Credit cards are one of the most widely used payment mechanisms for both business-to-consumer and business-to-business commerce today. Credit card transactions account for billions of dollars in transactions daily [18], and these transaction records are often stored in various kinds of databases. Many e-commerce websites store credit card information for user convenience, as users will use these sites multiple times over a period time and would prefer not to enter the credit information for each transaction. Examples of such sites include PayPal, online shopping websites such as Amazon.com, and online travel sites such as Expedia. Online merchants may also keep records of credit card numbers for dealing with charge-backs and other disputes. Credit card processing centers will also store credit card numbers and transactions in an attempt to detect fraud. Anomalies in purchase characteristics such as amounts, retailers, frequencies, and locations can be an indication of fraud. Detecting these anomalies more quickly can be beneficial to both the cardholder and card issuer. Other organizations such as hotels, will store credit card numbers for liability from damages and incidentals.
The extensive databases kept by numerous parties quickly become highly desirable targets for those wishing to steal credit card numbers and commit fraud. There have been several high-profile cases in recent years. For example, in 2001 attackers stole the customer records (including credit card information) of the online merchant Bibliofind, a subsidiary of Amazon.com [9]. In 2005 attackers broke into credit card processing center CardSystems Solutions Inc. and stole over 40 million credit card numbers [12]. Not all losses are the result of an online attack. Recently, stolen laptops have resulted in the loss of credit card numbers for 243,000 Hotels.com customers [1] and 80,000 Department of Justice employees [19].
In this paper, we propose a dynamic virtual credit card number scheme that reduces the damage caused by theft of stored credit card information. A user can use an existing credit card to generate a “virtual credit card (VCC) number” that is restricted in a number of ways. For example, it may be usable for a single transaction, or be linked with a particular merchant and have a lower credit limit and a shorter expiration date than the actual card. Such a VCC number can be generated using devices carried by the user, e.g., a cell phone or a PDA, without online contact with the card issuing bank. In our scheme, VCC numbers have the same format as normal credit card numbers. Merchants should be able to process a transaction with a VCC number in the same manner they use today; no change to their existing databases and applications is needed. Only the end points, i.e., the cardholders and the card issuers, need to be aware that a VCC is used. We also point out that a card holder can still use the actual card the old fashioned way. Our design aims at facilitating deployment.We have implemented a prototype for generating VCC numbers using Java 2 MicroEdition (J2ME) that runs on MIDP2.0 compliant cell phones. We have tested our MIDlet on Sony Ericsson z520a and Nokia 6102i model phones.
Several credit card issuers (CitiBank, Discover, and MBNA) already offer services similar to the concept of VCC. However, they all require users to install software onto a computer and communicate with the credit card issuer to get a new VCC number, and such numbers cannot be tied with a particular merchant.
The rest of this paper is organized as follows. We review current attempts to secure credit card transactions online in Section 2. In Section 3, we analyze the necessary security properties for a VCC scheme and examine the solution space. We present our approach and discuss real-world considerations in Section 4, and give proofs of security in Section 5. We conclude with 6.
