
EMV is all very well and good (to be clear, without a cryptogram the payment can't be charged), but it falls down because of the requirement for backwards compatibility. For physical, retail transactions the easy way out of this is a liability shift (make the retailer liable for any fraudulent transactions that aren't run using EMV), but it's much harder for card-not-present (online) transactions, where people just type in card numbers and go.



For cardholder-not-present transactions there's 3D Secure[1], which sits in the middle of online transactions. Customers fill in their details on the merchant's site, then redirect to a service run by their card provider which asks for some form of authentication that only the provider knows about, and then a token is passed back to the merchant which can be used to authenticate the transaction.

Much as in-store transactions which aren't conducted with Chip & PIN transfer liability to the merchant, online transactions without 3D Secure will also transfer liability, giving merchants a potentially hefty incentive to verify the customer's identity.

[1] http://en.wikipedia.org/wiki/3-D_Secure
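An added example (my own code, not from the thread, the 3-D Secure specification, or any issuer's implementation) modelling the redirect-and-token flow the comment above describes: the merchant collects card details, hands off to the issuer, the issuer challenges the cardholder, and a token comes back that the merchant must present when the charge is authorised. Everything here is an assumption for illustration: the issuer runs a one-time-code challenge, the token is an HMAC over the merchant id, amount and card reference under a key shared between the issuer and the verifying side (the real protocol's authentication value and message routing are more involved), and the card number is a constructed test value. The point the code makes is that the token is bound to one specific charge, so a merchant who gets it cannot reuse it for a different amount.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a key shared by the issuer (which mints tokens) and the party that
# later verifies them during authorisation. Constructed for this example.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"

# Issuer-side state: challenge id -> transaction details and expected one-time code.
_pending_challenges = {}
_expected_codes = {}


def merchant_start_checkout(pan_last4, merchant_id, amount_cents):
    """Merchant collects details and builds the payload sent to the issuer."""
    return {"pan_last4": pan_last4, "merchant_id": merchant_id, "amount_cents": amount_cents}


def issuer_begin_challenge(payload):
    """Issuer records the pending transaction and issues a one-time code.

    Returns (challenge_id, code). The code would go to the cardholder out of
    band (e.g. SMS); it is returned here only so the example can be run offline.
    """
    challenge_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_challenges[challenge_id] = dict(payload)
    _expected_codes[challenge_id] = code
    return challenge_id, code


def _token_for(details):
    """Keyed MAC over the canonical transaction details (merchant, amount, card)."""
    msg = json.dumps(details, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issuer_complete_challenge(challenge_id, code_entered):
    """Cardholder answers the challenge; on success the issuer mints the token.

    The challenge is single-use: state is removed whether or not the code matches,
    so a wrong guess cannot be retried against the same challenge.
    """
    expected = _expected_codes.pop(challenge_id, None)
    details = _pending_challenges.pop(challenge_id, None)
    if expected is None or details is None:
        return None
    if not hmac.compare_digest(expected, code_entered):
        return None
    return _token_for(details)


def verify_authorisation(payload, token):
    """Verifying side recomputes the MAC over the details the merchant is charging.

    Any change to merchant id, amount or card reference produces a different MAC,
    so the token only authorises the transaction the cardholder actually approved.
    """
    if token is None:
        return False
    return hmac.compare_digest(_token_for(payload), token)


def run_flow(code_is_correct=True, tamper_amount=False):
    """Drive one end-to-end checkout and report whether authorisation succeeds."""
    payload = merchant_start_checkout("4242", "shop-123", 4999)  # constructed values
    challenge_id, code = issuer_begin_challenge(payload)
    entered = code if code_is_correct else "000000" if code != "000000" else "999999"
    token = issuer_complete_challenge(challenge_id, entered)
    charged = dict(payload)
    if tamper_amount:
        charged["amount_cents"] = 49999  # merchant tries to charge more than approved
    return verify_authorisation(charged, token)


if __name__ == "__main__":
    print("honest flow:", run_flow())                       # True
    print("wrong code:", run_flow(code_is_correct=False))   # False
    print("amount tampered:", run_flow(tamper_amount=True)) # False
```

The two failure cases are the ones that matter for the liability argument in the comment: a wrong code means the issuer never minted a token, and a tampered amount means the token the merchant holds does not match the charge being submitted, so neither transaction can be presented as issuer-authenticated.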


I hate this model. Try to buy something, get redirected to a 4th party (not the retailer, buyer or the bank / card issuer) and get asked to enter private secret information. It teaches all the wrong things about security.


In the Australian Commonwealth Bank's implementation, this is a code that they SMS to my phone. No personal details, just MFA. Works pretty well.

Edit: Also, it isn't a 4th party, the bank runs the service themselves.


I'd be happy with that but it doesn't match the experience I have with my credit card (or my debit card but I barely use that at all).


Well yes, for physical transactions there is the back compat issue, but hopefully as more countries take up the scheme (hint hint USA) we'll have less and less need of fallback.

I agree that a system for verifying/authorising specific amounts for online transactions would be a good thing, and I agree that the "here's my card info, charge what you like" model is a bad one.



