A while ago I was the victim of a little credit card fraud. Visa's excuse was that the site where the fraudulent transactions took place (not a site I'd ever visited) did not ask for the 3 digit security number. All it asked for was data that could be gleaned from the front of the card. They suggested that the most likely way my card details were stolen was that a merchant handled my card. Well the only time that had happened recently was two days before the dodgy transactions at the petrol station of a well known supermarket who's chip and pin machines were out of action. Coincidence? I told Visa and my bank this, but they weren't interested and just refunded my account. I tried the police who were also not interested. They said it was unlikely the spotty faced youth who'd handled my card had used my card to fund an online gaming habit (yeah right!) and that it wasn't worth pursuing.
Anyway the point about that was that Visa should refuse to deal with such an insecure site, but they didn't. Likewise these should not be guidelines they should be mandatory.