
This is a solved problem in the Netherlands with iDEAL. Go to checkout, select your bank, authenticate at your bank's website with your credentials and 2FA (SMS/EMV CAP reader/QR code), confirm transaction details and you'll be redirected back to the web store. The wire transfer is not instant but it is guaranteed so the merchant can start shipping immediately.

See https://www.ideal.nl/demo/en/ for a demo.



In France we have 3D Secure: when you make the payment you are redirected to a page that belongs to the bank, you receive an SMS with a one-time code to validate the payment and are redirected to the merchant with the validation.

Quite efficient, but I think there are fees for the merchant in this case.


3D Secure is used to authorize credit card payments, while Sofort and iDEAL send wire transfers. Big difference.

With 3D Secure, you provide the normal card data (i.e. card number, expiration, name, CVV/CVC) to the merchant and are then redirected to an authentication form from your card issuer. There, you'll be asked to either provide a password or, as you described, input a confirmation code from a text.

With Sofort, you're entering your login data to your e-banking account on a login page served by Sofort. They, in turn, use it to log in to your e-banking using a simulated browser and send a wire transfer. You lose control, however, of what else they do: once they are logged in to your e-banking, they can check your previous transactions, send other transfers or they might change your mailing address...


As far as I know, 3D secure also works for debit cards. In many countries debit and credit cards use the same system (Visa/Mastercard). Have seen 3D secured payments several times for my UK debit Mastercard.


I've seen some horrific UI on some 3D secure implementations. Also, I've seen some websites refresh to a "loading 3D secure ..." page, only to somehow skip it and go further. If the merchant can just skip it and charge your card like a regular credit card, then what's even the point of having it?


As another comment already pointed out, you are probably seeing your card issuer's risk-based 3D Secure system in action. If your system (IP address, location, user-agent) and/or the transaction (merchant, sector, amount) look familiar enough, some issuers let you skip the password/TAN entry. If they are doing it right, that's a good thing.


The worst I've ever experienced is the RuPay card network's (India) Second Factor. You pick an image out of a collection of thirty-odd images that you must select again at the time of every transaction. It also forces you to type your PIN via a shuffled numeric clickpad on the browser.


I believe that if the buyer supports 3dsecure and the merchant skips it, then he'll be the loser in case of a fraud.


The merchant can choose whether and when to use 3dsecure (at least in France). I work for a company that uses Paybox for online payments. We can set an amount above which 3dsecure is used, e.g. 20 EUR. I'm guessing the bank has to support 3dsecure, but they can't or at least don't impose it.


I work with fraud detection at an online travel agency. If you use 3D Secure and there is a fraud, your insurance will cover the cost of that transaction. As a merchant you may bypass (not use) that security feature at your discretion. 3D Secure is a Mastercard feature, no?


3dsecure works with Visa too. I don't know about AmEx, although I do know that for Point Of Sale payments we have to have a special bank contract (one for Visa / Mastercard and one for AmEx).

I suppose the merchant decides whether to use this or not by trying to find a balance between user experience and fraud risk.

In our case I think the limit is set right above the usual purchase amount (we sell movie tickets). It's low enough that a fraud wouldn't hurt us too badly and there's not much incentive for it either. Also, most of the clients don't have to fiddle with 3dsecure (in my case I would have to carry a fob around, which I never do), so it's a better experience for them.

If someone tries to buy a lot of tickets at once, they are more likely to be doing something fishy so we use 3dsecure.


I'm guessing that the page gets skipped when you're on a familiar IP address with a familiar cookie, or there are other factors where the bank decides more authentication is unnecessary.


10 years ago I got a Mastercard that for the first time required me to answer a 3D Secure question each time I did an online purchase. It's been at least seven years since I had to answer that question though. How 3DS figures my card carries no fraud risk I have no idea. Is my card less likely to get stolen? Perhaps they have geography as a metric?


That would suck if anytime I wanted to deal with things back home while travelling I had to remove my local sim and put back in my home sim just so I could receive SMS messages from my bank.

Do they offer any non SMS options?


In France they do not have a non SMS option. Also if you change your number you have to wait days while your bank mails a new activation code to your postal address. Actually snail mail. (At least with BNP.)

An incredible pain. I hate it. ApplePay for the web is far superior.


Data point of one here, but my experience is different. I used Crédit Coopératif, and they issued me with a password generator fob (like a small calculator in which you stick your Visa chip-card) which the 3D Secure page would ask for a response from.

I suspect it depends on your bank. Back when I used Crédit Agricole, I was indeed forced to do SMS auth, which is inferior.


3D Secure (at least in India) offers both SMS OTP and Password validation. So you can use your 3D Secure Password (which is different from bank credentials) or use SMS OTP to confirm the transaction.


Have 3d Secure here in Turkey too. Most merchants provide a checkbox to enable 3D secure, if you do so, they redirect to the bank's page and you need to enter a code.

Most of the time, non 3d secure purchases take a little more time to go through and if the amount is higher than your regular spendings or the charge happened to be in the middle of the night, banks ask for confirmation via SMS anyway. If you go with 3D secure, it just works instantly.

All banks provide virtual credit card numbers with predefined limits too though.


Usually there are no fees, and it also protects you from chargebacks. But it's harder to implement, and it does tend to increase abandon rates a bit.


And some implementations rely on 3rd party cookies!


Yes, the same system exists in Germany too (confusingly alongside Sofortüberweisung). It's called Giropay and it works the same in that you sign in on your online banking website and the wire transfer is guaranteed by your bank, not a third party.

It's nice and works well. All would be great if it weren't for the fact that it's only offered by some banks (mainly cooperatives I think) and only accepted by some shops. Why the German banks have tried to sue Sofortüberweisung out of existence instead of implementing their own universal system that undercuts Sofortüberweisung's merchant fees (0.9% + €0.25 per transaction) is beyond me.


> instead of implementing their own universal system that undercuts Sofortüberweisung's merchant fees (0.9% + €0.25 per transaction) is beyond me.

Well, they are trying, wasting 300 million so far on Paydirekt.

Their rates are still over credit cards though...


Oh right, thanks! It seems they're such a strong competitor that I've never even heard of them. And they still support nowhere near as many banks as Sofortüberweisung, although I appreciate that these things take time (and there are a lot of banks in Germany).


I don't consider that a solved problem. Austria has the same "solution". Try paying as a foreigner without a local bank account. Also no support for chargebacks.


However the cost is minimal. As a foreigner you can pay with credit cards - the merchant might not support it due to the horrendous cut that Visa/MC/Amex take (several percentage points).


If you charge a card that supports 3DSecure the fees are not even a whole percentage I think.


This is how most ecommerce works in Lithuania too. Debit cards (vs credit cards) typically didn't allow online transactions until last year, so most ecommerce companies just do this - there are only 3 or 4 major banks, so for the user it's pretty easy. I assume the fees are lower for the business too.

The only downside is if you don't have a local bank account (i.e. as a foreigner) you can't use it.

2FA is done by a) paper code b) passcode generator fob or c) mobile signature, which uses your SIM which holds an RSA key (it doesn't use SMS):

https://en.m.wikipedia.org/wiki/Mobile_signature


This sounds exactly like "Giropay" in Germany, a competitor to Sofort and supported by some banks, but has very low adoption.


Yeah, also happens in Latvia. Already for many years, many banks here and many online services provide you with this way of payment.




