Get rid of credit card numbers

Short Version

Credit card companies should switch to a PayPal-like system for online payments, and use “blank” cards (no number visible to the human eye) for offline payments.

Long Version

As Sony restores service to its network after the possible theft of millions of credit card numbers, I wish people would start asking one simple question: Why do we need credit cards numbers?

By this, I don’t mean, why do we need lines of credit? That’s a question for the economists. I’m simply asking why we need some 16-digit number (plus an expiration date and 3-digit “security code”) that people can use to magically make you owe money. It’s an inherently insecure system.

I tried to split a bill once by asking my friends to let me swipe their cards using Square. For those who don’t know, Square is a little credit card reader that you can use with most modern smartphones. My friends were nervous about the security implications of me initiating a transaction with their credit cards on my phone. My response: If I really wanted to steal their credit card info, I would just memorize the number while it’s sitting on the table in front of me. Second response: Everyone seems quite OK with handing their card over to the underpaid high school student waiter.

The problem is that a credit card number is supposed to be a “secret”, but it’s one we frequently share with all sorts of random strangers. So what’s the alternative? Use a different “number” for every transaction, like PayPal does.

I love PayPal. Given a choice between paying for something using my credit card directly or using PayPal, I will choose PayPal (or a PayPal-equivalent) every time. It’s simply more secure.

Here’s why. When I pay for something using PayPal, the person or merchant I’m paying doesn’t get my credit card number. PayPal basically sends the electronic equivalent of a check. Only that person can cash it, only for that amount, and only once. The payee never gets any information they can use to charge me again.

Now let’s say I need to make a recurring payment — e.g. a monthly utility bill. Or maybe a merchant just wants to have my payment info on file to enable “one click purchases”. If the merchant lets me pay using PayPal, they don’t get my credit card number. Instead, they get a “token” that they can use to charge me via PayPal.

Why does that matter? Well, let’s say that instead of using PayPal, I stored my actual credit card number with that merchant. Now suppose that merchant was unscrupulous, or that the merchant’s webserver was insecure and a hacker had stolen all that stored credit card info, like with Sony. You’re screwed. That enables the unscrupulous merchant / hacker to make purchases on your behalf. You have to get a new number. And then you have to go back to every other merchant that has your payment info on file and pass along the new number.

That doesn’t happen with PayPal. When a merchant gets a token from PayPal to charge me to charge me for something, that token is unique to that merchant. If that token is stolen from the merchant, hackers can’t use it without also impersonating the merchant. And if PayPal or I have reason to suspect that the merchant has issues, either one of us can easily deactivate that token. That disables the ability of that one merchant to charge me for something without also affecting the ability of any other merchants who also have a token.

Even better, when a merchant uses a PayPal token, there’s no reason for that merchant to have access to my billing address (although sometimes they do need a shipping address) or any other identifying information. Because of the insecure nature of the credit card number system, credit card companies sometimes require your billing address, name, and other identifying information to verify that fraud is not occurring. Unfortunately, that’s even more “secret” information being shared and stored by merchants. When I use PayPal, I don’t have to pass along where I live just to pay a merchant, and I don’t have to worry about whoever hacks that merchant’s webserver also knowing where I live. Or at least that’s true in theory — again, sometimes merchants do require shipping addresses and the like. But ultimately, there’s less need to pass along identifying information, and identity-theft conscious consumers can more easily push merchants to deal with knowing less about their customers when merchants have no reason to know more.

Now the obvious concern here is what if someone gets a hold of your PayPal password. Well, that would suck, but it would suck less than if someone gets a hold of your credit card number. It’s far easier to change your PayPal password than it is to change your credit card number. And changing your PayPal password doesn’t affect the tokens used by third-parties to charge you (unless you want it to). In contrast, changing your credit card number requires contacting every merchant that has your number on file.

So why doesn’t every merchant just accept PayPal? Well, I can think of three reasons. The first is that consumers still don’t entirely understand PayPal. Hopefully, this post helps a little.

The second is that PayPal’s a middleman, and middlemen take a cut. But even if you don’t use PayPal, you probably still have to rely on other  middlemen like Authorize.net to process credit cards, and PayPal’s rates are actually more or less in line with those folks. That’s less probably less true for really large merchants who can cut out the middlemen. And sure enough, the largest online retailer, Amazon.com, does not take PayPal.

But middlemen or not, the credit card companies could still replicate the PayPal-model or security themselves fairly easily. So why haven’t they?

That’s the third reason — the PayPal token system doesn’t work offline. Can you imagine giving a different credit card to each merchant? We actually kind of do this with checks — but people don’t like carrying around checkbooks, and checks can be easy to fake. So how can we make this happen?

Maybe we could start using electronic devices like our phone to make payments. This is starting to become a reality with things like near-field communication. Instead of swiping your credit card, you just tap your phone. And in theory, it’s really easy for your phone to pass along a different “credit card number” or token each time it’s used.

But not everyone has a fancy phone. Nor is everyone willing to cary around key fob tokens instead of the convenient wallet-sized plastic card.

But there’s no reason why the offline system has to be the same as an online one. We could institute a two-track system. You use a PayPal-like system when paying for things online. And you use a normal credit card when paying offline — that is, normal except for the fact that the numbers are missing. This won’t stop the more hardcore crooks, but it will stop the waitress from memorizing your number to use on some website. Moreover, since the “number” tied to this card is used only for offline non-recurring purchases, that should make it easier for credit card companies to track down fraud.

So that’s my two and a half cents. I’m not sure why credit card companies haven’t done this already. It’d be expensive to transition everyone over to the new system, but identity theft is expensive for credit card companies as well. If the credit card companies are willing to make everyone jump through hoops for this silly 3-digit security code nonsense, they could also make everyone transition to a token-based / no-card-number system.

Comments