Walmart Pay Puts A Spotlight On Customer Identity Management Weaknesses

The recently introduced Walmart Pay service shows great promise as the company tries to compete with other online retailers, such as Amazon. I am delighted to see this effort towards providing a better customer experience. After trying out the service and seeing how it ties into my only customer profile, I concluded that the company has a lot to improve to protect its consumers.

The "How To Register To Use Walmart Pay" video left me wondering if users can actually use simple passwords such as "password" shown in the clip. To my surprise, the service allows passwords as short as six characters and limits the maximum password length to 12 characters for no good reason. Common password complexity rules are nonexistent, as I was able to set mine temporarily to "123456". This password ranks right behind "password" on the list of most commonly used passwords.

This lax password policy is in stark contrast with the recommendation on Walmart's own site. The table below shows how Walmart compares to other online retailers:

| Merchant | Minimum length | Maximum length | Complexity rules |
|---|---|---|---|
| Amazon.com | 8 | 120 (!) | none |
| Jet.com | 8 | not defined | at least 1 uppercase letter, 1 lowercase letter, 1 digit |
| Target.com | 8 | 20 | at least 1 number, special character, or capital letter |
| Walmart.com | 6 | 12 | none |

Even though payments via the Walmart iOS app are protected by a PIN, I am still baffled by the registration video. It suggests that "1111" is an acceptable code that provides sufficient security to protect against unauthorized payments. Visa's Issuer PIN security guidelines from 2010 (!) provide succinct recommendations about numbers to avoid:

"Select a PIN that cannot be easily guessed (i.e., do not use birth date, partial account numbers, sequential numbers like 1234, or repeated values such as 1111)"

There are no restrictions on reusing old passwords either, as I was able to reset the password to my old (and more secure) value.
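
The Visa PIN guideline quoted above can be enforced as a check at PIN registration. The following Python code is an added example, not code from Walmart or Visa; the function name, the 4-digit minimum, and the sample birth date and account number used with it are assumptions constructed for illustration.

```python
from datetime import date
from itertools import permutations


def weak_pin_reasons(pin: str, birth_date: date, account_number: str) -> list[str]:
    """Return why a PIN violates the quoted guideline (empty list = acceptable)."""
    # Assumption: PINs are ASCII digits, at least 4 long.
    if not (pin.isascii() and pin.isdigit()) or len(pin) < 4:
        return ["not a numeric PIN of at least 4 digits"]

    reasons = []
    digits = [int(c) for c in pin]

    # Difference between neighbouring digits, modulo 10, so that wraparound
    # runs such as 8901 or 1098 are also treated as sequential.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps == {0}:
        reasons.append("repeated value")          # e.g. 1111
    elif steps in ({1}, {9}):
        reasons.append("sequential numbers")      # e.g. 1234 or 4321

    # Birth date: any ordering of day, month and 2- or 4-digit year,
    # e.g. MMDD, DDMM, YYYY, MMYY, DDMMYY.
    day, month = f"{birth_date.day:02d}", f"{birth_date.month:02d}"
    year = f"{birth_date.year:04d}"
    parts = [day, month, year[2:], year]
    date_forms = {"".join(p) for n in (1, 2, 3) for p in permutations(parts, n)}
    if pin in date_forms:
        reasons.append("birth date")

    # Partial account number: the PIN appears as a run of digits in the
    # account number (separators such as spaces or dashes are ignored).
    account_digits = "".join(c for c in account_number if c.isdigit())
    if pin in account_digits:
        reasons.append("partial account number")

    return reasons


if __name__ == "__main__":
    # Constructed sample customer data, not real values.
    born, account = date(1985, 7, 15), "4000 0025 7391 8642"
    for candidate in ("1111", "1234", "0715", "8642", "7295"):
        print(candidate, weak_pin_reasons(candidate, born, account) or "ok")
```
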

Advanced security features available at other e-tailers are also missing from Walmart accounts. Amazon.com has allowed Multi-Factor Authentication on both customer and Amazon Web Services accounts. Users of Amazon Payments accounts must also answer security questions at the time of registration to protect their accounts, and Walmart has implemented nothing of the sort.

Even after noticing all these flaws, I tested Walmart Pay in store. Let’s just say that the only positive thoughts I had afterwards were, “At least I tried.” The application had no problem scanning the QR code displayed on my screen, and the payment went through successfully. However, the cashier realized that she had accidentally scanned an item from the customer behind me as well, and had to make adjustments. In other words, I had to redo the payment, and this time I couldn’t use the app. I had to pull out my credit card to pay, proving this “convenient” system was an insecure inconvenience. It has potential and is a step in the right direction for the company, but until improvements are made their attempts are not worth fussing over.