party checks (pre-paid card check, region lock/address verification, fraud etc.) and more importantly it's not an elegant solution as you end up with a lot of credit card numbers.
Overall while this one might have a nice UX it doesn't really solve a problem that hasn't already been solved either through Paypal or through your own credit card company.
I can see all payments on my Amex and Visa cards in the UK, I can check which ones are recurring, I can initiate a charge back and for everything else well there's paypal which offers even an easier UX.
If you're going to do business with someone, a certain amount of trust is required, and there isn't any working around that with technology. If you don't trust a vendor to refrain from stealing your credit card information, how can you trust them to actually deliver the goods, not spit in your food, honor the warranty, etc, etc? Alternatively, if you do trust them to do those things, trusting them with your credit card number isn't much of a leap, especially given that banks are actually incredibly efficient at identifying and dealing with fraud, if not preventing it outright.
The biggest issue I see with this is that this isn't the most sustainable business model credit card costs are balanced more or less by the trust that the issuer has in the credit card holder (your credit limit, interest etc.) and the trust the acquirer has in you when you perform a transaction, prepaid cards are more or less notoriously untrusted by both because the issuer basically thinks you are too much of a liability to give you credit and the acquirer doesn't know who you are because that card has no credit history and single use cards are much more often abused for illicit purposes.
"Provide an online cancellation procedure if the Cardholder's request for goods or services was initially accepted online"
Looks like they used to have an online form several years ago, but it went missing. Various blog/forum posts indicate that most people have had no luck getting any sort of response from Visa via mail.
Does privacy.com see where I make all my purchases? Is there a collection of my metadata? What assurances do I have that you take personal privacy seriously?