CardsFTW #113: Problems with Persistent Credentials

Primary Account Numbers, Phone Numbers, and Tokens

The sixteen-digit number on the front of your credit card, known as the Primary Account Number (PAN), has an interesting history. Originally, this number was your actual account identifier. If your account was compromised and you received a new card, you also got a new PAN, leading to changes even in your statement records. In today’s digital economy, managing persistent credentials presents significant challenges and is increasingly complex.

As the industry matured, the PAN shifted away from being the actual account identifier. Instead, a Primary Account now serves as a parent account, allowing users to create multiple cards under one umbrella. However, the challenge of handling persistent credentials remains, especially with the growth of pay-by-bank and peer-to-peer payment apps.

The evolution of parent and child accounts has enabled multiple cards per account and introduced virtual card numbers, significantly enhancing security. While this technology was pioneered in the early 2000s, with issuers like Discover and MBNA providing virtual card numbers for use online, their usage has grown tremendously in recent years. Major card issuers like Apple Card make this a primary feature of their card to reissue numbers for security easily, and specialized providers like Privacy.com have grown for users who want to tightly control cards (of note, Apple Cash, the debit card offering powered by Green Dot, just launched virtual card numbers).

Consumers have come to believe that canceling a card should create an opportunity for a fraudulent or nuisance charge to stop (e.g., if you subscribe to a service and have trouble unsubscribing, a new card number might save the day).

Defining your credential or identifier is a major problem in payments. While many everyday payments occur via cards, payments are shifting to pay-by-bank or peer-to-peer apps like Zelle, CashApp, or PayPal. Peer-to-peer apps use phone numbers, email addresses, or usernames as identifiers. This seems like an easier approach, but they can create their own set of problems. I can only have one Zelle account if I have one phone number. What if I want different accounts for different purposes? What if someone hijacks my phone number? The same problem holds true for email and usernames.

Looking at pay-by-bank (e.g., ACH), we have a similar problem. My accounting number and routing number are all over the place. If someone misuses that information, regulations and operating procedures protect me, but it is a pain to sort out.

Some fintech platforms are innovating on this, like Increase, which enables account holders to have multiple virtual account numbers to aid in reconciliation and control, with a single underlying account, much like a virtual card number.

(An important note is that debit cards, like ACH, can be used bi-directionally to both push and pull money on and off a card. Don't think about this problem as just a spending problem.)

Just as I was writing this, a timely article in the Wall Street Journal also highlights a new issue with how we manage PANs. The Account Updater is a feature the card networks have developed to ensure consistent subscription billing. When I update my card number (or when its expiration date changes, etc.), the account updater pushes my new account credentials to merchants so that there is no interruption in service.

That sounds useful, but as the article points out, if the charge is problematic (e.g., fraudulent), the account updater allows the charge to continue.

There are solutions to account updater problems. It should really only update cards if the expiration date changes. If the PAN changes, no update should be pushed. Cardholders should also be able to opt out of account updater. More virtual numbers and fine-toothed controls should exist, but many users won't want to manage things that carefully.

Card payments handle PANs decently well: they can be replaced, and you can have more than one per account and person. However, peer-to-peer apps need better identity management solutions. Phone numbers alone aren't sufficient.

Imprint Launches an Airline Card

Fintech card issuance platform Imprint launched its first airline card last week, the Turkish Airlines Miles&Smiles Premier Visa Signature Card. Imprint, like fellow fintech issuer Cardless*, is a technology platform and credit card program manager that works with an underlying core processor and partner bank (First Electronic Bank for both companies) to issue co-brand credit cards.

Traditionally, airlines have worked with legacy co-brand banks such as Barclays, Citi, Chase, or American Express to issue a card. However, the largest co-brand issuers have reduced the size of their program portfolios in recent years to focus on larger card programs, leaving an opening for smaller programs.

Cardless has launched a series of airline cards in the past year, following an initial foray into sports cards (most, if not all, of which are closed). Imprint has previously launched both retail cards (HEB) and hotel travel (e.g., Westgate Resorts), but the Turkish card is their first airline card.

Air travel programs are the tried-and-true most successful co-brand cards, and it is a strong indicator that these fintech providers will succeed in that they are winning airline programs, likely with better user experiences and speed to market.

One area where Imprint and Cardless differentiate from other fintech issuing platforms is that they fully manage the programs and provide lending capital. In contrast, other providers, such as Highnote or Tallied, require partners to bring their own receivables financing and offer more APIs and SDKs for custom-developed experiences.

CardsFTW

CardsFTW, released weekly on Wednesdays, offers insights and analysis on new credit and debit card industry products for consumers and providers. CardsFTW is authored and published by Matthew Goldman and the team at Totavi, a boutique consulting firm specializing in fintech product management & marketing. We bring real operational experience that varies from the earliest days of a startup to high-growth phases and public company leadership. Visit www.totavi.com to learn more.

Interested in reaching our audience? You can sponsor CardsFTW.

*Indicates a company with which Totavi has a financial relationship.