Loopholes in Verified by Visa & SecureCode

At issue is a security protocol called “3 Domain Secure” (3DS), a program designed to reduce card fraud and shift liability for fraud from online merchants to the card-issuing banks. Visa introduced the program in 2001, branding it “Verified by Visa,” and MasterCard has a similar program in place called “SecureCode.”

Cardholders who choose to participate in the programs can register their card by entering the card number, filling in their ZIP code and birth date, and picking a passcode. When cardholders go to use that card at a merchant site that uses 3DS, the shopper then enters the code, which is verified by the issuing bank and is never shared with the merchant site.

via Loopholes in Verified by Visa & SecureCode — Krebs on Security.