So while checking out at newegg.com with my dual-core bundle o’ joy, I got asked (or rather demanded) to sign up to “Verified by VISA” as a required part of the checkout process. So I grumbled, because it was another hoop to jump through between me and my new toy, and another damn password to remember, but failure to do so would result in the loss of a shopping cart that took hours of research and planning to assemble, so I signed up. The official story of how this works is, the first time you shop at a VbV site you create a password which is tied to your credit card number. Now every time you shop at a VbV site, it asks for your password in addition to credit card number, allowing the site to reject a buyer who doesn’t have the password. But does it really protect the cardholder from fraud?
I may be biased somewhat on this issue, since I’ve been personally credit-frauded once (full story by clicking here, here, here, and here in that order) and know others who have (AL at work was hit twice in as many months). But it seems like this measure not only will do sweet FA to limit fraudulent use of a stolen card number*, but could actually be detrimental to the cardholder. Upon more careful review of the TOS, the following caught my attention.
(Obligatory warnings: The following represents my own interpretation of the Verified by Visa Terms of Service (TOS), for which I am contacting VISA for clarification. I am not a lawyer, and this is not legal advice. I could be wrong. No lifeguard on duty, yadayada…)
7. CARDHOLDER PASSWORD AND SECURITY
You are solely responsible for maintaining the confidentiality of your password, Registration Data and other verification information established by you with Verified by Visa, and all activities that occur using your password, Registration Data or other verification information supplied to or established by you with Verified by Visa. You agree not to transfer or sell your use of, or access to, Verified by Visa to any third party. You agree to immediately notify our customer service department at 1-800-318-9617 for debit cards and stored value cards, or 1-877-262-8636 for credit cards of any unauthorized use of your password or other verification information, or any other breach of security. You acknowledge and agree that, except as otherwise provided by Applicable Law, we shall not be liable for any loss or damage arising from your failure to comply with this TOS. Transactions made with your password through Verified by Visa will be deemed to have been authorized by you.
(All bolded sections are emphasis added by me. Note that, as is my interpretation of the above, a compromised password could be construed as a “failure to comply with this TOS”, as it pins responsibility for the password solely on the user.)
So this means for me, the dear consumer:
- Explicitly ON-HOOK for any fraud committed with the password.

(Time was, if some pimply-faced IT-guy at Best Buy snarfs the credit card database and buys himself a big-screen TV, the cardholder is (by federal law) only on the hook for the first $50, and usually even that is waived.) It remains to be seen whether these rights will be considered waived by agreeing to the VbV contract.

- Another damn password to remember.

Verified by Visa’s 8-character limit and other restrictions mean I can’t use my ‘secure tier’ password**, which is burned into my memory – I have to write this one down somewhere, which, no matter where and how this is done, is less secure than not having a written-down password.

- No additional security whatsoever.
If the thief snarfs the password… He shops anywhere he damn well pleases. Since he has the valid VbV password, some of the usual sanity checks (billing/shipping address match or shipping address on file, statistically anomalous usage patterns, etc.) may be bypassed.
If the thief doesn’t have the password… he shops *almost* anywhere he damn well pleases. As I’ve been a cardholder for 8 years and this is the first time I’ve heard of Verified by VISA, my experience thus far is that a relatively small percentage of sites actually implement this. The thief simply shops at the numerous sites that don’t. Of course, that’s only if the cardholder has stumbled across one that does first, and had to sign up. If not, the thief still shops anywhere he damn well pleases.
So there’s my (non-lawyer) take. I’ll keep you posted on what VISA has to say about the bolded TOS items and their effect on cardholder liability.
* until every site on the planet uses it. I’m guessing this will happen for VbV at about the same time as it does for IPv6.
** Password tiers. Is it more secure to have 3 or so “master passwords” for different tiers of security (a small enough number that they can all be remembered, not written down), or a different password for every service, web site, bank, phone/voicemail account, and etc. (dozens or hundreds) which are far too numerous and rarely-used to be remembered? I won’t state for the record which method(s) I use, but junk logins (e.g. New York Times, or other places that make you register for the sake of having registered) tend to have the password ‘password’ as a matter of general fuck-you.