I've read about some security concerns relating to the Verified by Visa program, specifically that it's often trivial for a criminal with access to a credit card to reset the user's online account password and conduct authorized transactions. Our company is a merchant and outsources virtually its entire payment-processing ecosystem to avoid problems like this, but is there a way to add greater security to the password-reset process without a huge infrastructure change?
The Verified by Visa program, as described by the credit card giant, is "an extra layer of security at the point where you enter credit card information online." It requires the user to input an additional password to help prevent unauthorized use of a credit card. That way, should someone steal the card and try to use it at an online merchant before the cardholder is aware of the theft, the card should be useless without the additional password. However, some security experts have criticized Visa's password mechanism, saying it is trivial for a savvy attacker to reset a user's password.
Unfortunately, as a merchant, you likely have little influence over any element of the Verified by Visa program, especially the more technical elements such as online password security capabilities, other than voicing displeasure directly to Visa and asking that a stronger process be put in place.
However, there are certain controls you can implement to help the consumer in protecting their transactions. You can refuse to process transactions where the billing and shipping addresses are different; you can require a physical shipping address (no P.O. boxes) for shipping; and, depending on your market, you can limit shipments to specific geographic locations, or refuse shipments to countries known to harbor online identity thieves.
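The three merchant-side controls above can be applied before an order is sent for authorization. The following is an added example, not code from the original answer or from Visa; the `Address` type, `screen_order` function, the P.O. box pattern and the country lists are all assumptions made up for illustration.

```python
import re
from dataclasses import dataclass

# Assumed pattern for detecting a post office box in the shipping line; tune for
# your market (this example only covers common US-style spellings).
PO_BOX_RE = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Address:
    line1: str
    city: str
    postal_code: str
    country: str  # ISO 3166-1 alpha-2 code

    def normalized(self) -> tuple:
        # Collapse case, punctuation and whitespace so that purely cosmetic
        # differences are not reported as a billing/shipping mismatch.
        def norm(s: str) -> str:
            return re.sub(r"[^a-z0-9]", "", s.lower())
        return (norm(self.line1), norm(self.city), norm(self.postal_code),
                self.country.strip().upper())


def screen_order(billing: Address, shipping: Address,
                 allowed_countries: set, blocked_countries: set) -> list:
    """Return the list of policy violations; an empty list means the order may proceed.

    allowed_countries: destinations the merchant serves (empty set = no restriction).
    blocked_countries: destinations the merchant refuses outright.
    """
    reasons = []
    # Control 1: refuse orders whose billing and shipping addresses differ.
    if billing.normalized() != shipping.normalized():
        reasons.append("billing_shipping_mismatch")
    # Control 2: require a physical shipping address (no P.O. boxes).
    if PO_BOX_RE.search(shipping.line1):
        reasons.append("po_box_shipping_address")
    # Control 3: limit or refuse shipments by destination country.
    dest = shipping.country.strip().upper()
    if dest in blocked_countries:
        reasons.append("blocked_destination_country")
    elif allowed_countries and dest not in allowed_countries:
        reasons.append("destination_outside_service_area")
    return reasons
```

In practice the returned reasons would feed a review queue rather than an automatic decline, so legitimate gift orders are not lost silently.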
Visa and other credit card companies need to understand the security measures they have previously put in place are now outdated in today’s Internet market. They put both consumers and the merchants that want to provide good service to their customers at risk due to the weak measures they employ to protect consumers from fraud.