I have implemented this ...
... where I work and it wasn't easy.
To avoid the phishing attacks most banks allow you to add a phrase that is displayed every time the 3DSec box appears. I have set this up with all my cards as I opted in so I could test the system I was building.
Most banks ask for the whole password, which a key logger would get. But if your OS is full of security holes that is hardly the bank's fault. What is the bank's fault is the moving of the liability from the CC company basically to you. It was explained to me that successful 3DSec makes it almost impossible for a person to claim fraud, the only defence being "that someone was holding a gun to my head"!
My cousin runs an airport transport service. He picked up a party of 15 who had pre-paid via CC. 6 months later the money was removed from his account as the CC owner claimed it had been used fraudulently. My cousin worked his nuts off to prove the guy had used the service. He is loving 3DSec, now he doesn't have to photograph every punter who uses his service as he requires 3DSec.
When we forced users to use 3DSec here our sales plummeted, so unless the bank says that payment cannot be made unless the person goes through it - we don't do it. The amount we lost in legitimate sales was huge compared to the amount of fraudulent sales, which was and still is negligible.
For those that do not like Sec3D, can you please stop complaining and suggest an effective, secure alternative please?