If you read the 3D Secure specification you soon realize that 3D Secure is a "PIN-code terminal" on the Web. It odd to note that the Internet- banks in Scandinavia with their maybe 7 million Internet-bank users, essentially have 3D running since a couple of years back but using an entirely different approach. In the scandinavian systems, the transaction request is redirected not to a puny pop-up, but to the Internet-bank that _replaces_ the web-shop. Then the payment is carried out in the bank-environment. I think this is a better approach and is much more extensible as an information-rich version of 3D could be used also in P-card operations from a purchasing system.
Note that this difference is only governed by a few HTML-tags, but with huge consequences for the user. In 3D it is up to the Merchant to issue pop-ups or not, although it seems to me belong to the "issuer domain". Cheers, Anders
