A few years back, I was looking into something on my credit report, when I called Amex about it, they asked me, not for my CC number, but the number on my credit report, which linked back to my account.
That got me thinking. Why not have a different number on your statement? This number would be used by the CC company for applying your payment if you pay by check or for finding your account when you call in. It couldn’t be used for making purchases and they could require your real number or other identifying info before accessing anything more sensitive then trying to make a payment on your account.
ISTM that this would cut down on a lot of fraud. I wouldn’t have to worry about my statement being stolen out of the mail. I could toss it in the garbage without having to worry about someone fishing it out. I could accidentally leave it laying on my table without worrying about a ‘friend’ writing down the number etc… Is there any good reason why they have to put it on the statement?
This question comes up every time I look at my file cabinet full of statements knowing that I can’t just toss them, I have to shred them all. It would be nice to be able to open my statement, double check that everything is correct and toss it in the recycling without another thought.
Some cards are phasing out the number, but I think the main reason it’s not being done is that that sort of fraud is extremely rare. There are much better ways for people to get your credit card number.
I don’t even get paper statements any more. When I get my online statements now, the number is partially XXXX, so even if I printed it, the whole number wouldn’t be on it. The more I think about it, I think my paper statements from the last 8 years or so were like that, too. I remember statements with my whole card number on them in the 90’s, but not really since.
Must depend on the card company.
What about just permanent-marker-lining the number off the statement, if you don’t have a shredder and just want to throw them out?
There are so many ways credit card payments could be improved, but they’re not introduced. My favourite idea would be to use one-time-use numbers for payments rather than credit card numbers that stay the same throughout the existence of the account - your CC company would mail you a list of numbers, each one could be used exactly once for authorising a purchase to be charged to your account. If fraudsters intercept communication, the numbers they get will be useless because they’ve been used up. When you run out of numbers, your CC company would mail you new ones, very much like the TANs used in many online account systems in many countries now to authorise direct transfers.
Why is this not introduced? Simply because transition to such a system would cost the CC companies more than they would gain from cutting down on CC fraud by these means. They regard credit card fraud as a calculated risk - they know a certain percentage of transactions will be losses due to fraud, but as long as this percentage doesn’t exceed a threshold of acceptability they simply put up with it and factor these losses into the fees they charge. I suppose a very similar motivation lies behind the non-introduction of your statement-specific numbers.
American Express used to do this. Not exactly the way you mentioned, but the same idea. I had a USB card reader (free from AMEX). Put my AMEX card in it, did something on my computer and it would spit out a CC number that was good for something like a week or so.
I never understood why they spent all that money on the card readers. It would have been a lot cheaper to just have users log in to their account and request a new number.
It is trivially easy to read numbers that have been covered with permanent marker. Methods are left as an exercise for readers with criminal intent. Trust me, it’s a bad idea to do that rather than shredding.
Citibank offers this feature, in the form of Virtual Account Numbers. You can generate them through a web interface or a downloaded app for Windows. Each number will only accept charges from a single merchant, and you can choose the dollar limit and expiration date if desired. I use them for all of my online and over-the-phone purchases.
A credit card number on it’s own is not the best thing for fraud. You almost certainly can’t use it online. You need the customer id number on the back and the zip code.
A credit valid card number can be generated at random with any number of online programs. I don’t mean a number that works but rather a number that verifies the algorithm.
A customers acct can be verified with phone number and/or SS# as well, but a cc number on the statement is useful for those who have many credit cards. Suppose you have four Visa cards. It helps to see what number goes with what card.
A lot of credit card fraud is done through havesting numbers by low paid clerks.
Going through the trash and intercepting credit cards via transmission is very very small potatoes.
Now you’re thinking well why not be extra safe? On the surface that sounds correct, but you have to weigh things.
It’s similar the way a business budgets for shrinkage. Each item you pay not only represents the cost of the item and the costs of running the business and desired profit but also of the cost of stolen items.
Often times you don’t even need that. I have a lot of credit cards that I run, that for one reason or another tells me I have the address and zip wrong, but the charge still goes through. My current machine doesn’t even ask for the CID. Our last machine didn’t give the results of the address and CID. It’s VERY rare for a card to be declined based on your address, zip or CID being incorrect. It happens, but not often.
