The O-Card worked as follows:
- You get to a checkout on an on line site looking for credit card details.
- Fire up the O-Card application and log in.
- Select the credit limit for the one time Credit Card.
- It gives you a Credit Card number with the same user name and billing address as your real card that has the following differences:
- It can only be used once. As soon as the vendor clears the transaction it can no longer be used for anything.
- It has a low credit limit - provided you chose to do this of course.
- The Card number and CVV2 number are different
- The issue date is the current month and the expiry date is next month.
- I give these details to the online vendor and my order clears.
- If they are evil and chose to try and reuse the number or are unlucky and get hacked by some Zero day sploit or are stupid\inept and just let my details get stolen later I don't care. In all cases the card number is useless.
- All I have to worry about is whether I get my stuff and my real credit card remains safe.
In their defence the O-Card application model probably had some serious security problems but frankly since there hadn't been a single update to the client app since 2002 (and maybe even 2001) I think that no one was really making any effort to make the client any better. Suggesting that we all just trust "Verified by Visa" is certainly a lot easier for them though and I suspect that their risk assessment process just told them to dump the service since it wasn't very popular. Its low popularity had a lot to do with the fact that their marketing of it was abysmal but what do I know about marketing eh?
All is not lost however because it seems that Paypal are launching something similar. This blog post from Techimo points to this Paypal info page that describes a new Paypal service\utility that is not hugely dissimilar to the O-Card. I'm quite keen to see this come out of restricted beta and check how well they have implemented this. It's the first positive sign that I've seen that one of the large operators in the online payments game is making a serious effort to give end users a more concrete way of managing the risk they are prepared to handle when paying for things online. For me I'm just looking forward to being able to shop with confidence at www.wearaetotallydodgy.com again. Happy days.