In 2009, the Reserve Bank of India, made it mandatory to use Verified by Visa or Mastercard Securecode for all online transactions. This was a misguided (but well intentioned effort) to make online transactions more secure for all Indians, who were shopping using their credit cards on the internet. This was revealed in a new research paper by security researchers at the University of Cambridge.

However, due to the business practices of Visa and Mastercard, what is actually happening that this system allows the bank to push liability to the customer - in other words they can say “hey, only you knew the password.. and a fradulent transaction has taken place. We have done everything we can, so you pay up for the stolen credit card”.

However, Verified by Visa or Securecode, does NOT enforce the password system to be phishing safe or specified the connection strength for secure transactions. This lets a person be fooled by spoofing and there is no liability for the banks!

Are there better solutions - yes. Visa/Mastercard can make it mandatory to use a authenticator for all credit card transactions (Note: some banks in India provide this service, but this is only to log into the bank itself - not for any transactions).