Transforming Credit Card Security with Google

Capital One’s tech transformation allowed us to collaborate with Google to bring the security of virtual cards to consumers


To transform credit card security with Google, we first had to transform ourselves

Capital One and Google are working together to make online shopping even more convenient and secure. Now, Capital One credit cardholders can quickly add their credit card to Google Pay and start using virtual cards when checking out on Chrome or Android. We believe that this is a great win for our customers and is a landmark in bringing the simplicity and security of virtual cards to everyone.

It reminded me of when I first visited my brother in Seattle in the late 90’s, I remember him telling me you could see huge mountains from his home. Being a kid from the DC area where the closest mountains we see are more like hills, I was excited. It wasn’t until the last day of our visit that the weather cleared up and “the mountains were out”. Then I could see clearly that I was surrounded by greatness all along. This is an apt analogy for a digital transformation.

Capital One is the very first bank to be all in on the public cloud, closing down our last data centers in 2021. This is just one recent step in our technology journey alongside our cultural transformation to adopt agile and product management, our unflagging focus on customer and user experience by making design and user research as high of a priority as tech investment, and our data evolution to become a machine learning first company. These types of efforts on such grand terms are often scary, risk prone, and you don't see the incremental benefits at each step.

That’s until one day when the “mountains are out”, then you see how it all adds up. With the newly announced virtual card feature built directly into Google Chrome and Android, the mountain of Capital One's digital transformation is peaking through the “clouds”. See what I did there?

Capital One has been an innovator in the industry with virtual cards

A virtual card (sometimes called a virtual credit card or virtual card number) is a uniquely generated digital card number that is a substitute for a customer’s actual credit card number. Because virtual cards are tied back to the existing credit card account, customers accrue all the same card benefits or rewards,

and the transactions appear on account statements as they normally would. Virtual cards make online shopping more convenient and more secure by letting customers pay for purchases in their browser or via a mobile phone app without sharing their actual credit card information with merchant websites and risking someone getting access to that info in the event of a hack or data breach. 

Capital One introduced virtual cards back in 2017, surfaced via a browser extension, and they've been growing in popularity ever since. 

the vcn process

When we first started this journey to virtual cards in 2017, we took a strategic bet. We started our tech transformation several years prior and after surveying the market solutions, we decided we would build our own virtual card platform in-house and from the ground up. We felt this was going to be an innovation in the market to enable our customers to transform how they interacted with their credit card from an analog concept to a truly digital experience. We knew this would become a potential new paradigm and more central to our business than many were thinking about at the time. So we took the bet, and built a peak in the clouds. We built the platform on highly resilient technology, with tremendous flexibility and performance potential. First enabled by our browser extension, virtual cards were then made available on our mobile app, our web apps, and now, through the collaboration with Google — Capital One credit cardholders can use virtual cards from Capital One quickly and easily on Chrome or Android anytime they're checking out at a merchant. No extension required, it just works when you need it where you need it. 

However this is just one part of the mountain.

A peak always sits on a strong foundation. Ours is a foundation of APIs, Machine Learning, and serverless technologies

The next time you're shopping online on Chrome or on an Android, you'll see an option to use your Capital One virtual card where you're used to seeing your actual credit card numbers. You no longer have to get up to find your physical card to grab your CVV and expiration date. A virtual card is available at checkout and can be pre-filled with one click. In order to bring this to life, we were able to stand on the foundation of years of infrastructure enablement, which is Capital One at its heart. This enabled us to bring bank level security, controls, and auditability to API development, while ensuring that we are bringing the fastest protocols to the table like gRPC to ensure transactions can be as optimized as possible. 

One of the amazing things about Capital One virtual cards is that they are designed as a ‘security first’ utility. Capital One creates virtual cards that are retrieved at the specific merchant checkout by Google –- and Google doesn't store or save the card info you're presenting to the merchant. We do this through the use of machine learning models, which smartly identify an underlying merchant site or Android app, and ensure that the virtual card for that merchant only works for that merchant, thus reducing the risk for our customers. This machine learning model would not have been possible without the institutional and cultural transformation Capital One has gone through to build out the right tools, talent, and methods to bring things like this to market. 

Lastly, one of the amazing things about working with Google on this was watching the pace at which the team was able to innovate while also doing so with rock solid enterprise resiliency. The API integration with Google is built entirely with serverless technology. This allows us to scale quickly and easily, and allows our developers to think about APIs and performance optimizations and not infrastructure maintenance while still knowing we are using bank grade security. This type of pivoting and adapting is something you have a real advantage doing when you have made the jump to being truly all in on the public cloud.

characters climbing a snow-capped mountain

A mountain is meant to be climbed…by people

The last element of this journey that really showed through in our collaboration with Google, was the collaboration itself. Capital One has gone through a real end-to-end workforce enablement transformation to ensure we can collaborate with the most modern technology partners in the industry. We started on this journey in 2012 when Capital One began to build our engineering capabilities in-house, then in 2013 we fully adopted modern agile practices at scale, while also instilling the value of best in class UX design and product management. We have built an integrated Design, Product, Delivery, and Technology organization from the ground up to enable both craft and collaboration. At one point during our collaboration with Google, I had to stop and take note that it was difficult to identify where Google design started and Capital One design stopped. I think this is a credit to the maturity of this cultural transformation we’ve been going through for almost a decade. It also goes without saying, this entire effort was designed, implemented, integrated, and deployed during a global pandemic where the Capital One and Google teams never actually met in person. Capital One’s investment in cloud SaaS-based productivity tools, long before the pandemic, like Google Workplaces, really paid off here.

Seeing the mountain through the clouds

Mountains always look like paintings from far away, even when you can see them. The trees blur together, the craggy rocks appear softer. Sometimes the clouds against the blue sky are indistinguishable from the snow covered peaks. Looking at the landmark step Google and Capital One was able to take in bringing the security of virtual cards to as many consumers as possible, I can see the entire outline of the mountain and am excited to see our collective team at the peak.

***

Disclaimer

Enrollment for virtual cards with Google Pay may not be available to all Capital One customers, depending on the types of accounts held. We are constantly working to expand virtual cards with Google Pay to more of our customers.

Virtual cards through Google Pay are currently available in Chrome for desktop computers (Mac, Windows, and Linux), Chrome for Android, and via merchant apps running in the Android OS. Additional availability may be added in the future, including Chrome for iOS.


Mike Wolf, Vice President, Software Engineering

Mike has 23 years of experience driving innovation for organizations ranging from the world’s largest banks, to the biggest video game franchisees in the industry, to the world's most innovative start-ups. At Capital One, he leads a team of engineers who develop and run cutting edge and top rated digital payment solutions used by millions of customers everyday and that drive billions of dollars of spend for the business. We power the future of digital payments today to reduce fraud, increase spend, reduce friction, and lead the industry with highly scalable payment technology that just works. Mike also leads the engineering team at Capital One Lab that designs and develops innovative solutions that focus on pragmatic and transformative innovation to drive the future for our customers and fellow associates in both the short and long term. Mike lives in the nexus point between the business, product leadership, and technology delivery to drive transformation and business results in even the most entrenched cultures.When not geeking out in front of a device, he can be found with his wife and kids in Maryland, or playing guitar/bass and pretending to be a punk rocker.


DISCLOSURE STATEMENT: © 2022 Capital One. Opinions are those of the individual author. Unless noted otherwise in this post, Capital One is not affiliated with, nor endorsed by, any of the companies mentioned. All trademarks and other intellectual property used or displayed are property of their respective owners.

Related Content