Transforming Credit Card Security with Google
Capital One’s tech transformation allowed us to collaborate with Google to bring the security of virtual cards to consumers
July 1, 2022
To transform credit card security with Google, we first had to transform ourselves
It reminded me of when I first visited my brother in Seattle in the late 90’s, I remember him telling me you could see huge mountains from his home. Being a kid from the DC area where the closest mountains we see are more like hills, I was excited. It wasn’t until the last day of our visit that the weather cleared up and “the mountains were out”. Then I could see clearly that I was surrounded by greatness all along. This is an apt analogy for a digital transformation.
Capital One is the very first bank to be all in on the public cloud, closing down our last data centers in 2021. This is just one recent step in our technology journey alongside our cultural transformation to adopt agile and product management, our unflagging focus on customer and user experience by making design and user research as high of a priority as tech investment, and our data evolution to become a machine learning first company. These types of efforts on such grand terms are often scary, risk prone, and you don't see the incremental benefits at each step.
That’s until one day when the “mountains are out”, then you see how it all adds up. With the newly announced virtual card feature built directly into Google Chrome and Android, the mountain of Capital One's digital transformation is peaking through the “clouds”. See what I did there?
Capital One has been an innovator in the industry with virtual cards
A virtual card (sometimes called a virtual credit card or virtual card number) is a uniquely generated digital card number that is a substitute for a customer’s actual credit card number. Because virtual cards are tied back to the existing credit card account, customers accrue all the same card benefits or rewards,
and the transactions appear on account statements as they normally would. Virtual cards make online shopping more convenient and more secure by letting customers pay for purchases in their browser or via a mobile phone app without sharing their actual credit card information with merchant websites and risking someone getting access to that info in the event of a hack or data breach.
Capital One introduced virtual cards back in 2017, surfaced via a browser extension, and they've been growing in popularity ever since.
When we first started this journey to virtual cards in 2017, we took a strategic bet. We started our tech transformation several years prior and after surveying the market solutions, we decided we would build our own virtual card platform in-house and from the ground up. We felt this was going to be an innovation in the market to enable our customers to transform how they interacted with their credit card from an analog concept to a truly digital experience. We knew this would become a potential new paradigm and more central to our business than many were thinking about at the time. So we took the bet, and built a peak in the clouds. We built the platform on highly resilient technology, with tremendous flexibility and performance potential. First enabled by our browser extension, virtual cards were then made available on our mobile app, our web apps, and now, through the collaboration with Google — Capital One credit cardholders can use virtual cards from Capital One quickly and easily on Chrome or Android anytime they're checking out at a merchant. No extension required, it just works when you need it where you need it.
However this is just one part of the mountain.
A peak always sits on a strong foundation. Ours is a foundation of APIs, Machine Learning, and serverless technologies
The next time you're shopping online on Chrome or on an Android, you'll see an option to use your Capital One virtual card where you're used to seeing your actual credit card numbers. You no longer have to get up to find your physical card to grab your CVV and expiration date. A virtual card is available at checkout and can be pre-filled with one click. In order to bring this to life, we were able to stand on the foundation of years of infrastructure enablement, which is Capital One at its heart. This enabled us to bring bank level security, controls, and auditability to API development, while ensuring that we are bringing the fastest protocols to the table like gRPC to ensure transactions can be as optimized as possible.
One of the amazing things about Capital One virtual cards is that they are designed as a ‘security first’ utility. Capital One creates virtual cards that are retrieved at the specific merchant checkout by Google –- and Google doesn't store or save the card info you're presenting to the merchant. We do this through the use of machine learning models, which smartly identify an underlying merchant site or Android app, and ensure that the virtual card for that merchant only works for that merchant, thus reducing the risk for our customers. This machine learning model would not have been possible without the institutional and cultural transformation Capital One has gone through to build out the right tools, talent, and methods to bring things like this to market.
Lastly, one of the amazing things about working with Google on this was watching the pace at which the team was able to innovate while also doing so with rock solid enterprise resiliency. The API integration with Google is built entirely with serverless technology. This allows us to scale quickly and easily, and allows our developers to think about APIs and performance optimizations and not infrastructure maintenance while still knowing we are using bank grade security. This type of pivoting and adapting is something you have a real advantage doing when you have made the jump to being truly all in on the public cloud.
A mountain is meant to be climbed…by people
The last element of this journey that really showed through in our collaboration with Google, was the collaboration itself. Capital One has gone through a real end-to-end workforce enablement transformation to ensure we can collaborate with the most modern technology partners in the industry. We started on this journey in 2012 when Capital One began to build our engineering capabilities in-house, then in 2013 we fully adopted modern agile practices at scale, while also instilling the value of best in class UX design and product management. We have built an integrated Design, Product, Delivery, and Technology organization from the ground up to enable both craft and collaboration. At one point during our collaboration with Google, I had to stop and take note that it was difficult to identify where Google design started and Capital One design stopped. I think this is a credit to the maturity of this cultural transformation we’ve been going through for almost a decade. It also goes without saying, this entire effort was designed, implemented, integrated, and deployed during a global pandemic where the Capital One and Google teams never actually met in person. Capital One’s investment in cloud SaaS-based productivity tools, long before the pandemic, like Google Workplaces, really paid off here.
Seeing the mountain through the clouds
Mountains always look like paintings from far away, even when you can see them. The trees blur together, the craggy rocks appear softer. Sometimes the clouds against the blue sky are indistinguishable from the snow covered peaks. Looking at the landmark step Google and Capital One was able to take in bringing the security of virtual cards to as many consumers as possible, I can see the entire outline of the mountain and am excited to see our collective team at the peak.
Enrollment for virtual cards with Google Pay may not be available to all Capital One customers, depending on the types of accounts held. We are constantly working to expand virtual cards with Google Pay to more of our customers.
Virtual cards through Google Pay are currently available in Chrome for desktop computers (Mac, Windows, and Linux), Chrome for Android, and via merchant apps running in the Android OS. Additional availability may be added in the future, including Chrome for iOS.