by cm2187 4063 days ago
We should have moved a long time ago to vendor-specific credit card numbers (ecommerce isn't exactly a new activity). Say I get from my bank a token which I provide to this vendor, and the first time the vendor uses it to accept a payment, the token locks in to that vendor, i.e. my bank will not allow any payment with this token to another vendor (i.e. to another bank account). Then it doesn't matter if it's stolen, only that vendor can use it anyway. And I could have the option to tell my bank to make it a single-use token, or to cancel a multiple-use token, or to set a payment cap on that token.

That doesn't seem very complex to implement and would alleviate the vast majority of the credit card related problems. I am sure it can be made simpler, have a protocol with redirects to the bank's website that eliminate the need for the client to copy-paste a token, or to have another mechanism with similar effects.

Banks are one of these many industries that don't seem to get technology. They employ massive IT and developer staff but are run by people who don't get it (and to make things worse, are most of the time massive bureaucracies which means that even when they know what they need to do they just can't execute).

5 comments
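
The vendor-locked token scheme proposed in the post above, sketched as issuer-side authorization logic. This is an added example, not part of the original thread; the `Bank` and `Token` names, the account strings, and treating the payment cap as a cumulative limit are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Token:
    cap_cents: Optional[int] = None  # assumption: cap applies to total spend
    single_use: bool = False
    vendor_account: Optional[str] = None  # unset until first approved payment
    spent_cents: int = 0
    uses: int = 0
    cancelled: bool = False

class Bank:
    """Hypothetical issuer-side token ledger (illustration only)."""

    def __init__(self):
        self.tokens = {}

    def issue(self, cap_cents=None, single_use=False):
        value = secrets.token_urlsafe(16)  # unguessable, carries no account data
        self.tokens[value] = Token(cap_cents, single_use)
        return value

    def cancel(self, value):
        self.tokens[value].cancelled = True

    def authorize(self, value, vendor_account, amount_cents):
        """Return (approved, reason) for a payment request from a vendor."""
        tok = self.tokens.get(value)
        if tok is None:
            return False, "unknown token"
        if tok.cancelled:
            return False, "token cancelled"
        if amount_cents <= 0:
            return False, "invalid amount"
        if tok.vendor_account not in (None, vendor_account):
            return False, "token locked to another vendor"
        if tok.single_use and tok.uses >= 1:
            return False, "single-use token already spent"
        if tok.cap_cents is not None and tok.spent_cents + amount_cents > tok.cap_cents:
            return False, "payment cap exceeded"
        # Lock only after every check passes, so a declined request
        # can never bind the token to the wrong account.
        tok.vendor_account = vendor_account
        tok.uses += 1
        tok.spent_cents += amount_cents
        return True, "approved"
```

A token copied out of the first vendor's records is declined when presented with any other receiving account, which is the property the post relies on.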

This has already been the case, for instance, in Portugal for quite some time. In fact, a card holder in Portugal can generally just issue a new credit card number for personal use, tied to their account with whatever expiry they wish.

The big problem arises when you booked your hotel on one of these temporary numbers and show up to try to check in to the hotel. The card was not actually issued and some hotels have weird policies in that regard.

Of course, chip card based solutions that devalue the PAN are superior.

Yes, but it is more akin to paying by bank transfer. A hotel will not expect you to show a card if you paid by bank transfer.

Maybe you should start a tech-savvy bank. Might gain a lot of traction.

Or we could all adopt bitcoin. :p

This is similar to how bank payment works in India. When I make a payment on a seller's website, it redirects me to the bank's website. I enter my credentials (including phone-based or device-based OTP) to confirm the payment and it's done. And there is also an option to make easy subscriptions.

Subscription-based payments don't work in India though, which sucks.

Bank of America has ShopSafe, which allows you to generate a temporary credit card number to use with the sketchy online merchant that has the particular gadget I want to buy.

Their implementation leaves much to be desired, but it's a step in the right direction.

Discover card has gone back and forth on this. They had a tool on their site to give you a throwaway CC #. I used it for almost all online purchases. It went away for a short time, then came back. Now it looks like it is gone for good. I quit using their card since that was the only reason I had to use it over others.

Now if they'd only stop sending me "checks" in the mail that are tied to my account... I'm just waiting for those to be spent by someone else.

Last I checked this was also only offered for credit cards, not their debit cards :(

I like the PayPal model (vendor gets nothing), I just wish it could be federated...

PayPal is effectively using this token system. But why would we pay fees to a middleman when banks could do that directly?