Over the last couple of weeks I've felt it necessary to backtrack e-commerce submissions, to three different companies, because:
- one site wanted my mother's maiden name, as well as all the usual credit card details;
- one site's card processing agency, rather than the issuing bank (as determined by the SSL certificates), requested my Verified by Visa password;
- one site's system wouldn't tell me who the actual courier would be, at least not before I had committed to a contract, but required unspecified ID to be provided before they would send to a work address, and required an email to find out how to provide it. I'm still waiting for the reply to the email.
Before I go into details, the real answer to the question in the subject is probably no, at least for the first two cases, as the general public will not appreciate the security issues. The only winners will be the con artists, for whom social engineering will be made easier.
All these companies were seemingly reputable UK companies.
The maiden name wasn't even asked for the payment system, but was a condition for entering it. It was the lost password recovery password for their "customer relationship" system. I really don't like having to register in CRM systems if I'm only making ad hoc purchases. I hope the security implications of mother's maiden name are obvious.
Verified by Visa is promoted as using the challenge phrase to confirm that you are really talking to the issuer, but anyone who has the information you have already given can find that, so the only way of checking properly is to verify SSL certificates (caution: some banks use pages with certificates belonging to Cyota Inc, although not the one in this case - if the certificate doesn't match your bank, you should not rely on what I just wrote here about Cyota as this is not a secure channel from your bank).
What happened in this case is that the card processing agency copied the bank's form into their form. It did actually purport to submit to the bank, but, without extensive checking, that could have been subverted by checking. In any case, they had to handle the clear text challenge phrase to do this.
They are actually one of the major UK agencies, who have recently changed their name, something that you also shouldn't do, as it breaks the trust relationship. The e-tailer did link to them from a secure page, so there was trust there.
Fortunately, in this case, the company also accepted BACS.
The third case is really one of a secure system getting in the way, although it could be partly mitigated by giving complete shipping details up front. The main security risk here stems from the fact that the key product in my order can be obtained about 30% cheaper by ordering from some slightly dodgy looking US companies. Being US companies, the UK business names rules don't apply and you can't easily associate the web site with a geographic address and company registration.
By making place of work delivery difficult, they are making it so that I would have to wait for the failed delivery card and then go to the depot, to collect. Without knowing the courier in advance, I don't know how difficult it will be to get to the depot, or whether there is a risk of having the delivery returned before I can get there. Also, there is no signature at the door.
I didn't get as far as their Verified by Visa system, but the card processing agency was a total unknown to me, and there was no warning about who they used on the web site, and presumably none on their offline literature. I forgot to note whether the link to the agency was secure.
So, all my recent purchase attempts have either encountered overbearing security measures, some of no direct benefit to the customer, or security measures that are actually insecure.