Security Matters When Choosing Your Virtual Card Provider

December 16, 2016 | By: Andy Stearns

By Andy Stearns, Head of Commercial Card Business Development at Capital One

The most amazing thing about checks is that businesses still write them. It’s not just the expense of writing a check, measured in employee time and processing costs, that argues against their persistence.  It’s their vulnerability to the more basic forms of fraud like counterfeiting.  According to the Association for Financial Professionals, 77 percent of organizations that experienced attempted or actual payments fraud in 2014 were victims of check fraud.

In response, more and more companies are adopting virtual cards. According to the RPMG 2015 Electronic Accounts Payable Benchmark Survey Results, spending using virtual cards is growing steadily, reaching $72 billion in 2015 and projected to hit $110 billion by the end of the decade.

While the various kinds of protections designed for checks literally paper over their inherent insecurity, virtual card systems have been designed from the bottom up with security in mind.  The master account number is masked from the public, and one-time numbers are issued for specific transactions.  Every other stage of the payment process—from buyers entering vendor information to suppliers processing payment—is similarly protected with its own security measures (see the sidebar for a synopsis of the virtual card payment process).

When combined, these measures form a highly effective barrier to fraud.  According to the RPMG survey, losses associated with virtual card fraud amount to 0.0005 percent of electronic accounts payable spending, the equivalent of $5 for every $1 million in transactions.

Insist on Enhanced One-Time Card Control

The challenge for businesses when selecting a virtual card provider is to maximize the security potential of the virtual card system. Card issuers offer a number of innovations that enhance both the security of virtual cards and the ease with which they can be processed.  One option is to place restrictions on the transaction amount tied to a specific account number.  For instance, you could stipulate exact pay, requiring the vendor to process payment for the precise amount you specify, not a penny more or less.

Businesses can also establish an “up-to” amount if there are unknown costs associated with a purchase, like exchange-rate fluctuations or shipping and handling fees.  In addition, you can set a maximum amount for a series of partial payments on a single account number.  Finally, you can set a hard expiration date for the virtual card.  This ensures that the supplier processes the payment in a timely manner.
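As an added illustration (not code from the article or from Capital One), here is a hypothetical authorization check that enforces the four controls just described: exact pay, an "up-to" ceiling, a cumulative cap on a series of partial payments, and a hard expiration date. The control names, decline reasons and sample amounts are this example's own.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Hypothetical model of one-time virtual card controls (example only):
# "exact" = pay precisely the limit; "up_to" = any amount up to the limit.
@dataclass
class CardControls:
    mode: str              # "exact" or "up_to"
    limit: Decimal         # exact amount, or ceiling for up_to
    expires: date          # last day an authorization is accepted
    partial: bool = False  # up_to only: allow several payments up to limit
    spent: Decimal = Decimal("0")
    closed: bool = False   # number can no longer be used

def authorize(card: CardControls, amount: Decimal, on: date) -> tuple[bool, str]:
    if card.closed:
        return False, "declined: card number already used"
    if on > card.expires:
        return False, "declined: card expired"
    if amount <= 0:
        return False, "declined: invalid amount"
    if card.mode == "exact":
        if amount != card.limit:  # not a penny more or less
            return False, "declined: exact pay mismatch"
        card.spent, card.closed = amount, True
        return True, "approved"
    if card.mode == "up_to":
        if card.spent + amount > card.limit:  # cumulative across partials
            return False, "declined: exceeds up-to limit"
        card.spent += amount
        # single use unless partials are enabled; a fully consumed card closes
        card.closed = (not card.partial) or card.spent == card.limit
        return True, "approved"
    return False, "declined: unknown control mode"

def demo() -> list[str]:
    # Constructed sample requests against two cards.
    out = []
    exact = CardControls("exact", Decimal("1250.00"), date(2016, 12, 31))
    out.append(authorize(exact, Decimal("1249.99"), date(2016, 12, 20))[1])
    out.append(authorize(exact, Decimal("1250.00"), date(2016, 12, 20))[1])
    out.append(authorize(exact, Decimal("1250.00"), date(2016, 12, 21))[1])
    part = CardControls("up_to", Decimal("500.00"), date(2016, 12, 31), partial=True)
    out.append(authorize(part, Decimal("1.00"), date(2017, 1, 1))[1])
    out.append(authorize(part, Decimal("300.00"), date(2016, 12, 20))[1])
    out.append(authorize(part, Decimal("250.00"), date(2016, 12, 20))[1])
    out.append(authorize(part, Decimal("200.00"), date(2016, 12, 20))[1])
    return out
```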

Get the Ultimate in Virtual Card Security: Buyer-Initiated Payment

The standard virtual card transaction is a pull transaction, where the supplier initiates the process by sending the buyer an invoice.  Some card issuers now offer buyer-initiated payment (BIP), which enables the buyer to push payment directly into the supplier’s bank account without using a card number at all.  With BIP, the card issuer sends the payment to the supplier’s merchant acceptor.  At the same time, the card issuer notifies the supplier that the payment has been processed along with the details they need to match the payment to the right invoice. The convenience and reliability of BIP is an inducement for suppliers to entrust their terminal and merchant identification numbers with the card issuer.

Look for Robust Authentication

Authentication, which provides checks on human interactions with the system, can be inserted into almost every part of the virtual card process. Look for providers who offer a rich set of authentication methods and choose the ones that work best in your situation.

The first three—dual control, rights management, and user activity monitoring—safeguard internal processes:

Dual Control

Dual control simply means that approvals by two different people in an organization must be secured before a process—like submitting a payment file—can be completed.

Rights Management

The virtual card provider should offer several different options for rights management.  You should be able to assign rights by position, transaction size, and supplier, among other factors.

User Activity Monitoring

Any change in system state—caused, for instance, by adding a vendor or generating a payment file—should be logged.  This log should be available in real time or as a report.

The last method—out-of-band authentication—is primarily meant to stop external intrusions.  Out-of-band authentication is familiar to consumers who log in to their online bank account from a new device.  Their login triggers a text message or phone call to a number they specified when setting up the account. The message or call delivers a randomly generated PIN, which they must enter to proceed with login. This provides an extra layer of protection because it requires an attacker to have both the email address used for login and the designated telephone number.

Out-of-band authentication, also called one-time PIN (OTP), is now available with virtual cards as a single- or dual-control option (where the PIN is sent to a second person).  It can be required when adding a user, adding or editing a vendor, or uploading a payment file.  Out-of-band authentication can also be implemented on the supplier side: when suppliers are notified that the buyer is ready to proceed with payment, they must enter a PIN to receive the card details.

Secure Connections Are a Must

Once your accounts payable department approves a payment, payment information can be either pushed or pulled to your card issuer.  Either way, it is protected by secure FTP, an encrypted channel that is required for bank communications.  Your card issuer should be able to connect directly to your AP system, eliminating vulnerabilities associated with middleware.

The connection from supplier to merchant acceptor is similarly secure.  These transactions are screened by the sophisticated fraud monitoring facilities that are part of the credit card system. Transactions are compared to normal spending patterns, and abnormal activity is flagged as potential fraud.

Virtual Card Security—It All Adds Up

When the inherent security of the virtual card system is augmented with features like exact pay and BIP and reinforced by such measures as secure authentication, secure FTP, and credit card fraud monitoring, the result is a system that is highly resistant to intrusion.

Of course, the comprehensive security features of virtual cards are just one of its advantages.  When you combine fraud protection with the opportunity to generate revenue through rebates, reduce expenses through automated electronic processing, and better manage cash flow by controlling payment, virtual cards add up to a strategic advantage for any organization.

The Virtual Card Process

To understand the layers of virtual card security, it may help to review the virtual card process.  In simplified form, it can be reduced to six steps, and each successive step should be covered by at least one form of security:

  1. A buyer enters suppliers that accept virtual cards into its system.
  2. The buyer places an order and receives goods and services in return, followed by an invoice.
  3. The buyer approves the invoice.
  4. The buyer sends the approved invoice file or payment instruction file to the card issuer.
  5. The card issuer sends a card number to the supplier.
  6. The supplier submits the transaction to the merchant acceptor, who issues payment.