I've read about some security concerns relating to the Verified by Visa program, specifically that it's often trivial for a criminal with access to a credit card to reset the user's online account password and conduct authorized transactions. Our company is a merchant and outsources virtually its entire payment-processing ecosystem to avoid problems like this, but is there a way to add greater security to the password-reset process without a huge infrastructure change?
Ask the Expert!
Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)
The Verified by Visa program, as described by the credit card giant, is "an extra layer of security at the point where you enter credit card information online." It requires the user to input an additional password to help prevent unauthorized use of a credit card. That way, should someone steal the card and try to use it to make purchases from an online merchant before the cardholder is aware of the theft, the card should be useless without the additional password. However, some security experts have criticized Visa's password mechanism, saying it is trivial for a savvy attacker to reset a user's password.
Unfortunately, as a merchant, you likely have little influence in altering any element of the Verified by Visa program, especially the more technical elements like online password security capabilities, other than voicing displeasure directly with Visa and asking that a stronger process be put in place.
However, there are certain controls you can implement to help consumers protect their transactions. You can refuse to process transactions where the billing and shipping addresses are different; you can require a physical shipping address (no P.O. boxes); and, depending on your market, you can limit shipments to specific geographic locations, or refuse shipments to countries known to harbor online identity thieves.
Visa and other credit card companies need to understand that the security measures they have previously put in place are now outdated in today’s Internet market. They put both consumers and the merchants that want to provide good service to their customers at risk due to the weak measures they employ to protect consumers from fraud.
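The merchant-side controls listed above can be expressed as a pre-authorization order screen; the following is an added example, not code from the original answer or from Visa. The `Address` fields, the reason codes and the `ALLOWED_SHIP_COUNTRIES` set are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Assumed policy value: the countries this hypothetical merchant ships to.
ALLOWED_SHIP_COUNTRIES = {"US", "CA"}

# Matches "PO Box", "P.O. Box", "P O Box", "Post Office Box" and "POB".
PO_BOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box|pob)\b", re.I)

@dataclass(frozen=True)
class Address:
    street: str
    city: str
    region: str
    postal_code: str
    country: str  # ISO 3166-1 alpha-2 code

def _norm(addr):
    """Canonical form so case, punctuation and spacing do not cause false
    mismatches. Abbreviations ("St" vs "Street") still differ and need an
    address-verification service to reconcile."""
    parts = (addr.street, addr.city, addr.region, addr.postal_code, addr.country)
    return tuple(re.sub(r"[^a-z0-9]", "", p.lower()) for p in parts)

def screen_order(billing, shipping):
    """Return the reasons to decline an order; an empty list means it passes."""
    reasons = []
    if _norm(billing) != _norm(shipping):
        reasons.append("billing_shipping_mismatch")
    if PO_BOX_RE.search(shipping.street):
        reasons.append("po_box_shipping")
    if shipping.country.strip().upper() not in ALLOWED_SHIP_COUNTRIES:
        reasons.append("ship_country_not_allowed")
    return reasons

if __name__ == "__main__":
    # Constructed sample data.
    billing = Address("12 Elm St.", "Springfield", "IL", "62701", "US")
    shipping = Address("P.O. Box 991", "Springfield", "IL", "62701", "US")
    print(screen_order(billing, shipping))
```

Returning every failed rule, not just the first, lets the merchant log which control fired and route borderline orders to manual review.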