
Online password security: Are Verified by Visa-like programs enough?

Randall Gamby offers additional security measures enterprises can employ to supplement their existing password-reset process.

I've read about some security concerns relating to the Verified by Visa program, specifically that it's often trivial for a criminal with access to a credit card to reset the user's online account password and conduct authorized transactions. Our company is a merchant and outsources virtually its entire payment-processing ecosystem to avoid problems like this, but is there a way to add greater security to the password-reset process without a huge infrastructure change?


The Verified by Visa program, as described by the credit card giant, is "an extra layer of security at the point where you enter credit card information online." It requires the user to enter an additional password to help prevent unauthorized use of a credit card. That way, should someone steal the card and try to use it at an online merchant before the cardholder notices the theft, the card should be useless without the additional password. However, some security experts have criticized Visa's password mechanism, saying it is trivial for a savvy attacker to reset a user's password.

Unfortunately, as a merchant, you likely have little influence over any element of the Verified by Visa program, especially its more technical elements such as online password security, beyond voicing your displeasure directly to Visa and asking that a stronger process be put in place.

However, there are certain controls you can implement on your own side to help protect consumers' transactions. You can refuse to process transactions where the billing and shipping addresses differ; you can require a physical shipping address (no P.O. boxes); and, depending on your market, you can limit shipments to specific geographic locations, or refuse shipments to countries known to harbor online identity thieves.
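The three merchant-side controls above can be expressed as a small order-screening rule set. The following Python is an added illustration, not code from the article or from any payment processor; the address records, the allowed and denied country sets, and the P.O. box pattern are constructed for the example, and a real merchant would derive those values from its own market and compliance requirements.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed policy values for this example. The country codes are
# placeholders, not a recommendation: a merchant sets these from its own market.
ALLOWED_SHIP_COUNTRIES = {"US", "CA"}   # assumption: countries this merchant serves
DENIED_SHIP_COUNTRIES = {"XX"}          # placeholder code standing in for a denied country

# Matches common spellings of a post office box in the first address line.
PO_BOX_RE = re.compile(
    r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box|pmb)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Address:
    line1: str
    city: str
    region: str
    postal: str
    country: str  # ISO 3166-1 alpha-2 code, e.g. "US"


def _norm(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that trivial
    formatting differences ("Main St." vs "main st") do not make two copies of
    the same address look different."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return " ".join(text.split())


def normalized_key(addr: Address) -> tuple:
    """Comparison key for the billing-vs-shipping check."""
    return (
        _norm(addr.line1),
        _norm(addr.city),
        _norm(addr.region),
        _norm(addr.postal).replace(" ", ""),
        addr.country.strip().upper(),
    )


def is_po_box(addr: Address) -> bool:
    """True when the first line names a P.O. box rather than a street address."""
    return bool(PO_BOX_RE.search(addr.line1))


def screen_order(billing: Address, shipping: Address) -> tuple[bool, list[str]]:
    """Apply the three controls from the answer.

    Returns (accepted, reasons). `reasons` lists every rule that fired, so the
    caller can log them or route the order to manual review instead of
    refusing it outright.
    """
    reasons: list[str] = []

    # Control 1: billing and shipping addresses must match.
    if normalized_key(billing) != normalized_key(shipping):
        reasons.append("billing and shipping addresses differ")

    # Control 2: shipping address must be a physical address, not a P.O. box.
    if is_po_box(shipping):
        reasons.append("shipping address is a P.O. box, not a physical address")

    # Control 3: geographic limits on where goods are shipped.
    country = shipping.country.strip().upper()
    if country in DENIED_SHIP_COUNTRIES:
        reasons.append(f"shipping country {country} is on the deny list")
    elif country not in ALLOWED_SHIP_COUNTRIES:
        reasons.append(f"shipping country {country} is outside the served market")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample orders.
    billing = Address("123 Main St.", "Springfield", "IL", "62701", "US")
    same_but_reformatted = Address("123 main st", "Springfield", "IL", "62701", "US")
    po_box = Address("P.O. Box 44", "Springfield", "IL", "62701", "US")
    for ship in (same_but_reformatted, po_box):
        ok, why = screen_order(billing, ship)
        print("ACCEPT" if ok else "REFUSE", why)
```

The function returns the list of triggered rules rather than a bare yes/no so that a merchant can decide per rule whether an order is refused, held for review, or merely flagged; the address-mismatch rule in particular catches many legitimate gift orders, and the reasons list lets that case be handled differently from a shipment to a denied country.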

Visa and other credit card companies need to understand that the security measures they put in place years ago are now outdated in today's Internet market. The weak measures they employ to protect consumers from fraud put at risk both consumers and the merchants that want to provide good service to their customers.

This was first published in June 2012
