Data Minimization and Virtual Credit Card Numbers
When we talk about privacy-enhancing technologies, we often immediately jump to talking about encryption methods, DRM technologies, and instance-based access controls. But sometimes we forget about techniques for minimizing data disclosure. I know I’m guilty of this. I’d much rather debate the pros and cons of various policy expression languages!
I was reminded about data minimization recently when I tried for the first time a service from my credit card company, virtual credit card numbers. With so many people experiencing credit card fraud online, I’m surprised more people aren’t using virtual credit card numbers. They are a great way to minimize the disclosures of your real credit card to others. So I thought I’d share my experience with the service so far.
Virtual credit card numbers are valid credit card numbers that can be used for only one transaction. You use one exactly like a regular credit card number when making an online purchase; it is linked to your real credit card and shows up on your credit card statement just like normal. As far as an online vendor is concerned, a virtual credit card number is exactly like your real credit card number.
So today I wanted to buy some touch up paint for my TSX. Found a vendor online. Never heard of them. Seemed like a mom ‘n pop kinda operation. So I decided to try it out. I followed the check out process all the way up to the point where it asked me for the billing information. Then I opened up a separate browser window and went to my credit card company site. (I use citicards.com but I believe other credit card vendors have similar services.) I logged on to the credit card site and went through a brief one-time set up wizard. Then it let me into the virtual CC site and I clicked a button and it generated a CC number for me. It was early January 2006 when I was making my purchase and the CC number expired in February 2006, so it was only valid for about 60 days, unlike my regular card which was scheduled to expire much later. It also told me the credit card verification number and then it also showed my billing name, address, etc. which I had on file so I could enter all the right info on the vendor’s web site.
So I copied all that information into the appropriate fields on the touch up paint vendor’s site and submitted my order. It took the virtual card number just fine.
There is also a section on the virtual credit card web site where you can list all the virtual card numbers you have and the transactions that were done with those numbers.
Anyway, it’s a bit of extra pain. At first I thought I would only use virtual credit card numbers with web site vendors that don’t have well established brand names and reputations. But as I began to get the hang of generating the virtual credit card numbers, it added less than 2 minutes to the overall amount of time it takes me to complete an online transaction. For me, that extra two minutes is well worth the peace of mind knowing that even if the vendor’s site gets hacked, they can’t steal my credit card number because it simply isn’t there and the credit card number that _is_ on the site was invalid as soon as it was used by the vendor to charge me for my order.
Your mileage may vary of course, but it works for me.
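To make the mechanism concrete, here is a toy model of the issuer side, added as an illustration and not taken from any card issuer's actual system. The `Issuer` class, the `999999` number prefix, the merchant names and the amounts are all constructed assumptions; it shows a single-use number being approved once, declined on replay, and declined after its short expiry, while the real number stays in the issuer's own mapping.

```python
import secrets
from datetime import date

def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

class Issuer:
    """Hypothetical issuer: maps single-use virtual numbers to a real account."""
    def __init__(self):
        self._vault = {}     # virtual number -> record; the real number stays here
        self.statement = []  # charges posted against the real account

    def issue_virtual(self, real_pan: str, expires: date) -> str:
        # "999999" is a constructed prefix, not a real issuer range.
        body = "999999" + "".join(secrets.choice("0123456789") for _ in range(9))
        vpan = body + luhn_check_digit(body)
        self._vault[vpan] = {"real": real_pan, "expires": expires, "used": False}
        return vpan

    def authorize(self, pan: str, amount: float, merchant: str, today: date) -> str:
        rec = self._vault.get(pan)
        if rec is None:
            return "DECLINED: unknown number"
        if today > rec["expires"]:
            return "DECLINED: expired"
        if rec["used"]:
            return "DECLINED: already used"
        rec["used"] = True  # one transaction only
        self.statement.append((rec["real"][-4:], merchant, amount))
        return "APPROVED"

def demo():
    issuer = Issuer()
    real = "4111111111111111"  # standard test number standing in for the real card
    vpan = issuer.issue_virtual(real, expires=date(2006, 2, 28))
    first = issuer.authorize(vpan, 14.95, "paint-vendor", date(2006, 1, 5))
    # The same number, copied out of the vendor's records, presented again:
    replay = issuer.authorize(vpan, 500.00, "someone-else", date(2006, 1, 6))
    return vpan, first, replay, issuer.statement

if __name__ == "__main__":
    print(demo())
```

The vendor only ever stores `vpan`; the statement entry is posted against the real account inside the issuer, which is the data-minimization point of the post.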
