So here's another tidbit from a Cambridge paper that I found amusing.
Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication
The 3DS specification only covers the communication between the merchant, is- suer, acquirer and payment scheme, not how customer verification is performed. This is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder’s ATM PIN. It’s bad enough that EMV has trained cardholders to enter ATM PINs at terminals in shops; training them to enter PINs at random e-commerce sites is just grossly negligent. (Phishermen are also asking for ATM PINs on bogus ADS forms.)
(bold mine)
BTW, after reading about how botched VbV/SecureCode are, I actually don't feel so bad about US banks no longer supporting it now.