by makmanalp 3497 days ago
I've seen some horrific UI on some 3D secure implementations. Also, I've seen some websites refresh to a "loading 3D secure ..." page, only to somehow skip it and go further. If the merchant can just skip it and charge your card like a regular credit card, then what's even the point of having it?
5 comments

As another comment already pointed out, you are probably seeing your card issuer's risk-based 3D Secure system in action. If your system (IP address, location, user-agent) and/or the transaction (merchant, sector, amount) look familiar enough, some issuers let you skip the password/TAN entry. If they are doing it right, that's a good thing.
The worst I've ever experienced is the RuPay card network's (India) Second Factor. You pick an image out of a collection of thirty-odd images that you must select again at the time of every transaction. It also forces you to type your PIN via a shuffled numeric clickpad on the browser.
I believe that if buyer supports 3dsecure and merchant skips it, then he'll be the loser in case of a fraud.
The merchant can choose whether and when to use 3dsecure (at least in France). I work for a company that uses Paybox for online payments. We can set an amount above which 3dsecure is used, e.g. 20 EUR. I'm guessing the bank has to support 3dsecure, but they can't or at least don't impose it.
I work with fraud detection at an online travel agency. If you use 3D Secure and there is a fraud, your insurance will cover the cost of that transaction. As a merchant you may bypass (not use) that security feature at your discretion. 3D Secure is a Mastercard feature, no?
3dsecure works with Visa too. I don't know about AmEx, although I do know that for Point Of Sale payments we have to have a special bank contract (one for Visa / Mastercard and one for AmEx).

I suppose the merchant decides whether to use this or not by trying to find a balance between user experience and fraud risk.

In our case I think the limit is set right above the usual purchase amount (we sell movie tickets). It's low enough that a fraud wouldn't hurt us too badly and there's not much incentive for it either. Also, most of the clients don't have to fiddle with 3dsecure (in my case I would have to carry a fob around, which I never do), so it's a better experience for them.

If someone tries to buy a lot of tickets at once, they are more likely to be doing something fishy so we use 3dsecure.

I'm guessing that the page gets skipped when you're on a familiar IP address with a familiar cookie, or there are other factors where the bank decides more authentication is unnecessary.
10 years ago I got a Mastercard that for the first time required me to answer a 3D Secure question each time I did an online purchase. It's been at least seven years since I had to answer that question though. How 3DS figures my card carries no fraud risk I have no idea. Is my card less likely to get stolen? Perhaps they have geography as a metric?