This is not quite true in the context of 3D Secure.
You are correct in that this is how banks operated before 3D Secure. They shift all the fraud liability onto the hapless merchant and then charge them through the nose (with both the amount and the chargeback $35, as well as a potential disabling of the merchant account if it has more than 1% of fraud - which is easier to achieve that you'd think, especially if you're low-volume, e.g. if you're a small business or startup).
The purpose of 3DSecure is to "fix" this situation in favour of the merchants. Do the card companies (VISA & Mastercard, basically) now take on liability for fraud? OF COURSE NOT. With 3D Secure, they have shifted the liability from the merchant straight to the issuing bank, which can choose whether to pass it on to the cardholder, and sometimes does. It's really entirely up to them. Also, it's worth pointing out that a lot of credit card fraud is only detected months later, so "in a timely fashion" may be excessively difficult to achieve.
Now, the question to ask is, who actually benefits from 3DSecure?
- The merchants
That's it. Who bears the burden of getting everyone to sign up to 3DSecure?
- The issuing banks
Who stands to lose money if the merchants are protected?
- The issuing banks
In view of this, it's no surprise that implementations are shoddy and many people are not signed up. Why would the issuing banks want to push a scheme that makes them lose money?
You are correct in that this is how banks operated before 3D Secure. They shift all the fraud liability onto the hapless merchant and then charge them through the nose (with both the amount and the chargeback $35, as well as a potential disabling of the merchant account if it has more than 1% of fraud - which is easier to achieve that you'd think, especially if you're low-volume, e.g. if you're a small business or startup).
The purpose of 3DSecure is to "fix" this situation in favour of the merchants. Do the card companies (VISA & Mastercard, basically) now take on liability for fraud? OF COURSE NOT. With 3D Secure, they have shifted the liability from the merchant straight to the issuing bank, which can choose whether to pass it on to the cardholder, and sometimes does. It's really entirely up to them. Also, it's worth pointing out that a lot of credit card fraud is only detected months later, so "in a timely fashion" may be excessively difficult to achieve.
Now, the question to ask is, who actually benefits from 3DSecure?
- The merchants
That's it. Who bears the burden of getting everyone to sign up to 3DSecure?
- The issuing banks
Who stands to lose money if the merchants are protected?
- The issuing banks
In view of this, it's no surprise that implementations are shoddy and many people are not signed up. Why would the issuing banks want to push a scheme that makes them lose money?