WMLR Articles masthead

Colpitts: A new development in payments cards is creating a fraud risk that is currently without a response


Fraud fighters, we are faced with a newer enemy whose schemes are on the rise... and we have no way to specifically identify them.

WMLR Articles section banner

Fraud and abuses funded through the use of virtual cards are growing across the eCommerce landscape. These cards allow for the account holder to change their merchant-facing card details for payments with no connection or reference back to the parent account.

Not only can merchants not reference the parent account but they cannot even determine, with certainty, that the credentials being used are a virtual card.

Payment details are often used for connecting fraudulent activity together and as indicators of fraudulent activities. Now, bad actors can have Payment velocities on the same account be one-for-one... same account with new merchant-facing credentials for each transaction.

For abuse, this means that, even after you action an account on your platform, they could create another and use the same payment account with new credentials to do it again. You can stop activities however you choose to with the card details you have, but they just change them.

You lose all key identifying payment details to relate behaviors from account-to-account and have to rely on the rest of your data to do so.

The same problem arises with chargebacks. Most problems merchants see with virtual card chargebacks are through service or product issue complaints to the issuer after a refund from the merchant had already been received. Again, to get around any merchant prevention, they change their payment credentials and continue using the same account.

Virtual cards are not just offered by big banks. There are many online financial services doing the same and not all of them have secure registration and approval processes. Not all registrations are done online, either. In some instances, as long as the account is funded, the creation process can be rather lax and missing multiple protective layers.

Shawn Colpitts is here: Linkedin

Using different payment details for any purchase is a good idea for everyone's protection. However, merchants do face additional risks that need to be considered with these cards to make things more secure on their side.

Merchants don't need to see the parent account details. Two things would be simple and smart to help.

1. Supply the information to tell the Merchant the details in use are those from a virtual card, much like what is done with prepaid cards.

2. Supply a unique token in these instances that connects back to the original account with every credential used from that parent account.

Again, merchants don't need the parent account details, and I am stressing that point... but they should be able to relate the activity to the fact it is a virtual card and to its account of ownership.

Shawn Colpitts is the senior fraud investigator with Just Eat Takeaway in Winnipeg, Canada.