Regarding VBV - some processors allow an issuer to allow a card holder to bypass VBV registration x times. If your system is set up this way and fraud happens because VBV registration was bypassed--ou will be liable to your account owner for the unathorized charge, and you will not have chargeback rights because your configuration of VBV had the weakest security. I would check with your processor and if the cardholder is allowed to bypass VBV registration x times, I would change the setting so your cardholder can bypass the registration zero times.
Also, some scammers are sophisticated enough that they might have social engineered the info needed to register for VBV or the cardholder's VBV password. You're still liable for the transaction in that scenario.
Nothing I say should be considered legal advice or the opinion of my employer.