VCCs are a no-brainer

It’s impossible to ignore the fact that many aspects of the financial world are being disrupted. What is interesting, however, is not what is being disrupted, but why the environment is ripe for disruption. The adoption and industry support of Virtual Credit Cards (VCCs) is an effective example of this environment.

What is a VCC?

A VCC describes when a bank (or other card issuer) generates a unique set of credit card details for a specific transaction, on behalf of its customer. Where a card is not required to be present (i.e. for online transactions), the VCC can be used as an alternative to the primary card.


The value of VCCs

  1. Primary card details are not disclosed. This is especially valuable online, where there is a greater risk of fraud/card details being compromised. It doesn’t matter if a VCC is lost/disclosed to the world; the bank won’t need to issue a new card, as the primary card details won’t have been compromised. This saves, time, money, and customers. Reissuing cards can be a relatively expensive process, and can even mean the customer’s primary card of choice shifts to a different bank issued card.
  2. VCCs allow for greater use of card controls. Card issuers have done a lot of work over the last few years to bring out a richer set of card controls. These include:
  • Virtual credit card limits (that can be set to zero, for example);
  • Blocks on certain types of transactions (online, international, etc.); and
  • Temporary blocks on the cards.

If card controls like these are applied to the primary card, they can become a real nuisance for the customer. When used with VCCs, however, policies can be much more strongly enforced, and fraud events more easily spotted, as they can, in theory, be blocked because of the card control enforced. Coupled with the disposability of VCCs, this should reduce fraudulent transactions in the online space drastically.

Primary cards vs. VCCs

Firstly, something you’re all familiar with. Your bank issues you with a primary physical credit card. This features:

  1. 16 digit card number: 5454 5454 5454 5454
  2. Expiry date: 12/18
  3. CVV: 123
  4. Name: Bob User

When you use this card at any point of sale (either electronically or via a website), it is routed through the network (Visa/Mastercard) and then to the bank. The bank checks the credentials to ensure they are correct and provides approval for the charge amount (this is done assessing the amount of charge against the available balance).

A virtual credit card is issued in much the same way. A similar set of details (a different 16 digits, Expiry, CVV, name) is issued. This new number can be provided to the customer in any manner, so long as it is PCI compliant.

The hardest issue from a bank’s perspective is building a system to reconcile the multiple charges from different ‘card numbers’ back to a primary card number. However, in theory, this has been solved with the work that banks have already done to support subsidiary cardholders on each account and for some of the NFC wallet transactions. As such, this is a solved problem for most banks.

So why haven’t VCCs taken off?

We know that some banks have been and continue to actively push VCCs:

In both of the above cases, the heightened security associated with VCCs for online transactions is driving adoption.

Having said that, there hasn’t been tremendous consumer adoption of VCCs to date. There are three possible reasons for this:

  1. User experience
    To date, the user experience hasn’t been great. It often requires requesting a new number from the bank, typically via a desktop applet — requiring it’s own tedious download and install process, then manually copying and pasting those numbers into a shopping cart. This required behaviour change has likely been a serious drag on customer adoption.
  2. Communication
    While there are clear advantages of using VCCs, especially when it comes to security, they haven’t been communicated well. For the customer, the benefits of using a VCC immediately obvious, even when it comes to security. They automatically have a liability shield against fraudulent transactions when they use their primary credit card.
  3. Tokenisation
    Over the last decade, while VCCs have been developed, a competing solution has also been offered to the market: tokenisation. Again, the main benefit of tokenisation is better overall security. Tokenisation does, however, require additional work on the merchant side with complex integration. This was best evidenced by 3D Secure (the first version). 3D Secure failed as it was too complex and difficult for the customer to use. However, this has been the preferred security solution of the card schemes/networks. It further integrates them into the payment flows and therefore their ongoing business. As this has been the primary objective of the industry, VCCs have been a lower priority.

In some cases it has been suggested that the schemes/networks have actively blocked issuers from supporting VCCs. In their negotiations with issuers (worth millions of dollars … often in the favour of the bank) they have sought to push an integrated agenda. To this day, the schemes/networks ‘support’ VCCs but don’t actively support them. Just look at the Visa API portal ( — there are tools and integrations to manage every other aspect of cards and issuing … but nothing on VCCs.


VCCs can play an important role in the ongoing fight against fraudulent transactions online, where most credit card fraud is moving. Most of the challenges around user experience of VCCs that hampered their growth are now solved. For starters, we’ve solved this at Onefill. And most issuers support multiple card numbers linked back to a primary card.

It seems like a no-brainer. And better still, pockets remain ripe for disruption.