If you’ve ever had your debit card number stolen after shopping at a sketchy online retailer, you already know the drill. You catch a strange charge on your statement, call the bank, freeze the card, wait a week for a replacement, and then spend the next month updating every recurring payment that was tied to the old number. It’s not just a hassle. According to the Federal Trade Commission, consumers reported losing more than $12 billion to fraud in 2024, and a meaningful chunk of that traces back to compromised payment card data from breached merchants and skimming sites.
Virtual card numbers are one of the simplest, least-talked-about tools for sidestepping that whole mess. They’ve existed for years, but most people still haven’t tried them, partly because banks rarely advertise the feature on the front page of their apps. Here’s what they are, how they actually work, and why it might be time to start using them for online purchases.
What a Virtual Card Number Actually Is
A virtual card number is a temporary, randomly generated 16-digit card number that’s linked to your real account but acts as a stand-in. It comes with its own CVV and expiration date, and you use it the same way you’d use a normal card on a checkout page. The merchant never sees your real card number. Their database stores the virtual one. If their system gets breached, the worst-case scenario is that someone tries to charge a number that’s either expired, locked to that one merchant, or already deleted by you.
Underneath, the bank handles the translation. When a charge hits the virtual number, the bank’s payment processor maps it back to your real account, posts the transaction to your statement, and you barely notice anything different. From your wallet’s perspective, it’s the same dollars moving from the same checking account. From a fraudster’s perspective, the stolen number is worthless once you turn it off.
Capital One explains the basic mechanics on its virtual card numbers page, and the Consumer Financial Protection Bureau has a good general primer on payment fraud that explains why this kind of tokenization matters in the broader fight against card-not-present fraud.
Why They’re Safer Than the Card in Your Wallet
Three features separate virtual numbers from regular ones. The first is merchant locking. Most virtual card services let you tie a number to a single retailer, so even if the number leaks, it can’t be used anywhere else. The second is spending limits. You can set a hard cap on what the merchant is allowed to charge, which is especially useful for free trials that quietly turn into recurring charges. The third is the kill switch. You can pause or delete a virtual number from your phone in seconds, which beats the multi-hour ordeal of canceling a real card and reissuing it.
Put together, those three controls solve the most common online fraud headaches. A breached merchant can’t take the number elsewhere. A subscription service can’t sneak in a price hike beyond your set cap. And if a charge looks wrong, you don’t have to wait on a fraud investigation. You just delete the number and the problem disappears. The card in your wallet, meanwhile, stays untouched, so your direct deposits, autopay bills, and Apple Pay setup keep working without interruption.
Which Banks and Issuers Offer Them
Adoption is uneven. Citi has offered virtual account numbers for years and lets most credit card customers generate them through the website by logging in and finding the virtual account number tool. Capital One’s version is called Eno, available as a browser extension and through its mobile app, and it lets you generate merchant-specific virtual numbers and lock, unlock, or delete them on demand. American Express supports dynamic virtual numbers through Amex Send & Split and certain integrations, and Chase offers them on select cards through its mobile app.
For everyone else, third-party services fill the gap. Privacy.com is the most popular standalone option in the U.S. It links to your checking account or debit card and lets you generate single-use, merchant-locked, or paused virtual cards from a browser extension. The free tier covers most casual shoppers, with paid tiers adding more cards per month and category controls. Apple Card holders get a built-in virtual number too, since the physical Apple Card never has a printed number on the front and the digital number rotates automatically through the Wallet app.
A short note on debit versus credit. If you have the choice, generating virtual numbers from a credit card is safer than from a debit card or checking account. Credit card fraud generally has stronger zero-liability protections under federal law, and a fraudulent charge doesn’t drain your real cash while you sort it out. Debit and checking-linked virtual cards are still safer than handing out your real numbers, but the recovery process is slower if something does go wrong.
When to Use a Virtual Card Number
The clearest use cases are first-time purchases at merchants you don’t fully trust, free trials and subscriptions, gift purchases through smaller niche sellers, and any site that triggers a gut “this checkout page looks weird” reaction. Travel sites with foreign vendors are another good candidate, because virtual cards make it easier to dispute or simply cut off a charge from across the world without having to reissue your main card.
For free trials specifically, virtual cards are almost cheating. Set the spending limit to one cent above the trial amount, or to zero if the merchant just needs a number on file, and the company physically cannot bill you when the trial ends. You decide whether to keep the service, and if you forget about it, the charge simply fails. No more discovering a $14.99 charge eleven months in for an app you used twice.
Recurring bills are a slightly different story. Some recurring services like utilities, insurance, and gym memberships are accounts you do want to keep paying without interruption, and a single-use virtual card will fail those charges. For those, generate a merchant-locked card with a high enough spending cap, write down which merchant it’s tied to, and treat it like a normal autopay arrangement. NerdWallet has a useful overview of how to think through which merchants deserve a “permanent” virtual card and which deserve a single-use one.
The Limitations Worth Knowing About
Virtual cards aren’t a magic shield. They don’t help against phishing emails that trick you into giving up login credentials, and they don’t protect against account takeovers where a fraudster logs into your bank app directly. They also can’t be used at most physical retail locations because there’s no card to swipe, although mobile wallets like Apple Pay and Google Pay are essentially doing the same tokenization trick automatically every time you tap your phone at a register.
A few practical headaches show up too. Some merchants flag virtual or one-time card numbers and reject the transaction, especially for high-risk categories like gambling sites and certain crypto on-ramps. Hotel and rental car holds can be tricky if the eventual charge exceeds your spending cap. And if you’re returning a purchase that was made on a deleted virtual number, the refund sometimes still goes through correctly to your real card behind it, but occasionally it lands in a “credit balance” that you have to claim manually. None of these are dealbreakers, but they’re worth knowing before you commit your monthly subscriptions to a virtual card.
A Reasonable Way to Start
If you’ve never used virtual numbers, the easy on-ramp is to pick one mid-tier risk purchase and try it. Sign up at your card issuer if they support it natively, or open a free Privacy.com account if they don’t. Generate one card, lock it to a single merchant, set a spending cap, and watch how the charge clears. Once you’ve done it once, the friction drops to almost nothing.
Most people who start using virtual cards end up using them for almost every new online purchase within a few months. Not because they’re paranoid, but because it’s genuinely easier to delete a number when something goes sideways than to call the bank and reissue your real card. In an environment where merchant data breaches keep making the news and online fraud is still the fastest-growing slice of payment crime, that ease of cleanup is worth a few seconds of extra setup at checkout.