
The whole reason this is required is that credit cards are inherently insecure, requiring just a number and an expiration date. EMV was supposed to fix this at card level, but missed the importance of online payments completely.

In Europe, where debit cards are the de-facto standard, most online shops use a payment aggregator, which forwards your payment request to your own bank's online banking platform, where you then have to confirm it. Sometimes this uses a cryptographic challenge/response from the chip card, but more and more it is just your phone and banking app scanning a QR code and validating the payment there.

This completely sidesteps the insecurity of credit cards: there is nothing to steal.

I like the Blik system we have in Poland. It requires you to use your bank's app to generate a 6-digit, single-use code that's valid for two minutes. That's the only piece of information you give to the merchant, so transactions are fully anonymous (as far as the merchant is concerned). They can't even link transactions from the same account.

After the code is processed, you get a request on your phone with the merchant's verified name, the transaction amount, and the title of the transaction. You're able to deny this request, so it's perfectly safe to give your code to someone you don't fully trust, e.g. to let a child buy something, or when it's simply more convenient for someone else to make a purchase that you still want to pay for. That happens surprisingly often in families: you're talking about a particular product, one person looks it up and is ready to purchase, but you're the one who actually wants it. You also don't have to worry about the security of the device you're entering the code on.

Of course, since entering a code is so easy, this also often works in ATMs and shops. You don't need fancy, super-secure hardware to process BLIK transactions; anything with a keypad and an internet connection will do.
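The code-then-approve flow described in the comment above, as an added toy model of the bank's side (not BLIK's actual implementation, whose internals are not on this page). The account names, merchant name and amounts are constructed sample values; the clock is injectable only so that the two-minute expiry can be exercised.

```python
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120  # the comment says codes are valid for two minutes


@dataclass
class IssuedCode:
    account: str      # known only to the bank, never sent to the merchant
    issued_at: float
    used: bool = False


class BankBackend:
    """Bank side of a BLIK-style flow: issue a code, accept a merchant request, ask the user."""

    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable so expiry can be tested offline
        self.codes: dict[str, IssuedCode] = {}   # toy model keeps every code ever issued
        self.pending: dict[str, dict] = {}       # account -> request awaiting user decision

    def issue_code(self, account: str) -> str:
        """6-digit, single-use code drawn from a CSPRNG; the loop avoids a live collision."""
        while (code := f"{secrets.randbelow(10**6):06d}") in self.codes:
            pass
        self.codes[code] = IssuedCode(account, self.clock())
        return code

    def merchant_submit(self, code: str, merchant: str, amount: str, title: str) -> str:
        """The merchant forwards only the code plus what it wants the user to approve."""
        entry = self.codes.get(code)
        if entry is None or entry.used:
            return "rejected: unknown or already used code"
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            return "rejected: code expired"
        entry.used = True  # burn the code now, even if the user declines below
        self.pending[entry.account] = {"merchant": merchant, "amount": amount, "title": title}
        return "pending: awaiting approval in banking app"

    def user_decision(self, account: str, approve: bool) -> str:
        """Mirrors the push notification: verified merchant, amount, title, then the answer."""
        req = self.pending.pop(account, None)
        if req is None:
            return "nothing pending"
        verdict = "approved" if approve else "declined"
        return f"{verdict}: {req['merchant']} {req['amount']} ({req['title']})"
```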


Oh my god, this is SO COOL! This is even better than that Google Pay virtual card something something. Are there other countries in the EU which have similar mechanisms?


Most countries redirect you to your bank's website and require you to log in (often with a token/mobile app as the 2nd factor). This is still better than credit card numbers, but not as good as Blik.


Until you get payment processors, mostly US based, which still don't follow the standards.

I have to click the dangerous-sounding "Open card to ALL internet purchases for 60 minutes" button every time I buy a game on Steam, otherwise my bank simply declines it. All Stripe gateways used to be like that, but fixed it two years or so ago.

I think Amazon.se got around it somehow; last time it worked without 3D Secure, which was surprising since .co.uk and .de usually required opening the card. I'd guess they are on the hook if any fraudulent transactions happen, though. Amazon's interface for dealing with failed transactions at least used to be horrible, since you would actually get past the checkout, but then be forced to find the order somewhere in the lists and retry the transaction from there, instead of simply failing visibly at the checkout like any normal webshop.


> which forwards your payment request to your online banking platform of your own bank

This has started happening for me in the US with my Visa card.


That is 3D Secure, which is just an additional authentication level on top of regular credit cards. It protects merchants from accepting stolen credit cards, but doesn't really protect the card holder from a malicious merchant.


Nor does it need to. The card holder has a more powerful weapon: chargeback.


3D Secure should be mandatory.


3D Secure sucks. I have to remember some other damn password. It happens rarely enough that it's even worse than if everyone did it, because I have to go check what the password is first. You can basically check whether someone hacked me: the hacker would not take 2 minutes to answer the 3D challenge...

