A password that is exchanged, by the cardholder with their card-issuing bank, at the time of the transaction. The transactions may then be authorised by the retailer with the potential for the liability to shift to the bank.
3D-secure relies upon the integrity of the password being maintained, and a threat to this is the number of times that users need to use passwords when trading on the Internet:
Username and password to log onto computer
Username and password to log onto ISP for Internet access
Username and password for internet banking
Username and password to log onto many e-commerce sites (without one you cannot trade)
Card number and 3D-Secure password to do business at the bank's risk this will make the banks nervous, despite the technology working well at face value.
Many users have one or two passwords which are used for everything hence increasing the chance of compromise
Conclusions: VbV works well particularly when combined with CV2 and AVS. The liability shift has caught the headlines and rightly so, except the rules are complicated.
3D-Secure requires a high level of adoption by cardholders to be successful. The trouble being that those customers that do not register for whatever reason may be treated as potential fraudsters. That may be acceptable from a bank's perspective but it certainly is not from a retailer's. Use 3D-Secure but be prepared to authorise the transaction using merchant risk ECI indicator.
Any retailer trading in CNP channels must take responsibility and implement systems designed to help them manage their risk by understanding exactly who they are dealing with. A first step is to stop considering it a payment issue and start regarding it as: Shoplifting with home delivery!
Last year UK retailers spent an estimated £100 million pounds delivering stolen goods to fraudsters!