This is an issue with any domain-verified TLS certificate, which make up the overwhelming majority of certificates in use. Only CAs which offer organization-verified (OV) or extended-verified (EV) certificates, typically at exorbitant prices, does the TLS certificate attest the publisher of the website.
> Only CAs which offer organization-verified (OV) or extended-verified (EV) certificate, typically at exhorbitant prices, does the TLS certificate attest the publisher of the website.
Even so, I’ll expect financial institutions to have that.
Note: I’m not saying the above is a Cloudflare issue, perhaps someone at Visa was being stingy - I’m just saying it’s an issue and would be bad if that becomes the mainstream.