MBNA did this until they got bought up by Bank of America, starting at least 10 years ago. It was a swell idea for sure. It was really handy for signing up for subscription-type things that you didn’t want to renew. You could set it up so that the “card” was dead by the time the site would try to auto-renew.
That’s something I lobbied Citi’s credit card operation to implement, years ago when I was consulting for Citicorp.
This depends greatly on the credit card processor (company) that you use. I bet that if you had a card that wouldn’t read and you entered the number on the keypad, the terminal would ask you for the CVV2 from the back of the card.
Further, depending on your credit card volume and type of business, that would likely be processed as a “card not present” transaction with a higher merchant fee. On occasion when I’ve used an unreadable card at a merchant where the business is small enough that the card is run by someone who actually knows what’s in their merchant agreement, I’ll tell them to not enter the card manually, but to give them another card so they don’t get hit with an additional 1% or more fee. Places with lots of un-trained clerks just get confused if you try to help, though they may ask you if you have a different card. That generally isn’t because they’re too lazy to type the number in, but because they’ve been told by their bosses to always try to get a card that reads properly, “just because”.
Back to the OP’s question - years ago, I had a CC statement lost in the mail and called and reported it, and the CS rep said “don’t worry - they can’t do anything without the expiration date”, which was not at all reassuring. What I think is worse than putting the whole card number on the bill is the endless flood of “convenience checks” that come in both the bills and in separate mailings. If someone gets a hold of those, it is quite likely that fraudulent use would be processed and you’d have a hard time getting the mess straightened out. I suggest calling any CC company that sends you unsolicited convenience checks and asking them to mark your account as “no convenience checks”.
Not really the cost factor, I had such a card, I think I still have it. It works online, not by paper #'s, but allows you a lot more options including creating a new number, setting the expiration date, setting a total $ limit for that card, with the option of changing the expiriation date or total amount at any time, and the ability to close that CC#. It was also made to have a handy auto fill on web sites that would enter the info automatically or cut and paste style.
Ultimately I don’t use it because it’s a pain to manage all those numbers, credit cards are about convenience, and this system made your method as convenient as it could be given current technology, and they did a very good job at it, but it was not as easy as just using the single number.
I should have clarified, I was talking about keying in transactions. I key in anywhere between 1 and 30 or more CC numbers each day. Our current machine (FD200) doesn’t ask for the CID code. I believe all of our current machines did. Even so, entering the CID incorrect rarely made a difference as to whether or not the card was accepted.
It shouldn’t be reassuring since it’s not true. Most of the cards I run, I keep on file since I use them on a regular basis. If the card is expired, I call the person and update it. If I can’t get a hold of them, I just bump the expiration date to something in the future. Never, ever, fails to work. So, for those of you playing along at home, I can now run a CC with the wrong address, zip code, CID and expiration date.
I always call and throw a fit when I get those in the mail. My big problem with them is that unlike ordering regular checks (or even ordering convenience checks), I’m not expecting them. If they never made it to my house, I wouldn’t know I was missing them.
Quite a few years ago American Express sent me a letter saying that they had upped my credit limit AND they enclosed a bunch of convenience checks in the same envelope. &@^#^@???!!! I don’t recall the exact words I used in the letter I sent back to them but I basically told them that their security sucked and only an idiot would send convenience checks together with an indication of what the credit limit on the account was. Never got a reply back, but I have also never received any more convenience checks (which is fine by me - I have never used convenience checks tied to any credit card).
OK I understand what the OP is doing, you can even force a number through with a fake approval number. The thing is if the customer disputes the charge you lose automatically. If the customer pays without a hitch then you get the money.
I recall when I took over as asst controller at a hotel and tried to enforce CC policy to the merchant agreement, my boss, an offsite controller, told me that they’ve never had problems with getting paid and until those instances start causing problems we’d still do it the old way.
In other words even though we were using the CC incorrectly there wasn’t enough fraud to justify any loss of sales we’d have by enforcing the merchant agreement
