Verified By Visa is more-or-less the brand name for the 3-D Secure service. 3-D stands for "Three Domain", referring to the three parties (Visa calls them domains) that provide the software that comprise the service.
- Implementor: Card holder account; Card issuer or processor
- Servers: Access Control Server, Authentication Enrollment Server (or pages)
- Implementor: Visa
- Servers: Visa Directory Server, Authentication Server
- Implementor: Merchant
- Servers: Web Server fitted with Merchant Server Plug-in
The issuer implementation is a relatively straightforward secure HTTPS web service. It is even possible (and permitted) to use a single web server instance to fulfill the roles of both Access Control Server and Authentication Enrollment Server. The Issuer server accepts requests from merchant web pages via web requests sent AJAX style and makes requests of Visa's Interoperability Domain servers. All communication is done using a straightforward XML protocol.
I created a nice diagram that details the communication flow between the 3-D parties, but I probably shouldn't publish it. Ask me if you've got questions.