Problem solve Get help with specific problems with your technologies, process and projects.

Online password security: Are Verified by Visa-like programs enough?

Randall Gamby offers additional security measures enterprises can employ to supplement their existing password-reset process.

I've read about some security concerns relating to the Verified by Visa program, specifically that it's often trivial for a criminal with access to a credit card to reset the user's online account password and conduct authorized transactions. Our company is a merchant and outsources virtually its entire payment-processing ecosystem to avoid problems like this, but is there a way to add greater security to the password-reset process without a huge infrastructure change?

Ask the Expert!

Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)

The Verified by Visa program, as described by the credit card giant is, "an extra layer of security at the point where you enter credit card information online." It requires the user to input an additional password to help prevent unauthorized use of a credit card. That way, should someone steal the card and try to use it to make purchases from an online merchant before the cardholder is aware of the theft, without the additional password, the card should be rendered useless. However, some security experts have criticized Visa's password mechanism, saying it is trivial for a savvy attacker to reset a user's password.

Unfortunately, as a merchant, you likely have little influence in altering any element of the Verified by Visa program, especially the more technical elements like online password security capabilities, other than voicing displeasure directly with Visa and asking a stronger process be put in place.

However, there are certain controls you can implement to help the consumer in protecting their transactions. You can refuse to process transactions where the billing and shipping addresses are different; you can require a physical shipping address (no P.O. boxes) for shipping; and, depending on your market, you can limit shipments to specific geographic locations, or refuse shipments to countries known to harbor online identity thieves. 

Visa and other credit card companies need to understand the security measures they have previously put in place are now outdated in today’s Internet market. They put both consumers and the merchants that want to provide good service to their customers at risk due to the weak measures they employ to protect consumers from fraud. 

This was last published in June 2012

Dig Deeper on Password management and policy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.