
Vendors do that because they’re left holding the bag in chargebacks. Addresses are de facto knowledge-based authentication questions in lieu of dynamic credit card codes.


Isn’t 3D Secure a thing in the US?

I have a little app on my phone from my credit card company where I confirm when I am really buying something and it looks more secure than relying on fraud detection.


3D Secure trains customers to type their bank login into popups!

It shifts fraud loss liability onto the customer, who is even less prepared to deal with it than the merchant. Only a few merchants tried it, like Newegg.com. It flopped because the hit to conversion was more than the fraud prevention. It usually fails open (allows transaction to proceed). Merchant-side fraud detection is inherently inferior to the bank doing fraud filtering, but banks don't care. Not their liability, not their problem.


If that happens then it's definitely an issue, but I've had a couple cards with 3D Secure for about 6-7 years and it's always 2FA using an app ("Did you really buy X at vendor Y?") or, before that, with a keychain hardware token.

I wonder if there are rules depending on which country. When I worked for a small-time credit card "vendor" we could put pretty much anything we wanted in our iFrame.


3DS1 isn't because it leads to unacceptable cart abandonment rates, but 3DS2 is designed to address that problem by using SMS or app-based authentication for only high-risk transactions, instead of username and password for every transaction.

SCA is therefore likely to become a requirement in the US once it's reached maturity in Europe, as we saw with EMV.

Further reading: https://www.jonesday.com/en/insights/2020/12/strong-customer...


Hopefully this results in the elimination of credit cards. Vendors should ideally switch to Lightning-based settlement or something.



