I thought I would highlight today's case of how 3D Secure fails. For a period of time today, Visa card transactions would either have failed processing online (if the merchant implemented it properly) or would have just gone through without 3D Secure enforced.
To understand how this happens, here is some background on how a 3D Secure transaction typically happens:
1. Once you capture your card details on a merchant platform, the merchant system calls a BankServ web service which determines the 3D Secure enrolment status.
2. The enrolment status is quite simple: "Y" = enrolled, "N" = not enrolled. But wait, there is also a "funky" "A" status, which can mean that the BIN range is enrolled but the specific card number is not.
3. If a card is enrolled in 3D Secure, the merchant then calls a specific BankServ URL, which shows you that nasty 3D Secure screen where you enter your mobile number/email for an OTP (this is all bank-specific and varies).
4. Once the consumer submits his secret code/OTP via BankServ, BankServ redirects to the merchant with a result token.
5. The merchant then takes the result token and calls a web service to get the actual result.
6. Based on the result (authenticated/not authenticated), the merchant then calls the payment gateway and passes along the 3D Secure information (such as transaction ID, merchant reference, etc.).
So today the issuer system for Visa was slow to answer the enrolment-status query (step 1), and BankServ returned "N" for all Visa cards due to technical timeouts. Remember, "N" means "STOP, card not enrolled". And now you get two types of merchants:
- The ones that push the transaction through as a non-3D Secure transaction (some label it as a "mobile" transaction, as there is still an exemption under which 3D Secure does not apply)
- The ones that decline the transaction: bad for business and inconvenient for the customer (the majority of the big players never do this)
As a consumer you will never hear about these issues, and you will actually never run into these types of problems, as most platforms do not process transactions properly. For what it's worth, the above "timeout" issue shifts the liability from the merchant to the bank. So this answers your question of "How could they have banked the transaction without me authenticating it via 3D Secure?"
For the consumer: the bank, BankServ and the payment gateway all have access to detailed transactional data and will be able to identify how a transaction was performed. In the above "N" scenario, however, it is not very transparent, as on the surface the bank will come after the merchant with a chargeback because the transaction was not 3D Secure, although the issuer/BankServ will shift liability. So all in all, a huge mess.
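The six-step flow above, with the "N"-on-timeout failure mode and the two merchant behaviours, as an added example that is not part of the original post and is not BankServ's real API or the poster's code. `FakeBankServ`, the test PANs in `TEST_CARDS`, `DEMO_OTP`, the `issuer_timeout` switch and the liability labels the merchant records are all assumptions made for the simulation; the rule that an authenticated or attempted transaction is issuer-liable while a plain non-3DS sale is merchant-liable is a simplification of the real scheme rules.

```python
import secrets
from dataclasses import dataclass

# Constructed test cards (standard test PANs, not real accounts): PAN -> the
# enrolment status the issuer would report when its lookup succeeds.
TEST_CARDS = {
    "4111111111111111": "Y",  # enrolled
    "4000000000000002": "A",  # BIN range enrolled, this PAN is not ("attempt")
    "4012888888881881": "N",  # genuinely not enrolled
}
DEMO_OTP = "123456"           # the OTP our fake hosted page accepts (assumption)


class FakeBankServ:
    """Stand-in for the BankServ enrolment and authentication services."""

    def __init__(self, issuer_timeout=False):
        self.issuer_timeout = issuer_timeout
        self._sessions = {}   # result token -> authentication outcome

    def enrolment_status(self, pan):
        """Steps 1/2: enrolment lookup. Failure mode from the post: when the
        issuer lookup times out the answer is "N" for every card, not an error,
        so the merchant cannot tell a timeout from a genuinely unenrolled card."""
        if self.issuer_timeout:
            return "N"
        return TEST_CARDS.get(pan, "N")

    def authenticate(self, pan, otp):
        """Steps 3/4: the hosted OTP page; returns the result token that the
        consumer's browser is redirected back to the merchant with."""
        if TEST_CARDS.get(pan) == "A":
            outcome = "attempted"      # no OTP possible, the attempt is recorded
        elif otp == DEMO_OTP:
            outcome = "authenticated"
        else:
            outcome = "not_authenticated"
        token = secrets.token_urlsafe(24)
        self._sessions[token] = outcome
        return token

    def result(self, token):
        """Step 5: single-use exchange of a result token for the outcome, so a
        replayed or forged token cannot be turned into an authenticated sale."""
        return self._sessions.pop(token, "invalid_token")


@dataclass
class Authorization:
    """What the merchant sends to the gateway (step 6) and keeps in its records."""
    pan_last4: str
    amount: int
    enrolment: str     # raw status from step 2, kept as evidence for later disputes
    three_ds: str      # "authenticated", "attempted" or "none"
    liability: str     # who bears fraud liability according to the merchant's record
    status: str        # "authorized" or "declined"


def process_payment(bankserv, pan, amount, otp=None, decline_unenrolled=False):
    """Merchant-side flow for one payment. decline_unenrolled selects between
    the two merchant behaviours in the post when the status comes back "N"."""
    status = bankserv.enrolment_status(pan)
    last4 = pan[-4:]
    if status == "N":
        if decline_unenrolled:
            return Authorization(last4, amount, status, "none", "merchant", "declined")
        # Push it through as a plain non-3DS card-not-present sale: no OTP was
        # ever shown, and the merchant's own record says the merchant is liable.
        return Authorization(last4, amount, status, "none", "merchant", "authorized")
    if status not in ("Y", "A"):
        raise ValueError(f"unexpected enrolment status {status!r}")
    token = bankserv.authenticate(pan, otp)
    outcome = bankserv.result(token)
    if outcome in ("authenticated", "attempted"):
        # Simplifying assumption: a successful authentication or a recorded
        # attempt both shift liability to the issuer.
        return Authorization(last4, amount, status, outcome, "issuer", "authorized")
    return Authorization(last4, amount, status, "none", "merchant", "declined")


if __name__ == "__main__":
    normal = FakeBankServ()
    print(process_payment(normal, "4111111111111111", 1000, otp=DEMO_OTP))
    # The outage from the post: an enrolled Visa card while the issuer lookup times out.
    outage = FakeBankServ(issuer_timeout=True)
    print(process_payment(outage, "4111111111111111", 1000))
    print(process_payment(outage, "4111111111111111", 1000, decline_unenrolled=True))
```

Running the outage case shows the post's point in one record: the same enrolled card that normally produces an issuer-liable, authenticated sale now produces an authorized sale with `three_ds="none"` and no OTP ever shown, which is exactly the non-3DS transaction the bank later sees and disputes. Keeping the raw `enrolment` value and the token-exchange outcome in the merchant's own records is the only thing that lets it later argue that "N" came from the enrolment service rather than from its own decision to skip authentication.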