Fraud and abuses funded through the use of virtual cards are growing across the eCommerce landscape. These cards allow for the account holder to change their merchant-facing card details for payments with no connection or reference back to the parent account.
Not only can merchants not reference the parent account but they cannot even determine, with certainty, that the credentials being used are a virtual card.
Payment details are often used for connecting fraudulent activity together and as indicators of fraudulent activities. Now, bad actors can have Payment velocities on the same account be one-for-one... same account with new merchant-facing credentials for each transaction.
For abuse, this means that, even after you action an account on your platform, they could create another and use the same payment account with new credentials to do it again. You can stop activities however you choose to with the card details you have, but they just change them.
You lose all key identifying payment details to relate behaviors from account-to-account and have to rely on the rest of your data to do so.
The same problem arises with chargebacks. Most problems merchants see with virtual card chargebacks are through service or product issue complaints to the issuer after a refund from the merchant had already been received. Again, to get around any merchant prevention, they change their payment credentials and continue using the same account.
Virtual cards are not just offered by big banks. There are many online financial services doing the same and not all of them have secure registration and approval processes. Not all registrations are done online, either. In some instances, as long as the account is funded, the creation process can be rather lax and missing multiple protective layers.