Verified by VISA

So while checking out at newegg.com with my dual-core bundle o’ joy, I got asked (or rather demanded) to sign up to “Verified by VISA” as a required part of the checkout process. So I grumbled, because it was another hoop to jump through between me and my new toy, and another damn password to remember, but failure to do so would result in the loss of a shopping cart that took hours of research and planning to assemble, so I signed up. The official story of how this works is, the first time you shop at a VbV site you create a password which is tied to your credit card number. Now every time you shop at a VbV site, it asks for your password in addition to credit card number, allowing the site to reject a buyer who doesn’t have the password. But does it really protect the cardholder from fraud?

I may be biased somewhat on this issue, since I’ve been personally credit-frauded once (full story by clicking here, here, here, and here in that order) and know others who have (AL at work was hit twice in as many months). But it seems like this measure not only will do sweet FA to limit fraudulent use of a stolen card number*, but could actually be detrimental to the cardholder. Upon more careful review of the TOS, the following caught my attention.

(Obligatory warnings: The following represents my own interpretation of the Verified by Visa Terms of Service (TOS), for which I am contacting VISA for clarification. I am not a lawyer, and this is not legal advice. I could be wrong. No lifeguard on duty, yadayada…)


7. CARDHOLDER PASSWORD AND SECURITY

You are solely responsible for maintaining the confidentiality of your password, Registration Data and other verification information established by you with Verified by Visa, and all activities that occur using your password, Registration Data or other verification information supplied to or established by you with Verified by Visa. You agree not to transfer or sell your use of, or access to, Verified by Visa to any third party. You agree to immediately notify our customer service department at 1-800-318-9617 for debit cards and stored value cards, or 1-877-262-8636 for credit cards of any unauthorized use of your password or other verification information, or any other breach of security. You acknowledge and agree that, except as otherwise provided by Applicable Law, we shall not be liable for any loss or damage arising from your failure to comply with this TOS. Transactions made with your password through Verified by Visa will be deemed to have been authorized by you.

(All bolded sections are emphasis added by me. Note that, as is my interpretation of the above, a compromised password could be construed as a “failure to comply with this TOS”, as it pins responsibility for the password solely on the user.)

So this means for me, the dear consumer:

  • Explicitly ON-HOOK for any fraud committed with the password.
    (Time was, if some pimply-faced IT-guy at Best Buy snarfs the credit card database and buys himself a big-screen TV, the cardholder is (by federal law) only on the hook for the first $50, and usually even that is waived.) It remains to be seen whether these rights will be considered waived by agreeing to the VbV contract.
  • Another damn password to remember.
    Verified by Visa’s 8-character limit and other restrictions mean I can’t use my ‘secure tier’ password**, which is burned into my memory – I have to write this one down somewhere, which, no matter where and how this is done, is less secure than not having a written-down password.
  • No additional security whatsoever.
    If the thief snarfs the password… He shops anywhere he damn well pleases. Since he has the valid VbV password, some of the usual sanity checks (billing/shipping address match or shipping address on file, statistically anomalous usage patterns, etc.) may be bypassed.
    If the thief doesn’t have the password… he shops *almost* anywhere he damn well pleases. As I’ve been a cardholder for 8 years and this is the first time I’ve heard of Verified by VISA, my experience thus far is that a relatively small percentage of sites actually implement this. The thief simply shops at the numerous sites that don’t. Of course, that’s only if the cardholder has stumbled across one that does first, and had to sign up. If not, the thief still shops anywhere he damn well pleases.

So there’s my (non-lawyer) take. I’ll keep you posted on what VISA has to say about the bolded TOS items and their effect on cardholder liability.

* until every site on the planet uses it. I’m guessing this will happen for VbV at about the same time as it does for IPv6.

** Password tiers. Is it more secure to have 3 or so “master passwords” for different tiers of security (a small enough number that they can all be remembered, not written down), or a different password for every service, web site, bank, phone/voicemail account, and etc. (dozens or hundreds) which are far too numerous and rarely-used to be remembered? I won’t state for the record which method(s) I use, but junk logins (e.g. New York Times, or other places that make you register for the sake of having registered) tend to have the password ‘password’ as a matter of general fuck-you.

5 Responses to “Verified by VISA”

  1. Tom Joad says:

    I had the same experience on New Egg. I too was annoyed by the unexpected intrusion, and the onerous TOS. However, rather than sign up, I managed to skip that page. I may have simply closed my browser; I don’t recall.

    However, while I did not complete the VbV thing, my order was still processed by New Egg.

    Later (a year?), I went to order again from New Egg, having forgotten about the VbV thing, and did the same thing. I just back-buttoned to my account, or closed the browser, but whatever I did, the order was placed with no actual VbV confirmation process.

    Overall, this seems like a good deal for merchants and Visa, but offers nothing new for consumers. And the requirement that use of the VbV password constitutes approval by me is evil. (Seems to me that if VbV is actually safe and secure, then that would not be needed.)

  2. Mike says:

    I agree with each of your takes on VbV but personally I enjoy the service and hope more sites use it. The service itself is deployed by the bank through the merchant website. It’s almost status-quo at all electronics sites.

    I use it all the time at TigerDirect.com, NewEgg, and Continental Airlines.

    My now ex-wife tried to use my card at Dell last year. Because she couldn’t complete the purchase due to VbV I saved myself several nice size payments on that Latitude. I loved that phone call. Now she’s stuck with my old Inspiron but she did get the house.

  3. I agree. Chances are if one has your credit card number he might as well have your additional password. Doesn’t really improve the security that much.

  4. elyse says:

    my bank wells fargo says they never use card verification and it is fraud! the vendor (western union and champion calling card) says definitely wells fargo does use the card verification. whom do i believe?

  5. Anonymous says:

    I just had an “issue” with the vbv thing, I tried to order a monitor for someone with their card, after checkout it came up to that screen asking for the password, which he didn’t know he had even set up, but what happened because he got his account locked, the charge was reversed from his card, or actually DENIED by the bank, but for some reason newegg shipped him the item and never contacted him again, so really he was happy because it was umm kinda free….but really it wasn’t (He doesn’t know anything of this..), because right after it had denied it, I then took his money put it in my bank and ordered another one but actually it came to my address and then his came to his address, and I never told him that I had gotten one at my house….so actually I got one free..

    I blame it all on the VBV system..
