Does MasterCard's SecureCode Protect Cardholders or Merchants?
The basic idea behind MasterCard's SecureCode program is that a cardholder can attach a personal message and a password (the SecureCode) to their credit card. When the cardholder attempts to make a purchase using the card at a merchant that supports SecureCode, the payment processor--not the merchant--presents their personal message and asks them to enter their SecureCode. After authenticating the SecureCode, the payment processor completes the transaction and the cardholder goes on their merry way. If authentication fails, the charge is declined and the transaction is cancelled. Bottom line: SecureCode is a way for the card processor to authenticate the cardholder.
For merchants, it could help eliminate chargebacks due to unauthorized transactions, since most chargebacks are caused by cardholders saying, "I didn't buy that." For cardholders, it may provide added security for their card in the form of a "secure code", which is basically a password that the merchant never sees. This would reduce the risk associated with a card number falling into the wrong hands.
There are a few problems, however. Until all merchants support it, SecureCode does only a little to protect the cardholder and more to protect the merchant. In fact, if cardholders don't pay attention or forget what their personal message was, they could be tricked into entering their SecureCode into a malicious interface. The result of this would be even worse than not having SecureCode on their credit card in the first place, because the merchant, bank and MasterCard can all say, "Well, you entered your SecureCode so it must have been you." The result would be to penalize the cardholder.
So should people use SecureCode? Well, that depends. If you are the paranoid type who will choose a unique personal message and a strong SecureCode, and you are not likely to get tricked into accidentally providing your SecureCode to someone with malicious intent, then it's probably worth it. If, however, you are a novice web user who always forgets your passwords, doesn't know what phishing means, just clicks OK on every system message you are presented with and is generally disorganized when it comes to record keeping, SecureCode might do more harm than good. Personally, I'm a fan of virtual account numbers that expire after a short time or have low credit limits or both.
Some things to remember:
- The personal message is your way of knowing that you are communicating with the right entity, so choose a good one that you will remember.
- The SecureCode is a password, so all the rules that apply to passwords should be applied to your SecureCode.
- geekwisdom's blog

