David Woolley wrote:
I've deferred registering with VbV and I haven't used Mastercard online,
for a long time, but, does the system authenticate itself to you, and
does that authentication depend on a shared secret, but not pass it over
the wire? If not, it is vulnerable to a man in the middle attack, and
you need to check the SSL certificate and ignore the way it authenticates
itself to you.

"Reece Bythell" wrote
Speaking for Securecode only (I don't have a VbV card), the system can be
user-configured to offer you a greeting which only the card owner should
know. The greeting is completely separate from the authentication
credentials.

That's a shared "secret" that *is* passed over-the-wire. So,
as the man said, it is vulnerable to a man-in-the-middle attack.