The PayPal division of eBay, which operates the Web's most respected online payment voucher system, is beginning beta trials of a next-generation online payment system, in cooperation with MasterCard. Using what's described as a virtual debit card, a customer will be able to make a PayPal-authorized purchase using a one-time number good only for that transaction.
Perhaps the most innovative feature of the VDC system, the implications of which could be enormous if the trial is successful, is that it generates a new MasterCard number for each purchase. That number will be automatically filled in forms for retailers that accept MasterCard, by way of a browser-based add-in program. Once that number is validated, and a supplemental verification takes place between PayPal and MasterCard, that number would be discontinued.
As PayPal described in an FAQ mailed to prospective beta participants, "PayPal Virtual Debit Card's virtual card number is a MasterCard number used in place of your credit or debit card number. Each time you make a purchase on a website, a new number is generated. It protects you from sharing your personal credit card number when you shop online."
It's the Secure Sockets Layer principle applied to payment transactions: The participating sites agree to a transaction number that's good for the duration of the transaction itself. It can't be used for any other transaction, and it becomes invalid after the transaction is complete. If it works, it could conceivably render online credit and debit card number theft a pointless pursuit.
Rather than have the customer's MasterCard number tied to a physical debit card, under the PayPal VDC system, the "session key"-like VDC number is linked to a PayPal account from which funds are immediately withdrawn at time of purchase. But furthermore, should the PayPal account run dry, it can withdraw backup funds from a secondary source of the customer's choice: a PayPal credit account, a specific PayPal credit card account, or the customer's bank account.
How does the use of the VDC change the payment experience for the online merchant? As PayPal spokesperson Amanda Pires told BetaNews late yesterday, it won't. In fact, the merchant won't even have to explicitly support PayPal with a logo. Whenever the customer's active Web site supports MasterCard, the PayPal VDC browser add-in will detect this fact, and ask the customer if she wants to pay via VDC. This may be the tricky part, the details for which may be worked out during the beta process.
As Pires told us, the add-in client doesn't have to transact with the merchant at all - for instance, to determine in advance whether it would accept the VDC number, or whether it accepts MasterCard numbers. "If the merchant does accept the number, then it will go through," said Pires. "It would be such an anomaly for a site to not accept MC and accept other credit cards, that we did not build any logic for this."
Once the customer approves the notification, the VDC client begins a separate negotiation process with MasterCard. As Pires told us, this process takes place over a separate SSL connection. "VDC communicates to PayPal via SSL," she said, "so any personal or financial information between the user and PayPal is secure. The security of the site itself does not affect the security of the VDC. However, the intent of VDC is to protect users, so if a site is not transmitting information securely and the message is intercepted, then they are still protected by our 'one-time use number.' Only one merchant can use this number and any other merchant that tries will be declined."
The VDC service, once formally launched, will replace PayPal's existing Virtual Debit Bar service, which uses a static MasterCard number for online merchants that don't accept PayPal directly. No date has yet been given for VDC's formal launch.