by GrinningFool 4627 days ago
The problem for me as a potential user is that I no longer trust some.random.dude.com with my CC info. I have no way to know if they're storing it locally unencrypted or if they're using a trustworthy third party provider.

I'm down to maybe three places that have my CC on file. Everyone else, I enter it - every month - at time of payment. I don't exactly like this, either - there is still the possibility that a poorly written component is logging the card somewhere[1], but it's better than handing over my wallet and walking away.

[1] seen it...

4 comments

I'm not sure your concern is warranted. Your bank provides a lot of protection against such fraudulent transactions, both at the time of authorization and after the fact if one does slip through. In any case, if you're really worried about your card number being stolen, use a secondary card that you use for internet use only that just lives in your "backup wallet".

You're spending more of your life entering your credit card number every month than is likely to be spent dealing with fraud.

That seems far more of a series of workarounds than a solution in order to save myself a few minutes (collectively) a month.

I do it myself and I'd struggle to call it a workaround. Your solution is certainly a workaround though.

The time to pull a different card out of a different wallet is seconds. The time and tedium to re-enter your credit card every place you want to make a payment is greater. You should have backup bank accounts and credit cards anyway. What if you lose your wallet? If I do, I have my backup one ready to go.

You're worrying over nothing. You're so heavily protected by the bank that you're just making work for yourself for no benefit. If your card details get nabbed, you're not going to lose anything anyway. And hey, who knows, they might be storing your card numbers behind the scenes anyway with your order, and therefore you're not at any advantage! Or they might have been compromised and your card details are floating off every time you enter them. Who knows? In any event, I'd be more worried about my card being skimmed at an ATM. That's definitely more likely than having it compromised online.

As someone who used to work in the credit card industry, perhaps I'm more sensitive to the costs that my bank's protection of me incurs. Because you're right - I am covered. But someone is still paying.

And hey, who knows, they might be storing your card numbers behind the scenes anyway with your order, and therefore you're not at any advantage

Indeed. Frustrating as hell.

I always [1] use a virtual credit card [2]. It's only possible for the merchant to charge a specified amount during a specified time.

I create a new card for every purchase, but long-standing relationships (i.e. my VPS provider) get a longer-lasting card so I don't have to update it every month.

[1] The only time I ever enter my true CC is when buying something that requires a physical card (some airlines, certain tickets).

[2] similar to http://www.visaeurope.com/en/cardholders/virtual_cards.aspx but branded by my bank

I use a virtual card when I don't trust a merchant / service too.

But the markup ... say EntroPay of 3.5% makes regular usage very expensive.

Interesting. This is something we've thought about as we're designing our product. Would a little "powered by Balanced" image at the bottom help you think?

For me personally it would - though I don't know to what extent my concern is one for a broader audience.

There is still a matter of trust: you can say you're using a given provider, but I can't verify it. It happens that I believe that you actually are - but unfortunately it really is a judgement call that has to be made for each service provider that I want to sign up with.

I think it's a larger issue, but the types of solutions that would help have largely been rejected by the marketplace: centralized storage of payment data with a few trusted providers.

I have some good (and I think relatively new) ideas on how to fix it, but it would require a fairly massive buy-in from the industry in order to work. So essentially, DoA.

It wouldn't even need to be a poorly written component. There is a good chance they would log the card number alongside the transaction in their database.

Unless they are PCI compliant [1] they really (really) shouldn't, and would deserve any (and all) kind of hurt that's coming to them.

[1] https://www.pcisecuritystandards.org/