It should be a choice a business can make based on their circumstances. Instead, the EU legislates conversion loss for everyone.

If you think about it, when was the last time you entered even a CVV2/CVC on Amazon? Compare that to most regular sites which require you to enter CVV. Some allow you to enter the card holder name and address, while others don't and just sent the shipping address you've entered.

And it's not like this is a surefire way to make things better anyway. Like was mentioned before, it makes people that know about these things queasy when a random site redirects you to your bank and wants you to log in. What better way to scrape bank login info than a fake login screen for your bank? It's like when banks introduced TAN numbers. Then indexed TAN, SMS TAN etc. What regular user that fell for the "Please enter 3 TAN numbers to verify your account" will figure out whether a shady site is scraping their logins?