3D Secure was mentioned in the other thread. Folks recommended avoiding 3D Secure / Verified By Visa because so many banks implement it insecurely, and the redirect model is easy for phishing scams to imitate:

https://www.hackerneue.com/item?id=10235328

That redirect will kill conversion rates too, being redirected to a site you didn't expect claiming to be your bank but not matching its URL... of course it will freak some people out. Consider that some banks make the Verified By Visa password the customer's birthday (i.e. something easily researched) and you quickly realize it's a horrible system.


Well, I used to be rather critical of 3D Secure until a few months ago. My wife's card (on our shared account) got compromised and a 300 euros or so payment was made with it. No 3D Secure enabled for her because she had not given her cell phone number to the bank.

Our bank refunded it alright, though it took about a month, but the next week I received an SMS with a 3D Secure confirmation number for a similar payment, in HKD, with my own card (by the way, the only place we used both cards for payments was Taobao). I was able to call my bank which blocked the card and quickly issued me a new one. At least in this case it both saved us, our bank and some unknown online shop, time and money.

Also, I think the smart way to do 3D Secure is what capitainetrain.com does: they use it only for the first payment of a customer (and explain what's going to happen during the payment process) and all subsequent purchases don't go through it (since the customer has already been verified as being legitimate). It only works when you expect customers to come back regularly, though.

These verification mechanisms don't freak people out once people are used to them. Pretty much anyone who uses credit cards to buy anything online in Europe will have encountered this system before and will be more suspicious if they don't see it!

Using customers' birthdate is indeed a very poor authentication mechanism, but even that is going to defeat the majority of fraudsters who are simply trying to bulk-authenticate a list of CC numbers. Personally, I don't give my real birthdate to any website unless they have a very good reason for knowing it.

My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.

But since the actual authentication mechanism is left up to the card issuer, there's nothing to prevent them using more advanced systems - like 2-factor authentication, hardware tokens, etc.

> My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.

How can the bank know what any of the letters in your password are unless they are storing it insecurely?

They could be storing a hash for each trigram in the password (assuming he meant three consecutive characters starting from a random offset). Although it might still leak information that could improve a brute force, I suppose.

It's not a good solution anyway. A phishing page could easily claim the entered password was wrong and ask for another one (starting at another offset). Most passwords are probably <= 9 characters, so you'd have the full password after 3 attempts.

It's not consecutive characters, it's a random set of three. One time it might ask me for the 1st, 6th, and 8th characters. The next time for the 6th, 7th, and 9th. Passwords are required to be at least 8 characters and contain a mix of letters and numbers.

Phishing attacks are difficult because the attacker would have to be able to determine which bank a card was issued by, and present the correct 3D Secure interface specific to that issuer. Many issuers also add a customer-personalised image or message to the interface to further reassure customers of authenticity.

This further suggests to me your bank is storing your password in plaintext or reversibly encrypted, which is not secure at all.

The only alternative I can think of is that they'd also create and store a hash of every possible three-letter combination based on your password which does not seem likely.
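A hypothetical implementation of the per-combination hashing the comment above speculates about, added here as an illustration and not any bank's actual code: at enrolment a salted slow hash is stored for every 3-position subset of the password, so a challenge such as "1st, 6th and 8th" can be checked without the full password ever being stored. The function names, the 1-based positions and the PBKDF2 cost are all assumptions of this example.

```python
import hashlib
import hmac
import itertools
import math
import os
import secrets

# Hypothetical scheme (constructed for illustration, not any bank's real
# implementation). Low round count keeps the demo fast; raise it in practice,
# because each entry protects only k characters and is cheap to brute-force.
PBKDF2_ROUNDS = 20_000

def _digest(salt, positions, chars):
    # Bind the positions into the hash so "sta" at positions (1, 6, 8)
    # does not also verify against a challenge for positions (2, 3, 4).
    msg = ",".join(map(str, positions)).encode() + b"|" + chars.encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ROUNDS)

def stored_hash_count(length, k=3):
    """Entries enrolment must store for a password of this length: C(length, k)."""
    return math.comb(length, k)

def enrol(password, k=3):
    """Store one salted hash per k-subset of (1-based) character positions."""
    if len(password) < 8:
        raise ValueError("password must be at least 8 characters")
    salt = os.urandom(16)
    table = {}
    for positions in itertools.combinations(range(1, len(password) + 1), k):
        chars = "".join(password[i - 1] for i in positions)
        table[positions] = _digest(salt, positions, chars)
    return {"salt": salt, "length": len(password), "k": k, "table": table}

def challenge(record):
    """Pick k distinct 1-based positions to ask for, e.g. (1, 6, 8)."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, record["length"] + 1), record["k"])))

def verify(record, positions, answer):
    """`answer` holds the characters for `positions`, in ascending position order."""
    positions = tuple(sorted(positions))
    expected = record["table"].get(positions)
    if expected is None or len(answer) != record["k"]:
        return False
    return hmac.compare_digest(expected, _digest(record["salt"], positions, answer))
```

Each stored entry covers only three characters, so anyone holding the table faces a far smaller search space per entry than for the whole password; a unique salt and a slow KDF narrow that gap but do not close it, which is the leak the comment above alludes to.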

How do you use the collected birthdate to reduce fraud?

Nobody collects the birthdate. It would be validated by the card issuer against their account records. The merchant doesn't see anything that happens during the 3D-secure part of the transaction.

Here in Belgium 3D-Secure is also commonplace, and the experience provided by my bank has significantly improved throughout the years. I also don't think it hurts the conversion of webshops around here because everybody is used to performing these extra steps.

It works as follows:

- Merchant redirects me to his payment provider

- I enter my debit/credit card number into the payment provider screen

- I am redirected to my bank website, and am able to verify the URL (no iframes anymore!)

- My bank has two methods of verification: scanning a QR-code with the mobile banking app on my phone, or logging into the online banking website (with a Vasco DIGIPASS 836, which requires a debit card+pin to generate an OTP)

- I verify the amount and creditor in the mobile/online banking app, and sign the transaction with my mobile pin/digipass.

- I am redirected back to the merchant.

All in all, I think it costs me 30 seconds to complete the extra 3D-Secure steps when using my mobile banking app.

Re: Conversion rates, as a consumer I have got used to it and it does not affect conversion for me at all.

Everyone uses it now in the UK and you always get redirected to the exact same page. I expect it, it doesn't put me off buying.

So it's a bad objection to the system, because once everyone's using it, it becomes the norm. Yes, there will be a dip in conversions to begin with as consumers are scared by the new page, but it will recover. Some people's implementation sucks, but that's a different matter.

I loathe verified by visa. I'll still buy from that site, but only in unusual circumstances. Verified by visa means I'd rather buy from somewhere else.

I'm in the UK and I'm used to it - used to it being a crock of shit.

It's a complete flip of a coin whether the dodgy collection of forwards and cookies and iframes will go wrong somewhere, and such failures are always handled in the most user-hostile ways. I can completely understand why Amazon and so many other retailers just don't bother with it.

Unfortunately the link I'm sharing here is outdated, but Verified By Visa is absolutely a conversion hit, even in the UK. The conversion rate hit was anywhere from 6% to 60% initially.

https://econsultancy.com/blog/3887-verified-by-visa-a-conver...

Visa's own documents now recommend only using Verified By Visa on transactions that look suspicious after running risk analysis, and cite that using it on all transactions was resulting in a 3-5% abandonment rate in the UK.

"Higher conversion rates – following the implementation, abandonment dropped from over 4% to under 1%"

http://www.visaeurope.com/media/images/44933_visa_vbv_case_s...

Some banks implementing 3D Secure/Verified By Visa/MasterCard do it by asking for a separate password.

Given how few sites actually implement it, it becomes a pain to use if you have to dig out the password or set it up on first use.

Sure, banks can do it really horribly (most of them), but some use it to force proper 2FA. For example, Nordea asks you to open their phone app and confirm the purchase (with a message that includes the total price) on there.
