This is a good summary by the ECB of how to do strong customer authentication.
The document states that transactions should only be initiated following "strong customer authentication". The ECB recommendations require the use of two or more "mutually independent elements" taken from something only the user knows, such as a password; something only the user has, for example a card reader or mobile phone; and something only the user "is", that is, a biometric characteristic such as a fingerprint.
The challenges for commerce businesses, however, remain the same: security and authentication get in the way of genuine customers completing purchases. Ecommerce managers monitor abandoned carts as a key performance metric; if extra authentication steps lead to fewer sales, they will not want to introduce them.
In addition, implementation of new standards is key, as every business is happy to adopt a new industry standard once it knows that all its competitors are adopting it too.
However, once one leading business decides not to implement the standard, it becomes a competitive advantage not to have those extra security steps in the checkout or login processes. Without regulation, this leads to lower adoption of new security standards.