CYBERSPACE — Though undoubtedly Visa and MasterCard are trying to make the cybersphere more secure for people who like to use their credit cards online, the companies’ latest methods to accomplish that laudable goal actually may be making the situation worse for both merchants and shoppers.Two similar programs framed by the companies as providing an extra layer of security between buyers and fraudsters frequently are reported as installing an extra layer of frustration.

Here’s the problem: Verified by Visa and SecureCode are third-party services that link into merchants’ shopping pages via a pop-up window or iFrame. Buyers seldom realize a merchant participates in the sometimes-voluntary programs until they’re asked to enter their VbyV or SecureCode code into one of the forms — which look suspiciously like phishing traps. In fact, several phishing schemes employing fake VbyV or SecureCode interfaces have been reported.

Here’s where the situation goes from bad to worse: If a buyer declines to enter his or her code in a suspicious interface, the transaction is declined. On the other hand, if they enter their code and the code is ripped off by a fraudster because the interface actually is a phishing scheme, the transaction may or may not go through, but subsequent transactions for which the phisher now has the user’s VbyV or SecureCode code suddenly become the defrauded buyer’s responsibility instead of Visa’s, MasterCard’s or the acquiring bank’s. Because the code was used and only the cardholder is supposed to have the code, the transactions are considered legit and will not be charged back.

In other words, buyers are damned if they do and damned if they don’t utilize the darn codes.

Some acquiring banks have mandated use of VbyV and SecureCode technology. The services are little publicized and consumers are not allowed to opt out. The authorization schemes are part of a security protocol known as 3DSecure, which requires three components be entered in order to complete a transaction: card number, CVV code and VbyV or SecureCode. The system is based on the notion that if two identity checks are better than one, then surely three are better than two.

Consumers are not amused. One commenter at The Register’s website noted, “Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the cardholder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the cardholder. It is as simple as that.”

Visa will not say what percentage of its member banks have made VbyV compulsory for online transactions or what percentage of VbyV transactions have decried as fraudulent. However, it is more than happy to promote the benefits it perceives in the product.

“Visa does always recommend best practice when shopping online, such as Verified by Visa, and that cardholders are vigilant when using their card whether it be in traditional or online retailers,” the company noted in a prepared statement. “Verified by Visa is easy and quick for consumers to sign up to, and we believe most consumers and merchants welcome extra security measures designed to prevent fraud.”