
In Sweden, all cards that are issued are forced to use that "Verified by" Visa and Mastercard "SecureCode" program for two-factor authentication. Merchants can turn it off, but then they're liable for misuse - so plenty of places have it on by default.

Some banks require that you use the token generator you've gotten to log on and manage your bank account, while most others use a separate password for the Verified by Visa/Mastercard SecureCode thing.



forced to use that "Verified by" Visa and Mastercard

I'm super sketched out by the program as it appears to be run by a third party rather than Visa/Mastercard.


I don't know if it's really fair to call Verified by Visa two-factor authentication as your card number is just another string (that can be replicated). With Verified by Visa you go from one to two "passwords".


It adds a "something you know" (password, PIN/password to your token generator) factor to the "something I have" (the card, with numbers on front and back) factor, so I would say it's fair to call it two-factor authentication.


I beg to disagree. The credit card is "something you know" just as much as "something you have", because when used on the web it is just a (copyable) 23-digit number. Whether you remember the number or look it up in your wallet is no different than whether you remember your password or store it on a post-it.

Other things "you have" in popular 2FA solutions are quite different, for instance your mobile phone number identity (for SMS) or your Google Authenticator.


I generate a one-time card number for each online purchase. Only valid for a specific time and up to a specific account. Supported by some banks. Pretty good solution in my opinion.


Since it isn't mandatory it is beyond useless and just creates a false sense of security.



