One-Time Credit Card Numbers for More Security

Heartland Payment Systems, the sixth largest payment processor in the country, recently disclosed that its system was compromised by hackers using a piece of data-sniffing software that watched credit card data pass between Heartland and the credit card networks.

That system processes 100 million transactions a month. This had gone on for months until Visa and MasterCard alerted Heartland about unusual patterns of fraudulent activity. The Wall Street Journal quoted a credit card industry analyst as saying this could be the largest credit card data breach ever.

While credit card companies typically reimburse customers for unauthorized charges, having your credit card number stolen is still a hassle. You have to get a new card number, update your recurring charges, and change your bill payment setup. It would be best if your card data weren’t stolen in the first place.

If you have the right card, you can make your credit card number more secure by using one-time card numbers.

You need a card by Citibank or Bank of America (including its subsidiary FIA Card Services). These banks offer software that generates a one-time card number, officially known as a “controlled payment number.”

You can configure the expiration date and the maximum amount allowed for the one-time card. Once used, the card is tied to the merchant where it was used. If you gave the card number to an online merchant or to your dentist’s office over the phone, only that merchant or your dentist’s office can use it. If you put the maximum at $50, they can only charge up to $50. If the card number is stolen, the thief can’t use it elsewhere. They don’t have your real card number.
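The rules described above (merchant binding on first use, a dollar ceiling, an expiration date), as a toy Python model. This is an added example, not the banks' or Orbiscom's code. Treating the ceiling as cumulative across charges follows the author's reply in the comments; the class, merchant names, dates and card placeholder are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VirtualCard:
    """Toy model of a controlled payment number (hypothetical names)."""
    number: str                           # constructed placeholder, not a real card number
    max_total_cents: int                  # ceiling chosen by the cardholder
    expires: date                         # last day the number is valid
    bound_merchant: Optional[str] = None  # set by the first approved charge
    spent_cents: int = 0                  # running total of approved charges

    def authorize(self, merchant: str, amount_cents: int, today: date) -> str:
        if today > self.expires:
            return "DECLINE: expired"
        # After first use, only the merchant that used it is accepted.
        if self.bound_merchant is not None and merchant != self.bound_merchant:
            return "DECLINE: merchant mismatch"
        # The ceiling applies to the sum of charges, not to each charge.
        if amount_cents <= 0 or self.spent_cents + amount_cents > self.max_total_cents:
            return "DECLINE: over limit"
        self.bound_merchant = merchant
        self.spent_cents += amount_cents
        return "APPROVE"


def demo() -> list:
    """Replay a constructed sequence of charges against a $50 virtual card."""
    card = VirtualCard("VIRTUAL-PLACEHOLDER", 5000, date(2009, 6, 30))
    attempts = [
        ("dentist-office", 3000, date(2009, 2, 1)),  # first use binds the merchant
        ("other-shop", 500, date(2009, 2, 2)),       # copied number, other merchant
        ("dentist-office", 2500, date(2009, 3, 1)),  # $30 + $25 exceeds $50
        ("dentist-office", 2000, date(2009, 3, 2)),  # $30 + $20 reaches $50 exactly
        ("dentist-office", 100, date(2009, 7, 1)),   # past the expiration date
    ]
    return [card.authorize(m, amt, day) for m, amt, day in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```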

The banks call this software by different names. Citibank calls it Virtual Account Number. Bank of America calls it ShopSafe. Under the hood, they are pretty much the same thing. The software is made by the same company: Orbiscom in Dublin, Ireland. Orbiscom was recently acquired by MasterCard for $100 million.

I have used the Orbiscom software for one-time credit card numbers for a few years. It works well. I use it for online, mail, and phone orders. These days you never know who’s going to lose your data once you give your credit card number out. With the one-time card numbers, you gain a little bit of peace of mind.


  1. Ulysses says

    The Citibank version is useful, but continues to not be friendly to Mac users. The software is Windows only, and if you’re on a Mac, you’re forced to deal with the alternative – a tiny Flash pop-up window that keeps resizing itself when you log in and generate a new card number.

  2. James says

    Having credit cards stolen is more than just a hassle, as TFB detailed above. The credit card numbers were then sold to shady businesses who continued to hassle us for not paying up and then threatened us with collection agencies.
    Having been there, we totally endorse the one-time use numbers. It takes longer to complete an online purchase but then again that may not be a bad thing. No impulse purchase there. Although one-time use is a bit of a misnomer. The numbers can be used again and again with the same vendor but are useless with a different vendor.

  3. Ed Averill says

    I looked into using the B of A ShopSafe card and found it does not produce one-time safety. Once a number is created with a maximum transaction amount it gets tied to the first vendor that uses it (presumably the one you gave it to), but nothing prevents that vendor from submitting an indefinite number of transactions for amounts below the amount you specify as the maximum amount. At least that is what the on-line-chat support person told me. So, there is a little bit of safety in the number, but not as much as one would want.

  4. Ed Averill says

    To add to what I said above, I would say that “one-time” is what I want but not what they provide. The descriptor “virtual account” better describes what they provide.

    In addition, I could say that the access to Shop Safe, while a bit buried in the menus, was working for me on a Google Chrome browser under Linux with no problem. (Well, the demo button didn’t work, but the real thing did.) It was obviously Java-dependent, but most browsers on most operating systems provide that these days.

  5. Harry Sit says

    Ed – The max amount is cumulative. Although the first vendor can submit multiple charges against the virtual card, the sum of those charges can’t exceed the maximum you set. I have had this happen multiple times with different vendors. When I used the same virtual card number at the same vendor but I forgot to up the maximum, the authorization was declined. Not true “one-time” but the maximum you set can make it effectively one-time.

  6. Bengal says

    I asked Capital One but they didn’t have anything that is One-time or virtual or disposable. Could you please help me TFB? I’d like to buy this acai berry product and Paypal is no longer offering the plugin. I tried searching in Paypal for that “secure card” but nothing came up under help. I guess they’re discontinuing that in order to advertise their own Paypal credit card that comes with their own protection guaranteed. Or should I reach out to Visa/Mastercard websites to find this option?

  7. Harry Sit says

    Bengal – In the United States, only Citi, Bank of America, and Discover offer this service. If you don’t have a card from these three banks, you can’t use it.

  8. Jack says

    Am I correct in thinking the Discover virtual credit card doesn’t allow you to set it for “only one use” with a particular merchant?

    And does the Bank of America Shopsafe allow you to set when the virtual credit card expires? I read on their website:

    “Secure account numbers always expire on the same date as your actual Discover Card account number.”

  9. Harry Sit says

    Jack – Never used the Discover version. Bank of America’s ShopSafe lets you set both the dollar maximum and the expiration month and year. You choose from 2 months to 12 months from today.

  10. Melvin says

    Just curious if anyone knew if these would work with a debit card or whether you have to have a credit card. Thanks.

  11. Curious says

    How many “virtual” numbers can be made, and how often?
    In other words, are there any limitations on how many new credit card numbers can be made per day?
    Can one or more be made per day?

    Does making a new number make the previous ones be bad, or after a certain quantity be bad?

    I know the number of digits on a credit card allows for many trillions of numbers, but still, I am thinking if a lot of people began making a few per day, then how does that number limitation based on the number of digits, have an impact.

    I know I would want at least 1 new number per day, if not a few new numbers per day.

  12. Harry says

    I haven’t run into any limit in the number of virtual card numbers you can create per day. Creating a new one doesn’t invalidate the previous one. Not that many people use this. You don’t have to worry about running out of numbers.

  13. MikeY says

    I just had my card hacked, along with several others at an online merchant. So FIA issued a new card and I get to do the hassle of updating a few dozen websites with my new number. I thought shopsafe might help with this for the next future hack (this was my third in 5 years). But in discussing it with FIA,

    1) If your main card is hacked, all your shopsafe numbers are cancelled immediately with no possible extension (you can get a 30-90 day extension on your main card if it is hacked).

    2) If ANY of your shopsafe numbers are hacked, all your shopsafe numbers AND your main number are cancelled.

    The only use I see for shopsafe is when you want to limit the amount an online store can bill your card (and based upon some info from consumers online, even that is iffy).

  14. Harry says

    MikeY – The point is if you use one-time card numbers at online merchants, your main card won’t be hacked in the first place. If someone gets hold of your one-time card, it’s already used and it can’t be hacked and used at a different merchant.
